With that in mind, the decision to move to BYOD will be significant for any organisation. Taking business systems from Windows to a multi-OS mobile environment is a massive challenge in terms of security, user experience, infrastructure readiness and support.

This blog will be delivered in a few parts. The idea is to highlight the design decisions that will help build the right BYOD service for your organisation.
Step 1 - Gather the requirements. Here are some examples:
- Connecting & Profiling Users - We need to...
  - provide a quick and simple on-boarding process.
  - offer self-registration for staff, but not all staff.
  - offer long-term accounts for employees and contractors but not visitors.
  - pre-authorise third-party users.
  - support any device type, but restrict devices that can't be trusted.
  - deliver WLAN profiles to devices automatically.
  - use domain credentials to authorise our employees.
  - support VPN for teleworkers.
- User Authorisation & Auditing - We need to...
  - use AD security groups to authorise employees.
  - use certificates, but not our internal Root CA.
  - know who has authorised our third-party users.
  - prevent visitor accounts being created using dummy names.
  - be able to audit user sessions by IP address for 12 months.
- Filtering & Prioritisation - We need to...
  - allow social media and personal mail.
  - filter traffic without configuring a proxy server on the device.
  - enable multicast services for our business media services.
  - allow Facetime and Skype but not Internet TV.
  - enable VoWLAN for our SIP solution.
  - allocate better QoS and bandwidth profiles to our priority users.
  - use Apple TV in meeting rooms and the conference centre.
- Infrastructure & Endpoint Security - We need to...
  - make sure the execs get guaranteed bandwidth for video streaming.
  - ensure our Internet uplink isn't saturated at peak times.
  - de-prioritise third-party user bandwidth.
  - perform antivirus and OS checks.
  - offer the ability to install AV software and upgrades.
  - block P2P connections unless the device passes posture validation.
  - use a DMZ for all of our BYOD devices.
Some of these design decisions add significant cost and will need to be validated by strategy and backed by funding. They may also dictate which vendor solution you choose.
Some requirements will conflict with each other or be unachievable within budget, so be sure to set expectations about which requirements are more expensive to deliver than others. Media-based services will almost always add complexity and cost to the design.
A great example of an awkward media solution is Apple TV: execs want this in meeting rooms. You'll need to support the Bonjour protocol, which is peer-to-peer multicast and has to be relayed between subnets via an L3 gateway. Not all vendors can support this, and it can be a challenge for security and infrastructure design.
In the current environment some devices are more enterprise-ready than others. A wide variety of users and devices will mean different levels of authorisation and policing, so the BYOD strategy may need to include several service types, dictated by the security capabilities of the device (or of the MDM vendor). Consider that creating a 'preferred device' service for Apple iOS devices will potentially cause discontent among the owners of other devices who can't subscribe to the same level of service.
The message for part 1 of Building BYOD: spend some time gathering all of the requirements. Understand what the possibilities are and which services and device types you want to support.
Part 2 - Secure Design
http://uk-wireless.blogspot.co.uk/2012/07/building-byod-pt-2-secure-design.html