In a recent post, Blurring the Lines of Networks (Enterprise & Mobile), it was proposed that the enterprise's trust boundary move closer to the Data Center(s) as an enabler for adopting mobile operator delivered network infrastructure and devices. To illustrate how moving the trust boundary enables that adoption, this post explores mobile operator delivered enterprise Wi-Fi.
Decomposing Enterprise Wi-Fi:
- Enterprise Wi-Fi has traditionally been viewed as an authenticated SSID that grants access to the internal network. It has two functional components: 802.1X authentication, and transport access to the internal network (behind the firewall).
- 802.1X authentication, using one of the EAP methods, is relayed over RADIUS to an authentication server backed by the enterprise directory. This class of authentication is required to provide scalable authentication and logging, and its accounting records tie identities to IP addresses for security and forensic purposes.
- Transport access to internal network is just that, it’s the same internal network that the other computers in the enterprise use.
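The forensic value of 802.1X mentioned above comes from RADIUS accounting: the records tie an authenticated identity to the device's MAC address and, once DHCP has run, to its IP address for the life of the session. The script below is an added example, not code from the original post or from SpiderCloud; it correlates a constructed set of accounting records (written in the style of a FreeRADIUS detail file, which is an assumption about the log format) into sessions and answers the question a forensics team actually asks: who held a given IP address at a given time. The sample deliberately reuses one IP address across two users so that the time bounds matter.

```python
"""Correlate RADIUS accounting records into identity -> MAC -> IP sessions.

Hypothetical example, not part of the original post. The input is a set of
constructed records in the style of a FreeRADIUS 'detail' file: one record per
block, blocks separated by a blank line, a header line carrying the wall-clock
time, then tab-indented "Attribute = value" lines. Attribute names are the
standard RADIUS accounting attributes (RFC 2866); Timestamp is the epoch time
FreeRADIUS adds to each detail record.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data; not a real log. Note that 10.20.30.41 is handed
# out to jdoe, released at Stop, and later reused for asmith.
SAMPLE_DETAIL = """\
Tue Jan 14 09:02:11 2014
\tAcct-Session-Id = "5A3F0012"
\tAcct-Status-Type = Start
\tUser-Name = "jdoe@corp.example"
\tCalling-Station-Id = "AA-BB-CC-11-22-33"
\tNAS-IP-Address = 10.0.0.5
\tTimestamp = 1389690131

Tue Jan 14 09:02:19 2014
\tAcct-Session-Id = "5A3F0012"
\tAcct-Status-Type = Interim-Update
\tUser-Name = "jdoe@corp.example"
\tCalling-Station-Id = "AA-BB-CC-11-22-33"
\tFramed-IP-Address = 10.20.30.41
\tTimestamp = 1389690139

Tue Jan 14 11:45:00 2014
\tAcct-Session-Id = "5A3F0012"
\tAcct-Status-Type = Stop
\tUser-Name = "jdoe@corp.example"
\tCalling-Station-Id = "AA-BB-CC-11-22-33"
\tFramed-IP-Address = 10.20.30.41
\tAcct-Terminate-Cause = User-Request
\tTimestamp = 1389699900

Tue Jan 14 11:50:03 2014
\tAcct-Session-Id = "5A3F0099"
\tAcct-Status-Type = Start
\tUser-Name = "asmith@corp.example"
\tCalling-Station-Id = "DE-AD-BE-EF-00-01"
\tFramed-IP-Address = 10.20.30.41
\tTimestamp = 1389700203
"""

ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")


@dataclass
class Session:
    session_id: str
    user: str
    mac: str
    start: int                 # epoch of the first record seen for the session
    ip: Optional[str] = None   # unknown until a record carries Framed-IP-Address
    stop: Optional[int] = None # None means the session is still open


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Split a detail-file dump into one attribute dict per record."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)         # header (date) line has no indent: skipped
        if m:
            current[m.group(1)] = m.group(2).strip().strip('"')
    if current:
        records.append(current)
    return records


def build_sessions(records: List[Dict[str, str]]) -> Dict[str, Session]:
    """Fold Start / Interim-Update / Stop records into per-session state."""
    sessions: Dict[str, Session] = {}
    for r in records:
        sid, status = r.get("Acct-Session-Id"), r.get("Acct-Status-Type")
        if not sid or not status or "Timestamp" not in r:
            continue                    # malformed record: ignore, do not guess
        ts = int(r["Timestamp"])
        s = sessions.get(sid)
        if s is None:
            # First record for this session. With 802.1X the client only gets
            # an IP via DHCP after authentication, so Start often lacks
            # Framed-IP-Address; we fill it in from a later record.
            s = Session(sid, r.get("User-Name", "?"),
                        r.get("Calling-Station-Id", "?").upper(), ts)
            sessions[sid] = s
        if "Framed-IP-Address" in r:
            s.ip = r["Framed-IP-Address"]
        if status == "Stop":
            s.stop = ts
    return sessions


def who_had_ip(sessions: Dict[str, Session], ip: str, at: int) -> Optional[Session]:
    """Return the session that held `ip` at epoch `at`, or None if nobody did."""
    for s in sessions.values():
        if s.ip == ip and s.start <= at and (s.stop is None or at <= s.stop):
            return s
    return None


if __name__ == "__main__":
    sessions = build_sessions(parse_detail(SAMPLE_DETAIL))
    for t in (1389695000, 1389700000, 1389700500):
        s = who_had_ip(sessions, "10.20.30.41", t)
        print(t, "->", f"{s.user} ({s.mac})" if s else "no session")
```

The lookup is bounded by the session's first and last accounting records, so the same IP resolves to jdoe mid-morning, to nobody in the gap after the Stop, and to asmith once the second session starts. This is the processing the post says can stay unchanged when the trust boundary moves: the accounting stream from the operator's access network carries no enterprise data, only identity, MAC, IP and timing.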
The simple drawing below illustrates the trust boundary in the present situation.
This is the model most widely deployed inside enterprise offices to allow an iPad to attach to Wi-Fi as a full citizen and connect to business applications behind the firewall. This strategy assumes that the iPad (regardless of ownership: COPE or BYOD) is a managed part of the computing environment. If COPE is a new acronym to the reader, its philosophy and definition can be found at the EMF here.
For a mobile operator who wants to offer Wi-Fi as a Service, this approach subjects the operator to intense scrutiny, not only about operating the Wi-Fi but also about data security. The enterprise will have concerns because the majority of the data traffic inside the network is unencrypted and, depending on network design, Wi-Fi attached devices can have visibility to every other host and server anywhere in the network and Data Center(s).
To illustrate the benefits of blurring the lines to the enterprise, the drawing below shows moving the trust boundary to the edge of the Data Center(s), and assuming the internal private networks are untrusted (like the Internet).
With this approach, the mobile operator’s Wi-Fi infrastructure can be easily joined to the enterprise because all managed devices use a remote access strategy in which the device behaves the same at work, at home, or in a coffee shop. The mobile operator has no ability to see enterprise data, and 802.1X is reduced to a secure and scalable way to admit devices onto the enterprise access network. Security and forensics teams will be happy because trust is not extended to the mobile operator, and the RADIUS logs can still be saved and processed with the procedures developed for yesterday’s architecture.
How does this help Enterprise IT with the BYOD problem?
- It levels the playing field by keeping all mobile devices (laptop, tablet, or smartphone) outside the Data Center(s), so the BYOD problem space becomes a Mobile IT issue alongside all company issued mobile devices.
- IT has to solve for secure data and access, once, for all classes of devices.
- Mobile devices behave consistently at work, home, or coffee shop.
For enterprise architects, consider extending this strategy to the wired network and desktop computers. The concerns of security people about hackers or employees plugging unknown machines directly into an enterprise Ethernet jack can be mitigated the same way.
Recommendation to Enterprise IT professionals (As a former Enterprise Infrastructure Architect for a global brand)
1. Move the trust boundary for Wi-Fi closer to the enterprise Data Center(s), with a long term solution that can address the performance and capacity needs of your organization. A variety of technologies can solve for moving the trust boundary (contact me if you’re interested in my candidates).
The opportunities exist for mobile operators to help address enterprise BYOD and mobility challenges for enterprise IT departments and cultivate value-added services beyond coverage and capacity in the Enterprise space — built upon strong customer relationships, and a proven technical foundation. Positive mindshare and perceptions in the eyes of the enterprise buyers will create invitations to future opportunities.
A new and more important role is emerging for mobile operators, where enterprise mobility and value-added IP services is part of the ‘package.’ Mobile is the heartbeat of any organization, and wireless is the digital oxygen that our devices breathe at home and on the road.
Innovation in mobile, together with the increasing need for IT to deliver against more mobile requirements while reducing cost and complexity and moving items from the Capex side to the Opex side of the budget, is blurring the lines between mobile and Enterprise networks and creating value on both sides.
– Art King, SpiderCloud Wireless, Director of Enterprise Services & Technologies