Creating Trusted Guest Internet Identity Management for Mobile Business Tom S. Hope May 18, 2005 - PowerPoint PPT Presentation

Slides: 21
Provided by: sesamen
Transcript and Presenter's Notes

1
Creating Trusted Guest Internet Identity
Management for Mobile Business
Tom S. Hope
May 18, 2005
2
Business Needs to Connect Where Business Meets
Your partners and you need to know
  • How quickly your off-shore manufacturing partner
    can ramp?
  • Does the drop in Yen improve or hurt the business?
  • What are your shipping options by date and rate?
  • Development schedules for each of your component
    vendors?
And the answers don't reside on your LAN but you
still need to know
3
Mobile Internet is Both Wireless and Broadband
Business Wi-Fi
Hotspots
Low Bandwidth Cellular
Low Bandwidth Dial Up
70 million notebooks, tablets, PDAs and hybrid
Wi-Fi cell phones all driving change
4
Typical Business's Guest Internet Access
Requirements
  • Fairly unrestricted access to the Internet
  • Service is needed between 6AM and 10PM on
    weekdays
  • Outbound access only, ingress traffic can be
    blocked or controlled
  • Need wired and wireless connectivity
  • Self serve and simple to administer
  • Available at all meeting rooms
  • Access to some resources if appropriate
  • Cost effective and agnostic

5
You Have An Obligation to Know
  • Who is on your network?
  • What they are doing?
  • Are they putting your company at risk?

6
Add Legal Risks and Requirements
  • Specific risks due to liabilities from abuse or
    risk to enterprise's reputation.
      • All access should be limited to need
      • All users should be able to be identified from
        log files or user IDs (Who / What / Where) if
        there is a reason to find this information
        (i.e. accusation or lawsuit), and all logs must
        be retained for 90 days (Sarbanes-Oxley issues)
      • Restrictions/Controls on direction of traffic
        (outgoing only)
  • Mitigation
      • Legal Agreement accepted by all guests
      • Association of WHO has physical access to
        environment via site security process
      • Outgoing access limited to business need.
      • Network Controls exist (No access until legal
        agreement is accepted)

7
Do Not Compromise your Brand!
8
Add IT Security Risks and Requirements
  • General Risks
      • Unmanaged systems present a risk to business
        intranet
      • More often infected by worms or compromised by
        Trojans.
      • More often they tend not to be properly patched.
  • Mitigation
      • Accomplished by limiting communication to/from
        these systems.
      • Outgoing access to Internet must be restricted to
        business need and to non-blacklisted protocols.
      • Visitors on-site must be protected from intranet
      • Intranet business resources must be protected
        from visitors

9
Productivity vs. Legal and Security: The Conundrum
  • How can enterprises give free but controlled
    guest internet access?
  • Yet provide this access without impacting network
    security, exposing the brand or creating other
    legal risks?

10
A Tough Nut To Crack
Broadband wireless connectivity changes
everything! IT now has a prime directive to
secure the brand.
11
Wi-Fi Security Model
  • Internal Security Model
      • Secure the channel
      • Separate network traffic
      • Protect each packet
      • Authenticate the individual
  • Security Model for Guest Access
      • Permit unplanned, but authenticated access
      • Simple to administer
      • Low cost
      • Complements existing methods for securing
        employees

12
What is Needed for Visitors?
  • Instantly available, self-serve, and traceable ID
  • Single simultaneous login per session
  • Only one physical device (MAC) address permitted
    per IP address
  • Session automatically terminated when device
    removed
  • Periodic re-authentication
  • Each session tracked by MAC, IP address, and
    Traceable ID
  • Complete session detail records maintained in
    case of inquiry
  • Low cost approach that doesn't dictate changes to
    LAN infrastructure or drive IT costs

Access with Accountability
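
The visitor session rules on this slide, together with the accept-agreement-first and 90-day retention controls from the legal slide, sketched as an added example that is not part of the original presentation or of any vendor's product. The class, event names, one-hour re-authentication interval and sample addresses are assumptions.

```python
from dataclasses import dataclass, field

REAUTH_SECS = 3600             # assumed re-authentication interval (not from the slides)
RETENTION_SECS = 90 * 86400    # 90-day log retention, from the legal-requirements slide

@dataclass
class GuestGateway:            # hypothetical name, illustration only
    sessions: dict = field(default_factory=dict)  # traceable ID -> [mac, ip, last_auth]
    records: list = field(default_factory=list)   # session detail records

    def _log(self, now, event, gid, mac, ip):
        self.records.append({"ts": now, "event": event, "id": gid, "mac": mac, "ip": ip})
        return event

    def login(self, now, gid, mac, ip, accepted_terms):
        if not accepted_terms:                    # no access until agreement accepted
            return self._log(now, "deny:no-agreement", gid, mac, ip)
        if gid in self.sessions:                  # single simultaneous login per ID
            return self._log(now, "deny:id-in-use", gid, mac, ip)
        if any(s[0] == mac or s[1] == ip for s in self.sessions.values()):
            return self._log(now, "deny:address-in-use", gid, mac, ip)
        self.sessions[gid] = [mac, ip, now]
        return self._log(now, "login", gid, mac, ip)

    def end(self, now, gid, reason):              # also called when the device is removed
        mac, ip, _ = self.sessions.pop(gid)
        return self._log(now, "logout:" + reason, gid, mac, ip)

    def check_packet(self, now, mac, ip):
        for gid, (s_mac, s_ip, last) in list(self.sessions.items()):
            if s_ip != ip:
                continue
            if s_mac != mac:                      # only one MAC permitted per IP
                return self._log(now, "deny:mac-mismatch", gid, mac, ip)
            if now - last > REAUTH_SECS:          # periodic re-authentication lapsed
                return self.end(now, gid, "reauth-expired")
            return "allow"
        return "deny:no-session"

    def purge(self, now):                         # drop records past the retention window
        self.records = [r for r in self.records if now - r["ts"] <= RETENTION_SECS]
        return len(self.records)

def demo():
    gw = GuestGateway()                           # constructed sample events below
    return [gw.login(0, "G-1001", "aa:bb:cc:00:00:01", "10.9.0.5", True),
            gw.login(5, "G-1001", "aa:bb:cc:00:00:02", "10.9.0.6", True),
            gw.check_packet(10, "aa:bb:cc:00:00:09", "10.9.0.5"),
            gw.check_packet(20, "aa:bb:cc:00:00:01", "10.9.0.5"),
            gw.check_packet(4000, "aa:bb:cc:00:00:01", "10.9.0.5")]
```

Every decision, including denials, lands in `records` keyed by MAC, IP address and traceable ID, which is what makes a later inquiry answerable.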
13
Third Party Identity Management Solution
Traceable Identity Management provides the
Security Perimeter for the location that grants
access
14
Identity Management Technology
Identity Management Technology unlocks wireless
broadband for mobile enterprise
15
A major consulting firm
Case Study
  • Many permanent consultants per site
  • Multiple meetings that included
      • Clients
      • Visiting employees
      • Auditors visiting consultants
  • Recognized the risk involved
      • Unauthorized access to private data
      • Exposure to potential embarrassment
      • Potential legal liability

16
Case Study
  • Existing solutions were too costly or did not
    eliminate risks
  • Wireline Solutions
      • Separate wired connection
      • Guest PCs
      • Temporary Guest IDs
      • Dial up access
  • Wireless Solutions
      • Open Wi-Fi
      • AAA authenticated Wi-Fi
      • Rotating WEP Keys

17
Case Study
  • 3rd Party IDM Solution
  • Access with Accountability via Self-Serve
    Traceable Identity
  • Corporate intranet isolation
  • Access is controlled and monitored
  • End user self-serve
  • IDs instantly available
  • IT overhead minimized
  • Full records and traceability
  • Access customization
  • No exposure to embarrassment or potential
    liability

18
Guest Security at the Right Cost
  • Employee
      • AAA RADIUS Server
      • VPN Protection
      • IEEE 802.1X
      • WEP/TKIP/AES
      • Complex administration
  • Guest
      • Intranet Isolation
      • Traceable Identity
      • Offsite Records
      • Selectable Policy
      • Simple administration

19
Wireless Broadband is the Future
  • Enterprises need to provide a trusted and
    controlled guest Internet access solution
  • Any solution must protect the corporation and the
    IT infrastructure
  • Limit impact in terms of IT resources and cost

Third party Identity Management is the solution
20
Thank You
  • Questions?
  • Tom Hope
  • Sesame Networks Inc
  • 613 722 9201
  • tom.hope_at_sesamenetworks.com