Why are your users (Guest, BYOD, and IoT) the Centerpiece and the weakest link simultaneously?
Understanding Layer 8: The Human Element in Cybersecurity
We have all heard at some point in our cybersecurity careers that the user is both the centerpiece and the weakest link from a security standpoint. To fully grasp this concept, we need to explore the idea of Layer 8.
We are familiar with the seven layers of the OSI model, where Layer 7—the Application Layer—is where all applications reside. It defines the methods and protocols for the different applications that we, as humans, use. Extending this model, humans themselves can be considered as Layer 8—the Human Layer. Therefore, we can say that humans are part of the OSI model in the form of Layer 8.
To apply appropriate security controls, we should answer the following questions:
• Who is this Layer 8 user?
• Which device is he or she using to connect to the network?
This process involves giving humans connecting to the network an “identity.” It’s akin to how governments issue passports to provide their citizens with an official identity. But why must we identify users and devices?
As mentioned at the beginning, the user is the centerpiece, and if enterprises have no visibility into the users connecting to their network:
• Organizations cannot secure themselves.
• They cannot secure the users.
Visibility is core to security; without it, there cannot be any security.
• You cannot secure what is not visible.
• You cannot secure data if there is no data discovery.
• You cannot secure your assets if the users connecting to your network are not visible.
Most organizations have robust identity and security controls in place for their permanent employees. This is straightforward because enterprises have context behind every user through solutions like Active Directory, where login credentials are created and stored. Additionally, most enterprises issue corporate-owned devices like laptops and phones to their employees. These devices have a corporate footprint due to modern Mobile Device Management (MDM) solutions that bring them under enterprise control. So every time an employee connects to the network, the network is fully aware of context such as:
• Who is the user connecting?
• What type of device is initiating the connection?
However, for guest users and IoT devices, these controls fall short of providing true identity because the context is missing. There is no centralized identity management for guest users; there is no record of the guest user within the enterprise. The same applies to IoT/OT devices. Guest devices lack a corporate footprint since no MDM is installed on them. All of this makes it extremely difficult to assign an identity to guest users.
There is no context available for guest users.
How can we Identify Guest Users?
To identify users, let’s first look at the Guest User Identity Framework, a system that adds login functionality for your users before they can access the internet. It provides features for user management, including registration and login through various personal IDs (like a personal email address, phone number, or social network ID), among other capabilities.
Guest User Identity Framework:
This framework ensures secure, compliant, and user-friendly access to network resources by defining clear goals around authentication, access control, monitoring, and compliance. It establishes various user categories (e.g., guests, vendors, partners) with specific access levels, using authentication methods like captive portals, RADIUS, social media logins, SMS verification, self-registration, and sponsorship to validate guest identities. Access control policies—such as time-based limits, network segmentation, and bandwidth restrictions—help contain guest activities. Compliance is built in through data retention policies, audit trails, and user consent, ensuring alignment with regulations like GDPR and other local data protection laws, including those in China.
Additionally, real-time monitoring and anomaly detection strengthen security, while automatic expiration, easy renewal options, and a multi-language interface enhance user experience. This framework balances robust security with a seamless guest onboarding experience, scaling easily with organizational growth.
Components of the Guest User Identity framework:
1. Guest Users: Individuals who need limited, internet-only access and do not require access to corporate resources or enterprise applications.
2. Authenticator: A tool, system, or device that helps identify the user. It acts as a barrier between the user and the internet, allowing only authenticated users to access the internet and forcing unauthenticated users to authenticate. This is generally your Access Point (AP). It’s important to note that strong integration should exist between the authenticator and the Identity Validator (IDV).
3. Captive Portal: A webpage that users are automatically directed to when they connect to a guest Wi-Fi network. It typically requires users to log in, accept terms of service, or enter credentials before they are allowed access to the internet.
4. Identity Validator (IDV): A system, typically cloud-based, that validates a user’s identity before allowing access to the internet. The IDV ensures the user is providing a compliant ID (e.g., a Facebook login) and then grants access to the internet by issuing an authentication token to the authenticator.
Connecting the Dots - The Cloudi-Fi Way:
Now let’s see how Cloudi-Fi brings these components together to perform seamless guest authentication and onboarding. Consider a coffee shop providing internet access to its customers. Here’s how a typical guest authentication and onboarding process works:
1. Connection to Wi-Fi: A guest arrives with their phone or laptop and connects to the guest Wi-Fi network. At this point, the user’s device is on the network and is assigned an IP address.
2. Attempt to Access the Internet: The user’s device attempts to access the internet but fails because the authenticator will not allow an unauthenticated user to access the internet.
3. Redirection to Captive Portal: The authenticator forces the user to authenticate by redirecting them to the captive portal generated by the Cloudi-Fi IDV.
4. Providing Identity: On the captive portal, the user is asked to provide their identity. This could be in the form of a social network login ID (Facebook, Instagram, X, Google), an SMS OTP through their mobile phone number, or self-registration through email.
5. Validation and Access Granted: The Cloudi-Fi IDV logs and records the identity provided by the user and ensures it’s valid. In exchange for the provided ID, the Cloudi-Fi IDV issues a token to the authenticator, effectively authenticating the user to access the internet.
It’s important to note that tight integration must exist between the authenticator and the IDV so that the authenticator can seamlessly redirect users to the IDV for captive portal authentication and understand the authentication token delivered by the IDV.
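The five-step coffee-shop flow above, together with the framework's user categories, time-based limits, and audit trail, can be modelled end to end in a short simulation. The following is an added example written for this article; it is not Cloudi-Fi code and does not reflect Cloudi-Fi's token format or APIs. The shared secret, the portal URL, the category policy values, the client MAC addresses and phone number, and the SMS/OTP mock are all constructed for illustration. The authenticator (AP) redirects unauthenticated clients, the IDV validates an SMS OTP and hands back an HMAC-signed, device-bound, time-limited token, and the authenticator verifies that token before opening internet access.

```python
# Added example, not Cloudi-Fi code: a simulated captive-portal onboarding flow.
# Token format, policy values, URLs, MACs and the SMS/OTP mock are assumptions.
import base64, hashlib, hmac, json, secrets, time
from typing import Dict, Optional

# Assumption: AP and IDV share a secret provisioned out of band (never hard-code in production).
SHARED_SECRET = b"constructed-example-secret-not-for-production"

# User categories with specific access levels and time-based limits (constructed values).
CATEGORY_POLICY = {
    "guest":   {"ttl_seconds": 4 * 3600,  "vlan": "guest-internet-only"},
    "vendor":  {"ttl_seconds": 8 * 3600,  "vlan": "vendor"},
    "partner": {"ttl_seconds": 24 * 3600, "vlan": "partner"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityValidator:
    """Cloud IDV: checks the identity presented on the captive portal, keeps an
    audit trail, and issues an HMAC-signed token bound to the client device."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending_otps: Dict[str, str] = {}  # phone -> OTP; stands in for SMS delivery
        self.audit_log = []                       # audit trail for compliance / retention

    def send_sms_otp(self, phone: str) -> str:
        otp = f"{secrets.randbelow(1_000_000):06d}"
        self._pending_otps[phone] = otp
        return otp  # returned instead of sent so the example runs offline

    def validate_sms(self, phone, otp, client_mac, category="guest", now=None) -> Optional[str]:
        expected = self._pending_otps.get(phone)
        if (expected is None or category not in CATEGORY_POLICY
                or not hmac.compare_digest(expected.encode(), otp.encode())):
            self.audit_log.append({"event": "auth_failed", "id": phone, "mac": client_mac})
            return None
        del self._pending_otps[phone]  # one-time code: a replay must fail
        now = time.time() if now is None else now
        policy = CATEGORY_POLICY[category]
        claims = {"id_type": "sms", "id": phone, "mac": client_mac, "category": category,
                  "vlan": policy["vlan"], "iat": int(now), "exp": int(now) + policy["ttl_seconds"]}
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self._secret, payload, hashlib.sha256).digest()
        self.audit_log.append({"event": "auth_ok", **claims})
        return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, secret: bytes, now=None) -> Optional[dict]:
    """Authenticator-side check: valid signature first, then not yet expired."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:  # malformed token (wrong shape or bad base64)
        return None
    if not hmac.compare_digest(hmac.new(secret, payload, hashlib.sha256).digest(), sig):
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    return None if now >= claims["exp"] else claims


class Authenticator:
    """The AP: redirects unauthenticated clients to the portal and allows
    clients holding an accepted token until that token expires."""

    def __init__(self, secret: bytes, portal_url: str):
        self._secret, self.portal_url = secret, portal_url
        self._sessions: Dict[str, dict] = {}  # client MAC -> accepted claims

    def handle_request(self, client_mac: str, url: str, now=None) -> dict:
        now = time.time() if now is None else now
        session = self._sessions.get(client_mac)
        if session is None or now >= session["exp"]:
            self._sessions.pop(client_mac, None)  # automatic expiration
            return {"action": "redirect", "location": f"{self.portal_url}?mac={client_mac}&url={url}"}
        return {"action": "allow", "vlan": session["vlan"]}

    def accept_token(self, client_mac: str, token: str, now=None) -> bool:
        claims = verify_token(token, self._secret, now)
        if claims is None or claims["mac"] != client_mac:  # token is bound to one device
            return False
        self._sessions[client_mac] = claims
        return True


def run_coffee_shop_flow(now: float = 1_700_000_000.0) -> dict:
    """Walk the five steps from the text and return the observable outcomes."""
    idv = IdentityValidator(SHARED_SECRET)
    ap = Authenticator(SHARED_SECRET, "https://portal.example/login")  # assumed portal URL
    mac, phone = "aa:bb:cc:dd:ee:01", "+15550100"                       # constructed values
    first = ap.handle_request(mac, "http://example.com", now)          # steps 2-3: redirect
    otp = idv.send_sms_otp(phone)                                       # step 4: identity via OTP
    token = idv.validate_sms(phone, otp, mac, now=now)                  # step 5: token to the AP
    accepted = ap.accept_token(mac, token, now)
    # Tampering check: rewriting the payload to a richer category invalidates the signature.
    payload_b64, sig_b64 = token.split(".")
    forged = json.loads(_unb64(payload_b64))
    forged["category"] = "partner"
    forged_token = _b64(json.dumps(forged, sort_keys=True, separators=(",", ":")).encode()) + "." + sig_b64
    return {
        "first_request": first["action"],
        "token_accepted": accepted,
        "after_login": ap.handle_request(mac, "http://example.com", now + 60)["action"],
        "after_ttl": ap.handle_request(mac, "http://example.com", now + 4 * 3600)["action"],
        "other_device_reuses_token": ap.accept_token("aa:bb:cc:dd:ee:02", token, now),
        "otp_replay": idv.validate_sms(phone, otp, mac, now=now),
        "forged_category": verify_token(forged_token, SHARED_SECRET, now),
    }

if __name__ == "__main__":
    print(json.dumps(run_coffee_shop_flow(), indent=2))
```

Running the module prints the outcomes of one onboarding: the first request is redirected, the token is accepted, a later request is allowed, the request after the guest TTL is redirected again, and the token replayed from a second device, the replayed OTP, and the forged "partner" payload are all rejected. The points a practitioner should take from it are the ones the text's integration note implies: the authenticator must be able to verify the IDV's token on its own (here via the shared HMAC key), the token should be bound to the device and carry an expiry so time-based limits are enforced at the AP, and every validation outcome, success or failure, should land in the IDV's audit trail.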
Why Choose Cloudi-Fi?
Cloudi-Fi is at the forefront of the IDV revolution. Its cloud-based approach to captive portals and identity validation is effective and critical for the seamless onboarding of guest users. Its unique value proposition enables enterprises to identify and validate their guest users. Some key benefits include:
• Authenticate all of your guest users regardless of device type.
• Control your users’ access to the internet and provide a safe environment for web browsing.
• Audit and monitor your guest users’ online activities.
• Ensure compliance with local data protection laws in any country.
Additionally, Cloudi-Fi’s vendor-agnostic value proposition makes it stand out in the world of guest user identity management systems. It has existing deployments worldwide and strong integrations with vendors such as:
• Zscaler
• Fortinet
• Netskope
• Palo Alto
• Aruba
• Meraki
And the list goes on.
Conclusion:
In today’s interconnected digital landscape, the human element—Layer 8—is both the driving force and a potential vulnerability in cybersecurity. While technological defenses are essential, they are incomplete without considering the users who interact with these systems. Identifying and authenticating guest users is crucial for maintaining network security and ensuring compliance with data protection laws. Cloudi-Fi bridges this gap by seamlessly integrating user identity into the security framework, providing robust validation without compromising user experience.
Discover the Impact of Layer 8 Security in Action
See how Cloudi-Fi empowers businesses to seamlessly identify and authenticate users without compromising on security or user experience.
👉 Read this success story to learn how we revolutionized guest & IoT authentication and identification for one of our clients.