More Users, More Access, More Clients, Less Control

It used to be that “mobile” access implied “remote” access. That’s no longer true. As the variety of clients continue to expand along with the venues from which we users can access corporate resources the ability to intelligently enforce access-control policies also increases in strategic importance.

Every time we add a new access method in the enterprise we go through a period in which we expend a lot of time and energy trying to figure out how to control that access.

The consumerization of IT, for example, in which consumer-grade devices (gadgets) have been slowly but surely permeating every facet of the business have led to a need for IT not only to support but manage, i.e. control access from, such devices. The lure of virtual desktop infrastructure (VDI) continues to be strong, providing myriad benefits for IT in terms of management, security, and simplified support across a broader variety of clients.

But it also introduces challenges that must be addressed lest the benefits of a VDI implementation become quickly lost. Performance can be significantly impacted by the deployment of VDI, and the access-control challenges introduced are nothing if not non-trivial.

The server farm will carry a higher processing load, and will need more highly specified storage systems, by comparison with a more conventional client/server architecture. Some firms may need to fund a network upgrade also, to cope with higher data transport demands. [emphasis added]
-- Forrester Research Analyst Andrew Parker, “Desktop Virtualization — How Will It Impact Desktop Outsourcing Costs?”

If prognosticators are correct, these challenges will become serious impediments to successful VDI implements as early as this year (2011). The latest projections from research firms regarding the deployment of virtual desktop technology is staggering. Gartner forecasts the install base will almost triple this year (2011), noting “HVD [Hosted Virtual Desktop] works best with well-managed environments. Currently, that means fully locked down.”

But it is hardly advantageous to overload an already overloaded admin and operations staff by requiring yet another layer of access control specifically to address virtual desktops and mobile device access.

What’s needed is something strategic, something more intelligent that can apply access policies based on context such that access to corporate resources can be managed more consistently across the growing variety of endpoints and locations from which those resources are being requested.

CONTROL and CONTEXT

The one thing that is common across most emerging data center and deployment models today is control, or more accurately the loss of control it imparts on IT.

VDI, mobile endpoints, cloud computing . These technologies all share one common and complexifying attribute: they potentially erode the control IT needs over access to resources to ensure that corporate data and applications remain secure and uncompromised. Introduce a few emerging threat vectors thanks to cloud computing and virtualization into the picture and the need for access control and endpoint management becomes not just a nice to have, but a critical component to the long-term security of data, applications, and the data center network.

Even if you do have access control under, well, control, when you introduce the distributed nature of cloud computing and virtualization and you start running into problems associated with a loss of context in which to evaluate and apply that control. It’s not enough to know that User A is requesting a virtual desktop; you also need to know from where and what device that user is making such a request. It is important to understand whether User A is attempting to access resources from their home network or an Internet cafe somewhere in Bangladesh.

The ability to dynamically apply graded authentication and authorization to resources based on the context of a request is also increasingly important in a world where a user may flip seamlessly from iPhone to Windows desktop to Blackberry tablet (Hey, it’s coming. It’ll happen.) And that is a bigger problem than some might think because it’s not just iPhone on Verizon or AT&T that’s a problem, it’s an iPad that may be connected via WiFi from within your own network.

1. Unauthorized Smartphones on Wi-Fi Networks
Smartphones create some of the greatest risks for enterprise security, mostly because they're so common and because some employees just can't resist using personal devices in the office -- even if their employers have well-established policies prohibiting their use.
"The danger is that cell phones are tri-homed devices -- Bluetooth, Wi-Fi and GSM wireless," says Robert Hansen, founder of Internet security consulting firm SecTheory LLC. Employees who use their personal smartphones at work "introduce a conduit that is vulnerable to potential attack," he explains.
-- Six security leaks to plug right now, ComputerWorld (January 2011)

So it isn’t just from where, it’s from what device. You can’t just lock down applications and resources based on the network. Context-awareness is an integral – or should be an integral – part of any remote access-based strategy and increasingly it will be important to a general resource control strategy because “mobile device” no longer implicitly means “remote”. Mobile devices are inside the perimeter and they aren’t going away. VDI is gaining traction quickly because of its security and management benefits.

If you’re going to deliver a fully configured and ready to use desktop via some virtual desktop infrastructure, you need to be concerned about where that desktop might be going and who might be requesting it. The only thing you can do is control access and delivery via infrastructure solutions that are intelligent enough to enforce policies based on a combination of variables. And that control of access and delivery will almost certainly need to look inward in addition to outward and cloudward, to ensure that those policies are appropriate enforced.

The hardest part of doing that is to do so without sacrificing performance and without blowing out your budget.