Reflections on the evolution of Mobile Access Control
It really was much simpler back in the days for IT departments… I’m talking, of course, about when blackberry ruled, and there was one single paradigm of mobile access to corporate data – the blackberry way. It was cool, and innovative, and therefore RIM reign was absolute. The BYOD term wasn’t coined until later, but the mobile productivity term has since been a sought-after goal for almost all large organizations, and today we see abundance of paradigms – from Bring-Your-Own (BYO) to Corporate-Owned-Personally-Enabled (COPE), from Choose-Your-Own (CYO) to Corporate-Own-Business-Only (the latter is closest to the traditional blackberry model), and Google’s latest addition to the pack – Company-Owned-Managed-Profile (COMP). This rich variety of paradigms is backed by many technologies evolved in recent years (to name a few – containers, MDM/MAM/MCM, device encryption, DLP, VPN and the list goes on) many of them require some device management capabilities, and some in lieu require no managed capabilities to support growing BYOD demand for unmanaged scenarios.
In my eyes, this rich variety of technologies and paradigms stresses an interesting, though obvious, observation – There is still no best practice to handle mobile productivity, nor industry standard for mobile security strategy. Yes, EMM solutions seem to take the higher ground on this challenge, but there are still many organizations who seek other approaches, and enough vendors who offer different methods.
This makes sense if you look at the evolution of enterprise IT and the constant challenge to gain endpoint control. Endpoints are a necessary part of the corporate infrastructure, and users often feel a sense of personal ownership over the devices they use at work. Visiting customers, partners, and the demand of BYO devices added to IT frustration with the problem of device ownership and management. Each of these scenarios creates a different use case, creating frustration for both IT and the device owners.
Traditionally, the approach to unmanaged devices trying to get access to organizational resources was denial of access. Then visitors entered the picture. IT had to decide how to hook up persistent LAN ports in the conference rooms contrary to corporate security policy. Then came Wi-Fi and the conversation turned a little with the answers, “yes, we can create a guest Wi-Fi” and “yes, it can be persistent.” That solved the issue for visitors. However, corporate-owned systems and BYOD are causing a bit more friction.
Corporate-owned devices still have the issue of personal attachment or perceived ownership; users want to download and install applications and use them like their own personal device. Added to this are the myriad users who, for one reason or another, have administrative-level control on their devices. This creates a situation where organizations have a less trustable device acting as an agent within its boundaries.
BYOD drives a similar problem, only worse. These devices are totally un-trustable and yet at a minimum, they demand access to email. From there they may move on to file share and other data repositories as well as key business applications. Business users, like visitors, generally do not allow the installation of an agent on their personal devices and not all organizations have a mobile device or mobile application management solution. This means many business admins have no control over and little visibility into these devices and are, in many cases, caught between a rock and a hard place when it comes to security.
Adaptive Access Control
From a traditional approach perspective, access has been all or nothing. However, this does not fit today’s business environments. Users and employees demand access from a plethora of devices on multiple operating systems and hardware platforms and the word NO is no longer in the business, productivity and management best interest.
This means that to meet the business and user requirements, a solution must allow for grades or levels of access based on the level of trust in the device. Flexible control requires that each device can be interrogated to determine if it meets organizational policy, which is different for each use case and probably has multiple levels within any or all the use cases. Owned and fully managed devices must meet the most stringent policy but are also granted the most open access. Devices that are owned but co-managed by IT may not require as stringent a policy but are somewhat limited in access; user-owned devices, depending on their management status, have other policies assigned to them and most likely the least amount of access. The key is that everyone gets some level of access per business risk tolerance and operating needs. If a device falls out of compliance, its access is revoked until it is back into compliance. The user is notified about why access was declined and in many cases, can be offered a solution to obtain renewed compliance, such as offering the latest application versions, patches, and other updates.
In today’s world where endpoints are under constant attack, they must also be under constant scrutiny to determine if they are eligible to access resources. Control is referring to control over corporate resources, not the devices. Like public hotspots where users have the option to accept the user agreements and connect or not accept and move on, users have the option to comply or not to comply with policies required by the business to gain access to the resources. The business must understand the use cases that apply to its environments, the level of access they are willing to provide, and the risks that those choices incur. Once those are defined, adaptive policy-based control allows network access based on device posture. The organization’s security policies can be automatically assessed, compliance can be remediated, and business will get done. On the contrary, failing to make those choices and decisions opens the business to higher risk (no controls) or work productivity impacts (control is too restrictive).
Contributed by Effi Goldstein, VP Product