Mobile Security in the Office or at Home
In August 2016, Navin Shenoy at Intel’s Client Computing Group (CCG) predicted that – “…the average household has ten connected devices. This will explode to 50 [devices per household] by 2020.” According to Juniper Research, as of 2021 we have more than 46 billion devices, a 200% increase since 2016, curiously coinciding with the rapid adoption of the Bring-Your-Own-Device (BYOD) enterprise policies.
This growing prevalence of BYOD policies at work presents an important question - how do companies secure the influx of personal devices entering the workplace or when working from home? This includes employee laptops, mobile phones, tablets, smart speakers, wearables, and Internet-of-Things (IoT) devices distributed throughout the office or at home.
Your IT admins have two crucial tools in their arsenal - mobile device management (MDM) software and 802.1X remote authentication dial-in user service (RADIUS) networking. MDM enables mobile device orchestration and monitoring, while the RADIUS allows seamless connectivity and network traffic encryption on corporate local area networks (LANs) and wireless local area networks (WLANs).
Let’s explore how you can apply the best practices from these technologies to improve mobile device security in the workplace.
Mobile Device Management
MDM involves overseeing computing devices that are not permanently installed at a desk but instead move around with employees to enable mobile working.
While this improves workforce flexibility and agility, these mobile endpoints pose security risks, acting as an easy entry gate for attackers. An unsecured mobile phone left on the subway, a laptop with unencrypted hard drive contents - sensitive data can be lost in moments, leading to data breaches.
This is where an MDM solution can create an administrative policy that governs device capabilities on both iOS and Android devices. It could enforce setting passwords, defining password complexity rules, limiting application installations, blocking network connectivity on open Wi-Fi networks, or erasing the device contents with a remote command. It’s similar to Group Policy on Windows OS devices and Apple Configurator 2 on macOS.
Let’s use our previous example of the unsecured mobile phone left on a subway. When MDM enforces password setting on personal devices through admin policy. The IT department can be alerted if the user chooses not to create a password. This would prevent unauthorized access, with remote access to GPS location data enabling device tracking when lost.
Laptops present more significant risks as unencrypted hard drive contents can be easily copied and shared. A laptop MDM policy could enforce BitLocker on Windows or FileVault on macOS, a form of full-disk encryption (FDE) where a password can decrypt the disk contents on boot by performing a handshake with a trusted platform module (TPM). As a result, any encrypted content on the hard drive is inaccessible to attackers, making the laptop nothing more than an electronic paperweight.
It is clear from these examples that MDM software tools act as a connecting layer to the device itself. IT administrators can easily control device settings remotely, track device locations using GPS, disable devices entirely if an employee reports it as missing, and control what is permitted to install or run on the device.
With hundreds of devices distributed across the workforce, mobile device management is an essential tool for IT administrators when performing IT asset management (ITAM) workflows.
802.1X RADIUS Enterprise Networking
The remote authentication dial-in user service (RADIUS) networking protocol allows users to dial into an enterprise LAN or WLAN by remotely authenticating with a network access server (NAS). This process itself is automatic - users enter the network signal catchment area, their device authenticates, logs in, and is granted full access to the enterprise LAN or WLAN.
However, the premise of automated network authentication may sound worrisome. Can unauthorized devices automatically connect to our network? Simply put, no. RADIUS uses multiple “handshake” stages to verify the identity of the connecting device, username, and password credentials and prevent packet spoofing in transit.
Here’s how it works:
First, the user device tries to authenticate with the NAS using a username and password.
When the user sends an access request, the NAS cross-references the device MAC address, IMEI number, or other identifiable fields in a central asset registry. If the device is not in the asset registry, the request is ignored. Otherwise, the RADIUS authentication continues. This step prevents any device with a username or password from connecting to a RADIUS network.
Next, RADIUS checks the client’s authentication method. Your IT administrators can choose which authentication method to use.
Password Authentication Protocol (PAP) is the least secure as it uses the legacy MD5 hashing algorithm, easily crackable by attackers.
Extensible Authentication Protocol-Tunneled Transport Layer Security-Password Authentication Protocol (EAP-TTLS-PAP) is the most popular method, adding another layer to PAP through TLS encryption (much like HTTPS on a webpage) to improve security.
Extensible Authentication Protocol Transport Layer Security (EAP-TLS) is a zero-trust RADIUS authentication method that uses client certificates from a central NAS certificate authority (CA) for authenticating devices. However, this method may come with a more significant administrative burden.
Next RADIUS will match user credentials to entries in the user database and check for access policies or account profiles associated with the user account. If no matching policies are found, or the policy forbids access to the user account, an Access-Reject message is sent to the client. Otherwise, another Access-Accept message is sent containing a shared secret value, and a Filter ID attribute which is used to compartmentalize devices on the RADIUS network.
The shared secret value must match on both the NAS server, and the client device. If the shared secret value matches, the device can then read the filter ID attribute to assign and connect itself to a RADIUS group. Now, the device is fully connected.
In short, RADIUS acts as an obfuscation layer, much like the reverse proxy Cloudflare that prevents Distributed-Denial-of-Service (DDOS) attacks. The computer connects to the access point (AP) and the AP connects to a RADIUS client. Only the RADIUS client has access to the actual LAN or WLAN and sits in the middle to check packets sent from computers to servers.
RADIUS and MDM: A Dynamic Duo
By integrating RADIUS network authentication with mobile device management software, enterprises can easily secure and monitor their mobile device fleet in the cloud. Let’s see how by using Microsoft Azure as an example.
Microsoft Endpoint Manager is a cloud-based mobile device management and mobile application management (MAM) solution. It uses the Azure Active Directory (Azure AD) service to facilitate identity access management (IAM) for user accounts and user devices, including single-sign-on (SSO) and multi-factor authentication (MFA).
Using Windows Server 2019, enterprises can configure a Network Policy Server(NPS) to function as a RADIUS authentication server for their corporate LAN or WLAN. They can control data and server access using Group Policy Objects (GPOs) through Azure AD and reset passwords or disable user accounts for employees. Devices can be enrolled directly through Microsoft Endpoint Manager, centrally logging device IDs like IMEI or MAC addresses for the RADIUS server to use during authentication.
Additionally, IT departments can wrap RADIUS authentication requests with Azure AD MFA to add multi-factor authentication and further increase LAN/WLAN security. Finally, lost or stolen devices can be locked, erased, and removed from Azure AD to cleanse the asset registry and keep the active asset list up to date.
