This presentation is the story of how one company went from its CISO banning ALL Wi-Fi 8 years ago to today, where Wi-Fi is a major part of its strategy to maintain profitability.
The changing landscape: wireless technology is becoming pervasive and is an anchor technology for lots of enterprise initiatives.
On the path to a pervasive wireless network we'll compare 2 enterprise approaches, looking at:
- Architecture best practice & security posture
- The skills you need to support the service
- How to define access policies: Guest, Corp user (managed), Corp (BYOD)
My background is as an infrastructure guy with experience in large enterprise & financial services, most recently as a Director in IT at Credit Suisse. Financial services is a tough place to be at the moment, and this led to my decision to leave the financial services IT industry. Earlier this year I formed my own consulting company offering strategy, product management & development, and sales services to businesses in the STARTUP or early phase of their life.
Slide: employees, desktops/laptops, LAN ports, content filtering, Wi-Fi architecture
- Barclaycard: 10,300
- Investment Bank: 25,500
- Retail, wealth and business banking: 100,000 (40% of retail have laptops, 10% in wealth; wealth total is only 7k)
TODAY view, but the trend is an increasing number of devices being used as a secondary device; the ROI is in desktop replacement.
EAP-TLS mutual authentication, linked into AD
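EAP-TLS is only "mutual" if the client also validates the RADIUS server's certificate; a supplicant that presents its own certificate but trusts any server will happily authenticate to a rogue access point. The following wpa_supplicant network block is an added example, not the company's configuration: the SSID, identity, certificate paths and RADIUS server name are assumed for illustration.

```conf
# Added example: EAP-TLS profile for wpa_supplicant. All values are assumed.
network={
    # assumed SSID
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=TLS
    # assumed identity; with AD-linked EAP-TLS this is normally the UPN in the certificate
    identity="user01@corp.example"
    # client half of the mutual authentication: a user or machine certificate from the corp CA
    client_cert="/etc/wpa_supplicant/certs/user01.pem"
    private_key="/etc/wpa_supplicant/certs/user01.key"
    # server half: without ca_cert the supplicant accepts ANY server certificate,
    # so this line is what makes the exchange mutual
    ca_cert="/etc/wpa_supplicant/certs/corp-root-ca.pem"
    # pin the server's name as well, so a certificate from the same CA for a
    # different host is not enough
    domain_match="radius.corp.example"
}
```

The same two settings exist in the other supplicants under different names (on Windows, "Verify the server's identity by validating the certificate" plus the "Connect to these servers" list); a managed-device policy should push both rather than leaving the user to click through a certificate warning.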
So in our case study, were things straightforward? Well, this is how bad it was, LESS THAN 8 years ago:
- Wireless was banned by the CISO
- Laptops were custom ordered with the WLAN card removed from the standard product
- Corporate devices had the drivers removed and the Ethernet port locked down to "internal network" addresses
- Remote access was limited to dial-up
IT'S A PRETTY LOW BASE that we start our journey with, but it's more about evolution than revolution. I'm going to take you through the transformation from the worried guy (the CISO), through the frustrated one (the END USER), through to a nirvana-like moment. Changing the view of Wi-Fi became more akin to religion than an orderly set of tasks and projects, and I'm glad to say I was a believer in the FAITH.
This led to some pretty excessive perimeter security strategies being played out. DILBERT: well, we stopped short of the DEFENSIVE WEDGIE SYSTEM, but we did build a MAC-based LAN access system, where each new workstation had to be registered in the DB before it could be assigned a DHCP address. I think our LAN MAC system was about as effective as Dilbert's.
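To make that judgement concrete, here is an added illustration (not the company's system) of what such a gate actually checks: a small model that parses the client hardware address (chaddr) out of a DHCP DISCOVER and looks it up in a registration table before a lease is offered. The table entries and MAC addresses are constructed for the example. The point to notice is that the only input to the decision is a field filled in by whoever built the frame; the switch port, the user and any credential never enter into it.

```python
"""Added illustration of a MAC-registration gate in front of DHCP.

Not the company's code. It models the control described above: a DHCP
DISCOVER is parsed, the client hardware address (chaddr) is looked up in a
registration table, and a lease is only offered when the MAC is known.
"""
import struct
from typing import Optional

# Constructed registration table: MAC -> asset tag (hypothetical data).
REGISTERED = {
    "00:11:22:33:44:55": "WKS-0001",
    "00:11:22:33:44:66": "WKS-0002",
}

BOOTP_FIXED = "!BBBBIHH4s4s4s4s16s64s128s"  # RFC 951/2131 fixed header, 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_discover(xid: int, mac: str) -> bytes:
    """Build a minimal DHCPDISCOVER: fixed header + magic cookie + option 53 + end."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(
        BOOTP_FIXED,
        1,                       # op = BOOTREQUEST
        1, 6, 0,                 # htype Ethernet, hlen 6, hops 0
        xid, 0, 0x8000,          # xid, secs, flags (broadcast bit set)
        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,  # ciaddr yiaddr siaddr giaddr
        chaddr, b"\x00" * 64, b"\x00" * 128,                 # chaddr, sname, file
    )
    return header + MAGIC_COOKIE + b"\x35\x01\x01" + b"\xff"


def parse_chaddr(packet: bytes) -> str:
    """Return the client MAC from a BOOTREQUEST, or raise if it is not one."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen = packet[0], packet[1], packet[2]
    if op != 1 or htype != 1 or hlen != 6:
        raise ValueError("not an Ethernet BOOTREQUEST")
    raw = packet[28:28 + hlen]
    return ":".join(f"{b:02x}" for b in raw)


def gate(packet: bytes, table: dict = REGISTERED) -> Optional[str]:
    """Return the asset tag if chaddr is registered, else None (no lease offered).

    Nothing else is consulted: not the port, not the user, not a credential.
    chaddr is simply whatever the sender wrote into the frame.
    """
    return table.get(parse_chaddr(packet))


if __name__ == "__main__":
    print(gate(build_discover(0x1234, "00:11:22:33:44:55")))  # WKS-0001
    print(gate(build_discover(0x1235, "de:ad:be:ef:00:01")))  # None
```

Because the decision keys only on a self-asserted value, the control costs a registration process for every new workstation without binding access to anything the network can verify; the EAP-TLS authentication linked into AD that the slides mention ties access to a certificate instead.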
Our NETWORK STRATEGY saw the move away from SECURITY ON THE NETWORK to a model with SECURITY AT THE PERIMETER, the NEW perimeter being the DATACENTRE; client networks became untrusted over time, and the on-campus wireless was treated as a dirty network. This desire to de-perimeterise the network (a term coined by the Jericho Forum) was a KEY part of our network strategy, and that strategy was a key aspect in allowing the Wi-Fi journey to start.
THE WORRIED GUY ... typically an info security type. Terminating the Wi-Fi connections on the dirty side of the DMZ convinced the CISO that Wi-Fi could be provided with minimal risk to the company's data or network. BUT THE STATE WAS FAR FROM PERFECT:
- The endpoint had to be corporate owned & managed, or Guest.
- No employee personal devices were allowed, due to concerns over data leakage and liability.
- Guest provisioning processes were designed to be high touch (managed meeting locations) and were therefore manual, costly, and often took longer than the meeting to provision.
CORE INFRA:
- Low coverage, contention, and IT floors prioritised above business floors
- Global inconsistency: one specific country had a paid-for Wi-Fi network from a local telco which was completely open to employees
THIS IS OUR WIRELESS ARCHITECTURE. The access points connect to a local controller, which backhauls to an anchor controller located in the DMZ via Ethernet over IP. Traffic from wireless clients egresses at the DMZ controller: guest traffic is sent to a DMZ-based captive portal, and managed devices VPN back into the corporate data centre.
Consumerisation began to challenge this. This company reduced the BlackBerry estate from 25,000 endpoints to less than 12,000 with Good mobile email on consumer devices, followed by other containerised apps, driving the questions "Why can't I use the corporate Wi-Fi to sync my email?" and "Cellular coverage is so bad in my building, and it's crazy that employees can't use the corporate Wi-Fi on their personal devices."
A COUPLE OF YEARS ON, real estate and IT strategy mandated a flexible / smart working environment aiming to bring the 1:1 ratio of desks to staff down to 1:1.3 (that was 15,000 potential desks saved). AS A RESULT, Wi-Fi shifted to a core technology AND a business enabler upon which a BYOD and app management platform was to be built.
IN 2011 (when the wireless standardisation project started), what was the landscape like?
- Wi-Fi coverage: Americas 40%, APAC 71%, EMEA 45%
- 802.11a/b/g, low contention, RF planned for occasional use, spotty coverage (not all floors, no canteen or coffee-area coverage)
- IT floors prioritised over business floors
How do you define policies for Guest, Corp user (managed), and Corp (BYOD)? Those policies affect the architecture & security posture and what skills you need to support the service.
When we get into requirements analysis it's important to remember who the user is and ask them what they need, but clearly you cannot ask 65,000 individuals in a firm. BASICALLY, don't get too complex in user needs analysis; we looked through these 3 views: client, internal user (standard), internal user (high needs, e.g. an external-facing M&A department).
As we look at these 3 user groups, let's look at some of their key requirements and how they might differ:
- PERFORMANCE: guest and standard users are knowledge workers with mixed voice/data, occasional use for short periods; the high-needs employee adds voice/video in high volume to the set.
- CONTROL: make sure the guest doesn't damage the reputation of the firm's ISP connectivity, but not much else, whereas for employees the HR and regulators' policies have to be considered.
- DEVICE TYPE: where they are ALLOWED to use BYOD.
- For BYOD, what type of security would we put in place.
- And FINALLY, whether their browsing would be content filtered.
Trusteer endpoint protection is used by Credit Suisse.
Clear business objectives are essential:
- Most firms have cost reduction programmes.
- Senior project stakeholders with regular briefings are needed.
- Mature requirements & early engagement with IT suppliers are necessary.
- Which flavour of device: enterprise only / corporate owned, personally enabled / pure BYOD.
- Think about process & support design as well as the technology.
- Translate the risk posture into the required security controls (MDM, MAM, app vs. network security).
- Don't compromise usability for security (consider the impact of security discussions).
Add a slide at the end for Q&A. Do organisations get over-the-top funding for Wi-Fi access? IT driven vs. business driven.