In August 2016, Navin Shenoy of Intel’s Client Computing Group (CCG) predicted that “the average household has ten connected devices. This will explode to 50 [devices per household] by 2020.” According to Juniper Research, as of 2021 we have more than 46 billion devices, a 200% increase since 2016, curiously coinciding with the rapid adoption of Bring-Your-Own-Device (BYOD) enterprise policies.
This growing prevalence of BYOD policies at work presents an important question - how do companies secure the influx of personal devices entering the workplace or when working from home? This includes employee laptops, mobile phones, tablets, smart speakers, wearables, and Internet-of-Things (IoT) devices distributed throughout the office or at home.
Your IT admins have two crucial tools in their arsenal: mobile device management (MDM) software and 802.1X remote authentication dial-in user service (RADIUS) networking. MDM enables mobile device orchestration and monitoring, while RADIUS allows seamless connectivity and network traffic encryption on corporate local area networks (LANs) and wireless local area networks (WLANs).
Let’s explore how you can apply the best practices from these technologies to improve mobile device security in the workplace.
MDM involves overseeing computing devices that are not permanently installed at a desk but instead move around with employees to enable mobile working.
While this improves workforce flexibility and agility, these mobile endpoints pose security risks, acting as an easy entry gate for attackers. An unsecured mobile phone left on the subway, a laptop with unencrypted hard drive contents - sensitive data can be lost in moments, leading to data breaches.
This is where an MDM solution can create an administrative policy that governs device capabilities on both iOS and Android devices. It could enforce setting passwords, defining password complexity rules, limiting application installations, blocking network connectivity on open Wi-Fi networks, or erasing the device contents with a remote command. It’s similar to Group Policy on Windows OS devices and Apple Configurator 2 on macOS.
Let’s use our previous example of the unsecured mobile phone left on a subway. When MDM enforces password setting on personal devices through admin policy, the IT department can be alerted if the user chooses not to create a password. This prevents unauthorized access, and remote access to GPS location data enables the device to be tracked when lost.
Laptops present more significant risks as unencrypted hard drive contents can be easily copied and shared. A laptop MDM policy could enforce BitLocker on Windows or FileVault on macOS, a form of full-disk encryption (FDE) where a password can decrypt the disk contents on boot by performing a handshake with a trusted platform module (TPM). As a result, any encrypted content on the hard drive is inaccessible to attackers, making the laptop nothing more than an electronic paperweight.
It is clear from these examples that MDM software tools act as a connecting layer to the device itself. IT administrators can easily control device settings remotely, track device locations using GPS, disable devices entirely if an employee reports it as missing, and control what is permitted to install or run on the device.
With hundreds of devices distributed across the workforce, mobile device management is an essential tool for IT administrators when performing IT asset management (ITAM) workflows.
The remote authentication dial-in user service (RADIUS) networking protocol allows users to dial into an enterprise LAN or WLAN by remotely authenticating with a network access server (NAS). This process itself is automatic - users enter the network signal catchment area, their device authenticates, logs in, and is granted full access to the enterprise LAN or WLAN.
However, the premise of automated network authentication may sound worrisome. Can unauthorized devices automatically connect to our network? Simply put, no. RADIUS uses multiple “handshake” stages to verify the identity of the connecting device, username, and password credentials and prevent packet spoofing in transit.
Here’s how it works:
First, the user device tries to authenticate with the NAS using a username and password.
When the user sends an access request, the NAS cross-references the device MAC address, IMEI number, or other identifiable fields against a central asset registry. If the device is not in the asset registry, the request is ignored. Otherwise, the RADIUS authentication continues. This step prevents a device from connecting to a RADIUS network merely because it holds a valid username and password.
Next, RADIUS checks the client’s authentication method. Your IT administrators can choose which authentication method to use.
Password Authentication Protocol (PAP) is the least secure as it uses the legacy MD5 hashing algorithm, easily crackable by attackers.
Extensible Authentication Protocol-Tunneled Transport Layer Security-Password Authentication Protocol (EAP-TTLS-PAP) is the most popular method, adding another layer to PAP through TLS encryption (much like HTTPS on a webpage) to improve security.
Extensible Authentication Protocol Transport Layer Security (EAP-TLS) is a zero-trust RADIUS authentication method that uses client certificates from a central NAS certificate authority (CA) for authenticating devices. However, this method may come with a more significant administrative burden.
Next, RADIUS matches the user credentials to entries in the user database and checks for access policies or account profiles associated with the user account. If no matching policy is found, or the policy forbids access for the user account, an Access-Reject message is sent to the client. Otherwise, an Access-Accept message is sent containing a shared secret value and a Filter-ID attribute, which is used to compartmentalize devices on the RADIUS network.
The shared secret value must match on both the NAS server and the client device. If the shared secret value matches, the device can then read the Filter-ID attribute to assign and connect itself to a RADIUS group. Now the device is fully connected.
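The exchange described above, reduced to RFC 2865 packet mechanics, as an added example that is not part of the original post. It assumes a constructed shared secret and a fixed request authenticator, and shows how the NAS hides a PAP password with MD5 and the shared secret, how the server returns an Access-Accept carrying a Filter-Id attribute, and how the client validates the Response Authenticator so that a reply forged by someone without the shared secret is rejected.

```python
# Added example: RFC 2865 RADIUS packet mechanics with a constructed shared secret.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2            # packet codes
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11  # attribute types

def _pap_xor(data, secret, request_auth, hiding):
    """RFC 2865 s5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if hiding else data[i:i + 16]  # chain on the hidden block
    return out

def hide_password(password, secret, request_auth):
    return _pap_xor(password + b"\x00" * (-len(password) % 16), secret, request_auth, True)

def reveal_password(hidden, secret, request_auth):
    return _pap_xor(hidden, secret, request_auth, False).rstrip(b"\x00")

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value  # Type, Length, Value

def build_access_request(ident, username, password, secret, request_auth=None):
    request_auth = request_auth or os.urandom(16)  # fresh random authenticator per request
    body = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def build_access_accept(ident, request_auth, secret, filter_id):
    body = attr(FILTER_ID, filter_id)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(packet, request_auth, secret):
    """Client side: only a server holding the shared secret can produce this digest."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def parse_attrs(packet):
    attrs, i = {}, 20
    while i < len(packet):
        kind, length = packet[i], packet[i + 1]
        attrs[kind] = packet[i + 2:i + length]
        i += length
    return attrs
```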
In short, RADIUS acts as an obfuscation layer, much like the Cloudflare reverse proxy that mitigates Distributed Denial-of-Service (DDoS) attacks. The computer connects to the access point (AP), and the AP connects to a RADIUS client. Only the RADIUS client has access to the actual LAN or WLAN, and it sits in the middle to check packets sent from computers to servers.
By integrating RADIUS network authentication with mobile device management software, enterprises can easily secure and monitor their mobile device fleet in the cloud. Let’s see how by using Microsoft Azure as an example.
Microsoft Endpoint Manager is a cloud-based mobile device management and mobile application management (MAM) solution. It uses the Azure Active Directory (Azure AD) service to facilitate identity access management (IAM) for user accounts and user devices, including single-sign-on (SSO) and multi-factor authentication (MFA).
Using Windows Server 2019, enterprises can configure a Network Policy Server (NPS) to function as a RADIUS authentication server for their corporate LAN or WLAN. They can control data and server access using Group Policy Objects (GPOs) through Azure AD, and reset passwords or disable user accounts for employees. Devices can be enrolled directly through Microsoft Endpoint Manager, centrally logging device IDs such as IMEI or MAC addresses for the RADIUS server to use during authentication.
Additionally, IT departments can wrap RADIUS authentication requests with Azure AD MFA to add multi-factor authentication and further increase LAN/WLAN security. Finally, lost or stolen devices can be locked, erased, and removed from Azure AD to cleanse the asset registry and keep the active asset list up to date.