College and university IT departments today contend with thousands of devices, most of them student-owned, which create a huge demand for network services.
"You can't treat unknown users who walk onto campus with foreign devices the same way that you treat a faculty member or student using a college-approved device," says Scott McCollum, CIO at Dayton, Ohio's Sinclair Community College.
McCollum must balance the expectation that he will provide reliable network access to the college's 23,000-plus students with guaranteeing that the network is secure.
His team works with a suite of Enterasys products — including Enterasys Network Access Control and Enterasys Policy Manager — to ensure that faculty, students and guests don't just gain access, but that they gain the proper access.
Mobile access management (MAM) — or, often, mobile identity and access management (IAM), so as not to be confused with mobile application management — helps to ensure network security in part by identifying devices, users and operating systems.
McCollum says he uses the technology to "dynamically assign a policy that limits the kind of communication users can have on the network."
He credits Sinclair's current success to the college's early implementation of network access control (NAC) procedures, before the explosion of wireless access demand.
"If we had not done that work, I would not sleep very well at night."
Taking Mobility Beyond Access
"There was a realization a few years ago that, without a campuswide wireless network, any given college could not compete for students," says Craig Mathias, a principal at Farpoint Group, which specializes in wireless and mobile technologies, products, services and systems.
The BYOD atmosphere comes with a distinct series of challenges for university network administrators. Security is one, but Mathias cites network integrity and capacity as equally important, especially when one student may have as many as four devices on the network at a given time. MAM/IAM solutions address those concerns in an integrated way. "You will be managing identity," Mathias says. "These are systems that grew out of the guest access space."
A complete solution addresses security, integrity and capacity by giving IT departments the ability to determine class of service, class of user and class of device, and to prioritize network traffic in accordance with preset policies while meeting requirements for logging, reporting and analysis.
Zero to Managed
Seton Hill University, a private Catholic institution with about 2,500 students in Greensburg, Pa., dealt with a major access deficit in 2009.
When CIO Philip Komarny came onboard that year, the university had only two or three classrooms with wireless capability, and he was tasked with creating a mobile-friendly learning environment.
He chose Enterasys solutions to create an environment capable of supporting a bring-your-own-device (BYOD) program by the time students returned that fall.
While security was important, his primary focus was on the user experience. With MAM/IAM, however, these concerns dovetail under the paradigm of identification. Enterasys' fingerprinting technology is key to the approach.
"We're able to say, 'This is a tablet,' and we're able to put it on a specific tablet VLAN, then figure out what type of person it is — student, staff or faculty — and then put it on the correct [user-based] VLAN," Komarny says.
Not only is the device identified for security purposes, but its user gets access that is optimized for his or her operating system. Komarny employs Enterasys NetSight as a key piece of his mobile access management solution.
He credits its "one pane of glass" functionality for allowing his three IT staff members to manage 10,000 to 12,000 devices and a complex traffic flow. It's a customizable and scalable solution that lets administrators track network use with real-time heat maps and shift resources to adapt to demand signals. Seton Hill also employs Enterasys' Isaac, which allows network admins to interface directly with the network via social media.
Building for the Future
Mathias urges those just entering the space not to get hung up on finding a perfect solution for ensuring simple, reliable and secure BYOD access to a wireless network.
"What you want in the early days is a workable solution that respects your requirements," he says. "The whole field, from the technology to operations, is still in flux."
As vendors add new capabilities, institutions will continue to improve their mobile management.
"We're still on the road to where we're going."
Configuring for Success
"It's always good to have a list of requirements" when in the market for a wireless access management solution, Farpoint Group's Craig Mathias says. "Unfortunately, most organizations don't have enough experience to know what questions to ask."
Mathias recommends universities begin by consulting with their wireless LAN vendor to see what's offered and choosing a product with features that meet their requirements in terms of network security, integrity and capacity.
Some elements to consider include:
- Administration — "One pane of glass" control center design allows for management of a large, dynamic wireless network without a large staff.
- Classification — Solutions that identify users by user type, operating system and device allow for appropriate allocation of network assets and, ultimately, a better user experience.
- User friendliness — Administrators must balance access control with ensuring a simple process for students and faculty to connect to the network, because the fewer hoops to jump through, the better.