Connecting the untethered employee
A white paper by F5 Networks
Meet Lerato, a Johannesburg-based sales rep. At home preparing for a customer visit, she opens her laptop to check e-mail and connect to her company's CRM system to make a few necessary updates. She lets the dog out, makes a cup of coffee, and before long realises she's already running late. She'll need to finish her CRM entry during the Uber ride using her mobile device.
Halfway across the country in Durban, Sam, an IT lead at the same company, is logging in at corporate head office. Managing mobile access and devices for over 500 employees, his job sometimes feels like a balancing act - making sure all the devices and data are secure, ensuring regulatory compliance, and providing employees with what they need, when they need it, wherever they are.
At the same time on the Western Cape, the company's CFO, Sibusiso, is leaving a hotel in Cape Town to catch a flight back to Durban for an investor's meeting. Constantly travelling, he uses his tablet to do prep work during his flight. He routinely needs to access sensitive financials, which makes him a bit uneasy - how secure is the connection, and what if he loses his tablet or it's stolen?
These scenarios are common in today's workplace. Employees are increasingly untethered from desks and more connected through smartphones or tablets. Demand for corporate access from their mobile devices is rising, and that's fuelling today's "bring your own technology" (BYOT) movement. A transformative force in today's modern enterprise, BYOT promises to deliver many benefits, yet it also introduces new considerations and complexities.
Benefits and risks of BYOT
How do organisations provide easy, secure access to virtual desktops, applications, and online services? How does IT simplify management while ensuring availability and security? Many enterprises are struggling to support the increasing mix of corporate-issued and personal computing devices and also ensure those workers have appropriate secure access to the resources they need to do their job while on the go. This includes e-mail, CRM, ERP, and any other sensitive internal resources that are critical to the day-to-day business operations. While these represent huge challenges for IT departments, ease of access also opens the door to new opportunities for increased employee productivity, improved client satisfaction, faster time to market - greater competiveness.
For mobile and remote employees like our Johannesburg-based sales rep, Lerato, a corporate-issued laptop and a personal smartphone are typically used for work. That requires traditional VPN access for the laptop and a mobile device management (MDM) or enterprise mobility solution for the smartphone. For users like our CFO, Sibusiso, sensitive data loss is a primary concern. On an IT-issued laptop or mobile device, a VPN client is typically provided so that a certificate, registration key, or some other digital identifier can be used to authorise access to appropriate systems. However, when Sibusiso uses a personal tablet, the security of the data, device, and applications become a chief consideration. Personal mobile apps must not have access to sensitive business information and, in case a device is lost or stolen, the ability to remotely secure or wipe data is critical. Add to all this, the need to access information on other systems, including cloud applications, which bring federated identity and SSO into the picture.
A key challenge with many BYOT implementations is that they impose enterprise controls over all applications and information - so, personal as well as work-related data. For instance, an employee leaves a company and his personal device is wiped by the organisation, so he loses family photos along with enterprise data and applications. In addition, there are privacy concerns when an employee uses the same mobile app, for example, e-mail, for both corporate and personal messages.
From an IT perspective, organisations agree, they don't want to concern themselves with personal data and applications. As soon as IT manages the entire device or simply connects that device to the corporate network via VPN, the personal traffic on that device becomes an IT problem. In Sibusiso's and Lerato's case, many personal items would be intermingled with corporate information. This can be a corporate risk if sensitive data is leaked and a personal risk if family pictures are deleted.
IT administrators like Sam are focused on controlling the devices - corporate-issued or personal - connecting to their network. This includes tracking the inventory, monitoring for threats and vulnerabilities, and protecting corporate information. At the same time, IT administrators must simplify the process of provisioning devices for Wi-Fi and VPN while also configuring access to e-mail, contacts, calendars, and other essential communication tools.
These IT administrators need to support multiple employees at multiple locations with multiple devices. They must also limit the burden associated with securing and controlling personal mobile use and data, and safely separate personal use and data from corporate oversight. This includes managing devices globally, by groups or individual devices, and pushing policies and configuration requirements to company divisions quickly and easily while enforcing compliance. IT administrators also require tools that interoperate with a heterogeneous device environment that includes platform as different as Android, iOS, Windows Phone, and others.
