Is 'Private' Enterprise WiFi Obsolete? - InformationWeek

Commentary
11/10/2015
09:05 AM

Private enterprise WiFi arose during the time of strong network perimeters and weak internal security. It's now time to rethink.

This is going to be completely obvious to digital natives, and a gigantic ambush to about everybody else: Internal, private enterprise wireless is mostly irrelevant.

Here's why.

First, let me further define what I mean by "private" wireless. It's a WiFi network that allows authorized company employees to connect to the squishy, less-secured internal network instead of a DMZ or a public network.

Unfortunately, these private networks can be extremely insecure, resource-intensive, and possibly useless.

If you think that an "internal-only" wireless network is a secure network, think again. Yes, it's true that if you do it right, an enterprise wireless network is much more secure than a consumer-grade wireless network, for many reasons, including dynamic keying. However, these networks are often not done right for a number of reasons, including backward compatibility with WEP or WPA and, frankly, complexity.

WPA2 isn't truly secure thanks to parallel computing and graphics coprocessors. VLANs are frequently used as isolation mechanisms from the less secure, public ESSID, but are all switches adequately protected from a VLAN hopping attack? Certificates help to prevent certain types of attacks, but not all enterprise wireless deployments use certificates. The point is that it is complex, expensive, and really hard to truly secure a private WiFi network.

Given the factors mentioned above, it should now be apparent why enterprise WiFi is also resource-intensive. Staff must be vigilant. Some sort of intrusion monitoring is needed. Plus, the gear and software needed for enterprise WiFi are expensive.

None of this is actually necessary.

(Image: PashaIgnatov/iStockphoto)

Here's the thing. Business leaders have already insisted that you have public wireless as a "curb appeal" amenity for your guests.

Most organizations no longer operate in a cocoon, a network where no devices ever leave the corporate network. Indeed, it is dangerous to pretend as if no malevolent intruder will ever connect to your LAN or wireless network.

The truth is, "borderless" networking is fairly entrenched at this point. The notion of a network perimeter doesn't really apply as much, particularly as we modernize our application infrastructure.

We use software-as-a-service (SaaS), which lives outside the perimeter. Employees demand remote access to everything. Mobility has created an insatiable demand for connectivity without the limits of a VPN.

Office 365 and Google Docs add fuel to the flame -- employees can access their most sensitive company documents from anywhere at any time. The borderless network is arguably more, not less, secure than the perimeter network used to be. Cloud providers have stepped up and are using techniques like two-factor authentication, mobile verification of suspicious logins, geo-verification, and email confirmation of new devices to ensure that your users really are who they say they are.

Still, proponents of these internal, employee-only networks sometimes say that they are needed in order to provide accountability and logging for employees. 

Says who? If you're already issuing mobile devices, the provider probably is not giving IT detailed connection logs unless there is a suspected security breach. Asking the provider for those logs simply to make sure that you keep tabs on employee network connections is usually a request that goes unfulfilled.

Sure, you can force proxies to an enterprise server that does keep track of net connects, but ultimately that doesn't keep employees from using their own devices and their own networks to avoid accountability. That ship has sailed. We are going to have to find other mechanisms besides network logging to keep employees engaged and accountable. 

So, what is the problem that we're trying to solve with enterprise WiFi?

Oftentimes in IT, there is a tendency to lead with solutions to solve problems that may not even exist anymore. The world has unarguably changed since the advent of these internal networks. Before you deploy new infrastructure or sign up for a new maintenance contract, a little analysis of your company's situation is definitely in order. 

I think that in many cases, unless you're in a highly, highly regulated industry, you may find that focusing on end-user device security, application security, and user education is what really pays off security-wise.

You also need to realize that digital companies must have digital employees, all of whom want hassle-free wireless, whether it's via a hotspot or on-premises. Most often, providing a reasonably secure, externally connected WiFi connection will work for guests and your digitally native employees.

Jonathan Feldman is Chief Information Officer for the City of Asheville, North Carolina, where his business background and work as an InformationWeek columnist have helped him to innovate in government through better practices in business technology, process, and human ...

Comments
RobertQ007,
User Rank: Apprentice
12/11/2015 | 3:38:03 PM
Corollary: Should users ever get access to the corporate LAN?
In this age of mobility, SaaS, and cloud, the trend is eventually all users will be coming in from outside of the enterprise.  Does that mean we should be giving everyone access to the corporate LAN?

Whether via WiFi, VPN, or other means, giving outside users LAN access exposes every system on the network to potential attack.  Apart from a select few admins, users don't need access to the LAN.  They need access to applications.   

Cloud-based perimeters or DMZs, whether built in-house or delivered as a service, can deliver internal applications with enterprise-grade security to select users on the Internet without exposing the internal network to the Internet.

When your internal applications can be accessed as easily as a SaaS application, the only access any user needs is to the Internet.
kstaron,
User Rank: Ninja
11/24/2015 | 5:37:22 PM
But when it's done right?
I always assumed that the idea of private wifi was more about the data you were trying to secure. When you work on things for the government or military sometimes things need to be more secure than regular open wifi. If done right so it is more secure than the wild wild west scenario, would it still be obsolete or are most people just doing it wrong now? 
R. Anderson,
User Rank: Apprentice
11/11/2015 | 11:37:50 AM
For a long time, in Higher Ed
Certainly at our large public university, we never subscribed to the "crispy shell/soft chewy center" model of network security. We have always had to secure from the center and work out; if students, visitors and researchers are regularly connecting to your network you had better treat it as the wild, wild west. So yes, time and money may be better spent on security awareness education and endpoint security coupled with a good monitoring program, versus trying to lock down wifi.
JohnH01,
User Rank: Apprentice
11/11/2015 | 10:06:15 AM
VPN
Same issue with VPN