This article originally appeared in the April 2011 issue of InfoTECH SPOTLIGHT
Who would have imagined back in 1973 when Martin Cooper made the first cellular phone call, that one day we’d be booking airline tickets, paying bills, taking pictures, watching movies, getting directions and accomplishing real work on a device the size of a deck of cards?
Mobile devices are computers in their own right, with a huge array of applications, significant processing capacity, and the ability to handle high bandwidth connections. IT executives are looking to give employees access to internal business applications from their smartphones and mobile devices. Because these devices are so prevalent, however, identifying them as legitimate endpoints is a challenge for IT, especially when it comes to security and compliance. As more employee-owned mobile devices appear on the corporate network, mobile device management is going to be a key IT initiative to reduce the risk of insecure access inside the firewall.
Many organizations already allow employees to access business resources from their personal computers; giving them access from their personal mobile devices is the next hurdle. Technologies like SSL VPN have made it easier for organizations to inspect a client, know its security posture, and allow a certain level of access based on policy. With mobile platforms, however, it can be hard to determine if a device complies with corporate access policy.
Giving employees portal access to internal web applications such as intranet sites, wikis, and Microsoft SharePoint is a good starting point. IT administrators should also create and manage access control lists (ACLs) to limit user access to certain resources. For instance, administrators can create whitelists or blacklists of sites and specify a particular path within a web application, such as /contractors or /partners. Based on the device check and the authenticated user group, that device would only be able to navigate to those assigned resource paths.
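As an added illustration (not code from the article or any product it describes), here is a small Python policy evaluator in the spirit of the device check plus group-based path ACL described above; the groups, path prefixes, posture threshold and function names are all constructed assumptions. It also normalises the requested path so that a traversal sequence cannot escape an assigned prefix.

```python
from dataclasses import dataclass
from posixpath import normpath

# Hypothetical policy model (not from the article): each user group maps to the
# web-application path prefixes it may reach; a device posture check gates everything.

@dataclass
class Device:
    os_version: str
    passcode_set: bool

@dataclass
class AccessRequest:
    user: str
    groups: frozenset
    device: Device
    path: str

# Constructed whitelist: group -> allowed path prefixes inside the web application
GROUP_PATH_ACL = {
    "contractors": ("/contractors",),
    "partners": ("/partners",),
    "employees": ("/intranet", "/wiki", "/sharepoint"),
}
DENIED_PREFIXES = ("/admin",)  # constructed blacklist applied to every group
MIN_OS_VERSION = (4, 0)        # constructed posture threshold

def device_compliant(dev):
    ver = tuple(int(p) for p in dev.os_version.split("."))
    return dev.passcode_set and ver >= MIN_OS_VERSION

def _under(path, prefix):
    # Match whole path segments only, so /contractorsX is not mistaken for /contractors
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def decide(req):
    # 1. Device check first: a non-compliant device gets nothing, whoever the user is
    if not device_compliant(req.device):
        return "deny", "device non-compliant"
    # 2. Normalise so traversal such as /partners/../admin is evaluated as /admin
    path = normpath("/" + req.path.lstrip("/"))
    if any(_under(path, d) for d in DENIED_PREFIXES):
        return "deny", "blacklisted path"
    # 3. Whitelist: union of prefixes for the authenticated user's groups
    for prefix in (p for g in sorted(req.groups) for p in GROUP_PATH_ACL.get(g, ())):
        if _under(path, prefix):
            return "allow", f"{prefix} via group"
    return "deny", "path not in whitelist"
```

The returned reason string is what a gateway would write to its access log, which is the detailed accounting the article calls for when unmanaged devices reach internal applications.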
To safely allow network access from a mobile device, administrators must ensure that the organization’s authentication and authorization software is properly installed and configured. For example, administrators can configure a connection to be automatically triggered whenever a certain domain or hostname pattern is matched.
The network that a mobile device is connected to presents another challenge because of potential issues with latency and users roaming from one network to another. When there are network outages, when users are roaming, or when a device comes out of standby mode, features such as auto-reconnection enhance the user experience. Mobile SSL VPNs should be able to encrypt and accelerate client traffic between gateways and data centers, offering secure and optimized application access to mobile devices. If a user is on a high-latency mobile network, adaptable compression algorithms in some gateways can ensure downloads arrive quickly.
When a mobile device connects over a VPN tunnel, it’s even more critical to ensure that it adheres to ACL access restrictions. Even for trusted mobile devices, IT might still want to restrict user access to certain subnets within the infrastructure based on organization, role, or other criteria. If there are compliance requirements for corporate access, detailed logging and accounting are critical, especially when applications are accessed from unmanaged devices.
Policy and access management features are also important so administrators can quickly and easily create secure, granular access control policies on an individual or group basis. Flowchart-like GUIs give administrators point-and-click control to seamlessly add devices to an existing system or to create new macro policies exclusively for mobile devices.
With capable VPN gateways or controllers, users can get simple, streamlined access to web applications without needing full network access. This can simplify login for users and provide a new layer of control for administrators. When mobile devices have full VPN access, integrated optimization and acceleration technologies can enhance the mobile experience. Either way, administrators must maintain granular control; IT should not have to provision and manage multiple units simply to allow a new device type secure access to resources.