Blurring of the Lines of Networks (Enterprise Wi-Fi)

April 1, 2013

In a recent post, Blurring the Lines of Networks (Enterprise & Mobile), I proposed moving the enterprise’s trust boundary closer to the Data Center(s) to make it easier to adopt network infrastructure and devices delivered by mobile operators. To show how moving the trust boundary enables that adoption, this post works through mobile operator delivered enterprise Wi-Fi.

Decomposing Enterprise Wi-Fi:

  • Enterprise Wi-Fi has traditionally been viewed as an authenticated SSID that grants access to the internal network. It has two functional components: 802.1X authentication, and transport access to the internal network (behind the firewall).
  • 802.1X authentication uses one of the EAP types, with a RADIUS server checking the credentials against an enterprise directory. This class of authentication is what provides scalable authentication and logging, and the RADIUS accounting records tie an identity (and the device’s MAC address) to an IP address for security and forensic purposes.
  • Transport access to the internal network is just that: the same internal network that the other computers in the enterprise use.

The simple drawing below illustrates where the trust boundary sits in the present situation.

This is the model most widely deployed inside enterprise offices to attach an iPad to Wi-Fi as a full citizen and connect it to business applications behind the firewall. The strategy assumes that the iPad (regardless of ownership: COPE or BYOD) is a managed part of the computing environment. If COPE (Corporate-Owned, Personally-Enabled) is a new acronym to the reader, its philosophy and definition can be found at the EMF here.

For a mobile operator who wants to offer Wi-Fi as a Service, this approach subjects the operator to intense scrutiny, not only about operating the Wi-Fi but also about data security. The enterprise will have concerns because 802.1X only keys the encryption of the radio link (WPA2-Enterprise): the majority of the data traffic inside the network is unencrypted once it leaves the access point, and, depending on network design, Wi-Fi attached devices can have visibility to every other host and server anywhere in the network and Data Center(s).

To illustrate the benefits of blurring the lines for the enterprise, the drawing below shows the trust boundary moved to the edge of the Data Center(s), with the internal private networks treated as untrusted (like the Internet).

With this approach, the mobile operator’s Wi-Fi infrastructure can easily be joined to the enterprise because all managed devices use the same remote-access strategy, and behave the same at work, at home, or in a coffee shop. The mobile operator has no ability to see enterprise data, because that data is protected by the remote-access connection between the device and the Data Center(s); what the operator still sees is connection metadata (the identities in the RADIUS exchanges, the endpoints, and traffic volumes), not the data itself. 802.1X is reduced to a secure and scalable way to admit devices onto the network. Security and forensics teams will be happy because no trust is extended to the mobile operator, and the RADIUS logs can still be saved and processed with the procedures developed for yesterday’s architecture.
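As an added example (not SpiderCloud’s code, and not from the original post), here is the kind of processing the RADIUS logs mentioned above still support once the trust boundary moves: the accounting records, which carry User-Name, Calling-Station-Id and Framed-IP-Address, are folded into sessions so a forensics team can answer “who held this IP at this time?” and flag two live sessions claiming one address. The records are constructed, and their layout is assumed to follow the FreeRADIUS ‘detail’ accounting file; any RADIUS server that logs accounting Start/Interim-Update/Stop packets can feed the same logic.

```python
"""Tie RADIUS accounting to identity: which user held which IP, and when.
Added example, not SpiderCloud code.  Records are constructed; their layout
follows the FreeRADIUS 'detail' accounting file (timestamp line, indented
'Attribute = Value' lines, blank line between records), which is an assumption."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: a1 gets its IP only in an Interim-Update (its Start arrives
# before DHCP finishes); b2 reuses the address after a1 stops (legitimate);
# c3 claims the same address while b2 is still open (must be flagged).
SAMPLE_DETAIL = """\
Mon Apr  1 09:12:04 2013
    Acct-Status-Type = Start
    User-Name = "jdoe@corp.example"
    Acct-Session-Id = "a1"
    Calling-Station-Id = "00-11-22-33-44-55"

Mon Apr  1 09:12:09 2013
    Acct-Status-Type = Interim-Update
    Acct-Session-Id = "a1"
    Framed-IP-Address = 10.20.30.40

Mon Apr  1 09:40:00 2013
    Acct-Status-Type = Stop
    Acct-Session-Id = "a1"
    Acct-Terminate-Cause = User-Request

Mon Apr  1 09:41:30 2013
    Acct-Status-Type = Start
    User-Name = "asmith@corp.example"
    Acct-Session-Id = "b2"
    Calling-Station-Id = "00-aa-bb-cc-dd-ee"
    Framed-IP-Address = 10.20.30.40

Mon Apr  1 10:05:00 2013
    Acct-Status-Type = Start
    User-Name = "mallory@corp.example"
    Acct-Session-Id = "c3"
    Calling-Station-Id = "00-de-ad-be-ef-00"
    Framed-IP-Address = 10.20.30.40
"""

# Real detail files indent with a tab; any leading whitespace is accepted here.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_detail(text):
    """Return [(timestamp, {attr: value}), ...], one tuple per record."""
    records = []
    for chunk in text.strip().split("\n\n"):
        lines = chunk.splitlines()
        # Header is the server's write time in ctime layout (day space-padded).
        ts = datetime.strptime(lines[0].strip(), "%a %b %d %H:%M:%S %Y")
        attrs = {m.group(1): m.group(2) for m in map(ATTR_RE.match, lines[1:]) if m}
        records.append((ts, attrs))
    return records


@dataclass
class Session:
    session_id: str
    user: str
    mac: str
    start: datetime
    ip: Optional[str] = None
    end: Optional[datetime] = None


def build_sessions(records):
    """Fold Start/Interim-Update/Stop records into one Session per Acct-Session-Id."""
    sessions = {}
    for ts, a in sorted(records, key=lambda r: r[0]):
        sid, status = a.get("Acct-Session-Id"), a.get("Acct-Status-Type")
        if status == "Start" and sid:
            sessions[sid] = Session(sid, a.get("User-Name", "?"),
                                    a.get("Calling-Station-Id", "?"),
                                    ts, a.get("Framed-IP-Address"))
        elif sid in sessions:  # a Stop/Interim whose Start was never seen is skipped
            s = sessions[sid]
            if s.ip is None and a.get("Framed-IP-Address"):
                s.ip = a["Framed-IP-Address"]  # IP often arrives only after DHCP
            if status == "Stop":
                s.end = ts
    return list(sessions.values())


def who_had_ip(sessions, ip, at):
    """Users whose session held `ip` at `at`; an open session counts as live."""
    return sorted(s.user for s in sessions
                  if s.ip == ip and s.start <= at and (s.end is None or at < s.end))


def overlapping_ip_sessions(sessions):
    """(ip, earlier_sid, later_sid) for two sessions claiming one IP at the same
    time: either the NAS never sent a Stop, or two stations share an address."""
    by_ip = defaultdict(list)
    for s in sessions:
        if s.ip:
            by_ip[s.ip].append(s)
    pairs = []
    for ip, group in by_ip.items():
        group.sort(key=lambda s: s.start)
        for i, a in enumerate(group):
            pairs += [(ip, a.session_id, b.session_id) for b in group[i + 1:]
                      if a.end is None or b.start < a.end]
    return pairs
```

When the operator runs the access network, the enterprise should have the operator’s NAS proxy accounting to the enterprise RADIUS server so these records stay under enterprise control; the record header is the server’s write time, so where the NAS sends Event-Timestamp that attribute is the better clock to use.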

How does this help Enterprise IT with the BYOD problem? 

  • It levels the playing field by keeping all mobile devices (laptop, tablet, or smartphone) on the outside of the Data Center(s) such that the BYOD problem space becomes a Mobile IT issue along with all company issued mobile devices.
  • IT has to solve for secure data and access, once, for all classes of devices.
  • Mobile devices behave consistently at work, home, or coffee shop.

For enterprise architects, consider extending this strategy to the wired network and desktop computers. It also mitigates the concern of security staff about an attacker, or an employee with an unmanaged machine, plugging directly into an enterprise Ethernet jack.

Recommendation to Enterprise IT professionals (As a former Enterprise Infrastructure Architect for a global brand)

1. Move the trust boundary for Wi-Fi closer to the enterprise Data Center(s) with a long-term solution that can address the performance and capacity needs of your organization. A variety of technologies can move the trust boundary (contact me if you are interested in my candidates).

The opportunities exist for mobile operators to help address enterprise BYOD and mobility challenges for enterprise IT departments and cultivate value-added services beyond coverage and capacity in the Enterprise space — built upon strong customer relationships, and a proven technical foundation. Positive mindshare and perceptions in the eyes of the enterprise buyers will create invitations to future opportunities.

A new and more important role is emerging for mobile operators, where enterprise mobility and value-added IP services are part of the ‘package.’ Mobile is the heartbeat of any organization, and wireless is the digital oxygen that our devices breathe at home and on the road.

Innovation in mobile, and the increasing need for IT to deliver against more mobile requirements while reducing cost and complexity and moving items from the Capex side to the Opex side of the budget, is blurring the lines between mobile and Enterprise networks, and creating value on both sides.

– Art King, SpiderCloud Wireless, Director of Enterprise Services & Technologies

Twitter: @EMobilityInside
Visit our Enterprise IT site @ http://SpiderCloud.com/EInsider


Blurring the Lines of Networks (Enterprise & Mobile)

March 25, 2013

There is an opportunity to adapt to the wholesale changes in the enterprise environment brought on by the increasing capabilities of mobile network infrastructure and devices.

But first, some context:

  • Comment by Banking CIO: “I would buy Wireless LAN from a 3rd party and be comfortable because we don’t extend trust to networks.”
  • Comment by Telecom Security CTO: “The perimeter security model is broken due to how it evolved. Enterprises must focus on selective protection of important business computing platforms.”
  • “For three in four IT security professionals, bring your own device (BYOD) is one of the greatest inhibitors to effective cloud security”. Article: Is BYOD the cloud evangelist’s worst nightmare?

There are two main themes that this surfaces:

  • The notion of trusted networks that end user devices connect to is no longer valid.
  • Strategies that rely on precision control of end user devices and networks have been defeated by the end user community.

While application developers, network security, and data center operations teams adapt to this new world in which they have lost control of their internal customers’ devices, there is an opportunity for the CIO to blur the lines between traditional IT and service providers, and to benefit both financially and operationally.

To set the stage, imagine in the drawing below that the trust boundary is moved towards the data center(s), and that internal private networks are treated like public networks, but with richer features and additional control.

With this approach, the infrastructure is open to acquiring network services from mobile operators without the level of security concern that existed in the past. This can transform innovation economics in the enterprise: it removes the need for capital funding for every activity on the network, and allows fully operationalized services to be acquired as an incremental cost on the monthly device bill instead of through the traditional buy/build/run model in which the enterprise is wholly responsible for the service. As IT staff dollars and capital requests for infrastructure are struck from the budget in favor of business software improvements, positioning the infrastructure to easily adopt services that blur the lines between the enterprise and its trusted service providers becomes more important than ever.

How does this help Enterprise IT with the BYOD problem?
It levels the playing field by keeping all devices on the outside of the Data Center(s), so that the BYOD problem space becomes a Mobile IT issue alongside all company-issued mobile devices. IT has to solve for secure data and access once, for all classes of devices. For cloud computing, the data center(s) can securely federate the cloud back-end infrastructure, and the Mobile IT access strategy must accommodate the front-end access method. A solid strategy will protect device-resident enterprise data and access, so that mobile devices are not a jump-off point for breaking into the enterprise from a remote point on the globe.

Recommendation to Enterprise IT Professionals (As a former Enterprise Infrastructure Architect for a global brand)
Consider positioning the IT architecture so when the compelling services are offered to the CIO by service providers, IT can “blur the lines” between infrastructures with less resistance than the current trust boundaries.


– Art King, SpiderCloud Wireless, Director of Enterprise Services & Technologies
