
Best Practices for Secure Mobile Access

A guide to the future.

Abstract

Today, more people are working from more locations using more devices than ever before. Organizations are eager to reap the benefits of a mobile workforce but they cannot afford to sacrifice security.

This paper explains how you can implement secure mobile access in a controlled, step-by-step manner, so you can enable your increasingly mobile workforce while ensuring the security of your enterprise.

Introduction

Significant changes in mobile technology and global business practices have spurred an evolution of both local and remote access. With more people working from more locations using more devices than ever before, all users are potentially remote and all endpoints potentially unsafe. Therefore, local user access must be as tightly secured as remote access, and remote user access must be as simple and comprehensive as local access. As a result, providing access while still protecting network resources is more difficult and expensive. The trend is towards a universal access control model, one which inverts the network so that the protective perimeter is concentrated around application resources. That is, the focus is shifting to securing communications between all users and business-critical applications and data. This paper explains this trend and details how Dell™ secure mobile access solutions, including SonicWALL™ Mobile Connect, E-Class Secure Remote Access (SRA) and next-generation firewalls provide you with the solutions you need to establish secure mobile access control today.


The evolution of secure mobile and remote access

The growing demand for mobile access

Remote access technology has evolved dramatically over the past decade. New mobile devices and business solutions, offered in new combinations that weren’t even on the radar for enterprise IT a few years ago, are announced in the industry nearly every day. Broadband access to the internet has become an expected standard, at work, at home and everywhere in between. Traditional desktop PCs are being replaced by laptops, smartphones and tablets, all mobilized with sophisticated wireless and cellular connectivity. The rise in VoIP has turned phone calls into data resources and transformed telephony into yet another network access methodology.

This fundamental technological shift has sparked a mobile access revolution across the enterprise worldwide.

Partners, vendors and consultants play an increasingly vital role in daily operations. Traditional network boundaries are disappearing; “the office” no longer has anything to do with any specific physical location. For example:

• Executives expect full access to the same application and file resources from their laptops, smartphones and tablets in a hotel suite on the other side of the world as they have using a laptop at headquarters.

• Accountants require secure access to financials on a remote site from field offices via the internet.

• Sales teams now take their virtual office on the road with them using a host of mobile devices, and also demand access to corporate resources from public WiFi hotspots at hotels, airports and convention centers.

• Business partners, vendors and consultants, often collaborating in cross-functional teams, require access to “internal” enterprise resources across the extranet from endpoint locations behind their “external” firewalls.

• Remote teleworkers in all business capacities connect to business applications and files via WiFi hotspots at their homes or neighborhood cafes.

The impact on access control

Increased access can mean increased productivity, since work can now be conducted from more places. But providing wider access while still protecting network resources has often proven to be more difficult and expensive. Data centers have become virtualized, providing fluid access to resources from anywhere. Hard-wired LAN access is being outmoded by ubiquitous high-speed connectivity over wireless networks and the internet.

Whether wireless laptops and mobile devices are issued by IT or are personal devices, it is hard for IT to control what users do with them. In particular, it is hard to limit the ways users expose these devices to threats that can impact the security of enterprise resources. For example, a user might use the same mobile computing device at home as in the office, use a personally owned device for business purposes, or use a corporate-owned device for personal purposes, all of which introduce risk to the organization.

In short, IT today must assume that all users are potentially remote and that all endpoints are potentially unsafe.

The convergence of local and remote access

Accordingly, standards for local access and remote access are converging:

Local user access must be as tightly secured as remote access, and remote user access must be as simple and comprehensive as local access.

With this convergence of local and remote access, rather than striving for a secure network, IT should focus on establishing secure communications to network resources. The traditional network perimeter must be tightly concentrated into a resource perimeter around the corporate applications and data.

In effect, enterprise IT data centers will increasingly resemble e-commerce innovators like Amazon and eBay by providing internet-based, globally accessible services. Local/remote access evolves into universal access.

Universal access

With universal access, the access playing field is leveled: No user, device or location is trusted implicitly, and the focal point becomes the information resources — applications, data and services. At the same time, universal access expands the playing field: All users, devices and network technologies are potentially welcome, and all resources must be potentially available with ease from any endpoint device or location.

Universal access control

While universal access to any resource must be potentially available, it does not mean it should be universally allowed.

IT needs a strategy to establish and maintain universal access control (see Figure 1).

As laptops and other mobile devices move in and out of an increasingly fluid perimeter, the traditional network cannot be fully protected by IT. The most dangerous attacks on your network may actually come from local rather than remote users. IT must now assume that any user on any device is a potential risk point, whether the user is gaining access remotely or is plugged directly into the LAN.


[Figure: “The evolution of access”, showing the local/remote access model and the universal access model around the corporate data center.]

Figure 1. Local access and remote access are converging into a universal access model.

Requirements for universal access control

To increase mobile workforce productivity, organizations want to increase access to resources — without increasing costs or complexity. Today, all users are potentially remote, all endpoints potentially unsafe and the underlying network is inherently insecure. Efforts to harden the increasingly fluid network perimeter have sharply increased infrastructure costs. In particular, the increasing scale of deployments, application diversity and security demands is driving up costs of managing and maintaining traditional “fat client” remote access solutions.

IT needs solutions that scale to existing infrastructure and systems while maintaining performance. To successfully establish universal access control, enterprises must re-examine how they view network security. Before access is granted, three fundamental questions must be answered:

• Who is the user?—Universal access control requires unequivocal proof of the user’s identity using a strong authentication method.

• What is on the endpoint device?—Every endpoint system must be interrogated to determine its identity and state of integrity, such as whether a smartphone or tablet has been jailbroken or rooted, or whether a laptop contains a valid device certificate or current anti-virus signature file.

• What resources are being accessed?—Users should be provided access only to appropriate resources and data based on policy.
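The three questions can be read as one deny-by-default access decision. The sketch below is an added example, not code from the paper or from any Dell product; the class names, the sample `POLICY` table, the two trust tiers and the 7-day anti-virus freshness window are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_AV_AGE = timedelta(days=7)   # assumed freshness window for AV signatures
MOBILE = {"ios", "android"}

@dataclass(frozen=True)
class User:                      # hypothetical model of "who is the user?"
    name: str
    strong_auth: bool            # strong authentication already verified
    roles: frozenset

@dataclass(frozen=True)
class Endpoint:                  # hypothetical model of "what is on the endpoint?"
    platform: str
    jailbroken_or_rooted: bool = False
    device_cert_valid: bool = False
    av_signature_date: Optional[date] = None

# Constructed sample policy: resource -> (required role, minimum device trust).
# Trust 1 = healthy but unmanaged (BYOD), 2 = managed (valid device certificate).
POLICY = {
    "webmail": ("employee", 1),
    "financials": ("accounting", 2),
}

def device_trust(ep, today):
    """Return (level, reasons): 0 = unsafe, 1 = healthy unmanaged, 2 = managed."""
    reasons = []
    if ep.platform in MOBILE:
        if ep.jailbroken_or_rooted:
            reasons.append("device is jailbroken or rooted")
    elif ep.av_signature_date is None or today - ep.av_signature_date > MAX_AV_AGE:
        reasons.append("anti-virus signatures missing or stale")
    if reasons:
        return 0, reasons
    return (2 if ep.device_cert_valid else 1), reasons

def decide(user, ep, resource, today):
    """Deny by default; return (allowed, reasons) listing every failed check."""
    reasons = []
    if not user.strong_auth:
        reasons.append("user not strongly authenticated")
    level, dev_reasons = device_trust(ep, today)
    reasons += dev_reasons
    rule = POLICY.get(resource)
    if rule is None:
        reasons.append("no policy grants access to this resource")
    else:
        role, min_trust = rule
        if role not in user.roles:
            reasons.append(f"role '{role}' required")
        if level and level < min_trust:
            reasons.append("resource requires a managed device")
    return (not reasons), reasons
```

Returning every failed check, rather than stopping at the first, gives the audit log and the help desk the full reason a request was refused.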

[Figure: “The path to universal access control”; axes: policy coverage and user coverage; stages: SSL VPN, Remote Access Control, Universal Access Control.]

Figure 2. Universal access control covers all devices, all applications and all users.


A step-by-step path to universal access control

IT managers should consider a strategic, phased approach to easing their organization’s transition to universal access control. IT can take incremental steps focused on immediate solutions for specific business and technology pain points, such as:

• Delivering mobile access: Increase productivity by providing all employees with secure, policy-enforced access to appropriate mission-critical applications, data and resources from smartphones, tablets and laptops — both IT-managed devices and unmanaged, bring-your-own-device (BYOD) options.

• Extending extranet access: Open access to partners in order to increase collaboration — without compromising access control and security.

• Securing wireless networks: Secure users on the wireless network as tightly as remote users, mitigating concerns over who has access to the wireless network.

• Enforcing policy: Collaboration and compliance are encouraging granular access controls, yet IT struggles to enforce policy across disparate points of entry.

• Handling disaster recovery: Be ready for business disruptions, when demand for access from remote locations could instantly spike to include the majority of your workforce.

• Extending network access control (NAC): NAC is positioned around host integrity checking and network access; many organizations want to extend NAC to cover application access control as well.

A staged approach can bring immediate and ongoing results without making a significant impact on budget and resources. For instance, a first step might standardize remote access policy for all mobile devices. The next step might incorporate SSL VPN access policy and endpoint controls into broader enterprise network access control (NAC) initiatives, and a third step might apply standardized remote access as the foundation for a remedial disaster recovery strategy in case workers are forced to work away from the office during an emergency. With each step, the organization moves closer to its goal of providing universal access with universal control.

Dell secure mobile access

To address your mobile workforce needs, Dell delivers a secure mobile access solution that combines its SonicWALL Mobile Connect application with its Dell SonicWALL Secure Remote Access or next-generation firewall appliances. The solution enables you to easily provision secure mobile access and role-based privileges, so you can provide mobile workers with fast, simple access to the enterprise applications, data and resources that they demand. At the same time, you can ensure that the corporate network is protected from mobile security threats, such as unauthorized access to data and malware attacks, without the expense and complexity of a dedicated mobile device management solution.

With the Dell solution, you can:

• Detect what is on the endpoint device—Enforce granular access control rules based upon the trust of the user and the user’s endpoint environment.

• Protect resources being accessed—Control access granularly based on user identity and device integrity. Centralize control over all users, groups, resources and devices and enable administrators to quickly set a single policy across all objects.

• Connect users securely and easily to applications on any device—Provide a seamless common user experience across a wide range of applications and platforms — including Windows®, Windows Phone, Apple Macintosh®, iOS, Android and Linux® — from managed or unmanaged devices, over a single gateway. Appropriate security is automatically selected based on centralized resource policy, user authorization and the integrity of the endpoint.

For more information

Dell SonicWALL, 2001 Logic Drive, San Jose, CA 95124, www.sonicwall.com, T +1 408.745.9600, F +1 408.745.9300


WhitePaper-BestPracticeSecureMobileAccess-US-TD-DellSW 557-09/13

© 2013 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. (“Dell”).

Dell, Dell Software, the Dell Software logo and products—as identified in this document—are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.

The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products.

EXCEPT AS SET FORTH IN DELL’S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.

About Dell Software

Dell Software helps customers unlock greater potential through the power of technology—delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection.

This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. www.dellsoftware.com.

If you have any questions regarding your potential use of this material, contact:

Dell Software 5 Polaris Way Aliso Viejo, CA 92656 www.dellsoftware.com

Refer to our website for regional and international office information.
