Jun 27, 2015

Is machine certificate (PKI) based authentication a good approach for allowing BYOD enrolled devices to connect to the Enterprise Network?

Is machine certificate (PKI) based authentication a good approach for allowing BYOD enrolled devices to connect to the Enterprise Network? Does that make the infrastructure more secure?
It makes the network more secure in that only machines you have pre-authorized are allowed on the network. This works fine as long as everyone is cool with going through a (potentially tedious) enrollment process to get the cert in the first place. This isn't something you could do on a network where ad-hoc connections are the norm (Starbucks, for example).

Keep in mind that this is just one measure. BYO usually means there's no security profile, nor any kind of filtering for the BYODevice. Users can bring any kind of malware they want and now you trust them.

For comprehensive security you have to add some things:
- Some lightweight device management such as prohibiting jailbroken devices, running a vulnerability scan or malware scan before devices join the network.
- Restrict BYOD devices from parts of the network that contain sensitive data.
- Prevent BYOD devices from connecting to shared storage.
- Isolate BYOD devices so they can't share files directly.
- Add geotracking so you can disallow connections from devices that aren't actually local. Or you could ban remote connections outright if that fits your organization.

So there's a lot more to it.
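As an added illustration of the first point in the answer above (this is example code written for this page, not code from the original post or from any vendor), here is a Go model of what "only machines you have pre-authorized are allowed on the network" means in certificate terms. An enrollment CA signs a certificate for each vetted device; the network access server (in practice the RADIUS server behind EAP-TLS/802.1X) then admits a device only if the certificate it presents chains to that CA, is inside its validity dates, carries the client-authentication usage, and has not been revoked. The CA name, the device names and the in-memory revocation map are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked is returned when a device certificate is on the revocation list.
var ErrRevoked = errors.New("device certificate has been revoked")

// Enrollment is a constructed toy model of the enterprise BYOD PKI: the CA
// that signs device certificates at enrollment and the serials it has revoked.
type Enrollment struct {
	caKey   ed25519.PrivateKey
	CACert  *x509.Certificate
	revoked map[string]bool // certificate serial (decimal string) -> revoked
}

// signAndParse signs tmpl under parent with priv and returns the parsed result.
func signAndParse(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, priv ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewEnrollment creates a self-signed enterprise CA valid for ten years from now.
func NewEnrollment(now time.Time) (*Enrollment, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp BYOD CA"}, // assumed name
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := signAndParse(tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return &Enrollment{caKey: priv, CACert: cert, revoked: map[string]bool{}}, nil
}

// deviceTemplate is a one-year certificate usable only for client authentication.
func deviceTemplate(deviceID string, serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    now,
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// IssueDeviceCert is the enrollment step: once vetted, the device gets a
// certificate signed by the enterprise CA (its private key stays on the device).
func (e *Enrollment) IssueDeviceCert(deviceID string, serial int64, now time.Time) (*x509.Certificate, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return signAndParse(deviceTemplate(deviceID, serial, now), e.CACert, pub, e.caKey)
}

// SelfSignedCert models an unenrolled device presenting a certificate it minted
// itself: identical fields, but not signed by the enterprise CA.
func SelfSignedCert(deviceID string, now time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := deviceTemplate(deviceID, 1, now)
	return signAndParse(tmpl, tmpl, pub, priv)
}

// Revoke lists a certificate (lost or decommissioned device) so it is refused
// even though its signature and dates are still valid.
func (e *Enrollment) Revoke(cert *x509.Certificate) {
	e.revoked[cert.SerialNumber.String()] = true
}

// Authorize is the network access server's decision: the presented certificate
// must chain to the enterprise CA, be valid at now, carry the client-auth
// usage, and not be revoked.
func (e *Enrollment) Authorize(cert *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(e.CACert)
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("reject %q: %w", cert.Subject.CommonName, err)
	}
	if e.revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("reject %q: %w", cert.Subject.CommonName, ErrRevoked)
	}
	return nil
}

func main() {
	now := time.Date(2015, 6, 27, 12, 0, 0, 0, time.UTC)
	pki, _ := NewEnrollment(now)
	enrolled, _ := pki.IssueDeviceCert("alice-laptop", 1001, now)
	rogue, _ := SelfSignedCert("unknown-phone", now)
	fmt.Println("enrolled:", pki.Authorize(enrolled, now), "| self-signed:", pki.Authorize(rogue, now))
}
```

Running the four scenarios (enrolled device, self-signed device, the enrolled device two years later, the enrolled device after `Revoke`) shows the property the answer relies on: a certificate the CA never signed is refused outright, and the same enrolled certificate stops working when it expires or is revoked, which is what makes the tedious enrollment step worth it for the lost-device case. Note that this is only the "which machine is this" check; it says nothing about the device's health, which is why the rest of the answer's list (posture checks, network segmentation, isolation) still applies.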
Public key infrastructure

"A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates[1] and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred.[2]

In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The third-party validation authority (VA) can provide this information on behalf of the CA. The binding is established through the registration and issuance process. Depending on the assurance level of the binding, this may be carried out by software at a CA or under human supervision. The PKI role that assures this binding is called the registration authority (RA). The RA is responsible for accepting requests for digital certificates and authenticating the person or organization making the request.[3] In a Microsoft PKI, a registration authority is usually called a subordinate CA.[4]"