Some key considerations for businesses exploring Adaptive Trust:
1. Differing levels of engagement
Users who are not technically adept require helpdesk assistance when connecting to a corporate network, or with performance and other application issues, and their requests often overwhelm the helpdesk's workload.
On the other end of the spectrum are employees who realize that they can use the same network credentials to gain access to the corporate network from their personal devices. These unmanaged mobile devices can expose corporate data and services to intrusion.
The most important task for a network is to differentiate between employee-owned devices and IT-supplied hardware. Most networks have two portals: one for personal devices (guests) and one for corporate use. Requiring personal devices to log in as guest users only would be cumbersome, as it would probably mean daily re-authentication.
To solve this, an identification method that distinguishes between personal (as opposed to guest) and corporate devices should be implemented, allowing automated authentication and classification of devices for various access levels. IT administrators are then able to keep track of and manage the proliferation of devices, and have the ability to respond quickly if an unwanted network intrusion occurs.
2. A self-configuration model
Another challenge is the configuration of personal devices, whose security measures often differ from those of standard IT-supplied devices. Many personal mobile devices are kept live, with no password required to access the device. Credentials are already stored on the device for automatic authentication whenever the corporate network is detected. This creates difficulties, as there is no guarantee that the personal devices are in the hands of their owners.
Additionally, storing a configuration that grants inside-the-firewall access increases the risk of corporate server penetration, especially with malware and Trojans becoming increasingly common on such devices. Corporate data is significantly at risk if this unwanted malware enters the corporate network.
While it is possible to allow self-configuration of employee-owned devices by publishing guidelines and instructions for connecting to and authenticating on corporate networks, most IT groups prefer a more controlled approach.
For instance, an authentication portal that employees can easily refer to when connecting a new device to the corporate network would be helpful. The network prepares a unique self-install configuration profile for a particular user's device, and the user is offered a single button to click for execution.
This approach accomplishes a number of goals: it is easy for the user, reduces the risk of errors during manual configuration, allows secure self-registration, and incorporates mutual authentication, which allows the network to confirm the user's identity. It also allows the device to use the EAP-TLS authentication protocol, avoiding repeated entry of username and password while maintaining full security. The per-device certificate enables IT staff to track the device in audit logs and follow its history through the network. IT can also disable corporate network access for any device that is reported lost or stolen.
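The access decision described above, as an added illustration that is not code from the original article or from any vendor product: a network access policy takes the EAP-TLS client certificate a device presents, classifies the device from a hypothetical enrollment registry filled in at self-registration time, denies access if the certificate was revoked after a lost/stolen report, and writes an audit line so IT can follow the device's history. All device IDs, serials and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data: the registry a self-registration portal would fill in,
# mapping device IDs to the ownership class assigned when the profile was issued.
ENROLLMENT_REGISTRY = {
    "lap-4411": "corporate",   # IT-supplied laptop
    "phone-9a2": "personal",   # employee-owned phone enrolled via the portal
}
# Certificate serials revoked after a lost/stolen report (constructed).
REVOKED_SERIALS = {"0x2f1c"}
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed "current time"

@dataclass
class ClientCert:
    serial: str
    user: str
    device_id: str
    not_after: datetime

@dataclass
class Decision:
    access: str   # "corporate", "personal", "guest" or "deny"
    reason: str

def revoke(serial):
    """Disable network access for a device reported lost or stolen."""
    REVOKED_SERIALS.add(serial)

def authorize(cert, now, audit):
    """Map an EAP-TLS client certificate to an access level and append an audit line."""
    if cert is None:
        d = Decision("guest", "no client certificate; guest portal only")
    elif cert.serial in REVOKED_SERIALS:
        d = Decision("deny", f"certificate {cert.serial} revoked (lost/stolen)")
    elif cert.not_after <= now:
        d = Decision("deny", f"certificate {cert.serial} expired")
    else:
        cls = ENROLLMENT_REGISTRY.get(cert.device_id)
        if cls is None:
            d = Decision("deny", f"device {cert.device_id} not enrolled")
        else:
            d = Decision(cls, f"device {cert.device_id} enrolled as {cls}")
    who = f"{cert.user}/{cert.device_id}" if cert else "anonymous"
    audit.append(f"{now.isoformat()} {who} -> {d.access}: {d.reason}")
    return d

if __name__ == "__main__":
    log = []
    authorize(ClientCert("0x10a1", "alice", "lap-4411", datetime(2025, 1, 1, tzinfo=timezone.utc)), NOW, log)
    print("\n".join(log))
```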
Sign up for CIO Asia eNewsletters.