Feature Article

April 09, 2013

Holistic BYOD Management is Beyond Network Access Control and MDM

There’s a common misconception that managing Bring Your Own Device (BYOD) is handled entirely by Mobile Device Management (MDM) products. In fact, a complete and holistic BYOD management solution must start with a Network Identity and Access Management (IAM) solution that is capable of integrating with MDM and other complementary security and management products.

This column will describe the functions of Network IAM, MDM and other complementary BYOD products like Virtual Desktop Infrastructure (VDI).

Network Identity and Access Management (IAM)

Network IAM extends the traditional Network Access Control (NAC) solution with BYOD functions, such as easy onboarding and a secure guest portal, that are necessary to handle the variety of personal mobile devices being brought into enterprises, schools, healthcare organizations and other institutions. The other attribute of a Network IAM solution is that it integrates with MDM and with other complementary solutions such as Virtual Desktop Infrastructure (VDI) and web-filtering / firewall servers.

All devices that want to access the corporate network must first have an easy way to onboard, and then be authenticated, assessed, profiled, authorized and managed. The onboarding process automatically detects the devices, allows new users to register, and determines what type of authentication (802.1X, MAC-based, web-based, etc.) should be applied. Once they’re authenticated, and optionally assessed and profiled, they are connected to the network.

The next step is authorization, based on user and device settings and other parameters that may include location and time of day. At this point, network access and resource usage are granted according to pre-established role-based policies that are centrally visible and controlled. For example, a user’s network bandwidth, and which printers, URLs and applications they can access, can all be controlled and authorized based on their device type, location, time of day, etc.

This whole process must be applied for all devices – wired and wireless, corporate-owned, employee-owned or guest-owned.

The devices that connect to the network are not just PCs, smartphones, iPads and other tablets; they also include the plethora of other networked devices such as security cameras, e-book readers, medical equipment, cash registers and numerous others that send and receive data over the network. Therefore, all these devices, their status, their location, the apps running on them and the role of their users should now be factored into the decision of who, what, where and when to provide access, and management and reporting should be centralized for the whole network.

A hospital, for example, may decide that only iPads used within the boundaries of the hospital may access patient information, or that jailbroken devices may not connect to the network at all. The network administrator should be able to set these policies centrally and have visibility into the whole network (wired and wireless) with the click of a mouse.

This is why all organizations need Network Identity and Access Management (IAM) solutions like the Enterasys Mobile IAM solution.

Mobile Device Management (MDM)

A robust Mobile Device Management (MDM) solution is about managing the health of the devices and the applications and content on them. It’s about protecting data, controlling which applications can be downloaded, deciding when to remotely wipe the content of a device, and reporting on the inventory: the number and types of mobile devices, phone numbers, apps installed and running, etc.

The use of MDM is necessary for certain institutions and organizations, such as government agencies and hospitals, that require stricter management of their mobile devices. For example, a hospital may require that e-mail data residing on mobile devices be encrypted and that the data on a lost device be remotely wiped, potentially saving the hospital from a breach of HIPAA regulations. The drawback is that it can also affect the personal information on a device. If IT wipes a lost or stolen device, the user will lose everything, not just sensitive hospital data.

For most organizations, MDM is not required. Higher education and K-12 institutions, for instance, should not need MDM for their students. As a matter of fact, most users will refuse the installation of MDM because of the fear that their activities will be monitored or that their personal data may get remotely wiped.

Even when an MDM solution is deployed, there is still a need for network-level management as well, to enable functions such as the onboarding of devices, guest access management, enforcement of device integrity before connecting, and the protection and management of network resources. An MDM can’t provide these functions because they are performed at the network level rather than on the devices.

In fact, an MDM becomes more effective when used in conjunction with Network IAM. If a user uninstalls the MDM software from a device, the network administrator will typically not know about it until the user next attempts to connect to the network. Assuming a Network IAM is properly installed and integrated, it will detect this breach at that point, deny or restrict the device, and inform the network administrator.

Or, if a device is reported stolen or lost, instead of immediately sending a remote wipe command through the MDM, a Network IAM will be able to physically locate the device within the network.
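As an added illustration of the authorization step described under Network IAM (role-based policies keyed on device type, location and time of day, including the hospital's on-site-iPad and no-jailbroken-devices rules) and of the point above that IAM catches an uninstalled MDM at the device's next connection attempt, here is a small policy engine in Python. It is example code written for this article, not Enterasys Mobile IAM code; the device attributes, role names, locations, resource names, the 07:00 to 22:00 guest window and the "restrict" (quarantine) action are all assumptions, and the sample device records are constructed.

```python
"""Toy policy engine for Network IAM authorization decisions (constructed example,
not Enterasys code; attribute names, roles, locations, resources and hours are assumed)."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Device:
    device_id: str
    device_type: str    # "ipad", "smartphone", "laptop", "camera", ... from profiling
    owner: str          # "corporate", "employee" or "guest"
    location: str       # where it attached, learned from the switch port or AP
    jailbroken: bool    # result of the device assessment step
    mdm_enrolled: bool  # reported by the integrated MDM; False once the agent is gone

@dataclass(frozen=True)
class Request:
    device: Device
    user_role: str      # "clinician", "staff", "guest", ...
    resource: str       # "patient_records", "internet", "printers", ...
    hour: int           # hour of day (0-23) of the connection attempt

@dataclass(frozen=True)
class Decision:
    action: str         # "allow", "deny" or "restrict" (e.g. quarantine VLAN)
    reason: str
    notify_admin: bool = False

Rule = Callable[[Request], Optional[Decision]]

def deny_jailbroken(req: Request) -> Optional[Decision]:
    """Jailbroken devices may not connect to the network at all."""
    if req.device.jailbroken:
        return Decision("deny", "jailbroken device", notify_admin=True)
    return None

def require_mdm_on_personal_mobiles(req: Request) -> Optional[Decision]:
    """Employee-owned phones and tablets must still carry the MDM agent: an
    uninstalled MDM is caught at the next connection attempt, the device is
    restricted and the administrator is alerted."""
    d = req.device
    mobile = d.device_type in ("smartphone", "ipad", "tablet")
    if mobile and d.owner == "employee" and not d.mdm_enrolled:
        return Decision("restrict", "MDM agent missing", notify_admin=True)
    return None

def patient_records_onsite_ipads_only(req: Request) -> Optional[Decision]:
    """Only clinicians on iPads inside the hospital may reach patient records."""
    if req.resource != "patient_records":
        return None
    d = req.device
    if d.device_type == "ipad" and d.location == "hospital" and req.user_role == "clinician":
        return Decision("allow", "clinician iPad on premises")
    return Decision("deny", "patient records require an on-site clinician iPad")

def guests_internet_only_in_hours(req: Request) -> Optional[Decision]:
    """Guest devices get internet only, and only between 07:00 and 22:00."""
    if req.device.owner != "guest":
        return None
    if req.resource != "internet":
        return Decision("deny", "guests may only reach the internet")
    if not 7 <= req.hour < 22:
        return Decision("deny", "guest access outside allowed hours")
    return Decision("allow", "guest internet access")

def basic_access_for_known_roles(req: Request) -> Optional[Decision]:
    """Authenticated staff roles may use shared resources from any device."""
    if req.resource in ("internet", "printers") and req.user_role in ("clinician", "staff"):
        return Decision("allow", f"{req.user_role} basic access")
    return None

# Ordered policy: the first rule that returns a decision wins.
POLICY: List[Rule] = [
    deny_jailbroken,
    require_mdm_on_personal_mobiles,
    patient_records_onsite_ipads_only,
    guests_internet_only_in_hours,
    basic_access_for_known_roles,
]

def evaluate(req: Request, rules: List[Rule] = POLICY) -> Decision:
    """Walk the ordered rules; anything no rule explicitly allows is denied."""
    for rule in rules:
        decision = rule(req)
        if decision is not None:
            return decision
    return Decision("deny", "no policy grants this access")

if __name__ == "__main__":
    # Constructed sample: an employee phone whose MDM agent was removed.
    phone = Device("phone-03", "smartphone", "employee", "hospital", False, False)
    d = evaluate(Request(phone, "clinician", "internet", 10))
    print(f"{phone.device_id}: {d.action} ({d.reason}), notify_admin={d.notify_admin}")
```

Two design choices matter here: the integrity rules (jailbroken, missing MDM agent) are ordered before any rule that can grant a resource, so a compromised device never reaches an allow; and the engine ends in a default deny, so a new device class such as a security camera gets nothing until an explicit rule covers it. In a real deployment the Device record is populated by the profiling, assessment and MDM-integration steps rather than built by hand.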

Virtual Desktop Infrastructure (VDI)

Some organizations may choose to allow business data only on corporate-owned devices or on devices with MDM software installed, or they may want to deny or restrict jailbroken iPads. In these cases the organization may decide that access to business data can only be provided through a Virtual Desktop Infrastructure (VDI). VDI provides a "virtualized" desktop and data on a remote central server instead of on the local storage of the client. Therefore, when users work from their local machine, all of the programs, applications, processes and data they use are kept on the central server and run in a virtual machine.

This allows users to access these applications and data from a smartphone, tablet or thin client without the applications or data physically residing on those devices, providing increased security as well as improved service to the user and reduced operational cost for the support organization.

Web Filtering, Firewall and other management elements

Beyond IAM, MDM and VDI, some organizations may also choose to deploy web content filtering and firewall solutions. These allow or restrict access to resources such as applications in public or private clouds, as well as websites, based on the user’s device, location and time of day. For example, a K-12 school would block access to all inappropriate websites, and might choose to allow access to Facebook only during lunchtime in the school cafeteria.

Holistic Management - BYOD Done Right

In summary, a holistic BYOD management solution should always start with a Network Identity and Access Management (IAM) solution. This solution should provide complete BYOD management that includes easy onboarding, authentication, assessment, profiling, authorization and end-to-end visibility and control for all network devices, with centralized and unified (wired/wireless) management. For those organizations that also need MDM, VDI and/or web filtering / firewall for the reasons stated above, the IAM solution should also provide easy and open integration with these products.

When these solutions are seamlessly integrated, it enables simplicity, tighter security, and a higher quality user experience for all. This is holistic BYOD management. This is BYOD Done Right.

Ali Kafel is the Director of Product Marketing for Enterasys Networks, and a contributor to MobilityTechzone. Please follow him on Twitter @akafel for more thoughts on this and similar topics.




Edited by Braden Becker

