BYOD: How to provide secure access to network resources

IT organizations have little or no choice when it comes to Bring Your Own Device (BYOD) programs. Employees want to access the network with their personally owned devices, and in today’s landscape where employers compete for skilled employees, companies want to be known for giving employees the privilege of doing so. That leaves IT organizations to determine how to provide secure access to network resources. They have three choices: Network Access Control, Software-Defined Perimeter – or both.

How NAC works

Network access control (NAC) technology consists of client software that runs on the user’s device and a piece of hardware that sits on the network. When the device attempts to connect to the network, the client-side agent connects to an access point through which the NAC appliance performs authentication. If the user is successfully authenticated and the device passes the appropriate checks, the access point allows the user to access one or more virtual LANs (VLANs).

There are several challenges with the way NAC operates. To start, NAC requires you to define VLANs ahead of time. They’re static and, in some cases, require network configuration changes or hardware upgrades to support. What’s more, most organizations only have a few VLANs. For example, they may have a guest VLAN, employee VLAN and a production VLAN. A network switch either allows or disallows access to the VLAN. There are no fine grained controls to further limit user access.

NAC also addresses a narrow set of use cases. It cannot extend to resources that are running in a cloud, for example. Nor does it encrypt traffic or support remote users. Additional solutions – and separate policies and processes – are required to provide secure access to cloud-based resources or to enable secure remote user access to the corporate network.

How an SDP works

A Software-Defined Perimeter (SDP) solution dynamically creates an individualized network segment of one for each user. Client software runs on the user’s device and authenticates to a controller using multi-factor authentication or through integration with the organization’s identity management system. Once authenticated, the gateway establishes an encrypted tunnel from the user’s device to the network gateway, which protects server resources.

A digital identity is then built for the user based on the attributes of the device being used, the user’s role and permissions, as well as environmental conditions, such as geolocation, time of day, etc.. An individual perimeter is created based on this digital identity. Unlike a NAC, which maps users to every service and port on a VLAN, an SDP maps users to only those services to which they have explicit access. Through a series of gateways, the SDP protects each of the resources and allows or disallows user access.

There are a couple interesting factors to note about SDPs. Individual perimeters can be overlapping. Multiple users can access the same server or services, as well as different services on the network. The perimeters also adjust to changes in the infrastructure. For example, as new server instances are created or instantiated on-premises or in the cloud, the attributes are taken into consideration and users are granted or denied access appropriately.

A good way to compare access on a VLAN versus an SDP is to consider what a network port scanner would reveal for each. On a VLAN, a port scan identifies every single network port and service available for every server on that VLAN. However, if the network is protected by SDP, the only ports and services a port scan will reveal are the ones you have explicit rights to via the digital identity. Everything else on the network is invisible. An SDP reduces attack surfaces by only exposing services to authorized users who are validated through authentication.

The best choice for BYOD

When it comes to BYOD, IT organizations must address several challenges. Let’s look at how NAC and SDP address each of them:

User authentication – The first challenge is ensuring that only authorized users access network resources. NAC authenticates users through the 802.1X standard. The benefit to using 802.1X is that it enables IT organizations to successfully deploy a NAC solution in a heterogeneous network. However, it often requires network hardware upgrades, and requires considerable effort to deploy and operate.

In contrast, an SDP is built to be extensible and integrate with both on-premises identity systems and standards systems loosely based on SAML. This allows an SDP to connect not only to the enterprise’s identity management system but also to third-party or cloud-based identity systems. For example, you can validate a contractor by authenticating them against their organization’s identity management system.

Validating devices – You must also ensure that only permitted devices access network resources. Both NAC and SDP provide validation of the device profile. The question is how much. NACs are known for their ability to validate and report on basic attributes. An SDP also does this, and more – including the ability to incorporate not only device attributes but also user attributes, as well as a broader picture of the user from directory sources and other environmental systems.

Access control – Granularity of control is a challenge with BYOD. As we previously discussed, access is either all or nothing with NAC, granting or denying access to the full VLAN. An SDP on the other hand, provides fine-grained policies that determine which services users can access running on various servers. The policies are based on attributes and descriptions as opposed to hard-coded onto resources.

Device visibility – IT organizations also need visibility of the devices on the network. Both NAC and SDP provide visibility, but to varying degrees. NAC works at the network layer, so it only effectively gives IP addresses to approved devices. As a result, NAC only allows you to see what devices are attached to the network. An SDP, on the other hand, operates one layer up in the network. Once a device is on the network, it communicates with the SDP infrastructure and only after it’s validated and authenticated is the device able to access network resources. Thus, an SDP allows you to see the resources the devices are accessing. Unauthorized devices can’t access resources because they are protected by an SDP.

The verdict – So, which do you use to enable BYOD in your organization? If you already have a NAC solution, there’s no reason why you can’t also deploy an SDP. You can continue to use the NAC for existing use cases while leveraging an SDP for BYOD. On the other hand, if you don’t have a NAC, an SDP can help you solve BYOD challenges as well as other network security challenges. An SDP will provide a lower cost of ownership and additional flexibility through secure, user-defined environments.