Title: Creating Trusted Guest Internet Identity Management for Mobile Business Tom S. Hope May 18, 2005
1 Creating Trusted Guest Internet Identity Management for Mobile Business
Tom S. Hope, May 18, 2005
2 Business Needs to Connect Where Business Meets
Your partners, and you need to know:
- How quickly can your off-shore manufacturing partner ramp?
- Does the drop in the Yen improve or hurt the business?
- What are your shipping options by date and rate?
- What are the development schedules for each of your component vendors?
And the answers don't reside on your LAN, but you still need to know.
3 Mobile Internet is Both Wireless and Broadband
- Business Wi-Fi
- Hotspots
- Low Bandwidth Cellular
- Low Bandwidth Dial Up
70 million notebooks, tablets, PDAs and hybrid Wi-Fi cell phones are all driving change.
4 Typical Business's Guest Internet Access Requirements
- Fairly unrestricted access to the Internet
- Service is needed between 6AM and 10PM on weekdays
- Outbound access only; ingress traffic can be blocked or controlled
- Need wired and wireless connectivity
- Self serve and simple to administer
- Available at all meeting rooms
- Access to some resources if appropriate
- Cost effective and agnostic
5 You Have An Obligation to Know
- Who is on your network?
- What they are doing?
- Are they putting your company at risk?
6 Add Legal Risks and Requirements
- Specific risks due to liabilities from abuse or risk to the enterprise's reputation
  - All access should be limited to need
  - All users should be able to be identified from logfiles or userids (who / what / where) if there is a reason to find this information (i.e. an accusation or lawsuit), and all logs must be retained for 90 days (Sarbanes-Oxley issues)
  - Restrictions/controls on direction of traffic (outgoing only)
- Mitigation
  - Legal agreement accepted by all guests
  - Association of who has physical access to the environment via the site security process
  - Outgoing access limited to business need
  - Network controls exist (no access until the legal agreement is accepted)
7 Do Not Compromise your Brand!
8 Add IT Security Risks and Requirements
- General Risks
  - Unmanaged systems present a risk to the business intranet
  - More often infected by worms or compromised by Trojans
  - More often they tend not to be properly patched
- Mitigation
  - Accomplished by limiting communication to and from these systems
  - Outgoing access to the Internet must be restricted to business need and to non-blacklisted protocols
  - Visitors on-site must be protected from the intranet
  - Intranet business resources must be protected from visitors
9 Productivity vs. Legal and Security: The Conundrum
- How can enterprises give free but controlled guest Internet access?
- Yet provide this access without impacting network security, exposing the brand or creating other legal risks?
10 A Tough Nut To Crack
Broadband wireless connectivity changes everything! IT now has a prime directive to secure the brand.
11 Wi-Fi Security Model
- Internal Security Model
  - Secure the channel
  - Separate network traffic
  - Protect each packet
  - Authenticate the individual
- Security Model for Guest Access
  - Permit unplanned, but authenticated access
  - Simple to administer
  - Low cost
  - Complements existing methods for securing employees
12 What is Needed for Visitors?
- Instantly available, self-serve, and traceable ID
- Single simultaneous login per session
- Only one physical device (MAC) address permitted per IP address
- Session automatically terminated when the device is removed
- Periodic re-authentication
- Each session tracked by MAC, IP address, and traceable ID
- Complete session detail records maintained in case of inquiry
- Low cost approach that doesn't dictate changes to LAN infrastructure or drive IT costs
Access with Accountability
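The visitor requirements on this slide, written out as a small session policy checker: one login per traceable ID, one MAC per IP, forced periodic re-authentication, session end when the device leaves, and a session detail record kept for inquiry. This is an added example, not Sesame Networks' code; the re-authentication interval and the sample IDs, MACs and addresses are assumed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

REAUTH_INTERVAL = 4 * 3600  # forced re-auth interval in seconds (assumed; slide only says "periodic")

@dataclass
class Session:
    # Session detail record: who (traceable ID), which device (MAC), which IP, and when it started, last re-authed and ended.
    traceable_id: str
    mac: str
    ip: str
    started: int
    last_auth: int
    ended: Optional[int] = None

class GuestGateway:
    def __init__(self) -> None:
        self.active: Dict[str, Session] = {}  # live sessions keyed by MAC
        self.records: List[Session] = []      # every session, kept for later inquiry

    def login(self, traceable_id: str, mac: str, ip: str, now: int) -> bool:
        """Admit a device only if every rule holds; returns False on refusal."""
        if mac in self.active:
            return False  # device already has a live session
        for s in self.active.values():
            if s.traceable_id == traceable_id:
                return False  # single simultaneous login per traceable ID
            if s.ip == ip:
                return False  # only one MAC permitted per IP address
        session = Session(traceable_id, mac, ip, now, now)
        self.active[mac] = session
        self.records.append(session)
        return True

    def allow(self, mac: str, now: int) -> bool:
        """Forward traffic only for a live session whose re-auth is not overdue."""
        s = self.active.get(mac)
        return s is not None and now - s.last_auth < REAUTH_INTERVAL

    def reauth(self, mac: str, now: int) -> bool:
        s = self.active.get(mac)  # periodic re-authentication restarts the interval
        if s is None:
            return False
        s.last_auth = now
        return True

    def device_removed(self, mac: str, now: int) -> None:
        s = self.active.pop(mac, None)  # device left: end the session, keep its record
        if s is not None:
            s.ended = now
```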
13 Third Party Identity Management Solution
Traceable Identity Management provides the security perimeter for the location that grants access.
14 Identity Management Technology
Identity Management Technology unlocks wireless broadband for the mobile enterprise.
15 Case Study: A Major Consulting Firm
- Many permanent consultants per site
- Multiple meetings that included
  - Clients
  - Visiting employees
  - Auditors visiting consultants
- Recognized the risk involved
  - Unauthorized access to private data
  - Exposure to potential embarrassment
  - Potential legal liability
16 Case Study
- Existing solutions were too costly or did not eliminate risks
- Wireline Solutions
  - Separate wired connection
  - Guest PCs
  - Temporary Guest IDs
  - Dial up access
- Wireless Solutions
  - Open Wi-Fi
  - AAA authenticated Wi-Fi
  - Rotating WEP Keys
17 Case Study
- 3rd Party IDM Solution
  - Access with Accountability via Self-Serve Traceable Identity
  - Corporate intranet isolation
  - Access is controlled and monitored
  - End user self-serve
  - IDs instantly available
  - IT overhead minimized
  - Full records and traceability
  - Access customization
  - No exposure to embarrassment or potential liability
18 Guest Security at the Right Cost
- Employee
  - AAA RADIUS Server
  - VPN Protection
  - IEEE 802.1X
  - WEP/TKIP/AES
  - Complex administration
- Guest
  - Intranet Isolation
  - Traceable Identity
  - Offsite Records
  - Selectable Policy
  - Simple administration
19 Wireless Broadband is the Future
- Enterprises need to provide a trusted and controlled guest Internet access solution
- Any solution must protect the corporation and the IT infrastructure
- Limit impact in terms of IT resources and cost
Third party Identity Management is the solution.
20 Thank You
- Questions?
- Tom Hope
- Sesame Networks Inc
- 613 722 9201
- tom.hope_at_sesamenetworks.com