Federal Insights

New Users and Devices on the Network? How to Maintain Security & Productivity

by bwright on 06-06-2017 08:14 AM - last edited on 06-15-2017 01:49 PM by Community Manager

You are a network administrator, responsible for running a campus area network spanning several buildings within a business park. Your company, Widget Inc., runs a portion of its manufacturing, all shipping and receiving, sales, support, admin and HR out of the buildings in the office park. At the same time, you provide support for the remote sales reps and a few overseas employees that offer oversight to an off-shore manufacturer of some of your Widget components.

Fortunately for Widget Inc., the buildings in use are close together, sharing parking lots and allowing for direct cable runs between each. This makes for an easier to build, deploy and maintain campus network infrastructure. However, the diverse nature of the operations that Widget Inc. maintains requires a robust network infrastructure providing wired and wireless access to employees, and wireless access to guests and visitors. With all business functions of Widget Inc. accessing the same network, security concerns have arisen.

As the network administrator, you must identify your requirements for secure network access, for internal and external users and for wired and wireless connections alike. For years you have run Active Directory (AD) with LDAP and some form of network access control for your Windows-based desktops. However, several new employees have stated that they prefer Mac OS-based computers, all staff now use smartphones, and warehouse staff use tablets for a new inventory application you have been testing. At the same time, the devices brought in by suppliers and visitors run all sorts of operating systems, from Linux-based laptops to Google Chromebooks, and all of them need access to the guest network.

Reviewing your requirements against the architecture you currently deploy has led to a search for a single integrated system that identifies users and their devices, authenticates them to the network, tracks the devices and, finally, enables the network to support them. The ability to tie into existing services such as AD and RADIUS is important, but if those functions are also available within the security component itself, all the better. You need to bring new devices onto the network as users bring them into the workplace. As network requirements increase, BYOD expands and IoT devices multiply daily in Widget's office spaces, a better means of secure network access becomes ever more critical.

End-station security is a must-have for network administrators, and securing that part of the network is an ever-evolving process involving many different applications, vendors and supplicants. In the clear majority of deployments, administrators use OS-specific applications or supplicants tied to known users and devices that are managed or owned by corporate IT. What about BYOD, corporate IoT, and the IoT devices users bring in themselves?

Questions that must be asked: Is the solution you use specific to your location? Is there a different method for wired and wireless users and devices? Does it cover only the devices your IT group directly controls, or has pre-approved? What does your organization do about guest access to the network? Do you have a secure method for onboarding new devices and users?

What if the solution you were looking for could be deployed either as an on-premises virtual machine or in a cloud-based environment, and provided authentication and authorization for any device and user regardless of connection method? What if it had an integrated Certificate Authority, on-board RADIUS and a built-in user database, while still letting you use your existing RADIUS server, corporate CA and AD/LDAP services?

One answer lies in how new devices are given access to the network. Onboarding can be simplified with a portal-based self-service application that lets users enroll their devices (obtaining a certificate for each) and have them authorized without IT staff intervention. Security does not need to impact productivity: the administrators who control device access management can set policies and ensure that joining devices have the required applications, firewall, patches and anti-virus software enabled. Beyond granting access to locally connected devices, an external web page reachable from outside the corporate network allows users and devices to be pre-boarded before they arrive, so they get network access as soon as they come within range. The diagram below charts how the device configuration process works as devices access the network, locally or remotely.

[Diagram: device configuration process as devices access the network, locally or remotely]

The Cloudpath Enrollment System provides these features and more. Local certificate management via the built-in CA, RADIUS server and user database makes installation and setup straightforward for the IT team, while simple APIs let Cloudpath integrate with existing corporate authentication methods.
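
The onboarding flow described in the paragraphs above (a device enrolls through a self-service portal and receives a certificate from the built-in CA; the RADIUS server later decides what that certificate is allowed to do) can be shown concretely. The Go program below is an added example written for this page; it is not Cloudpath code and is not taken from the original post, and it uses only the Go standard library. The CA name, the user names, the "employee" and "guest" roles carried in the certificate's OU, the VLAN numbers and the certificate lifetimes are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Role names and VLANs are assumptions for this example; a RADIUS policy would return the VLAN.
var roleToVLAN = map[string]int{"employee": 10, "guest": 30}

// must panics on internal failures (RNG, signing); data from the device is handled with errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA stands in for the enrollment system's built-in CA (an assumed name).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// deviceRequest is the client side of onboarding: the device makes its own key pair and sends only
// a CSR, so the private key never leaves it. A hostile device may ask for any subject it likes.
func deviceRequest() (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csr := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "admin", OrganizationalUnit: []string{"employee"}}}
	return key, must(x509.CreateCertificateRequest(rand.Reader, csr, key))
}

// enroll is the CA side: the portal has already authenticated user and decided role, so identity
// comes from that session and the CSR contributes only a public key (after proof of possession).
func enroll(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte,
	user, role string, lifetime time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR not signed by the key it carries: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))),
		Subject:      pkix.Name{CommonName: user, OrganizationalUnit: []string{role}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))
	return x509.ParseCertificate(der)
}

// authorize is the RADIUS-side check on the client certificate presented in EAP-TLS:
// it must chain to our CA, be valid at now, be usable for client auth and carry a known role.
func authorize(trusted, cert *x509.Certificate, now time.Time) (int, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return 0, fmt.Errorf("reject %q: %w", cert.Subject.CommonName, err)
	}
	ou := cert.Subject.OrganizationalUnit
	if len(ou) != 1 || roleToVLAN[ou[0]] == 0 {
		return 0, fmt.Errorf("reject %q: unknown role %v", cert.Subject.CommonName, ou)
	}
	return roleToVLAN[ou[0]], nil
}

func main() {
	ca, caKey := newCA("Widget Inc Onboarding CA")
	_, csr := deviceRequest()
	emp := must(enroll(ca, caKey, csr, "alice@widget.example", "employee", 24*time.Hour))
	_, csr = deviceRequest()
	guest := must(enroll(ca, caKey, csr, "visitor-tx-0042", "guest", 8*time.Hour))
	fmt.Println(authorize(ca, emp, time.Now()))                  // 10 <nil>
	fmt.Println(authorize(ca, guest, time.Now()))                // 30 <nil>
	fmt.Println(authorize(ca, guest, time.Now().Add(9*time.Hour))) // 0 reject ...: certificate has expired
}
```

Two points a practitioner should check in any onboarding product are visible here: the issued identity comes from the authenticated portal session, not from whatever subject the device put in its CSR (the CSR asks for CN=admin with an employee OU and still receives a guest certificate), and authorization is decided on the RADIUS side from the certificate's chain, validity window and role, so an expired guest certificate, a certificate from another CA, or one with a role the policy does not know is refused even though it parses fine.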

Cloudpath supports all major operating systems, including Google Chrome OS, and covers wired and wireless devices, policy and device management, and authentication and authorization. Look today and see what Cloudpath can do for you and your team.

Using an application such as Cloudpath on the Widget network would identify devices as they access the network and authenticate and authorize users as they log on. Now, when a supplier from Texas comes to present a new component that can be added to Widget's products, they can get on the network from any device they bring, without calling the IT shop to scan the machine, approve it and add it to the guest access list: they simply open a web browser and register. Likewise, as employees replace their smartphones or tablets or bring their own laptops to work, they follow a similar process and receive access without calling IT.

Would you like to hear how the Widget Inc. IT staff improved their productivity by implementing a system that facilitated an easier, and more secure means of network access? Hit me up and I’d be happy to go over any questions you have on how you too can improve security, all while making it easier for your users and guests.
