Wednesday, 20 June 2012

Building BYOD pt 1 - Requirements

We've used hotspot-style Wi-Fi 'guest' services for years, but they aren't exactly slick for the business or the end user.  It also means that the device will be outside of the corporate firewall.  This type of service will always have its place; however, at some point you're going to put untrusted devices directly in touch with business systems.

With that in mind, the decision to move to BYOD will be significant for any organisation.  Taking business systems from Windows to a multi-OS mobile environment is a massive challenge in terms of security, user experience, infrastructure readiness and support.  

This blog will be delivered in a few parts.  The idea is to highlight the design decisions that will help build the right BYOD service for your organisation.

Step 1 - Gather the requirements.  Here are some examples:

  • Connecting & Profiling Users - We need to...
    • provide a quick and simple on-boarding process.
    • offer self-registration for staff, but not all staff.
    • offer long-term accounts for employees and contractors but not visitors. 
    • pre-authorise third-party users.
    • support any device type, but restrict devices that can't be trusted. 
    • deliver WLAN profiles to devices automatically.
    • use domain credentials to authorise our employees.
    • support VPN for teleworkers.

  • User Authorisation & Auditing - We need to...
    • use AD security groups to authorise employees.
    • use certificates, but not our internal Root CA.
    • know who has authorised our third-party users.
    • prevent visitor accounts being created using dummy names.
    • be able to audit user sessions by IP address for 12 months.

  • Filtering & Prioritisation - We need to...
    • allow social media and personal mail.
    • filter traffic without configuring a proxy server on the device.
    • enable multicast services for our business media services.
    • allow Facetime and Skype but not Internet TV.
    • enable VoWLAN for our SIP solution.
    • allocate better QoS and bandwidth profiles to our priority users. 
    • use Apple TV in meeting rooms and the conference centre.

  • Infrastructure & Endpoint Security - We need to...
    • make sure the execs get guaranteed bandwidth for video streaming.
    • ensure our Internet uplink isn't saturated at peak times.
    • de-prioritise third-party user bandwidth.
    • perform antivirus and OS checks.
    • offer the ability to install AV software and upgrades.
    • block P2P connections unless the device passes posture validation.
    • use a DMZ for all of our BYOD devices.

Some design decisions add significant cost and will need to be validated by strategy and backed by funding.  They may also dictate which vendor solution you choose.

Some requirements will conflict with each other or be unachievable within budget, so be sure to set expectations on which requirements are more expensive to deliver than others.  Media-based services will almost always add complexity and cost to the design.

A great example of an awkward media solution is Apple TV - execs want this in meeting rooms.  You'll need to support the Bonjour protocol, which relies on peer-to-peer link-local multicast and so needs an L3 gateway to work across subnets.  Not all vendors can support this, and it can be a challenge for security and infrastructure design.

In the current environment some devices are more enterprise-ready than others.  A wide variety of users and devices will mean different levels of authorisation and policing.  So the BYOD strategy may need to include several service types, dictated by the security capabilities of the device (or of the MDM vendor).  Consider that creating a 'preferred device' service for Apple iOS devices will potentially cause discontent among the owners of other devices who can't subscribe to the same level of service.

The message for part 1 of Building BYOD…
Spend some time gathering all of the requirements.  Understand what the possibilities are and which services and device types you want to support.

Part 2 - Secure Design