Is your corporate Wi-Fi SSID secure?
Natarajan Manthiramoorthy, Director of Solution Engineering at WiteSand
As a common practice, most enterprises separate their corporate SSID from their guest SSID in each of their offices, branches, campuses, clinics, distribution or retail centers. Some may even create more SSIDs for headless IoT devices or to protect various corporate assets.
Yet, it may surprise you that many organizations have not fully addressed corporate SSID security.
Security compliance frameworks that apply to your organization, such as SOC 2, may require securing your corporate Wi-Fi as one of the critical controls.
A Common Mistake: Using a Pre-Shared Key (PSK)
Does the facility utilize a common password which is shared with all employees, referred to as a PSK (Pre-Shared Key), to connect? If so, there are potential security issues to be considered.
- If the password is known by an outsider, they can connect to corporate Wi-Fi from the parking lot
- If an employee leaves the company, he/she still knows the password and can access the network freely or, worse yet, share it with someone else
- The PSK may be easy to crack by passively sniffing for it over the air using easily obtained tools
- The administrative task of rotating shared passwords periodically or when an employee leaves is often skipped, making an attacker’s job easier
Authentication of Employees against corporate Active Directory or LDAP
The correct way to secure your corporate SSID is to have employees authenticate against the corporate Active Directory or LDAP, so that only current, active employees have access to the network. This method of authentication is commonly known as WPA1/2/3 Enterprise.
This is done at the lowest communication level, with the key dynamically derived from the secure EAP exchanges based on unique per-user credentials.
Authentication of Employees against Google Workspace or equivalent
If your organization uses Google Workspace or something similar, you can connect with a shared PSK and then use the WebAuth provided by the wireless access point to authenticate against that platform.
You can increase security by switching from a PSK shared among all employees to a per-client PSK. Or, you may consider upgrading your Google Workspace package to include secure LDAP authentication, which does not require a PSK at all.
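Why a departed employee keeps access under a shared PSK but not under a per-client PSK, as an added example (not code from WiteSand or any access point vendor). It uses the standard WPA2-Personal key derivation; the SSID, user names and passphrases are constructed, and the key comparison stands in for the 4-way handshake.

```python
import hashlib
import hmac

SSID = "Corp-WiFi"  # constructed SSID for this example


def pmk(passphrase: str, ssid: str = SSID) -> bytes:
    """WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class SharedPsk:
    """One passphrase for every employee: the network cannot tell users apart."""

    def __init__(self, passphrase: str):
        self.key = pmk(passphrase)

    def admits(self, client_key: bytes):
        # Stand-in for the 4-way handshake check, which proves knowledge of the PMK.
        return "anyone" if hmac.compare_digest(self.key, client_key) else None

    def offboard(self, user: str) -> bool:
        return False  # nothing per-user to revoke; only a rotation for everyone helps


class PerClientPsk:
    """One passphrase per user or device, so access maps to an identity."""

    def __init__(self, passphrases: dict):
        self.keys = {user: pmk(p) for user, p in passphrases.items()}

    def admits(self, client_key: bytes):
        for user, key in self.keys.items():
            if hmac.compare_digest(key, client_key):
                return user
        return None

    def offboard(self, user: str) -> bool:
        return self.keys.pop(user, None) is not None


def leaver_still_admitted(network, leaver: str, leaver_passphrase: str) -> bool:
    """Offboard `leaver`, then check whether their old passphrase still works."""
    network.offboard(leaver)
    return network.admits(pmk(leaver_passphrase)) is not None


if __name__ == "__main__":
    shared = SharedPsk("constructed-shared-passphrase")
    per_client = PerClientPsk({"alice": "constructed-alice-pass", "bob": "constructed-bob-pass"})
    print(leaver_still_admitted(shared, "bob", "constructed-shared-passphrase"))  # True
    print(leaver_still_admitted(per_client, "bob", "constructed-bob-pass"))       # False
```

Because the key depends only on the passphrase and the SSID, every holder of a shared passphrase derives the same key, which is why offboarding one person means rotating it for everyone.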
WiteSand’s SaaS Solution to Secure your Corporate SSID
WiteSand SaaS enforces security of your corporate SSID with any of the secure methods above. You can define your policy once and use the power of templates to enforce it consistently across your worldwide locations.
And here is the good news: With WiteSand there is nothing to install. It’s all delivered via SaaS. Implementation is simple, quick, and secure.
The WiteSand solution works with any type of deployment, be it on-prem AD, Azure AD, any LDAP, Google Workspace, or other.
WiteSand’s Zero Trust Intent-Based Network Access Control
If you’re looking into a complete zero trust solution for your organization, you might consider WiteSand’s NAC for the following capabilities:
- Securing wired wall jacks, as well as wireless SSIDs
- Securing authentication, authorization, and accounting for access of network devices and firewalls
- Implementing segmentation, isolation, and access policies for employees, guests, BYOD, and headless IoT
- Gaining 360° visibility of the network, all activity, and the health of all endpoints
To learn more about WiteSand’s solutions, schedule a demo today.