I’ve found myself in this conversation a few times recently, about what determines that a device on the network is “unapproved.” The fact is, the only unapproved devices on your network are those that defeated your security measures to get on it. If you build the network correctly, then you have lists of monitored and unmonitored devices, but no unapproved ones.
The issue at hand is how to identify and account for your monitored and unmonitored devices. With that accomplished, it’s much easier to spot an anomaly that could lead to a breach.
Security begins with segmentation.
The first step in security is to segment your critical systems away from those that aren’t. While smartphones are convenient, they are rarely critical in the way workstations and servers are; they simply provide a convenient means to reach out to critical systems for information, such as email. Therefore, in most organizations, smartphones are not (or at least not closely) monitored.
Smartphones may not be the only example of unmonitored devices, however. There’s an onslaught of IoT devices that could fall into the same category, depending on the business requirements of your network.
So how do we get to a monitored and unmonitored environment?
In every environment ControlScan protects, the operational goal is to have both monitored and unmonitored segments. We accomplish this with segmentation, both on the LAN and WLAN side. The most common areas of concern are with the WLAN and WiFi access points. To accomplish monitored and unmonitored segments within WiFi, we implement private and public SSIDs.
On the private side, we whitelist any MAC addresses that are deemed to be critical to business, and install apps on those devices that will monitor them. Devices like smartphones, where employees are simply checking their email and Facebook feeds, we force onto a “guest” network.
And here’s one very important point: If your users can share the password for your secure WiFi and use it for their own personal devices, then those are actually unapproved devices and a compromise of your network security.
You must have some mechanism, such as whitelisting, that requires management and/or IT approval for a device to join the network. Only then can you enforce the split between monitored and unmonitored segments, and stop unapproved devices from sitting in secure places where you can’t track them.
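The accounting step described above (whitelisted devices on the private segment, everything else on guest, and anything on the private segment that is not on the whitelist treated as unapproved) can be turned into a simple reconciliation job. The following is an added example written for this post, not ControlScan’s own tooling; it assumes an approved-device inventory keyed by MAC address and DHCP lease records tagged with the segment they were issued on. Both inputs are constructed sample data.

```python
"""
Reconcile devices seen on the network against the approved-device whitelist.

Added example (not ControlScan's code). Assumptions:
  - APPROVED is the management/IT-approved inventory for the private segment
  - LEASES are DHCP lease log lines in the form "<timestamp> <mac> <ip> <segment>"
All MACs below are locally-administered test values, constructed for this example.
"""
from dataclasses import dataclass

# Constructed whitelist: devices approved to join the private (monitored) segment.
APPROVED = {
    "02:00:00:aa:bb:01": {"owner": "pos-terminal-1", "approved_by": "it"},
    "02:00:00:aa:bb:02": {"owner": "file-server",    "approved_by": "it"},
    "02:00:00:aa:bb:03": {"owner": "cfo-laptop",     "approved_by": "mgmt"},
}

# Segments whose devices we expect to be under monitoring.
MONITORED_SEGMENTS = {"private"}

# Constructed DHCP lease records.  The last line is a device on the private
# segment that is not in the whitelist, i.e. the "unapproved" case.
LEASES = """\
2024-05-01T08:00:01 02:00:00:aa:bb:01 10.10.1.21 private
2024-05-01T08:00:05 02:00:00:aa:bb:02 10.10.1.22 private
2024-05-01T08:03:10 02:00:00:cc:dd:44 10.20.5.101 guest
2024-05-01T08:04:42 02:00:00:cc:dd:45 10.20.5.102 guest
2024-05-01T08:07:19 02:00:00:ee:ff:99 10.10.1.77 private
"""


@dataclass(frozen=True)
class Lease:
    ts: str
    mac: str
    ip: str
    segment: str


def parse_leases(text):
    """Parse lease log lines into Lease records; MACs are normalised to lowercase."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, ip, segment = line.split()
        leases.append(Lease(ts, mac.lower(), ip, segment))
    return leases


def classify(leases, approved, monitored_segments=MONITORED_SEGMENTS):
    """Bucket every lease as monitored, unmonitored, or unapproved.

    monitored   : on a monitored segment AND on the whitelist
    unmonitored : on a non-monitored (guest) segment, by design
    unapproved  : on a monitored segment WITHOUT being on the whitelist
    """
    result = {"monitored": [], "unmonitored": [], "unapproved": []}
    for lease in leases:
        if lease.segment in monitored_segments:
            bucket = "monitored" if lease.mac in approved else "unapproved"
        else:
            bucket = "unmonitored"
        result[bucket].append(lease)
    return result


def missing_from_network(leases, approved):
    """Approved MACs that never showed up: stale inventory or an offline device."""
    seen = {lease.mac for lease in leases}
    return set(approved) - seen


def report(result, missing):
    """Human-readable summary; unapproved devices are the alerts worth paging on."""
    lines = []
    for lease in result["unapproved"]:
        lines.append(f"ALERT unapproved device on {lease.segment}: "
                     f"{lease.mac} {lease.ip} first seen {lease.ts}")
    lines.append(f"monitored={len(result['monitored'])} "
                 f"unmonitored={len(result['unmonitored'])} "
                 f"unapproved={len(result['unapproved'])}")
    for mac in sorted(missing):
        lines.append(f"NOTE approved but not seen: {mac} ({APPROVED[mac]['owner']})")
    return lines


if __name__ == "__main__":
    parsed = parse_leases(LEASES)
    for line in report(classify(parsed, APPROVED), missing_from_network(parsed, APPROVED)):
        print(line)
```

Run against the sample data, the job flags `02:00:00:ee:ff:99` as unapproved on the private segment, counts the two guest devices as unmonitored rather than as a problem, and notes that the approved `cfo-laptop` was not seen at all. That last bucket matters as much as the first: a whitelist that is never reconciled against what is actually on the wire drifts into a list of devices nobody has seen in months. Note also that a MAC address is an inventory handle, not a credential; the whitelist tells you which devices management approved, and the monitoring agents installed on those devices are what tell you they are behaving.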
Cyber criminals are very sophisticated and organized. When you set up your network, you should think like they do. Don’t let improper segmentation give them a back door.