Deployment Timeline
The company first spoke with SecureW2’s sales team at the beginning of the summer of 2022. As a burgeoning biotech company that had just received funding, they were in the early stages of establishing their structure – including their network and its security.
SecureW2 played a key role in guiding them through their security growing pains. Once the company had decided on which solutions worked best for them, deployment was complete within three weeks.
Challenges
Like many other organizations initially setting up their Wi-Fi, this company started with PSKs. Unfortunately, pre-shared keys – Wi-Fi passwords – are vulnerable to credential theft. Hackers have an array of attacks designed to harvest these credentials, and once they get on your network, they can begin to target sensitive data for their own ends.
Our customer quickly discarded the idea of using PSKs long-term. They wanted to move on to something more reliable and secure.
The biotech company had already begun establishing access control policies in their identity providers, Azure and Okta. Having put so much time into building these directories, they hoped to extend the policies they had already constructed to their Wi-Fi and VPN security.
However, identity providers weren’t the only infrastructure elements they were concerned about integrating with any solution. They were also using MDMs – specifically, Jamf for their Apple devices and Intune for their Windows devices. It was crucial that any solution they purchased be able to integrate with their MDMs, as well.
Solution
Moving away from PSKs is a topic SecureW2 is very familiar with. We knew the solution the customer was looking for was digital certificates. Fortunately, our PKI is turnkey and is designed to deploy very quickly.
Deploying certificates to all the company’s managed Apple and Windows devices was another challenge that we could easily solve. With our SCEP and WSTEP gateways, certificate enrollment and Wi-Fi profiles can automatically be pushed to all managed devices through the MDMs. The best part is that there is absolutely no effort from the end-user; their access to the network is uninterrupted by the enrollment process entirely.
Of course, something needs to authenticate the certificates. To provide robust authentication, we deployed our powerful Cloud RADIUS service for the company. Cloud RADIUS was built to be used for passwordless authentication.
What’s more, Cloud RADIUS can communicate directly with identity providers in real-time. When an employee attempts to access the Wi-Fi, Cloud RADIUS can verify directly that the employee exists in either Azure or Okta. The company was excited to find that there was no need for an additional LDAP server directory; Okta can remain their source of truth when it comes to network access policies enforced by Cloud RADIUS.
Evaluating Success
These days, the biotech company continues to enjoy the increased security that comes with certificates backed by Cloud RADIUS for authentication. Employees access both the VPN and Wi-Fi with certificates instead of passwords. Not only is this more convenient for them, since they don’t have to remember or change passwords, but it’s much more secure as there are no credentials to be stolen.
Best of all, these certificates are easy to deploy to each device, whether it’s Apple or Windows. New employees don’t need to worry about configuring their own devices; the certificates can be issued automatically to them through gateway APIs. Our auto-revocation feature even allows certificates to be automatically removed from specific devices placed in Jamf smart groups.
Perhaps their favorite aspect of the solutions we implemented, however, is how seamlessly everything integrated with their infrastructure. Cloud RADIUS is able to look up users at the time of authentication, ensuring the most up-to-date policies are applied. Our gateway APIs can automatically push configuration profiles through Jamf or Intune.
In the future, the company plans to consider using Okta CBA, as well. We’ll be there to help them keep their network secure every step of the way.