The Move To WiFi: What It Means For Identity Management

By Rajat Bhargava Posted July 28, 2016

Networks are changing.

It was only a decade ago that companies built out their networks on-premises with routers, switches, wired cabling, and even land lines for their phones.

While this is rare in companies today, it once was the standard. At minimum, the network required a server closet where this equipment would live or, for larger organizations, an on-premises data center.

This article is about the ways that modern organizations are saving time, money, and office space by avoiding the old infrastructure altogether. Doing so has required major changes in how user access to critical infrastructure is managed.

I’ll explain how below, but before we get to the innovations, here’s a short history lesson.

Legacy Network Infrastructure for Identity Management


Switches, routers, and servers were often considered the land of privileged accounts.

Few people had access and, due to the critical nature of the equipment, IT organizations wanted to maintain tight control over access. This meant a whole new category of identity management solutions called privileged account management.

These solutions would often be leveraged separately from other solutions to manage access to critical infrastructure. Accounts could be ‘checked in’ and ‘checked out’ so that changes made to the infrastructure platforms would be tightly controlled. For instance, a sys admin needing to make configuration changes on switches would check out credentials to log into the switch infrastructure.

Changes would be made and tracked on the switches, and then the sys admin would check those credentials back in. The result of these systems was that only the specified users would be able to log in, and all of their changes would be tracked.

This all worked, but it was certainly not efficient. So while large scale enterprises still may have this level of infrastructure and still require privileged account management solutions, the vast majority of organizations today are decreasing their network infrastructure.

Looking Ahead: Streamlining Network Infrastructure


Most organizations have been migrating more and more infrastructure to the cloud in the last decade.

Their switches are morphing into wireless access points. Their heavy duty routers are turning into lightweight routers connected to their ISPs. Servers are no longer on-premises, but located in the cloud or in their colocation facility.

Critical infrastructure has a new meaning on-premises. Wireless access points that provide a conduit to the Internet aren’t necessarily viewed in the same way as switches or routers were before.

Wireless Identity Management


As organizations move to wireless networks, their requirements and needs for identity management change. Privileged account management becomes less critical, but controlling access to the wireless network becomes more important.

IT admins now shift their thinking to keeping rogue users off their WiFi and admitting only their own users.

Because IT organizations can no longer control their Internet access physically, new approaches to securing the on-premises network are required.

Even though modern organizations aren’t deploying critical infrastructure on-premises, their endpoint devices (desktops, laptops, and mobile devices) are the access vehicles to their AWS infrastructure, their Git repository, or their critical SaaS applications. A hacker who can get onto the same network as your key users via WiFi creates more potential risk for you.

While it may seem like this problem can be solved through networking, a simple, yet incredibly powerful approach to this problem is to uniquely authenticate user access to the network. Each user must have a valid username and password to join the network.

The benefit of this approach is that organizations can still leverage WiFi throughout their office campus and not worry about the hacker in the parking lot sniffing the connection. That’s because, in order to gain network access, end users must have a valid SSID and passphrase as well as credentials. Those credentials are the login credentials to the network or to a user’s device, and they are stored within the corporate directory service.

Cloud-Based Solutions for WiFi and Identity Management  


Executing on this approach, unfortunately, can be tricky. Wireless access points need to be connected to RADIUS servers which then connect to a user directory.

RADIUS infrastructure is notoriously difficult to manage, and connecting it to the directory can be time-consuming to set up. But the benefits of this approach are worth putting in a little extra effort. With RADIUS linked to their directory, IT organizations can freely leverage WiFi networks, avoiding the hassle and costs of wired networks, and at the same time feel secure doing so.
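To make the access-point-to-RADIUS-to-directory chain concrete, here is an added example (written for this article, not JumpCloud's code or any vendor's) of one RFC 2865 PAP round trip in plain Python. The access point hides the user's password under the shared secret, the RADIUS server unhides it, checks it against a small in-memory directory, and signs its answer with the Response Authenticator, which the access point verifies before admitting the client. The directory contents, shared secrets, packet identifier and NAS identifier are all constructed for the example. A secret mismatch between the access point and the server, the usual reason a newly wired-up RADIUS link "just doesn't work", shows up as an Access-Reject whose authenticator also fails verification.

```python
"""One RFC 2865 Access-Request / Access-Accept exchange between a WiFi access
point (the NAS) and a directory-backed RADIUS server. Hypothetical example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

# Constructed sample directory: username -> password. A real directory holds
# hashed credentials or answers a bind; plaintext here keeps the example short.
DIRECTORY = {"alice": "correct horse battery", "bob": "hunter2"}


def _attr(attr_type, value):
    # Attribute = Type (1 byte) + Length incl. header (1 byte) + Value.
    return bytes([attr_type, 2 + len(value)]) + value


def _parse_attrs(payload):
    attrs, pos = {}, 0
    while pos < len(payload):
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed attribute")
        attrs[attr_type] = payload[pos + 2:pos + length]
        pos += length
    return attrs


def _xor_chain(data, secret, request_auth, decrypt):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the Request Authenticator seeds the first block.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result
    return out


def hide_password(password, secret, request_auth):
    raw = password.encode()
    raw += b"\x00" * (-len(raw) % 16)          # pad to a 16-byte boundary
    return _xor_chain(raw, secret, request_auth, decrypt=False)


def reveal_password(hidden, secret, request_auth):
    return _xor_chain(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def _packet(code, ident, authenticator, attrs):
    # Header: Code, Identifier, Length (whole packet), 16-byte Authenticator.
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(ident, username, password, secret, nas_id, request_auth=None):
    """Access point side: wrap the user's credentials for the RADIUS server."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(request, secret, directory):
    """RADIUS server side: unhide the password, ask the directory, answer."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = username in directory and hmac.compare_digest(directory[username].encode(), password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""   # a real server would add session attributes (VLAN, timeout)
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return _packet(reply_code, ident, auth, reply_attrs)


def client_verify(response, request_auth, secret):
    """Access point side: trust the answer only if the Response Authenticator matches."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request_auth, response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20])


def authenticate(username, password, client_secret, server_secret, nas_id="ap-floor-3"):
    """Run one AP <-> RADIUS round trip; returns (reply code, authenticator verified)."""
    request_auth = os.urandom(16)
    request = build_access_request(7, username, password, client_secret, nas_id, request_auth)
    response = server_handle(request, server_secret, DIRECTORY)
    return response[0], client_verify(response, request_auth, client_secret)


if __name__ == "__main__":
    print("good creds     :", authenticate("alice", "correct horse battery", b"s3cret", b"s3cret"))
    print("bad password   :", authenticate("alice", "nope", b"s3cret", b"s3cret"))
    print("secret mismatch:", authenticate("alice", "correct horse battery", b"s3cret", b"other"))
```

Two things worth noticing when reading the output. First, the only thing binding the access point and the server together is the shared secret, so an access point whose secret is wrong sees every answer fail `client_verify`, which is exactly the symptom to check first when a new RADIUS link rejects everyone. Second, PAP hides the password with MD5 and a shared secret rather than real encryption, which is why RADIUS traffic belongs on a trusted path or inside TLS, and why WiFi deployments normally run an EAP method (PEAP or EAP-TLS) on top of RADIUS rather than raw PAP.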

The secondary benefit to this approach is that organizations can often skip the expensive privileged account management solutions, and instead tie their WiFi infrastructure to their directory.

Better Wireless Identity Management on the Cloud


Modern networks are very different from those of even a decade ago. Organizations aren’t implementing the traditional on-premises network that was historically put in place.

New approaches are saving money, increasing security, and enabling greater productivity.

If you’re interested in linking RADIUS to your directory, but don’t want to start from scratch all by yourself, then you’re an ideal candidate for RADIUS-as-a-Service (RaaS). This is also known as virtual RADIUS, cloud RADIUS, or SaaS-based RADIUS.

A virtual RADIUS service provides organizations with pre-built, pre-configured, scalable, and fully managed and maintained RADIUS servers. You get a global bank of RADIUS servers, using them to control WiFi access, VPN authentication, and authentication for network devices, servers, and applications as appropriate.

When it comes to controlling access to WiFi networks, a cloud RADIUS service can accomplish exactly what we laid out above as ideal: authenticating and monitoring individual user access to the network. It’s actually even possible to control WiFi access by city, office, or floor. Temporary access control can be granted to vendors, contractors, and traveling employees.

JumpCloud’s cloud RADIUS offering is held to the highest standards of security, leveraging TLS encryption to protect all information in transit.

If you would like to learn more about how RADIUS-as-a-Service can revolutionize the way your organization manages identities and wireless networks, you can read more here or contact us directly.

RADIUS-as-a-Service is free to try forever for your first ten users. Get started now.

Rajat Bhargava

Rajat Bhargava is co-founder and CEO of JumpCloud, the first Directory-as-a-Service (DaaS). JumpCloud securely connects and manages employees, their devices and IT applications. An MIT graduate with two decades of experience in industries including cloud, security, networking and IT, Rajat is an eight-time entrepreneur with five exits including two IPOs, three trade sales and three companies still private.
