Designing BYOD Security Policies with Network Access Control

Throughwave Team • 5/8/2013
Tags: BYOD, NAC, security policy, network access control, MDM

Many organizations in Thailand today are facing challenges in managing security for devices that employees bring into the workplace, whether notebooks, tablets, or smartphones from various brands. Some organizations struggle with insufficient wireless LAN infrastructure, while others may face challenges in policy enforcement for personal devices. Collectively, these challenges are known as BYOD or Bring Your Own Device. This article summarizes approaches for designing BYOD security policies using Network Access Control (NAC).

1. Understanding Key Terms

Several terms come up repeatedly when discussing the security of devices used within organizations:

1.1 Network Access Control – NAC

NAC is a network security system that controls access for every client device and network element identified by a MAC address and IP address, granting different levels of usage based on each device's security posture. For example:

  • Internal organization users may have different server access privileges depending on their department, while external users cannot access any servers.
  • Client devices with required antivirus software installed and updated may have higher protocol access privileges or system access compared to devices without required software or outdated antivirus.
  • Client devices exhibiting network attack behavior or infected with viruses may have risky protocols such as FTP blocked, with notifications sent to users about virus infections and antivirus software triggered to scan and eliminate threats immediately.

Generally, NAC can inspect all client devices at the network level and includes software agents for standard client devices such as Windows, Mac, and Linux. This allows each organization to design security policies independently and enforce deep inspection at the application and process level in real time. NAC plays a critical role in securing both wired and wireless networks, enhancing overall network security while reducing the burden of multiple authentication systems.

Additionally, most NAC solutions today include built-in BYOD capabilities (some available at no additional cost, others as paid options) and can integrate with various MDM solutions.

1.2 Bring Your Own Device – BYOD

BYOD refers to situations where organizations have significant usage of personal devices within their networks. In some organizations abroad, employees may receive additional compensation when bringing their own notebooks or smartphones, reducing the need for the organization to provide these devices. However, personal devices brought into the workplace must still be configured and enforced with appropriate security measures.

In Thailand, BYOD primarily focuses on securing personal devices such as notebooks, smartphones, and tablets by limiting network access through authentication requirements and granting lower network access privileges compared to corporate-owned devices. Some organizations also classify devices by type (such as Apple iPhone, Google Android, or Microsoft Windows Phone) and assign different access levels accordingly, or may prohibit high-risk device types entirely.

1.3 Mobile Device Management – MDM

MDM refers to the practice of deeply controlling smartphones and tablets, such as inspecting installed and running applications, detecting jailbreaking or rooting, prohibiting certain software types, checking device locations, enforcing secure device configuration, and enforcing deletion of critical organizational data. MDM typically incurs per-device licensing costs and can control devices through public internet or 3G networks. MDM is particularly suitable for managing corporate-owned smartphones and tablets distributed to employees. Applying MDM to personal devices requires the organization to pay licensing fees for each personal device used, with costs increasing as employees add or replace devices without notifying administrators.

2. Security Policy Options for BYOD

Each organization has different security requirements. The following examples illustrate common approaches:

2.1 General BYOD Security Policy

For general BYOD security, the approach includes:

  • Corporate PC/Notebook – High-level security with NAC and agent installation, granting access to organizational systems according to department and external internet access after authentication.
  • Personal Notebook – Network-level security with NAC, optionally with temporary agent installation for deep inspection, granting access to basic organizational systems and external internet after authentication, such as email, internal websites, or chat systems.
  • Corporate Smartphone/Tablet – Security with NAC and MDM agent for deep inspection and control, granting access to organizational systems according to department after authentication.
  • Personal Smartphone/Tablet – Network-level security with NAC, granting access to basic organizational systems and external internet after authentication, such as email, internal websites, or chat systems.

Advantages

  • High system security by initially limiting personal device privileges.
  • Easy for employees to understand that personal devices cannot access critical organizational data, with no MDM software intruding on personal privacy.
  • Cost-effective with NAC infrastructure costs and MDM licensing only for corporate assets.

Disadvantages

  • Employees cannot use personal devices at full productivity capacity.

2.2 Strict BYOD Security Policy

For strict BYOD security, the approach includes:

  • Corporate PC/Notebook – High-level security with NAC and agent installation, granting access to organizational systems according to department and external internet access after authentication.
  • Personal Notebook – High security with NAC, enforcing temporary agent installation for deep inspection or prohibiting personal notebook usage entirely, granting access to basic organizational systems, some departmental systems, and external internet after authentication, such as email, internal websites, or chat systems.
  • Corporate Smartphone/Tablet – Security with NAC and MDM agent for deep inspection and control, granting access to organizational systems according to department after authentication.
  • Personal Smartphone/Tablet – Security with NAC and MDM agent for deep inspection and control, granting access to basic organizational systems, some departmental systems according to department, and external internet after authentication, such as email, internal websites, or chat systems.

Advantages

  • Very high system security with rigorous device inspection and access control based on device ownership.
  • Employees can use personal devices at higher productivity levels.

Disadvantages

  • High costs as organizations must pay MDM agent licensing for each personal device employees bring, with increasing costs as employees add or replace devices without notifying administrators.
  • Complex operations as administrators bear additional burden of troubleshooting highly diverse personal devices, including adding and removing personal devices from the system.
  • Reduced privacy as personal devices must install MDM software that enforces and limits software usage on personal devices.
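The two policy variants above, together with the posture-based adjustments from section 1.1, can be written down as a small NAC policy evaluator. This is an added example and not code from the article or from any NAC product; the device attributes, the tier names, and the one-step downgrade for outdated antivirus are assumptions chosen to illustrate the matrices.

```python
# Added example (not from the original article): a NAC policy evaluator
# encoding the "general" (2.1) and "strict" (2.2) BYOD tiers plus the
# posture rules from 1.1. Tier names, device fields and the one-step
# antivirus downgrade are assumptions made for this illustration.
from dataclasses import dataclass, field
from enum import IntEnum


class Tier(IntEnum):
    NONE = 0        # not authenticated, or personal device prohibited
    BASIC = 1       # email, internal websites, chat, external internet
    PARTIAL = 2     # BASIC plus some departmental systems
    DEPARTMENT = 3  # organizational systems according to department


@dataclass
class Device:
    corporate: bool          # corporate-owned (True) or personal/BYOD (False)
    authenticated: bool      # passed NAC authentication
    agent: bool              # NAC agent (notebook) or MDM agent (smartphone/tablet)
    antivirus_current: bool  # required antivirus installed and up to date
    attacking: bool          # attack behaviour or infection observed on the network


@dataclass
class Decision:
    tier: Tier
    blocked_protocols: set[str] = field(default_factory=set)
    notify_user: bool = False


def evaluate(dev: Device, strict: bool = False) -> Decision:
    """Return the access tier and restrictions NAC should apply to a device."""
    if not dev.authenticated:
        return Decision(Tier.NONE)
    if dev.corporate:
        # Corporate assets get departmental access only when the agent
        # is present for deep inspection; otherwise basic systems only.
        tier = Tier.DEPARTMENT if dev.agent else Tier.BASIC
    elif strict:
        # 2.2: personal devices must accept the agent (basic + some
        # departmental systems) or are kept off the network entirely.
        tier = Tier.PARTIAL if dev.agent else Tier.NONE
    else:
        # 2.1: personal devices get basic systems only, no agent required.
        tier = Tier.BASIC
    # 1.1: an agent-inspected device with outdated antivirus loses one tier.
    if dev.agent and not dev.antivirus_current and tier > Tier.BASIC:
        tier = Tier(tier - 1)
    decision = Decision(tier)
    # 1.1: attacking or infected devices have risky protocols such as FTP
    # blocked and the user is notified so antivirus can scan immediately.
    if dev.attacking:
        decision.blocked_protocols.add("ftp")
        decision.notify_user = True
    return decision
```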

3. Summary

Each organization should weigh security requirements, operational burdens, and costs appropriately to their needs and select security policies that match their requirements.

For organizations interested in BYOD and MDM solutions, Throughwave Thailand Co., Ltd. offers ForeScout's Automated Security Control solution, which provides NAC, BYOD, and MDM capabilities simultaneously, including PC management, network monitoring, inventory management, and network threat detection and prevention (IPS and Advanced Threat Prevention). Contact info@throughwave.co.th or call +66 2-210-0969 for more information and to schedule a system demonstration.


Source: https://www.throughwave.co.th
