Empowering a Mobile Workforce, by Jeromy Markwort, for NLIT 2011
DESCRIPTION
Markwort JM. 2011. "Empowering a mobile workforce: Making personally owned as well as corporate devices effective in an increasingly mobile world." Abstract submitted to NLIT, Vail, CO. PNNL-SA-78310.
TRANSCRIPT
Empowering a mobile workforce: Making personally owned as well as corporate devices effective in an increasingly mobile world
Jeromy Markwort
Service Manager, Wireless and Remote Access
Pacific Northwest National Laboratory
PNNL-SA-78310
Outline
History
Remote Access strategy workshop
  Key pain points from researchers
Changes to Remote Access
  AnyConnect pilot (Win7)
  Web Portal (proxy for all clients)
Wireless changes
Email on SmartPhones
History
Wireless Pilot (circa 2001)
  Wireless viewed as insecure and therefore outside the firewall
  VPN required to reach internal PNNL resources
  Persistent ideology, but changing
Red Team (2009)
  Led to significant change in security and to the requirement to check client health prior to access from VPN
Until fall 2010, BlackBerry was the only supported email option for mobile devices.
Access options as of Fall 2010
Ownership | Device | Option | Access
PNNL | Laptop | VPN | Full tunnel with full access after Cisco NAC posture assessment
Personal | Laptop | VPN | Limited access: RDP, SSH, VNC, no web
PNNL | Laptop or SmartPhone | Wireless | Internet access, but VPN required for internal access
Personal | Laptop or SmartPhone | Wireless | None
PNNL | SmartPhone | Email | BlackBerry
Personal | SmartPhone | Email | None
How we got here (lowering the waterline)
Red Team event reaction and the need for “unsupported” collaboration tools (Skype, Gmail, etc.) led to staff using personal devices to “get work done.”
More and more wireless devices (viewed as insecure/external) entering our environment, and staff desire for mobility.
Mobile internet users to surpass PC
Source: http://www.morganstanley.com/institutional/techresearch/pdfs/Internet_Trends_041210.pdf
Has mobile “jumped the shark?”
Not even close!
Trend: Personally owned
Source: http://www3.ipass.com/about/mobile-workforce-report/archive/mwr-2010-review/top-5-trends/
How is PNNL responding to support these trends?
Change NAC methodology (#1 staff pain point from Remote Access Strategy 2010: no local admin)
  Move full-tunnel IPsec VPN to Cisco AnyConnect SSL VPN
  Integrated posture assessment vs. separate VPN client and agent
  Appropriate access based on:
    User (what the user should have access to)
    OS and patch level
    Machine (PNNL vs. personally owned)
    Machine health (proper patches, AV, AV definitions)
  Very flexible
  Good reporting
Reporting: full vs. limited access
[Chart: daily connection counts (0 to 1600) for Limited Access and Full Access]
Reporting: access by OS
[Chart: connections per OS and access tier (Limited, Full) for Linux, iPhone, Macintosh, Windows 7, Windows Vista and Windows XP, sampled 2011-02-03 through 2011-02-11; y-axis 0 to 140]
Reporting: access by OS, unique per day
[Chart: unique connections per day per OS and access tier (Limited, Full) for Linux, iPhone, Macintosh, Windows 7, Windows Vista and Windows XP; y-axis 0 to 800]
Reporting: unique OS per day
[Chart: unique devices per day for Linux, iPhone, Macintosh, Windows 7, Windows Vista and Windows XP; y-axis 0 to 800]
Reporting: data moved
[Chart]
What’s it worth?
Remote Access = average ~3100 connected hours/day
$100/hr * 3100 = $310,000/day of productivity
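The reporting slides (connections per OS and tier, unique users per day) and the "What's it worth?" arithmetic all derive from the same raw material: per-session records from the VPN concentrator. The following is an added example, not PNNL's reporting code, showing how those series are built from session records and how a session that crosses midnight is attributed to both days. The record format (one session per line: start, end, user, OS, tier, with the same yyyymmdd-hhmm timestamps as the chart axes) and the sample sessions are constructed for this example; real AnyConnect/ASA syslog looks different and would need its own parser.

```python
"""Session-record reporting: unique users per OS and tier per day, connected
hours per day, and the productivity figure from "What's it worth?".

Added example, not PNNL's reporting. The record format is constructed for
this example (one session per line: start end user os tier); real
AnyConnect/ASA syslog looks different and would need its own parser.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y%m%d-%H%M"   # same yyyymmdd-hhmm style as the chart axis on the slides

# Constructed sample sessions; one spans midnight and one line is malformed.
SAMPLE_LOG = """\
20110203-0802 20110203-1145 alice Windows7 full
20110203-0915 20110203-1702 bob Macintosh limited
20110203-1000 20110203-1100 frank Windows7 full
20110203-1302 20110203-1330 alice Windows7 full
20110203-1310 20110203-2100 carol iPhone limited
20110204-0730 20110204-1630 alice Windows7 full
20110204-0800 20110204-1200 dave WindowsXP full
20110204-1502 20110204-1630 bob Macintosh limited
20110204-2200 20110205-0200 erin Linux full
garbage line that the parser must skip
"""


def parse_sessions(text: str) -> list[dict]:
    """Parse records, dropping malformed lines and sessions that end before they start."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            start = datetime.strptime(parts[0], TS_FORMAT)
            end = datetime.strptime(parts[1], TS_FORMAT)
        except ValueError:
            continue
        if end < start:
            continue
        sessions.append({"start": start, "end": end,
                         "user": parts[2], "os": parts[3], "tier": parts[4]})
    return sessions


def unique_users(sessions: list[dict]) -> dict[tuple[str, str, str], int]:
    """(day, os, tier) -> distinct users: the series behind 'access by OS, unique per day'."""
    seen: dict[tuple[str, str, str], set[str]] = defaultdict(set)
    for s in sessions:
        seen[(s["start"].date().isoformat(), s["os"], s["tier"])].add(s["user"])
    return {key: len(users) for key, users in seen.items()}


def connected_hours(sessions: list[dict]) -> dict[str, float]:
    """day -> connected hours; a session crossing midnight is split across both days."""
    hours: dict[str, float] = defaultdict(float)
    for s in sessions:
        cursor = s["start"]
        while cursor < s["end"]:
            next_midnight = datetime.combine(cursor.date() + timedelta(days=1), datetime.min.time())
            segment_end = min(next_midnight, s["end"])
            hours[cursor.date().isoformat()] += (segment_end - cursor).total_seconds() / 3600
            cursor = segment_end
    return dict(hours)


def productivity_value(hours_by_day: dict[str, float], rate_per_hour: float = 100.0) -> dict[str, float]:
    """Apply the slides' $100/hr figure to connected hours per day."""
    return {day: round(h * rate_per_hour, 2) for day, h in hours_by_day.items()}


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for key, n in sorted(unique_users(sessions).items()):
        print(key, n)
    hours = connected_hours(sessions)
    print(hours, productivity_value(hours))
```

Counting distinct users per (day, OS, tier) rather than sessions is what makes the "unique per day" chart differ from the raw connection chart: a user who reconnects three times in a day is still one user. Splitting sessions at midnight keeps the connected-hours figure honest for overnight tunnels, which otherwise inflate whichever day the session happened to start on.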
Web Portal
Access to internal websites from any machine. Clientless (no app to install) and no admin rights required.
Advanced application access: browser or Smart Tunnel access for RDP (others possible)
Access options: current
Ownership | Device | Option | Previous access | Current access
PNNL | Laptop | VPN | Full tunnel with full access after Cisco NAC posture assessment | Full access with better user experience
Personal | Laptop | VPN | Limited access: RDP, SSH, VNC, no web | Same, plus Web Portal
PNNL | Laptop or SmartPhone | Wireless | Web access, but VPN required for internal access |
Personal | Laptop or SmartPhone | Wireless | None |
PNNL | SmartPhone | Email | BlackBerry |
Personal | SmartPhone | Email | None |
Wireless for PNNL staff personal devices
Spring 2010: changed policy to allow staff’s personally owned devices to join our visitor wireless network
This was a paradigm shift. Previously, though not against policy, staff were uncomfortable bringing in personally owned devices. iPhones changed this and opened the door.
Internet access only; VPN required and the only option for business use.
Wireless improvements
Implemented an advanced certificate-based wireless network with internal access (EAP-TLS).
Paradigm shift: trusted wireless network
Previously ~50 users VPN’d in from on-campus wireless at the peak of the day (probably easily hundreds of unique users).
Big productivity boost
License/cost savings (no VPN)
Used as a carrot to move users to a current OS (Win7 and Snow Leopard only).
  Win7 managed through Group Policy
  Snow Leopard through custom script
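The access-option tables in this deck are a decision matrix: ownership, access path (VPN or wireless) and machine health together select a tier. The integrated posture assessment described under "How is PNNL responding" evaluates that matrix at connect time, and the EAP-TLS wireless network above applies the same idea to the wireless path (lab asset on a current OS gets internal access, everything else gets internet only). The following is an added example, not PNNL's or Cisco's code, that encodes the matrix as a policy function returning both the tier and the reasons, so the decision can be logged and audited. The health thresholds (30-day patch window, 7-day AV definition age), the list of current operating systems (the two the slides name), the sample postures and the handling of a lab laptop that fails posture are assumptions made for this example.

```python
"""Access decision from device posture, following the access-option matrix
in these slides (ownership and path -> full, limited, internal or internet).

Added example, not PNNL's or Cisco's code. The health thresholds, the list
of current operating systems, the sample postures and the handling of a lab
laptop that fails posture are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Tier(Enum):
    FULL = "VPN full tunnel, full internal access"
    LIMITED = "VPN limited access: RDP, SSH, VNC and web portal"
    INTERNAL = "certificate-based (EAP-TLS) wireless with internal access"
    INTERNET = "wireless internet only; VPN required for internal access"
    NONE = "no access"


CURRENT_OS = {"Windows7", "SnowLeopard"}   # assumption: the two OS versions the slides name
MAX_PATCH_AGE = timedelta(days=30)         # assumption
MAX_AV_DEF_AGE = timedelta(days=7)         # assumption


@dataclass
class Posture:
    lab_owned: bool        # PNNL asset (True) or personally owned (False)
    os_name: str
    last_patched: date
    av_running: bool
    av_defs_updated: date
    path: str              # "vpn" or "wireless"


def health_failures(p: Posture, today: date) -> list[str]:
    """List the posture checks the device fails; an empty list means healthy."""
    failures = []
    if p.os_name not in CURRENT_OS:
        failures.append("OS not current")
    if today - p.last_patched > MAX_PATCH_AGE:
        failures.append("patches older than 30 days")
    if not p.av_running:
        failures.append("antivirus not running")
    if today - p.av_defs_updated > MAX_AV_DEF_AGE:
        failures.append("antivirus definitions stale")
    return failures


def decide(p: Posture, today: date) -> tuple[Tier, list[str]]:
    """Map ownership, access path and health to a tier, with reasons for the access log."""
    failures = health_failures(p, today)
    if p.path == "vpn":
        if p.lab_owned and not failures:
            return Tier.FULL, []
        # Personal laptops never get the full tunnel; a lab laptop that fails
        # posture is dropped to the same limited tier (assumption).
        reasons = failures if p.lab_owned else ["personally owned device"]
        return Tier.LIMITED, reasons
    if p.path == "wireless":
        # The EAP-TLS network is provisioned only for lab assets on a current OS;
        # everything else lands on visitor wireless with internet access only.
        if p.lab_owned and p.os_name in CURRENT_OS:
            return Tier.INTERNAL, []
        return Tier.INTERNET, ["OS not current" if p.lab_owned else "personally owned device"]
    return Tier.NONE, ["unknown access path: " + p.path]


TODAY = date(2011, 2, 10)   # constructed reference date for the sample postures

# Constructed sample postures covering each row of the access-option table.
SAMPLE_POSTURES = {
    "lab_laptop_healthy": Posture(True, "Windows7", date(2011, 2, 1), True, date(2011, 2, 9), "vpn"),
    "lab_laptop_stale_av": Posture(True, "Windows7", date(2011, 2, 1), True, date(2011, 1, 15), "vpn"),
    "personal_laptop": Posture(False, "Windows7", date(2011, 2, 1), True, date(2011, 2, 9), "vpn"),
    "lab_laptop_wifi": Posture(True, "Windows7", date(2011, 2, 1), True, date(2011, 2, 9), "wireless"),
    "lab_xp_wifi": Posture(True, "WindowsXP", date(2010, 12, 1), True, date(2011, 2, 9), "wireless"),
    "personal_phone_wifi": Posture(False, "iPhone", date(2011, 1, 20), False, date(2011, 1, 20), "wireless"),
}


def decide_all(today: date = TODAY) -> dict[str, tuple[Tier, list[str]]]:
    """Evaluate every sample posture; handy for a quick policy regression check."""
    return {name: decide(p, today) for name, p in SAMPLE_POSTURES.items()}


if __name__ == "__main__":
    for name, (tier, reasons) in decide_all().items():
        print(f"{name:22s} -> {tier.name:8s} {reasons}")
```

Returning the reasons alongside the tier is the part worth copying: it is what lets the reporting slides distinguish "limited because personally owned" from "limited because the AV definitions are a month old", and it gives the help desk something concrete to tell a researcher who expected full access.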
Wireless usage is growing…
Access options: current
Ownership | Device | Option | Previous access | Current access
PNNL | Laptop | VPN | Full tunnel with full access after Cisco NAC posture assessment | Full access with better user experience
Personal | Laptop | VPN | Limited access: RDP, SSH, VNC, no web | Same, plus Web Portal
PNNL | Laptop or SmartPhone | Wireless | Web access, but VPN required for internal access | Internal access
Personal | Laptop or SmartPhone | Wireless | None | Internet
PNNL | SmartPhone | Email | BlackBerry |
Personal | SmartPhone | Email | None |
Email on mobile phones
BlackBerry: 722
  PNNL: 427
  Personal: 295
Good: 613
  Android: 185
  iOS: 419
    iPad: 22
    iPad2: 3
    iPhone: 368
    iPhone CDMA: 25
1335 total mobile devices
Mobile device increase
Access options: current
Ownership | Device | Option | Previous access | Current access
PNNL | Laptop | VPN | Full tunnel with full access after Cisco NAC posture assessment | Full access with better user experience
Personal | Laptop | VPN | Limited access: RDP, SSH, VNC, no web | Same, plus Web Portal
PNNL | Laptop or SmartPhone | Wireless | Web access, but VPN required for internal access | Internal access
Personal | Laptop or SmartPhone | Wireless | None | Internet
PNNL | SmartPhone | Email | BlackBerry | Same
Personal | SmartPhone | Email | None | Plus Good Technologies
Future
Better support for iPad (maybe Android)
Easier access to the portal for devices that can’t join the advanced wireless network on campus.