Here at Ruckus Networks, we have a lot of discussions with customers and prospective customers around secure onboarding. We’ve come to realize that it’s a term that is not universally understood. The process it describes is real, but people don’t always use that term for it. We need to do some work to familiarize the IT world with the term in a networking context. So what exactly do we mean when we say “secure onboarding”?
Let’s Start by Defining “Onboarding”
You have probably heard the term onboarding used to refer to a human resources process that’s about getting new employees integrated into an organization. When someone starts a new job, they fill out some paperwork (or these days, online forms), go through an orientation, get a tour of their new office building and so on. That’s not the kind of onboarding we’re talking about in the context of network infrastructure and connectivity, which might be a source of confusion.
Actually, though, it’s tangentially related because when new employees arrive, one of their first questions is likely to be “How do I connect to the Wi-Fi with my tablet?” Or their phone or their personal laptop. The same thing happens on move-in day at college campuses, where the range of devices that need to connect is often much broader. It also occurs in primary and secondary schools where students are allowed to connect with personal devices.
Precision matters here, and what we are really talking about is network onboarding. Simply stated, in a networking context, onboarding means the process by which a BYOD or guest user gains access to the network for the first time with a device (or an IT-owned device connects to the network, for that matter). Every environment is different, but users in a variety of organizations often struggle with this process. This can lead to user frustration and excess trouble tickets for the IT team.
User Expectations Are Set by Experiences with the Carrier Network and Home Wi-Fi
What creates this frustration with network onboarding? Why do organizations find this process such a challenge? It originates in the gap between user expectations and user experience. When someone activates a new cell phone, the service desk at the carrier retail outlet plugs in a SIM and they’re good to go. It’s a set-it-and-forget-it experience.
User experience with a home Wi-Fi network is also simple. Users look for the name of their Wi-Fi source and enter the password, or pre-shared key (PSK). They don’t roam between different sources of connectivity within the home, always connecting to the same home router. The device always seems to connect without problems when they return after going out. Users control their own Wi-Fi password—when it changes, and whether it changes at all. Or their roommate or spouse can easily give them a heads up when that person changes the PSK, so no big deal. Between their experience with the carrier network and home Wi-Fi, users are conditioned to expect easy connectivity without having to think much about it.
Things get much more complicated in an enterprise office environment, and in schools and colleges. But those expectations for a set-it-and-forget-it experience remain. We’ve blogged before about the user experience issues with default methods of network onboarding and authentication. Historically, organizations have often relied on default methods of network onboarding, but more and more they are adopting systems to streamline this process.
Secure Network Onboarding Plugs Wireless Security Holes
There’s one aspect of the secure onboarding challenge that we haven’t addressed yet, and that’s the security piece. Secure network access is an often-overlooked area within the IT security domain. It’s a challenge because too many IT organizations rely on the default methods for network onboarding and authentication that are built into their networking infrastructure.
The risks inherent in unsecured Wi-Fi don’t get as much attention as some other threats, but they are very real. Prying eyes can spy on unencrypted data traffic, and undifferentiated access can leave sensitive data exposed to unauthorized users. The latter is an issue even over a wired connection. Insecure devices can bring malware, ransomware and other bad things into your environment. For more detail on these and other potential security holes related to network access, please refer to our previous blog on this topic.
Network onboarding alone isn’t enough—secure network onboarding is essential to plug these security holes. Adding on to our previous definition, secure network onboarding means the process by which a BYOD or guest user securely gains access to the network for the first time with a device. And those security holes must stay plugged on subsequent connections, too.
Often there are trade-offs between user experience and security. We’d all be a lot safer if we just unplugged our computers from the internet—but no one could get any work done that way. Or users and devices would be safer if IT locked down every computer so that no new software could be installed. That’s at best impractical (for IT-owned devices) and at worst impossible (for unmanaged BYOD devices).
Secure network onboarding is that rare product category where the usual trade-offs between user experience and security do not apply. You can have your cake and eat it too—better user experience and increased security for users, devices, data and the network. If this sounds intriguing, now is a great time to consider Cloudpath Enrollment System, the Ruckus Networks offering in this corner of the security taxonomy. Our new product overview video encapsulates the value it provides in less than two and a half minutes.