The IT team for a global enterprise technology company needed to update its bring-your-own-device (BYOD) infrastructure and policies. Like many organizations, the team already had a shared VPN and Wireless Access Points in place for employees to access internal resources from their personal devices. However, the bandwidth for the shared VPN was approaching 90% saturation, causing bottlenecks for remote employees despite having WAN optimization in place.
The IT team suspected that the BYOD traffic was congesting the VPN and also recognized that VPN access to these devices could lead to data loss. To solve both these problems, the team planned to open access to a segregated BYOD network at corporate headquarters with open access for non-critical resources and add additional access controls for critical resources.
To plan capacity and decide which applications and resources to secure, the team sought a simple, non-invasive means to monitor and identify all devices connecting through the VPN and guest WLAN networks, the type of device, the resources accessed by device and user, the frequency of access, and the rate of data consumption.
- A non-invasive way to monitor and audit all BYOD devices and their activity.
- Visibility into VPN and BYOD usage for data-driven capacity planning.
- Faster resolution of VPN and WLAN access issues.
- An integrated security monitoring datastore to include BYOD device analysis.
Bandwidth for the VPN was approaching 90% saturation, often causing bottlenecks for employees in the field. To mitigate this problem, the team planned to open internal resources to a segregated corporate BYOD LAN. To reduce exposure of sensitive information, the team needed to identify resources that required additional access controls.
The Solution

With the ExtraHop platform, the IT team tracked usage of internal resources and applications across their global VPNs. The team then mapped device type to the resources accessed, tracking specifically mobile devices, such as phones and tablets. Filtering these services according to bandwidth and request usage, the team then identified 10 applications most used by BYOD and remote users. Seven of the applications could safely be exposed on the BYOD network, but the other three required additional protections. The IT team added two-factor authentication to two of the applications and the third could only be accessed by an authorized corporate device.
With ExtraHop, the team knew exactly the capacity required, the applications and services being utilized, and the consumption by BYOD type and location. They built the BYOD network based on actual network and application usage, focusing design and deployment efforts so that they delivered on time and under budget. They also implemented better security controls for appropriate applications. After setting up the BYOD WLAN, the IT team saw global VPN saturation drop to below 60% during peak periods, providing a consistent end-user experience for remote employees.
With the ability to auto-discover new devices on the network, and track utilization and performance trends over time, the IT department could also plan for Wi-Fi and fixed-network capacity needs and future access control policies. Most importantly, the IT team had the continuous visibility to prove those policies were active and enforced. Audits became a simple process of scheduling an audit activity report in ExtraHop, streamlining and reducing audit costs by over 25%.