Solution wp byod5thingsyouneedtoknow


Published in: Technology, Business
  1. BYOD: 5 Things You Need to Know
  2. Introduction

     “In fact, 59% of firms now officially support personally owned smartphones to some extent which can achieve financial and user satisfaction objectives simultaneously. On one hand, your C-level executives will like the cost savings benefits from personally owned devices. On the other, it will help retain and attract top job talent – especially those empowered workers who want and expect to use the devices they’re comfortable with to be productive.”
     Forrester Research, “Market Overview: Cloud-Hosted Mobile Device Management Solutions and Managed Services,” January 3, 2012

     BYOD or “bring your own device” is rapidly rising to the top of CIOs’ shopping lists. We live in a mobile and network-dependent world in which personal devices like smart phones and tablets have become a natural extension of how we live and work. Today’s tech-savvy workers have personal devices that they expect to be able to connect to the network. Moreover, employees who are able to choose the types of devices they use for work tend to be happier, more engaged and productive. They are even willing to contribute to the cost of purchasing the device of their choice, which can significantly reduce hardware provisioning and refresh costs.

     Despite the benefits of BYOD, many IT departments have concerns about security and compliance, as well as the added IT effort involved in on-boarding and off-boarding devices. However, attempting to avoid these issues by putting in place a policy of “no BYOD here” only pushes employees to find other ways of getting their devices on the network – without the visibility and control of IT.

     In addition to empowering your employees to work faster and smarter, BYOD also has the potential to transform the way your business connects with consumers, trading partners, supply chain partners, contractors and consultants.

     This white paper looks at the role of self-service device registration in avoiding the risks of unmanaged BYOD, while providing a fast and efficient way to get thousands of new devices onto the network. BYOD users must be able to quickly and easily register a device anywhere anytime on a 24/7 basis. The only way to do this effectively without overwhelming your IT staff is by implementing a self-service device registration solution. Only once you have put a solution in place for this “first mile” of BYOD can you turn your attention to securing devices with an end-point Mobile Device Management (MDM) solution.

     The paper will outline the requirements for an effective BYOD solution and show how device registration complements MDM solutions by providing complete visibility and control of the network and devices.

     We will also take a brief look at the BlueCat Device Registration Portal, a self-service mobile security solution for simplifying and automating device registration, on-boarding and off-boarding. Powered by BlueCat Address Manager, an advanced IP Address Management (IPAM) solution, BlueCat Device Registration Portal effectively eliminates IT involvement in device registration, removing the barriers to successful BYOD adoption and protecting your organization from the risk of unknown devices.
  3. Making BYOD Work

     BYOD by the Numbers:
     • One billion consumers will have smartphones by 2016.
     • In 2016, 350 million employees will use smartphones — 200 million will bring their own.
     • Employees pay for 70% of the tablets used for work.
     • Mobile spend will reach $1.3 trillion as the mobile apps market reaches $55 billion in 2016.
     • Business spending on mobile projects will grow 100% by 2015.
     Forrester Research, “Mobile Is The New Face Of Engagement,” February 13, 2012

     To make BYOD work, you need to be able to view and control three key elements: the user, the device (its MAC address) and the IP address. In order to link these three key elements together within a single pane of glass, device registration must be tightly integrated with IP Address Management (IPAM) and DNS/DHCP core network services.

     Figure 1 (diagram labels: User, Device, IP Address, BYOD): By linking the device, user and IP address, device registration, together with DNS, DHCP and IP Address Management, allows you to track all devices, users and IP activity on the network for security and compliance.
  4. When device registration is integrated with IPAM and DNS/DHCP core services, devices can be tracked, managed and audited from the moment they are first on-boarded to when they are finally off-boarded to provide device control without gaps.

     Figure 2 (diagram labels: Employee Devices (BYOD and Corporate); BlueCat; Mobile Device Management; Device and User Auditing; Network Management; Frictionless Device Onboarding; Device or User Offboarding & Blacklisting; Data Center Devices (VMs, Servers, Cloud Assets, VoIP, Etc.)): Device registration provides a way of provisioning and tracking all devices on the network – not just mobile devices, but also data center servers, virtual machines, cloud assets, etc. – for complete visibility and control without gaps.

     IT managers tend to focus on MDM solutions for BYOD security, but MDM alone can create gaps in device control. MDM solutions also focus solely on mobile devices, whereas device registration allows organizations to gain a more strategic and unified “big picture” view of all devices on the network. In the next section, we look at how device registration complements MDM by addressing five key challenges associated with BYOD.
  5. Five Ways to Enable BYOD

     “Forrester finds that 48% of today’s information workers already buy whatever smartphone they want and use it for work purposes. By 2020, the number of empowered employees will rise as the younger, more tech-savvy Millennial workers become 45% of your business’ workforce demographic. And their perception of enterprise IT is low to say the least, with 34% of Millennial employees claiming that they have better technology at home than at work.”
     Forrester Research, “TechRadar for I&O Professionals: IT Service Management Processes, Q1, 2012,” February 7, 2012

     Self-service device registration is an essential first step to BYOD. Registering devices via a simple Web portal empowers users to easily self-register their own personal devices in order to get on the network, effectively eliminating IT involvement in the process.

     Figure 3 (diagram labels: Connect Device, Register Device, Use Device): Self-service device registration – users bring their own device, register their own device and connect their own device. It’s really that simple.

     Below we look at five ways device registration can enable BYOD by empowering users with instant network connectivity, while at the same time reducing the burden on IT of having to manually register, track and secure devices.

     1. Reduce Demand on Network Operations with Self-Service

     The first challenge of BYOD is how to quickly and simply get devices onto the network without overburdening network operations, central IT and helpdesk staff with manual device provisioning requests. To succeed, BYOD must be “low touch” from an IT perspective. To simplify and automate BYOD registration and device on-boarding, and reduce the reliance on central IT, self-service and automation are a must.

     The key components of a self-service BYOD solution include:
     • Support for workflow and task delegation allows support for the BYOD environment to be efficiently distributed to the appropriate groups, such as the help desk or local administrators, instead of those common tasks falling on highly paid senior resources in network operations.
     • An intuitive self-service portal for users or guests to register their own devices. With a lightweight registration mechanism, interaction from IT staff to provision personal devices is unnecessary. Users are authenticated based on their existing network credentials.
     • Automatic device tracking and auditing with the ability to link devices, users and IP activity for security, compliance and reporting.
  6. BYOD users expect immediate access to the network. Manual processes simply cannot deliver the IT responsiveness that users and guests demand. A successful BYOD solution will allow users to quickly and easily self-register their devices, which means that IT staff does not need to be involved with registering, on-boarding and tracking personal devices.

     2. Secure and Audit BYOD On-boarding

     “Half of all global info workers are using three or more devices for work, but IT doesn’t see it.”
     Forrester Research, “Info Workers Using Mobile And Personal Devices For Work Will Transform Personal Tech Markets,” February 22, 2012

     Many IT professionals fear that opening the network to BYOD will mean that anyone can bring a device onto the network and start accessing resources without proper verification and control. The concern is that IT staff will lose control of network security and unknown personal devices will put the organization and its sensitive data at risk. If you can’t see a device on the network, you can’t track it, which may expose an organization to significant liability.

     By implementing self-service device registration, organizations can require that users first self-register their devices before they can access the network. Users attempting to access the network with an unknown device are automatically redirected to a simple Web portal where they can quickly register the device using their existing credentials. Unknown users are simply not allowed to register their device. Once authenticated, the user is granted immediate access to the network and IT is able to track the device, and view the relationship between the device, its user and IP activity.

     By allowing organizations to allocate network access to personal devices and users in line with the authentication and usage policies configured by IT staff, device registration acts as a security and compliance watchdog – and it does it automatically with minimal IT involvement or effort.

     When device registration is integrated with IP Address Management, IT organizations can gain access to an even richer repository of device and IP data that can be used in a number of different reporting and auditing functions:
     • Live and historical IP tracking allows administrators to determine whether users are complying with the organization’s code of conduct. If they are not, users and devices can be removed or blacklisted from the network with a single click.
     • Auditing allows administrators to track IP address, user name, and MAC address for security and compliance. A searchable audit trail enables administrators to quickly and efficiently find offending users or devices to protect the network.
     • Each user on the network is tracked along with all registered devices associated with that user. This means users are tied to IP addresses to show how devices are interacting with the network and which users are accessing which resources.
     • Detailed device information such as device type and operating systems can be captured and used to plan future projects or improve services. Device and usage statistics and trends can be viewed and analyzed through reports.
  7. Device registration allows an organization to implement BYOD and still have the necessary controls in place to ensure that the network – and the business – is protected. Because device registration enables organizations to track devices from the moment they are on-boarded to the moment they are off-boarded (either by the user via a self-service portal or by an administrator), IT can rest assured that they have a solution in place to help manage lost or stolen personal devices, and devices belonging to employees who have left the company.

     3. Track Users, Devices and Network Activity for Compliance

     Most organizations have internal security policies that require compliance reporting and auditing. Many industries are also heavily regulated and require auditing to demonstrate compliance with external regulations. The ability to track and audit devices and users on the network is essential in the event of a security incident where reporting and auditing can be used to determine who was responsible for an issue.

     Device registration addresses the compliance challenges of BYOD by requiring users of personal devices to first register their device via a self-service portal before they can gain network access. The device registration solution should:
     • Leverage open-standard directory technology (LDAP) to perform user lookups against well-known and authoritative sources of user data (including Microsoft Active Directory).
     • Reduce user permission management by eliminating the need to replicate user data to the device registration solution.
     • Employ encryption to ensure the authentication process is secure.

     In addition to ensuring only valid users are allowed to register devices, administrators have the ability to control user/device interactions:
     • Limit the number of devices a user can register to conserve bandwidth.
     • Blacklist users for improper or malicious conduct or behavior, such as a failure to comply with your usage policies or code of conduct.
     • In the event of improper or malicious activity, all device registrations associated with a user can be rapidly removed with a single click.

     Device registration provides the essential link between registered devices, known users and network activity to answer questions such as who did what and when. Once this link between personal devices, users and network activity is in place, control over BYOD can be achieved and internal or external compliance can be easily demonstrated.
  8. 4. Integrate Device Registration with DNS, DHCP and IPAM

     Any BYOD initiative must be built on a solid foundation of IP Address Management and core network services. Opening the network to personal devices can dramatically increase IP address provisioning and network administration tasks, placing additional strain on the network infrastructure and on IT staff who are already overworked and stretched thin. Every personal device requires an IP address to access the network. Manual processes and homegrown solutions simply cannot keep pace with the network demands of BYOD.

     Core network services including DNS and DHCP are also impacted by the influx of personal devices. Simply starting up an Apple iPhone or iPad not only requires an IP address, but may also require over 30 different DNS queries. To prepare your network infrastructure for BYOD and the explosion of personal and corporate devices, BYOD registration must be tightly integrated with DNS, DHCP and IP Address Management.

     With an IPAM solution, basic network configuration tasks critical to support BYOD can either be automated or completed with a few clicks of the mouse from a single pane of glass:
     • Rapidly configure and provision a new network to support BYOD.
     • Add a new range of IP addresses to accommodate increased BYOD demand.
     • Allow users to self-register their own devices to gain access to the network with zero IT intervention.
     • Delegate administration and support of BYOD issues to the helpdesk or other groups within your IT organization with full accountability.
     • Effortlessly create dedicated environments for the various device types to drive both connectivity (wired, Wi-Fi, etc.) and access (Internet only, corporate servers, etc.) based on the devices’ capabilities, corporate policies and user profiles.
     • Monitor and dynamically adjust IP address pools to ensure that employee and guest devices can consistently and reliably connect to the infrastructure.

     Direct integration with DNS, DHCP and IPAM provides a number of benefits including:
     • Restricted access to the network using core services to prevent unknown and unregistered devices from gaining access to critical resources.
     • Automatic access to the network once a device has been registered.
  9. • As devices are on-boarded via the device registration portal, the IPAM system is automatically populated with all the necessary information to tie a user to a device (or group of devices) and to an IP address (or group of IP addresses). When these three key pieces of information are linked together, any network traffic, especially DNS queries, can easily be tied back to a user on a given device for accountability and compliance monitoring.

     By integrating device registration with DNS, DHCP and IPAM, organizations can achieve powerful centralized management of “everything IP” on the network including devices, users, activity and core services.

     5. Minimize Wireless Costs and Accommodate Growth

     The ability to track devices as they move through the network or among different physical locations, networks and wireless access points can be leveraged to monitor wireless usage and minimize costs. A device can only use one IP address at a time. If a device moves from one network to another, it receives a new IP address and the old IP address is abandoned. The abandoned IP address can then be reclaimed for reuse.

     With the visibility and control afforded by device registration and IPAM, network administrators can make more efficient use of their network resources by:
     • Limiting the number of devices a user can register
     • Identifying devices on the network that may be using more than their share of bandwidth and linking these devices back to users
     • Reclaiming abandoned IP addresses and stale or expired leases so that they can be put back in the pool of available IP addresses for reuse
     • Tracking all IP addresses used by a particular device as it moves about the network

     IP addresses are a limited and valuable business resource. The ability to effectively manage and reclaim IP address space is essential in order to cost-effectively enable BYOD.

     Even with effective management, the rapid growth of mobile devices can increase wireless costs – and many network administrators underestimate the pace of BYOD growth. Users don’t have just one device but many. A typical employee will most likely look to on-board a laptop, smartphone and tablet, which means that three devices per user is rapidly becoming the standard. The addition of at least three personal devices for each employee will effectively triple the number of IP leases required on your network. In some industries, the number of personal devices per user can be much higher. For example, a leading higher education institution currently allows ten devices per user to connect to the network; however, they anticipate that this limit is too low to accommodate the growing desire of students, faculty and staff to connect multiple IP devices.
  10. How many personal consumer devices do you currently have? A smart phone, a tablet, a laptop? And how often do you change those devices? Once a year? Once every two years? It’s easy to see how the work associated with onboarding and offboarding those devices can quickly pile up and spell long nights for IT teams that attempt to solve the problem manually.

      The nature of personal devices also differs from corporate devices. Corporate-owned devices tend to be refreshed every 3-5 years, whereas the refresh cycle for personal consumer devices is much more rapid – users tend to replace their personal devices every 1-2 years. This means that even if an organization’s employee headcount does not grow, users will add new personal devices to connect to the network at a much faster rate than corporate devices. Self-service device registration makes it easy for users to unregister an old device and register a new replacement device with zero IT involvement.

      The self-service device registration solution that organizations choose must be scalable and robust enough to accommodate exponential growth without requiring costly upgrades or re-architecting. As discussed above, your underlying network infrastructure and core network services must also be scalable and resilient to bear the increased burden of IP address provisioning that comes with growing BYOD usage.

      In the next section, we look briefly at how the BlueCat Device Registration Portal provides a purpose-built solution to address current and future BYOD requirements.

      BlueCat Device Registration Portal

      The BlueCat Device Registration Portal is an easy-to-use self-service Web portal that allows users to register their own devices in order to gain access to the network. This self-service solution empowers employees and guests to connect their personal consumer devices to the network without compromising security and compliance or overwhelming IT staff.

      Easy to deploy and maintain, BlueCat Device Registration Portal provides everything your organization needs to manage BYOD registration within a single solution.

      Figure 4 (screenshot of the Device Registration form, with fields for MAC Address, Description, Operating System and Type of Registration (Dynamic or Reserved), annotated with these callouts):
      • Brand the portal with your own look and feel (customizable header, footer and CSS styles).
      • Auto-detect the connecting device’s MAC information.
      • Manually enter information to register devices without browser access (printers, consoles, etc.)
      • Provide help to guide users
      • Gather data specific to your organization
      Caption: With a fully customizable front end, BlueCat Device Registration Portal easily integrates with an organization’s existing Web site and brand. Users attempting to connect an unknown device to your network are automatically redirected to the secure self-service portal where they must first register their device.
  11. BlueCat Device Registration Portal allows organizations to securely manage the explosive growth of personal consumer devices without increasing IT staff levels. The solution allows easy registration and tracking of all devices connecting to your network, regardless of who owns them. Before they can access your network, users must first register their devices using the intuitive self-service Web portal. The fully automated solution effectively eliminates IT involvement in device registration.

      Figure 5 (diagram; panel text follows):
      • Bring Your Own Device: Empower your users and guests to use the devices of their choice, whether personal or company-owned, to access the network.
      • Register Your Device: Quickly and easily self-register and onboard your personal or corporate device with zero IT intervention.
      • Connect Your Device: Once your device has been registered and onboarded, DNS, DHCP and IP Address Management services are automatically updated, granting you immediate access to the network and all available services.
      • BlueCat Device Registration Portal (Self-Service Device Registration): Users can register any device, whether personal or company-issued, via the self-service BlueCat Device Registration Portal in order to gain immediate network access with no IT involvement. Once devices are registered, administrators can capture, manage and track device, user and IP information for all registered devices. An administrator portal allows helpdesk staff or departmental administrators to register devices on behalf of users, review, create or modify device registrations and register non-Web capable corporate devices such as scanners, printers and copiers.
      • BlueCat Address Manager (IP Address Management): Device registration is tightly integrated with IP Address Management to allow IT administrators to view and centrally manage devices, users and IP activity. IPAM integration allows administrators to track, audit, report and control MAC addresses and IP assignments for all mobile devices and users on the network.
      • BlueCat DNS/DHCP Server (Core Network Services): Devices registered through the portal are automatically integrated with DNS and DHCP core services to provide users with instant access to the network with no DHCP setup required. DHCP leasing allows mobile device users to seamlessly move among different physical locations, networks and wireless access points.
      Caption: BlueCat Device Registration Portal is tightly integrated with DNS, DHCP and IP Address Management (IPAM) to simplify BYOD registration, on-boarding and off-boarding. IPAM integration links devices, users and IP activity for complete visibility and control of all devices.

      BlueCat Device Registration Portal is much more than a simple BYOD Web portal. Under the hood, the portal is powered by BlueCat Address Manager, an advanced IP Address Management (IPAM) solution that acts as the “Network Authority,” providing rich management capabilities and a complete span of control for the entire BYOD infrastructure. IPAM integration provides centralized visibility and control of users, devices and IP addresses.

      Only by integrating device registration with IPAM, DNS and DHCP can the process of on-boarding and controlling a device be frictionless, easy and transparent to the user. Organizations are also able to leverage powerful IPAM capabilities like network reconciliation, network discovery and IPv4/IPv6 support to ensure that their BYOD infrastructure is easy to manage, efficient, scalable and future-ready.
  12. BYOD Registration and Mobile Device Management (MDM)

      Organizations seeking to implement BYOD often focus on a mobile device management (MDM) solution to deliver end-point security, while overlooking the importance of the first step in BYOD – how to securely get personal devices onto the network without involving IT. Device registration is necessary to on-board any device in a reliable, efficient and frictionless manner. By frictionless, we mean that the device on-boarding process should be fast, intuitive and transparent to the end user. By tying device registration to DNS, DHCP and IPAM, organizations can achieve truly frictionless on-boarding, in which the user is insulated from the backend complexities of IP address allocation and DHCP.

      Only once personal devices are registered, on-boarded and allocated an IP address can MDM solutions start performing their functions, such as connecting to the mobile device, enabling diagnostics, backup/restore, policy application or remote locking/wiping.

      Using MDM alone for BYOD can also create a gap in time between when an unknown device comes onto the network and when you can begin to control it with MDM. This is because MDM solutions have no way to immediately know when a new device has accessed the network. There is no telling what a user might do in the time between when an unknown device is able to access the network and when it can begin to be tracked. To use an analogy, using MDM alone to secure BYOD is a bit like installing an alarm system in your kitchen, as opposed to at the front door.

      Figure 6 (diagram labels: Employee Devices (BYOD and Corporate); BlueCat; Mobile Device Management; Breadth of Control; Device and User Auditing; Network Management; Frictionless Device On-boarding; Device or User Off-boarding & Blacklisting; Data Center Devices (VMs, Servers, Cloud Assets, VoIP, Etc.); Control and Visibility from End-to-End and in Real Time; All Devices Are Controlled and Visible): A complementary technology to end-point security solutions like MDM, self-service device registration provides the first and last mile of a BYOD solution by enabling easy and frictionless device on-boarding and off-boarding, as well as the ability to view and control all devices on the network. This span of control and visibility is not possible with MDM alone.
  13. When a self-service device registration portal is used in tandem with MDM, there are no gaps in visibility and control. A BYOD user simply cannot access the network without first registering his or her device, and immediately upon registration, the device is instantly and automatically tracked – from the moment it is on the network to the moment it is off. This makes device registration a valuable first line of defense in securing the network and devices.

      BYOD and Beyond – A Big Picture View of Devices

      There is a growing awareness that a BYOD initiative should not be planned in isolation, but must be undertaken in the context of a broader device strategy. This big picture view of devices includes not only personal consumer devices, but also corporate-owned mobile devices, peripherals such as wireless printers, VoIP phones, data center servers, virtual machines (VMs) and cloud assets – essentially anything that has an IP address may be classified a device and can be tracked using device registration.

      While MDM solutions focus on mobile devices and end-point security, a device registration portal can be used by network administrators and IT staff to register all devices on the network whether they are mobile, fixed or have a Web browser or not. The ability to register, view and track all devices on the network from a single pane of glass has tremendous advantages in simplifying network management, increasing IT agility and eliminating gaps in device visibility and control that can put businesses at risk.
  14. Summing Up

      BYOD is unstoppable. Much more than an IT trend, BYOD is rapidly becoming the new standard for “always-on” business connectivity. To be successful, BYOD must be “low-touch,” frictionless, automated and secure. The security process must be as simple and familiar as connecting a device to a hotel Wi-Fi network.

      Successful BYOD initiatives begin with self-service device registration. By simplifying and automating the on-boarding and off-boarding of personal devices, and making the process frictionless and transparent to users, self-service device registration provides the first and last mile of any BYOD solution. With device registration, organizations can prepare their network infrastructure for BYOD and beyond, and better control the explosive growth of devices.

      A self-service device registration solution makes BYOD a reality by allowing users to quickly and easily self-register their devices in order to access the network with zero IT intervention. Once a device has been registered, IT can immediately track and link the device to its user and network activity for security and compliance without any gaps in visibility and control. Device registration is also invaluable in helping businesses gain a strategic view of all devices, whether they are mobile, in the data center or in the cloud.

      We are just at the beginning of the BYOD revolution. As the technology evolves and new business models emerge, device registration will play an increasingly important role. For example, mobile wallet initiatives and location-based mobile services are already demonstrating the power of reaching consumers where they are and on their own devices. To enable current and future BYOD initiatives, and connect with consumers, partners and employees in new ways, organizations need to make it fast, simple and secure for users to on-board their own devices in order to access services and do business.

      BYOD is all about empowerment. An effective self-service device registration solution empowers users with quick and painless BYOD connectivity, while also empowering IT with an automated solution for controlling all devices that saves time, effort and costs. By enabling self-service device registration and the ability to control all devices on the network, regardless of the device type or who owns them, device registration provides the simplest and fastest way to BYOD.
  15. At BlueCat, we believe the explosive growth of connected devices requires a more intelligent network to ensure reliable, secure, always-on application access and connectivity. BlueCat IP Address Management (IPAM) solutions provide a smarter way to connect mobile devices, applications, virtual environments and clouds. With unified mobile security, address management, automation and self-service, BlueCat offers a rich source of network intelligence that can be put into action to protect your network, reduce IT costs and ensure reliable service delivery.

      Enterprises and government agencies worldwide trust BlueCat to manage millions of devices and solve real business and IT challenges – from secure, risk-free BYOD to virtualization and cloud automation. Our innovative solutions and expertise enable organizations to build a network infrastructure that is more scalable, reliable and secure, as well as simplify the transition to next-generation technologies including IPv6, DNSSEC, M2M and SDN.

      © 2013 BlueCat Networks. All rights reserved. The BlueCat logo and IPAM Intelligence are trademarks of BlueCat Networks, Inc. All other product and company names are trademarks or registered trademarks of their respective holders. BlueCat assumes no responsibility for any inaccuracies in this document. BlueCat reserves the right to change, modify, transfer or otherwise revise this publication without notice.
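
Sections 2, 4 and 5 of the paper describe linking user, MAC address and IP address so that DNS queries can be tied back to a user, including after an abandoned address has been reclaimed and handed to another device. The sketch below is an added example, not BlueCat code or its API: it joins constructed registration records, DHCP lease history and DNS query log lines, and the record layouts, log format and function names are all assumptions.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timezone


def norm_mac(mac):
    """Canonicalise a MAC so '01-23-45-67-89-AB' and '01:23:45:67:89:ab' match."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ts(text):
    """Parse the UTC timestamp format used in the constructed records below."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample data (hypothetical users, devices and addresses).
# Registration portal output: MAC -> (user, description).
REGISTRATIONS = {
    norm_mac("01-23-45-67-89-ab"): ("alice", "Personal Laptop"),
    norm_mac("02:00:00:aa:bb:01"): ("bob", "Tablet"),
}

# DHCP lease history: (ip, mac, lease start, lease end). The end is exclusive.
LEASES = [
    ("10.20.0.15", "01-23-45-67-89-AB", "2013-03-01T09:00:00Z", "2013-03-01T10:00:00Z"),
    # Same IP reclaimed and reused by a different device later that morning.
    ("10.20.0.15", "02:00:00:aa:bb:01", "2013-03-01T10:30:00Z", "2013-03-01T12:00:00Z"),
    # A device that obtained a lease but was never registered.
    ("10.20.0.16", "02:00:00:cc:dd:02", "2013-03-01T09:00:00Z", "2013-03-01T11:00:00Z"),
]

# DNS query log lines: "<timestamp> <client ip> <query name> <query type>".
DNS_LOG = [
    "2013-03-01T09:15:02Z 10.20.0.15 intranet.example.com A",
    "2013-03-01T10:10:00Z 10.20.0.15 files.example.com A",
    "2013-03-01T10:45:30Z 10.20.0.15 mail.example.com A",
    "2013-03-01T09:20:00Z 10.20.0.16 updates.example.net AAAA",
]


def build_lease_index(leases):
    """Group lease windows per IP, sorted by start time, for time-based lookup."""
    index = defaultdict(list)
    for ip, mac, start, end in leases:
        index[ip].append((ts(start), ts(end), norm_mac(mac)))
    for windows in index.values():
        windows.sort()
    return index


def lease_holder(index, ip, when):
    """Return the MAC that held `ip` at `when`, or None if no lease covered it.

    Assumes lease windows for one IP never overlap, as with a single DHCP scope.
    """
    windows = index.get(ip, [])
    pos = bisect_right([w[0] for w in windows], when) - 1
    if pos >= 0 and when < windows[pos][1]:
        return windows[pos][2]
    return None


def attribute(log_lines, index, registrations):
    """Tie each DNS query to the registered user behind it, by IP and time."""
    rows = []
    for line in log_lines:
        stamp, ip, qname, qtype = line.split()
        mac = lease_holder(index, ip, ts(stamp))
        if mac is None:
            status, user = "no-lease", None            # static or spoofed address
        elif mac in registrations:
            status, user = "attributed", registrations[mac][0]
        else:
            status, user = "unregistered-device", None  # bypassed registration
        rows.append({"time": stamp, "ip": ip, "query": qname, "type": qtype,
                     "mac": mac, "user": user, "status": status})
    return rows


def ips_used_by(index, mac):
    """List every IP a device has held, for tracking it as it moves networks."""
    mac = norm_mac(mac)
    return sorted({ip for ip, windows in index.items()
                   for _, _, held_by in windows if held_by == mac})


if __name__ == "__main__":
    for row in attribute(DNS_LOG, build_lease_index(LEASES), REGISTRATIONS):
        print(row["time"], row["ip"], row["query"], row["status"], row["user"])
```

The second and fourth rows are the ones an auditor would follow up: traffic from an address with no covering lease, and traffic from a leased but unregistered MAC.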