Several years ago, I had a conversation with an IT manager about his company’s network security that I still remember today. He said: “We’re losing our battle over internal network security. We cannot keep up with our vendors and contractors who bring in all kinds of devices to our network. We may turn our internal network into a DMZ.” Turning an internal network into a DMZ was probably an extreme case at that time, but it showed the underlying problem: if you don’t have control over what’s happening on your network, you’ll have an uphill battle on your hands.
Today, the challenge has intensified with the bring-your-own-device (BYOD) trend. Some speculate that corporate networks may eventually resemble college networks, where users routinely bring their own personal devices. Because personal devices generally do not have the same level of security as IT-owned assets, they tend to carry more vulnerabilities, and it’s harder to protect sensitive information and intellectual property on them. The adage “security risks walk in the door with employees” is quickly becoming a reality that organizations must address.
You’ll need to strengthen your organization’s security mandate. Your internal security focus will evolve from simply securing and managing endpoint devices to re-evaluating your overall network access control, your threat mitigation rules, and your approach to policy compliance.
As more and more smartphones, tablets and laptops show up on different segments of internal networks, policy consistency becomes a high priority. The industry is moving quickly to integrate network security policy management tools with mobile device management (MDM) tools. With a common set of policies, jailbroken iOS devices, rooted Android devices, unmanaged Windows devices, or any device that does not meet policy requirements can be denied access to the network, thereby reducing risk to the enterprise. Keep in mind that jailbreak and root detection is performed by an agent on the device itself, so a compromised device can attempt to evade or spoof it; treat device posture as one signal in the access decision rather than as proof of integrity.
While a central policy platform is critical for policy consistency, a distributed, end-to-end security enforcement infrastructure is equally important. Security capabilities should be built into the network rather than added on as an afterthought. In addition, policy enforcement should take place as close to the network edge as possible, so that a threat is contained and its impact limited before it reaches the rest of the network. For wired endpoints such as laptops, the close-to-the-edge requirement can be met relatively easily with high-quality access switches that carry strong security features. For wireless networks that support smartphones, tablets and wireless laptops, many designs today depend on centralized enforcement provided by a small number of devices, such as wireless LAN controllers. Without careful planning and the right technology support, such designs may run into scalability challenges as higher-throughput wireless technologies such as 802.11ac are deployed and more traffic must pass through those central enforcement points.
Visit the Cisco Unified Access solution site to see how it provides the foundation for the Cisco BYOD Smart Solution with One Policy, One Management, One Network. You’ll find that Cisco One Policy offers the unified policy platform and distributed enforcement discussed above.
Expect more Cisco Unified Access excitement in the coming weeks.