What's the value in segmenting Hotel WiFi Networks?
1st Oct 2017
We are currently witnessing a dramatic evolution in hotel WiFi – and by ‘we’ I mean both those of us in the wireless industry and all of us as travellers and users of public WiFi networks.
Hotels are in a somewhat unusual predicament. The necessity to provide guest WiFi has been, in many ways, thrust upon them, owing more to consumer habits and desires than to commercial opportunism.
It is for this reason that many independent hoteliers and hotel groups have struggled to avoid the all-too-damning bad review on the grounds that their WiFi did not meet the grade.
Is this unfair? Yes. Is this unavoidable? No.
Hotel WiFi as an asset
For the hospitality sector more broadly, the opportunities to simultaneously give guests the kind of wireless experience they want whilst benefitting from great reviews and even generating additional revenue through over-the-top, additional WiFi-based services, are beginning to stick.
The benefits of business-grade wireless are proving to far outweigh the cost savings of consumer-grade, PC-World-type kit, and the various payment models now available to hotels are rapidly reducing the stresses and strains of operational expenditure.
But! You knew there was a ‘But’ coming…
Although this is all sounding very positive - and it really is - the next challenge for hotels is not only to ensure that their guests enjoy a high-speed, unbroken WiFi experience, but one that is safe and secure for them and for their children too.
Protect your own
Leaving aside the guest experience for just a moment though, before hoteliers begin to look at the online privacy and security of their guests, they should first be prioritising the protection of their own, corporate systems.
What we have seen at a number of hotels is a lack of separation of guest and business traffic.
This is a major ‘no-no’.
We wouldn’t allow an individual to gain access to Ensign’s office networks and hotels should be no different.
Network security and bandwidth control
There are two reasons why a hotel might want to separate their corporate and guest networks.
1) Most obviously, for the maintenance of security: ensuring that would-be criminals ‘posing’ as hotel guests and seeking to access private, business-related servers and files are kept completely segregated.
2) Protecting and ensuring hotel network bandwidth. Sharing guest and corporate networks can negatively impact upon business functions for staff members serving guests on connected devices as well as a host of critical business functions, which could be slowed or halted by bandwidth-hogging patrons.
How to enforce network segmentation
Although not common in our experience, segmentation of hotel networks is usually achieved in one of two ways - neither of which is perfect - but ‘Scenario 1’ is preferable to ‘Scenario 2’ as it creates a foundation for getting to the 'ideal' scenario.
Scenario 1 - The first is where one broadband network is shared between business and guest users, with segmentation implemented in terms of network access and maybe security, but not bandwidth usage. In this scenario, a guest WiFi user streaming content from a site such as Netflix, without the application of additional bandwidth controls, could create a bottleneck for a staff member using an important business application such as Office 365.
Scenario 2 - The second method of segmentation - network duplication - is the most simplistic in terms of the technical aspects and configuration, but can be more expensive, and can give rise to unnecessary interference, and ultimately, performance problems.
In this scenario, since it is essentially a hardware rather than a software solution, the hotel would require separate network switches, access points and broadband connections – in short, a physically different network for corporate usage and guests.
The risk here, aside from the increased costs, is that these networks somehow become ‘bridged’ – through an accidental interconnection of switches for instance – which negates the security and control of having two different networks.
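An added example (not from the original article): a minimal Python check for the accidental bridging described above. It compares neighbour (ARP) tables exported from each network and flags addresses or MACs that appear on the wrong side; the data format, address scopes and sample entries are constructed assumptions.

```python
import ipaddress

# Constructed sample data: each network's address scope and the (IP, MAC)
# neighbour entries exported from its gateway or switch (assumed format).
SCOPES = {
    "corporate": ipaddress.ip_network("10.10.0.0/24"),
    "guest": ipaddress.ip_network("172.16.0.0/20"),
}
NEIGHBOURS = {
    "corporate": [
        ("10.10.0.5", "00:11:22:AA:BB:01"),
        ("172.16.3.40", "de:ad:be:ef:00:10"),  # guest-scope address on corporate side
    ],
    "guest": [
        ("172.16.3.40", "de:ad:be:ef:00:10"),
        ("172.16.1.7", "de:ad:be:ef:00:11"),
    ],
}

def bridge_indicators(scopes, neighbours, allow_macs=()):
    """Return findings suggesting the two networks share a layer-2 path."""
    allowed = {m.lower() for m in allow_macs}
    findings, seen = [], {}
    for net, entries in neighbours.items():
        for ip_text, mac in entries:
            mac = mac.lower()
            if mac in allowed:  # e.g. a firewall legitimately on both sides
                continue
            seen.setdefault(mac, set()).add(net)
            ip = ipaddress.ip_address(ip_text)
            if ip not in scopes[net]:
                # Address belongs to another network's scope (or to none).
                owner = next((n for n, s in scopes.items() if ip in s), "unknown")
                findings.append(("foreign-address", ip_text, (net, owner)))
    # The same MAC learned on both networks means frames cross between them.
    for mac, nets in sorted(seen.items()):
        if len(nets) > 1:
            findings.append(("shared-mac", mac, tuple(sorted(nets))))
    return findings

if __name__ == "__main__":
    for finding in bridge_indicators(SCOPES, NEIGHBOURS):
        print(finding)
```

A device that legitimately sits on both networks, such as a firewall, can be passed in `allow_macs` so it is not reported.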
There are better ways
Network segmentation technology is becoming more sophisticated all the time.
Business-grade technology from the likes of Aruba HPE, Ruckus Wireless and RG Nets facilitates dynamic VLANs (Virtual Local Area Networks) which give hotels and their staff the benefit of multiple private networks and the highest levels of network security.
In addition to this, the management of data flows can also be controlled through bandwidth controls on business-grade wireless access points, enabling hotels to guarantee the performance of their networks for business and guest usage. By setting network usage ‘rules’, hoteliers can control excessive data flows, mitigating any negative effects on corporate usage.
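An added example, not taken from the article or from any vendor's product: a Python audit of a first-match inter-VLAN rule set that checks the two properties discussed above, namely that guest traffic cannot reach the corporate subnet and that the guest VLAN carries a bandwidth cap. The policy schema, VLAN names and subnets are assumptions constructed for illustration.

```python
import ipaddress

# Constructed, vendor-neutral policy (assumed schema, not any product's config).
VLANS = {
    "corporate": {"subnet": "10.10.0.0/24", "rate_limit_mbps": None},
    "guest": {"subnet": "172.16.0.0/20", "rate_limit_mbps": None},
}
# First-match rules: (action, source VLAN, destination network).
WEAK_RULES = [
    ("allow", "guest", "0.0.0.0/0"),    # internet rule placed before the deny
    ("deny", "guest", "10.10.0.0/24"),  # never reached
]
FIXED_RULES = [
    ("deny", "guest", "10.10.0.0/24"),
    ("allow", "guest", "0.0.0.0/0"),
]

def exposing_rule(rules, src_vlan, target):
    """Return the first allow rule exposing part of target, or None.

    Conservative: an allow that overlaps target is reported unless an earlier
    deny already covers the whole target. Implicit default deny is assumed.
    """
    for action, src, dst in rules:
        if src != src_vlan:
            continue
        dst_net = ipaddress.ip_network(dst)
        if action == "deny" and target.subnet_of(dst_net):
            return None
        if action == "allow" and dst_net.overlaps(target):
            return dst
    return None

def audit(vlans, rules, untrusted="guest"):
    """List segmentation and bandwidth problems for the untrusted VLAN."""
    problems = []
    for name, vlan in vlans.items():
        if name == untrusted:
            continue
        target = ipaddress.ip_network(vlan["subnet"])
        rule = exposing_rule(rules, untrusted, target)
        if rule:
            problems.append(f"{untrusted} reaches {name} {target} via allow {rule}")
    if vlans[untrusted]["rate_limit_mbps"] is None:
        problems.append(f"{untrusted} has no bandwidth cap")
    return problems

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(label, audit(VLANS, rules))
```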
What about protecting Hotel guests from one another?
So, we have discussed protecting sensitive hotel business information by segmenting corporate and guest networks, but what about the security of hotel guests?
We could consider hotel WiFi security to exist at two distinct levels.
The first one being that which we have already covered – protecting the proprietor's network – and the second being the security and protection of guests whilst they are using what is essentially a public network.
The obvious questions to ask at this stage would be particular to incentives.
Why would hotel owners and hotel IT managers want to protect their guest WiFi users?
Doing so could potentially add unrecoverable costs to the design and ongoing network management whilst generating little, if any, return or business advantage. Someone will inevitably have to pay!
This may sound a little glib, but the reality of public networks is that, regardless of whether they are in a public space, such as a town centre, or on private premises, such as a hotel, they are ‘open’ and thus are not secure. The risk and responsibility sits solely with the individual users… for the time being at least.
GDPR is always looming large
Where this line of conversation becomes highly relevant is when we begin to consider GDPR (General Data Protection Regulation).
Although the changes in GDPR regulations – especially those specific to hotels – are still unclear, it could well be the case that offering guest WiFi will require a commitment to GDPR compliance, forcing hotels to take their responsibility to their ‘public’ very seriously.
A business case for Next Generation Firewalling?
Should hoteliers suddenly have a requirement for robust ‘duty-of-care’ and GDPR compliance, the technology available from products such as Palo Alto Networks’ Next Generation Firewalls can remedy the situation very effectively.
With Hotels essentially acting as Internet Service Providers (ISPs), blocking access to pornography or hacking websites, for instance, will be an absolute priority, and will be especially prevalent for larger hotel operators who are more likely to have a brand and a public image to uphold.
For smaller hotels, the consequences of a non-segmented network are increasingly complex and could potentially lead owners and operators into some unpleasant legal wormholes.
Suppose a hotel guest makes use of the un-segmented guest network to illegally download a movie via a BitTorrent website. In much the same way as can happen on domestic networks, the ISP could flag this to the media owner – 21st Century Fox for instance – who are well within their rights to pursue legal action against the network owner. For them, the fact that ‘Mr Hotel Owner’ may or may not have downloaded the movie is moot.
Imagine a similar scenario in which the movie download is replaced by the download of explicit imagery – highly uncomfortable for the unassuming hotelier, I think you’d agree.
But hotels don’t want to act as ‘censors’?
Here we come ‘full circle’ back to the beginning of this article – with hotels finding themselves in a somewhat unusual and potentially tricky situation.
Although there are some clearly defined lines between what is legal and what is illegal in terms of online content, there is another category which could more accurately be described as ‘distasteful’ yet in legal terms is perfectly fine.
Do hotel owners spend their valuable time and resources to monitor and censor this behaviour (an activity which has no direct returns)?
“No”, as Simon Casson, President of Operations at the Four Seasons Hotels and Resorts, told us in a recent interview.
“I don’t think Hotels ought to be viewed as ‘content controllers’, and, in a similar vein, we are not pushing our own content to WiFi users as we find this to be counterproductive.”
He went on to suggest that, “In fact, you could suggest that it is the country-wide, or even government-level, responsibility to manage content that is acceptable or available in any particular country. So, if you are in the UK and you can access something then that should be fine. The situation where I am based, in Dubai, is a little different in that, should a user wish to access, say, pornography, they simply can’t as this type of content is blocked on a broader level.”
Of course, the easiest way to mitigate these types of risks is to enforce terms and conditions at the point of access – something which is not always available with ‘consumer’ grade network solutions.
Hotels need WiFi expertise, fast!
All of the above - alongside the numerous other hotel WiFi articles we have written previously - points to a situation in which a high level of expertise is required to remedy many of the pain points currently being experienced by hotels with regards to technology.
What becomes quite apparent when we discuss these issues with our hospitality customers is that the investment required to create a truly business-grade WiFi estate is often too high. And this, combined with hoteliers having been able to provide WiFi services with consumer-grade kit for years previously, only serves to add to the growing burden.
So what’s the solution to this ‘burden’? Hotel WiFi as a Service (H-WaaS). Contact our team to talk about our WiFi-as-a-Service model.
For advice on anything from designing or upgrading your hotel WiFi network and associated systems to the deployment of security solutions like Next Generation Firewalls and Endpoint Network Security, please contact Ensign Communications for a chat with our technical team.