The flipside to the convenience and flexibility of BYOT is the risk that is introduced to the corporate infrastructure when allowing unmanaged and potentially unsecured personal devices to access sensitive, proprietary information. Applying security across multiple vendors' devices that all run on different platforms is becoming increasingly difficult.
To solve these types of challenges, organisations need dynamic policy enforcement to govern the way they now lock down data and applications. As is the case with laptops, if an employee logs in to the corporate data centre from a compromised mobile device that harbours rootkits, key loggers, or other forms of malware, then that employee, who has direct access to the corporate data centre, becomes as much of a risk as a hacker.
While Bring Your Own Device/Technology is a hot topic, it is only one part of an overall secure mobility strategy. As seen in the above scenarios, from our sales rep to our IT lead and CFO, today's corporations need to support a mix of managed and unmanaged devices on their network. The question is, where to start?
Several considerations, one unified solution
Organisations looking to get a handle on their enterprise mobility challenges often seek multiple solutions to solve pieces of the puzzle since building an end-to-end solution often requires a multi-vendor approach. An organisation could use a classic remote access solution to allow VPN access from corporate and personal computers, laptops, and mobile devices. It could also use a mobility device management (MDM) solution. Both solutions need to easily integrate with an organisation's existing infrastructure, especially the directory services.
F5 and VMware have thoroughly tested and documented the benefits of using F5 Application Delivery Networking (ADN) solutions with the VMware End User Computing (EUC) platform to address needs for secure access, a single namespace, load balancing, server health monitoring, and more. Let's explore this collaboration in more detail.
VMware's EUC platform addresses three core areas:
• Application and desktop virtualisation. Deliver virtual or remote desktops and applications on demand through a single platform.
• Mobile management. Manage and protect mobile devices, applications, e-mail, and content while accelerating the mobile strategy.
• Content and collaboration. Enable colleagues to have secure mobile access to documents and private social networking anytime, anywhere.
Collectively, the VMWare suite of solutions, VMware Workspace Portal, VMware Horizon, and AirWatch by VMware, combines application, device, and data management with centralised identity management and policy enforcement.
Both Horizon and Workspace Portal enable secure, streamlined, and simple access to applications across a variety of devices, helping drive anywhere productivity and collaboration from a centralised web portal. The VMware Workspace Portal itself works as a service aggregator, which lessens the burden on Sam, and provides Lerato with centralised delivery and management for all her corporate apps across multiple devices. Together with an F5 BIG-IP solution, VMware Workspace Portal delivers all the critical business services Lerato needs, more reliably and with greater performance. VMWare Horizon enables Sam to protect corporate information and ensure regulatory requirements by delivering secure remote access across mobile devices.
To support workforce mobility, AirWatch by VMware provides a simplified, efficient way to view and manage all devices from the central admin console.
Sam can manage, monitor, and secure all the mobile devices requesting access, pushing VPN, e-mail, and Wi-Fi settings to devices and also locking, tracking, and wiping devices as needed. Auto enrolment for Lerato ensures her devices are compliant with corporate policies. Additionally, Sam can choose to manage just the corporate information being accessed from devices and leave the personal data alone.
BYOT minus the compromise
There's no denying that Bring Your Own Technology has the potential to drive great benefits, from significant cost savings to improved employee productivity, but it's certainly not without some risk. Implementing BYOT requires strategic points of control in the IT infrastructure to realise the promised benefits without compromised security and availability. The advantages of deploying a virtualised solution like VMware End User Computing solutions throughout the enterprise are unquestionable. When deploying the F5 BIG-IP system alongside it, organisations can achieve the higher security, availability, and scalability necessary to protect their investments and their users, all while driving a strong user experience. With straightforward deployment options from F5 and VMware, organisations have the strategic control points they need for mobile applications from the endpoint to the data centre and to the cloud.
Authorised F5 Networks distribution partner, Networks Unlimited, sells F5 systems and solutions throughout Africa. Please contact Alexa Gerber, product manager: F5 at Networks Unlimited, at alexa.gerber@nu.co.za for more information.