How VPNs Help Providing Secure Mobile Workplaces
Mobile workplaces are a trend and whether companies like it or not – employees demand this work concept. Do you also struggle making mobile yet highly secure workplaces come true? Download our latest e-book and see how VPNs can help you with this matter!
IT Security
Secure Business Connectivity
Wrestling with Mobile Workplaces: VPNs Provide the Foundation for Secure Networking
Benefits and Downsides of Mobile Workplaces
  The Benefits of Mobile Workplaces
  The Downsides of Mobile Workplaces
Security Issues
  Why is it that Especially Mobile Devices Present Such a Big Issue for the Company IT?
  Access to Content Repositories
  App-Security
  Mobile Device Management
  Mobile Data Access
  Application Publishing
Developing a Strategy for Mobile Workplaces
  Technical Approach to a Successful Mobile Workplace Realization
  Different VPN Types for Different Situations
  IPsec VPNs
  SSL VPNs
  Selecting the Optimal VPN Solution
Creating Best Practices that Will Maximize Employee Productivity
  Maximize Employee Participation
  Ensure Employees Have the Productivity Tools They Need
  Free Use of Personal Apps and Services
  Offer Self-Service Support for Everyday Activities
  Broad Choice of Devices
Avoiding the Security Pitfalls of a Mobile Workplace Deployment
  Ignoring Common Threats
  Taking a One-Size Fits All Approach
  Failing to Educate Users
  Assuming Users Will Follow Security Policies
Conclusion
Interested?
Footnotes
Wrestling with Mobile Workplaces: VPNs Provide the Foundation for Secure Networking
It’s hardly a secret that mobile working is the dominant trend among employees, in small and large businesses alike. Gartner predicts that by 2015, there will be nearly 300 million tablets and two billion smartphones used by workers. IT teams have discovered that it is impossible to buck this trend and they are learning to embrace and manage it. The employees’ main motivation to work mobile is both the comfort level and anytime, anywhere access to information from their organization’s databases and servers. Often, mobile working is taken to mean the use of smartphones only. However, it comprises many more scenarios than the use of smartphones. Generally speaking, mobile working just means using any device for accessing corporate resources from anywhere. Thus, we are talking about tablets, notebooks and even desktop PCs as well.
This has to be considered when implementing a mobile workplace strategy within the company since different devices and operating systems might be used – with different implications for IT security. To be most effective, it is advisable not only to consider the different scenarios and associated peculiarities but also to develop a strategy that fits the company’s needs across all kinds of devices. To support this, the use of modern VPN technology solutions is most beneficial for companies – from a management as well as a security perspective. We will discuss the different types of VPNs as well as critical aspects when choosing an appropriate VPN solution below.
To quantify the impact of mobile workplaces on organizations of all sizes, the Software Advice blog surveyed organizations ranging in employee count from 3 to more than 110,000.
The survey also revealed that employees use their mobile devices (whether company or employee-owned) approximately equally for business and personal use. For business purposes, 67 percent of employees use devices for business emails, phone calls and other correspondence, 48 percent access corporate tools and applications and 44 percent use it for professional networking (1).
Figure 1: More than 54% of employees use both company-issued and personal devices.
Benefits and Downsides of Mobile Workplaces
The Benefits of Mobile Workplaces
Besides the fact that companies allowing their employees to work from anywhere have a competitive advantage due to increased agility, flexibility, and ability to respond to changing circumstances, mobile working facilitates higher workforce productivity, too. One should not forget that with mobile workplaces companies are also able to decrease costs: less office space is required and energy costs can be decreased if employees work from a remote location; on the other hand, company IT processes can be optimized and require less administration effort. From an employee perspective, higher productivity especially comes from increased mobility as well as the anytime/anywhere access to business-critical information and applications. This gives employees more power and freedom to successfully and quickly satisfy customer demands and requests, thereby increasing employee motivation, too.
The Downsides of Mobile Workplaces
Downsides or potential risks have to be equally considered when discussing a mobile workforce strategy, of course. However, although it is important to know about these issues, it has to be stated that most of the issues can be completely solved by applying the right strategy and technology. In the following we present the most common risks, followed by guidelines and tips on how to overcome these obstacles.
Security Issues
A recent survey conducted by Osterman Research found that during a typical month, 4.3 percent of network endpoints become infected with viruses or malware, which translates to 52.1 percent of endpoints over the course of a year. The average time to remediate a single endpoint is 72 minutes and 5.2 percent of IT staff time during a typical week is spent on email security management alone, the study found (2).
Why is it that Especially Mobile Devices Present Such a Big Issue for the Company IT?
IT teams are unable to implement pre-existing security policies across all devices and platforms. New security policies, which take this into account, are available, but have to be implemented. Innovative remote access solutions already resolve a large part of the problem on the technical level, so that the user need not be too strongly restricted.
For small and medium businesses, and enterprises alike, where employees must connect to a local network, VPN is the critical technology. Tunneling into LANs across a VPN enables users to access files and/or control the applications on in-office equipment that are required to complete daily projects regardless of device or location. Only an Internet connection is required.
Allowing employees to work from anywhere introduces vulnerabilities at many layers within the network, and as a result, there are many ways IT teams must address these risks. The first step is to reduce the risk of a device becoming infected and transmitting the malware into the company network. Some organizations require that a device has specific antivirus and management software installed before it is allowed to connect to a network.
Modern remote access solutions protect the company network effectively. They can, for example, check files for viruses, and if necessary, remove them, while these files are being downloaded. Another part of this initial step is ensuring that employees can only connect to a network via a VPN versus a direct connection, even when the user is on site. IT teams can also prevent a user from opening a second, parallel Internet connection as long as the user is connected with the company network.
This effectively prevents malware from using this way to enter the company network. The secure tunnel of a VPN is a must since it prevents cyber thieves from gaining access to any information as it travels between locations. Employees working with mobile devices may be tempted to email documents, but the security of this email can never be guaranteed. Emailing documents also requires employees to store content on the device, exposing that material to theft.
VPNs can allow the employee to access, work on and store their content on the local network without any data ever being stored on the used end device.
It is interesting to note that in a recent SANS Institute survey (3), fewer than 50 percent of IT team respondents had a “fairly” or less confident level of knowing what types of devices are accessing their networks:
Figure 2: In addition to many IT teams having low awareness of the devices accessing their networks, just 52 percent believe their security policies are “thorough” or “very thorough,” while 17 percent believe their policies are “insufficient even for basics,” or that they should go “back to the drawing board.”
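The restriction described above, that a user connected to the company network cannot open a second, parallel Internet connection, can be audited on a Linux endpoint from its IPv4 routing table. The following is an added example, not part of the original e-book or of any HOB product; the interface name tun0, the gateway address 203.0.113.10 and both routing tables are constructed assumptions.

```python
import ipaddress

# Constructed `ip -4 route show` samples. Assumptions: tun0 is the VPN
# interface and 203.0.113.10 is the VPN gateway's public address.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""


def _opt(tokens, key, default=None):
    """Return the token following `key`, or `default` if the key is absent."""
    return tokens[tokens.index(key) + 1] if key in tokens[:-1] else default


def parse_routes(text):
    """Turn unicast IPv4 route lines into dicts with net, dev, via and metric."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("unreachable", "blackhole", "prohibit"):
            continue
        dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        routes.append({
            "net": ipaddress.ip_network(dest, strict=False),
            "dev": _opt(tokens, "dev"),
            "via": _opt(tokens, "via"),
            "metric": int(_opt(tokens, "metric", 0)),
        })
    return routes


def find_bypass_routes(text, vpn_dev, vpn_gateway):
    """Return routed (non on-link) routes that carry traffic outside the tunnel."""
    routes = parse_routes(text)
    vpn = [r for r in routes if r["dev"] == vpn_dev]
    carrier = ipaddress.ip_network(vpn_gateway)  # host route the tunnel itself needs
    bypass = []
    for r in routes:
        if r["dev"] == vpn_dev or r["via"] is None or r["net"] == carrier:
            continue  # tunnel route, on-link subnet, or the tunnel's carrier route
        # A tunnel route for the same prefix with a lower metric is preferred.
        if any(v["net"] == r["net"] and v["metric"] < r["metric"] for v in vpn):
            continue
        # Longest-prefix match: more-specific tunnel routes that together cover
        # the whole prefix (0.0.0.0/1 + 128.0.0.0/1 over default) shadow it.
        inside = [v["net"] for v in vpn
                  if v["net"] != r["net"] and v["net"].subnet_of(r["net"])]
        if list(ipaddress.collapse_addresses(inside)) == [r["net"]]:
            continue
        bypass.append(r)
    return bypass


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        hits = find_bypass_routes(table, "tun0", "203.0.113.10")
        print(name, [f'{r["net"]} dev {r["dev"]}' for r in hits])
```

On-link subnets such as the local LAN are deliberately not reported, and the code covers IPv4 only, so IPv6 routes need the same audit separately.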
Many related security issues are occurring with mobile devices as well. HOB notes a few of these below.
Access to Content Repositories
Within organizations of all sizes, employees not only store content on servers and other repositories but are increasingly accessing this content on their smartphones, tablets and other mobile devices, too. Security solutions should enable employees to access the same content on their mobile devices as they can on their PCs. They should also be able to begin to work on content on one device and then later finish working on it on another device.
App-Security
Not all apps are alike when it comes to security – There is a huge amount of apps in several official App Stores, with hundreds added daily. Just a few errors in the code for an app can make it, and the rest of the content on an employee’s device, and thereby the entire corporate network, vulnerable. Moreover, it has been found that many apps capture all contact data from the smartphone, which is unwanted.
Mobile Data Access
Emailing or opening documents in other applications – Allowing employees to email content or open it in other applications can result in potential data leakage. IT teams wrestle with the degree of control they should exert, including completely disabling the ability to email or open content in other applications, marking certain folders as “allowed” or “disallowed” to be emailed, or maintaining an audit log of which documents the employee emailed and to whom.
Mobile Device Management
Regulation of content on devices can be tricky – There can be limited options for corporate IT teams to manage content locally (on a device). This includes managing functions such as having the option to disable caching of all data on a device, to mark certain folders as “permitted” or “not permitted” to be cached, or to delete documents from the cache after a specific time period.
Application Publishing
If a company wants to provide its employees with certain applications, this would mean a huge effort. With a modern remote access solution, this effort can become obsolete: solutions that allow for a browser-based access make application publishing very easy for the IT administrator. It is sufficient to install the application on the company server and provide employees with the link through which it can be remotely accessed via the Internet.
Developing a Strategy for Mobile Workplaces
In order to properly solve the issues described above, it is necessary to develop a strategy of how to cope with mobile devices, thereby also taking company-specific requirements and restrictions into account. In the following we provide you with some aspects that are essential and mission critical. For a successful strategy, first of all objectives need to be defined. It is impossible to develop optimal security processes to protect corporate data without knowing what should be achieved by having employees access company data anywhere and at any time. The most typical goal is to boost overall productivity and worker mobility.
As IT teams review their current security processes, they must answer the following questions.
• What are the security implications of connecting mobile devices to the network?
• What is the best approach for securely connecting mobile devices to file servers, the Intranet, company specific applications or other content repositories?
• How should IT teams determine if employees can store data locally, and if allowed, what types of data?
• Does jailbreaking a mobile device affect security?
• Should the IT team prevent employees from emailing corporate documents on their remote devices and/or opening the documents in other applications?
• Does support exist for multi-factor authentication that does not require passcode entry every time a device “wakes up?”
Technical Approach to a Successful Mobile Workplace Realization
After having defined a strategy, the question arises which technical solution fits all these needs and requirements best. Generally speaking, it is most common to deploy some kind of VPN technology for this purpose. However, there are several approaches to VPN solutions, which are described in the following.
Different VPN Types for Different Situations
Different VPN types exist that fit different network architectures and user needs. Each has benefits and weaknesses IT teams should consider before selection and deployment.
IPsec VPNs
IPsec VPN solutions are very widely used and for many years were the standard remote access solution. They are especially well suited for fixed connections, for example, from the enterprise network to branch offices or suppliers and customers. They allow complete network access and are considered to be secure and reliable. When using IPsec VPN technology in combination with mobile devices, this technology exhibits a major drawback: an IPsec VPN client has to be installed on every end device. If the employee is to set up the client himself, then he could be faced with complex configuration work, e.g., the target networks, which may be more than he can handle. This is why the installation of the VPN client has to be done by the IT administrator, causing a lot of extra work for him.
SSL VPNs
Secure Sockets Layer (SSL) VPNs have gained in popularity because they are “clientless,” meaning the remote device doesn’t need to have a client pre-installed to connect to the corporate network. In many situations, an SSL VPN tunnel is created when a remote user opens a Web browser and connects to a pre-defined URL. The VPN then prompts the user for a username and password. Once authenticated, the user is often taken to a company-specific Web page including several options for network access or company applications. An SSL VPN allows full network connectivity, as does an IPsec VPN, but can be deployed more easily to remote users since neither installation nor administrator rights on the client are needed. This makes SSL VPN solutions, especially as regards mobile devices, attractive for enterprises.
Selecting the Optimal VPN Solution
For the most part, which solution IT teams select depends on the needs remote access must address. If it is a matter of a fixed connection to branch offices, then an IPsec VPN would be the first choice. The technology is tried and proven. There are appropriate gateways for all possible amounts of users and requirements. The only prerequisite: an experienced IT administrator must be on site to configure the connections and manage the devices. Access rights and installations on the employees’ devices can be agreed upon and company-specific solutions can be implemented. If employees don’t give their approval for access to their devices or if IT teams want greater flexibility, then SSL VPNs are the preferred choice. As only central administration is required and no installation or administrator rights on the end device are necessary, the time and expense for IT is greatly reduced.
This is an effect that becomes clearly visible when each user works with different devices to access centrally stored data and applications. These devices don’t have to be managed anymore. Access is available from any device, regardless of the client’s OS (e.g., Windows, OS X, Linux, UNIX, etc.), to any target in the enterprise, from Windows Server with Remote Desktop Services (RDS) to legacy systems. All the user needs is a Java-capable browser and an Internet connection. Modern solutions perform many security-relevant actions centrally, which then don’t have to be implemented on the client. Mobile workplaces and the best possible protection for enterprise data are thus no longer mutually exclusive.
Creating Best Practices that Will Maximize Employee Productivity
Crafting and implementing an organization-wide mobile workplace approach will ensure managers and employees alike enjoy a positive experience. Below are six practices that are typically effective.
Maximize Employee Participation
For a company where the goal is to maximize employee productivity, maximizing employee participation first is critical. As previous experience with earlier productivity tools, such as email and IM, has shown, it is clear that limiting access to these solutions also limits their value. While not every employee benefits equally from productivity solutions such as mobile workplaces, without a critical mass of users, the benefit will be limited. It is perplexing sometimes that IT teams want to limit solutions such as mobile workplaces only to those who supposedly need it. If employees are willing to work remotely and this will allow them to respond to colleagues and customers faster, wouldn’t IT teams and managers want as many employees as possible to work from anywhere and at any time?
Free Use of Personal Apps and Services
Employees should be able to use their personal apps and services, even if the device is owned by the company. There’s a significant difference between blocking an employee from storing their personal information on a cloud service and ensuring corporate data doesn’t end up in the public cloud. IT teams need to focus on controlling data, not devices.
Ensure Employees Have the Productivity Tools They Need
Employees are eager to use a whole range of productivity tools, which adds to the IT team’s worries about securing the network. Unsure how to handle such employee requests, IT teams often either do nothing and let employees use these tools without providing adequate security, or block use of the tools entirely. Security solutions exist that will allow employees to utilize tools while concurrently preserving the security of the network.
Broad Choice of Devices
The mobile workplace program should support a wide range of devices, or the program will not be popular. There can be challenges, especially due to, e.g., Android’s variability regarding support for on-device encryption and other enterprise-level security and management controls.
Offer Self-Service Support for Everyday Activities
There is often a concern that mobile devices will increase support costs. This is typically not the case. And, if IT teams offer a self-service capability, especially for routine activities, it can often result in decreased support costs. IT teams need to know where to draw the line. They should always offer to assist with supporting business apps, but never offer to support personal apps and services.
Avoiding the Security Pitfalls of a Mobile Workplace Deployment
There are several common problems that occur with mobile workplace deployments and it’s important that IT teams stay in front of these to protect their organization’s resources. These include:
Ignoring Common Threats
Most of the focus on mobile security to date has been on malware, which is important, but a more common threat today is mobile phishing. It’s harder on a mobile device for the user to identify phony URLs, making it more likely they will succumb to a phishing scam.
Taking a One-Size Fits All Approach
There are a few options for the IT team to manage mobile device security, but these come with a level of inconvenience for users. For example, mobile virtualization can enable users to work remotely without any data on their devices, but this may be overkill for the employee who just wants access to email.
Assuming Users Will Follow Security Policies
Employees will resist any inconvenience or threat to their personal privacy when using their company devices for private purposes, too. This forces IT teams to focus on protecting their data and not the devices.
Failing to Educate Users
As the mobile workplace trend proliferates, it becomes harder to manage how people use mobile technology; IT teams must rely on educating employees to participate in keeping corporate data secure.
Conclusion
Despite many critical voices raised in the discussion of mobile workplaces, the advantages for both companies and employees cannot be denied. The success of a company-wide mobile workplace program is largely influenced by defining the right strategy, using the right technology and involving the right people.
While defining the appropriate strategy, company-specific policies, conventions and requirements should not be neglected. Otherwise the upcoming realization of the strategy will fail due to impacts that do not fit the company. In terms of technology, VPNs are a core component of a comprehensive cyber defense infrastructure and have come to the fore as flexible working has taken root in many businesses. Despite many advances in network security, robust VPNs remain critical to ensure remote employees and employees using their own devices can enjoy the convenience of anytime, anywhere connectivity and IT teams can ensure data integrity. Finally, the results will be best if all stakeholders are involved at an early stage of the realization process. Often, employees highly value the possibility of participation and influence and therefore observe rules more willingly.
Interested?
Would you like to check out the numerous benefits of HOB Software?
Just call us or send us a quick mail!
You are welcome to contact us:
HOB GmbH & Co. KG
Schwadermühlstraße 3
90556 Cadolzburg
Tel: +4991037150
E-Mail: [email protected]
Website: www.hobsoft.com
Information in this document is subject to change without notice.
HOB is not liable for any omissions or errors which may be contained in this document.
Product information contained herein is from March 2013.
Any trademarks in this document are the property of their owners.
Layout: Maximilian Göppner
Footnotes
(1) BYOD or Bust, Kyle Lagunas, HR Market Analyst, Software Advice, March 2012
(2) A Cloud-Client Architecture Provides Increased Security at Lower Cost, Osterman Research Inc., January 2012
(3) SANS Institute, SANS Mobility/BYOD Security Survey, March 2012