The challenges of BYOD for campus network by Leonard Raphael

1. Leonard Raphael, 10th October 2013

2. 
BYOD Momentum

Identifying the Risks with BYOD

Security as the Main Challenge

BOYD Creates Management Challenges & Role
of Network Access Control

Mitigating Risk

3. 





BYOD Expertise
Know Every Device
Know Ever User
Reduce Help Desk
Minimise Risk
Ensure Compliance
3

4. Embrace
Contain
Block
Disregard
Visibility
Automation

5. Archiving is much more difficult

Data on personally owned devices is more difficult to archive because some of it is stored on
the mobile devices themselves, not necessarily on the backend servers that are operated by IT.
Monitoring content is more difficult

Monitoring content sent from and received by mobile devices is much more difficult than it is
from a conventional desktop infrastructure. This means that legal and regulatory violations are
easier to commit, which can lead to adverse legal judgments and regulatory sanctions.
Users are more autonomous

Mobile users tend to be more independent from IT’s control because they are outside of the
office and so IT cannot control how devices are used.
Compliance is more difficult

According to an Osterman Research survey, nearly two in five organisations find managing
policies for e-discovery or regulatory compliance to be difficult or very difficult, while 35% find
managing other types of policies to be this difficult. Managing mobile policies for issues like ediscovery and regulatory compliance is slightly more difficult than managing other types of
policies.
The environment is more diverse

The normal desktop infrastructure consists of mostly Windows machines and possibly some
Macs and maybe a few Linux machines. The typical BYOD environment, on the other hand, is
much more diverse, typically consisting of iPhones, Android smartphones, iPads, Windows
phones, BlackBerry devices, and other platforms. Further complicating the management of this
environment is that there are multiple versions of the operating systems in use, each of which
can provide users with slightly different capabilities.

6. Phishing
Email on
Device
Device
Compromised
Internal
Network
Scan
Data
Consolidation
Attack Surface is Multiplying With Every New Device
Data
Exfiltration

7. Configuration
Managed
Unmanaged
Devices
Consistent
Diverse
Applications
Corp Push
User Downloaded
Risk
Websites
Endpoint
Protection
Contained
Mature
Open
Emerging

8. Enable BYOD
60%
NAC is now one of the key
mechanisms for mitigating
the risks of consumerisation
Know The Devices
9%
(BYOD)
Gartner
Strategic Road Map for Network Access Control
Published: 11 October 2011 ID:G00219087

9. Have Access to Campus
Networks, Systems, and Data
Download/Store/Forward
Sensitive Information
9

10. Unauthorized Network
Access
Network Risk
Malicious Applications
Application Risk
Vulnerable Devices
Device Risk

11. Mobile Device Mgmt
Hosted Virtual Desktop
Network Access Control
11

12. 


Implementing the right Technologies
Implement the right Network Policy
Providing the right Resources to meet the
challenges.

13. Hybrid
Devices
Consumerization
BYOD
Guest
Device
Corp
Device
Guest
Networking
Endpoint
Compliance
Employee
Guest
Hybrid Users

14. BYOD RISK
MITIGATION
NETWORK
SENTRY
BYOD RISK
ASSESSMENT

15. WHO
WHAT
WHERE
WHEN
TRUSTED
LOCATIONS
TRUSTED
USERS
TRUSTED
TIME
TRUSTED
DEVICES

16. Students
University
Staffs
Guest Users
g
g
g
Desktop
iPad
a a a
a
h
a a
h
g
g
Smart
Phone
g
h
Laptop
g
Researchers
hh
hh
hh
Road
g
Devices
Branch Office
g
Telemarketer
IP
Academic
Staffs
PII
Profiles
Office
Locations
Guest Access
Information
a
a
a
16

17. SECURITY
MOBILITY
NETWORK
ACCESS
CONTROL
WIRED & WIRELESS
SECURE
BYOD
EDGE
VISIBILITY
GUEST
MANAGEMENT
NETWORK
SENTRY
NETWORK
ANALYTICS
EASY 802.1X
ONBOARDING
ENDPOINT
COMPLIANCE
WHEN
WHERE
REGULATORY
COMPLIANCE
WHAT
WHO

18. 3.0
Consumerization
BYOD
All
Devices
2.0
Guest
Networking
Guest
Device
Cloud
1.0
Corp
Device
Endpoint
Compliance
Virtual Server
Appliance
Appliance
Employee
Guest
Virtual Server
Appliance
All Users

19. WHERE
LOCATION 1
Real-Time
Visibility
LOCATION 2
….
Single
Network Sentry
Appliance
LOCATION N
VPN
WHO
WHAT
WHEN

21. Assign
Network Access
Assess
Risk
Unrestricted
Access
Identify
Device
Identify
User
Restricted
Access
Guest
Access
No
Access

23. Single
Mgmt Appliance
Location HQ
Location 1
High Trust
Required VLAN
Med Trust
Required VLAN
Low Trust
Required VLAN
No Trust
Required VLAN
Faculty
Data
Students
Data
Guest
Access
Captive
Portal
Faculty
Registered Device
Compliance
Student
Registered Device
Compliance
Any User
Any Device
Not Jailbroken
Any User
Any Device

24. Single
Mgmt Appliance
Location 1
Remote Registration and Scanning
Location HQ
Welcome
To gain network access users are required to adhere to our established
registration policies. Please select one of the following options:
 Authorized Users
Delegated & Automated
User
Device
Compliance
Guest
Access
Captive
Portal
 Pre-Authorized Guest With An Account
 Device Registration
 Self-Service Guest Registration
In need of assistance, please call the Help Desk.

25. Enterprise Resources
Databases Apps
Email
Enterprise SSID
Full Access
Restricted Access
802.1x
Xirrus
Wireless AP/Array
MDM
Guest SSID
Internet Only
AAA
AD/LDAP
Open or PSK
XMS
Blocked Devices
Captive Portal
Classify User/Device/Location
Enforce Policies
Network Sentry
Internet
Mobility Device
Management
•
•
•
•
Visibility
Policy Manager
Automation / Control
Compliance

26. Security
Rules
Job
Scheduler
WHO
Analytics
Engine
Network Sentry
Data Warehouse
Report
Server
COMPLIANCE
INVENTORY
WHAT
WHERE
HTTPS
HTTPS
ANOMALIES
EXCEPTIONS
WHEN
Network Sentry
Appliance
Network
Sentry/Analytics

27. Partial
Visibility
Remediation
Active
Directory
Devices
And Users
AD Registered
Devices & Users
Palo Alto
Networks
Agent
Palo Alto
Networks
Firewall
100%
Devices & Users
Non-Active
Directory
Devices
and Users
100%
Visibility
Remediation
Guests, Contractors, Students