The Do’s and Don’ts of Open Wi-Fi for BYOD

This is a guest post by Brian Fielder, general manager in the Information Security Management Organization within Microsoft IT. Brian and his team create a repeatable model for Microsoft IT to assess, mobilize and prioritize our resources across the Information Security domain, with a focus on emerging technologies and trends.
As you read in January [here], Microsoft IT focuses on managing four primary categories of consumer technology:
  • Social computing and social media
  • Consumer services and applications
  • Consumer identity providers
  • Personal devices
While each of these categories has its own plan (interconnected with the others), we hear from customers that personal devices drive the dialogue. To be sure, Microsoft employees love their personal and work devices, and expect to use either at any given time of day. The same holds true for the 370,000+ registered visitors to Microsoft’s headquarters each year.
So how can CIOs support use of a broad set of devices without presenting excessive risk to the corporate domain? What are some of the ramifications involved in offering an open wireless network? This blog post shares learnings and experiences from the introduction of a new, open wireless network to Microsoft’s offices to support non-domain joined, consumer devices.
Mobile Enterprise
Microsoft's corporate network has been inundated with consumer devices during the past 10 months. We anticipated this fact, and knew we needed to provide an easy way for employees and guests to get Internet access, create and reply to email, and view Microsoft Office documents and PDFs. Otherwise, all the consumer devices would dilute the security boundaries of our corporate network.
As the chart shows, Microsoft employees have a high demand for productivity using their smartphones and tablets. The survey showed:
  • More than 50% of Microsoft employees use a tablet to support work-related activities.
  • Nearly 30% of Microsoft employees use a tablet 5-10 hours per week.
  • Nearly 100% of Microsoft employees use their mobile phones at work to access the Internet.
  • The survey didn’t ask about using phones for social networking.
So what’d we do?
In the past several months, Microsoft IT installed a new open wireless network in Microsoft offices, starting in the U.S. and continuing throughout North America. This new Wi-Fi network operates alongside a corporate wireless network, and was designed to make it easy for employees and the 370,000+ registered guests each year to connect their personal devices to the Internet without presenting additional security risk to the corporate network.
Challenges and risks of an open Wi-Fi network
We started the project with a legacy wireless network that could be described as an under-invested utility because so many employees use wireless instead of wired connections to our corporate network. This legacy infrastructure didn’t have guaranteed delivery (i.e., Quality of Service), so the millions of Lync calls per month wouldn’t be prioritized over traffic for things like YouTube videos. The IT team also had concerns that thousands of devices joining the open network would take it down or lead to excessive help desk calls.
The IT team worked across business groups, Microsoft’s security governance council and the legal affairs team to address a number of challenges and risks along the way. They can be viewed in the following three areas:
Legal. Microsoft IT first engaged with the company's legal affairs team to understand whether regulations would allow us to offer open Wi-Fi service. Telecom regulations vary state-by-state and country-by-country with regard to offering open wireless access to employees and on-campus guests without being viewed as an Internet service provider or a telecom company. So we structured the open network in a way that avoids becoming a regulated telecom provider or ISP. The other important legal aspect of the open network was balancing an efficient user experience for accessing the network against user understanding of, and compliance with, the terms of use and acceptable use policy for the open network. In the U.S. and select other countries, we decided to make the user accept the terms of use for the open network only once every two weeks.
Security. There is always a security concern when people are accessing a corporate network. From one perspective, offering an open network is a good means to allow Internet access while ensuring that non-domain-joined devices are kept off of the corporate network. However, we also wanted to ensure that the guest Internet solution was not being used for malicious or inappropriate actions. To ensure appropriate use, Microsoft IT uses strong monitoring controls, and restrictions of traffic from the Internet to our open Wi-Fi service. In addition, Microsoft IT designed a captive portal system with Microsoft components to identify each unique device and ensure that it only had to register itself once every 14 days.
Operations. The IT operations team was focused on providing a great user experience for the new open network. For them, the deployment of new wireless controllers was kind of like the game Tetris: as the team upgraded the controllers, they had to re-position existing ones to buildings that had heavy traffic. The new network gear includes a built-in captive portal to splash the terms of use to the end user. However, the built-in captive portal was based on Linux and was cost-prohibitive to deploy. The team also had challenges forecasting traffic in different buildings. Along the way, the team started pilots to watch egress traffic so that routing infrastructure could be optimized and traffic accurately monitored.
Learnings and results
Broad teamwork enabled Microsoft IT to launch Microsoft Open network and maintain a positive user experience with no degradation to the wireless network.
Some of the team’s key learnings were:
  • If your open Wi-Fi deployment will be global, U.S. regulations make it a good place to pilot.
  • Standards, processes and user experience should be established during your pilot.
  • You may need to modify standards by country due to local requirements and regulations, but try to limit the number of permutations around the globe. For Microsoft IT, we won’t offer open Wi-Fi service in some countries, and instead will continue our Microsoft guest wireless network.
  • Be sure each local deployment starts with a statement of legal, security and operational risk and acceptance of that by the CIO.
  • We built a captive portal using IIS and SQL Server, and within a week had a proof of concept running. Our captive portal solution was 20x less expensive than purchasing a captive portal solution from a hardware provider.
  • When users experience the captive portal (in the U.S.), we give them some core information and the ability to read all the details of the terms of use.
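The registration logic behind the captive portal described in the Security section and in the IIS/SQL Server bullet above, as an added illustration that is not Microsoft IT's own code: a device that accepted the terms less than 14 days ago goes straight to the Internet; anything else is sent to the terms-of-use page. It assumes an opaque per-device identifier supplied by the network gear, uses sqlite3 as a stand-in for SQL Server, and goes slightly beyond the post by also forcing re-acceptance when the terms revision changes.

```python
import sqlite3
from datetime import datetime, timedelta

# Acceptance of the terms of use stays valid for 14 days, as in the post.
ACCEPTANCE_VALIDITY = timedelta(days=14)


def open_registry(path=":memory:"):
    """Create the device-acceptance table (sqlite3 stands in for SQL Server here)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS device_acceptance ("
        " device_id TEXT PRIMARY KEY,"  # opaque per-device identifier (assumed)
        " accepted_at TEXT NOT NULL,"  # ISO-8601 timestamp of the acceptance
        " terms_version TEXT NOT NULL)"  # which revision of the terms was accepted
    )
    return conn


def record_acceptance(conn, device_id, terms_version, now_iso):
    """Store (or refresh) the device's acceptance of the given terms revision."""
    conn.execute(
        "INSERT OR REPLACE INTO device_acceptance VALUES (?, ?, ?)",
        (device_id, now_iso, terms_version),
    )
    conn.commit()


def portal_decision(conn, device_id, current_terms, now_iso):
    """Return 'allow' to pass the device straight to the Internet, or
    'show_terms' to splash the terms-of-use page before granting access."""
    row = conn.execute(
        "SELECT accepted_at, terms_version FROM device_acceptance WHERE device_id = ?",
        (device_id,),
    ).fetchone()
    if row is None:
        return "show_terms"  # device has never registered
    accepted_at, accepted_version = row
    if accepted_version != current_terms:
        return "show_terms"  # terms changed since this device accepted them
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(accepted_at)
    if age < timedelta(0) or age >= ACCEPTANCE_VALIDITY:
        return "show_terms"  # expired (or clock skew): register again
    return "allow"
```

Timestamps are constructed sample values; in a real portal the decision would be taken on every redirected HTTP request before the device's traffic is released to the Internet.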
Microsoft IT is in the midst of completing the North American deployment, and has begun similar work in France, Germany, Ireland, Israel, Russia and the UK. We’re evaluating other countries.
End user surveys (Puget Sound headquarters; February 2013) have shown positive results so far:
  • 86% of the users rated Microsoft Open network experience as equal to or better than the wireless experience in a Starbucks café.
  • The open wireless network is used for public Internet (36%); Outlook (33%); and Lync mobile (16%).
  • The device types accessing the open network are 72% Windows (Windows Phone, Surface with Windows RT, Windows PC) and 28% other (including Android devices, iPhone, iPad, Mac PC, Kindle, Nook, other Windows RT device).