All White Papers

White Paper

Empowering Mobile Users to Work Anywhere, on Any Device

Updated August 24, 2015

What’s Driving Mobile Workforce Trends?

How do enterprises give employees the freedom to use the mobile device of their choice to do their jobs from virtually any location and ensure that corporate resources and data are kept safe? Many enterprises are staring down these challenges, especially in light of industry and workforce trends, including the growing mobile workforce, increasing security threats, and continued privacy concerns.

Relentless growth

The mobile workforce is growing at a skyrocketing pace, with IDC predicting it will reach 1.3 billion users by the end of 2015.1 This accounts for about 37 percent of the world’s workforce, so worker mobility isn’t just a fad, it’s a new work reality. Mobile users expect reliable access to apps and data from any device, including smartphones, tablets, laptops, and soon, even wearables such as smart watches. The explosive growth of the mobile workforce and mobile devices leads to necessary but costly increases in network infrastructure.

Ever-increasing threats

By 2018, the number of employee-owned smartphones and tablets used in the enterprise is expected to reach 1 billion devices.2 Corporate security threats will continue to increase as the bring-your-own-device (BYOD) movement and users’ lack of security knowledge—even apathy—exposes organizations to vulnerabilities. Because users can download any content or apps they choose to their devices—after all, they’re personal devices—malware, viruses, and hacks are becoming rampant. And, with employees frequently using their devices on unsecured networks at local cafés, airports, hotels, and other public hotspots, corporate data stored on or flowing to and from them is particularly vulnerable to breach and exploit.

Privacy concerns

BYOD also raises privacy concerns, not only for users but for their employers since personal information on the device might be visible to the IT staff. To protect the enterprise and restore a degree of control to IT, some organizations are adopting corporate-owned, personally enabled devices, bringing life to yet another acronym, CYOD, or choose your own device, and the ability to isolate personal applications and data into a secure on-device container. Even this approach, however, doesn’t eliminate all security concerns.

Virtualization challenges

As virtual desktop infrastructure (VDI) solutions continue to be adopted, organizations need to ensure fast, secure access to virtual applications and desktops. This is true not just for traditional “remote” workers but also for today’s mobile workforce that needs round-the-clock access.

Meeting the Challenges of a Mobile Workforce

If your organization is like most, these new realities place mobility—and mobile security—near the top of your list of concerns. You’re likely looking for ways to:

  • Control and differentiate remote and mobile user access so you can build and adjust access policies based on identity, context, and environment.
  • Deliver seamless, unified access from users’ mobile devices to all applications, whether they are mobile, network-based, cloud-based, SaaS, VDI, or web-based.
  • Reliably and securely authenticate users, provide single sign-on (SSO) capabilities, and federate authenticated user identity across multiple applications, wherever they reside.
  • Monitor, audit, and report on access and application metrics for compliance purposes.
  • Address vital secure access use cases, including full layer 3 VPN access, per-application VPN access, VDI access, and access to SaaS applications without requiring VPN access.

F5’s unified access control and security solution, BIG-IP® Access Policy Manager® (APM) and its BIG-IP® Edge Client®, is designed to help you address four specific challenges: remote access management, enterprise mobility, SSO and identity federation, and secure, scalable VDI access. As a flexible, highly scalable, and cost-effective solution, BIG-IP APM is more than a simple remote access and mobile VPN solution.

Common Mobile Workforce Scenarios

Let’s look at a few real-world user scenarios to illustrate how BIG-IP APM can help you solve some of the most common enterprise mobility challenges.

Managing remote access and application access

Your employees who work remotely or on the road need secure access to corporate resources and applications to be productive. The key is to maintain security and provide fast application performance for users, and to give them a simple but engaging user experience. BIG-IP APM enables you to do this by allowing employees and other authorized users to work unimpeded on nearly any device, anywhere.

Take, for example, an employee of your Finance department who is working from home or a from branch office on a corporate-issued laptop. With BIG-IP APM, you can build policy based on identity, context, and environment—attributes like user identity, user group or role, location, device type, device security posture, type of network connection, time of day, and others. This gives you fine-grained control to decide what level of access users get, whether it’s access to everything they’re authorized to use on the network (full layer 3 VPN), access only to specific applications, or restricted access, say, only to their VDI desktop environment.

In this case, since the employee is working from home on a company-owned laptop, you might choose to grant her full (layer 3) VPN access to your corporate network. This will give her access to all the resources and applications she is authorized to use—including a highly sensitive Finance application that employees of other departments are not authorized to use.

Diagram: Working from home, the Finance employee can access all corporate applications she’s authorized to use but can’t access the HR application, which she’s never authorized to use.
Figure 1. Working from home, the Finance employee can access all corporate applications she’s authorized to use but can’t access the HR application, which she’s never authorized to use.

The BIG-IP Edge Client makes the authentication and VPN experience seamless for the employee. Because BIG-IP Edge Client integrates with existing authentication methods, including one-time password (OTP) and multi-factor authentication such as RSA SecurID, the user experience is seamless and familiar. There are no hoops for her to jump through to establish the VPN connection. After entering her user credentials, BIG-IP APM connects automatically and keeps her connected.

Before establishing a secure connection, however, BIG-IP APM checks her laptop to ensure it complies with corporate security policies. If it’s non-compliant or infected with malware, for example, you could bar all network access from her laptop until it is brought in line with corporate security policy. This helps protect your applications, data, and network resources from malware, theft, and hacking attempts.

Now suppose the Finance employee travels to the airport to catch a flight. She’s still using her laptop to connect to the corporate network, but now you must take into consideration her new location and the airport’s unsecured WiFi network. You might choose to block her access to the Finance application but continue to give her access to the other less sensitive applications she’s authorized to use so she can continue to work productively while on the move.

Diagram: When the employee uses her corporate laptop and unsecured Wi-Fi at the airport, access to the Finance application is restricted, but other authorized applications are still accessible.
Figure 2. When the employee uses her corporate laptop and unsecured WiFi at the airport, access to the Finance application is restricted, but other authorized applications are still accessible.

Enabling enterprise mobility

After boarding her flight, the Finance employee switches from her laptop to her personal mobile device and uses the unsecured in-flight WiFi service to connect to corporate resources. BIG-IP APM integrates with several industry-leading mobile device management (MDM) and enterprise mobility management (EMM) solutions that automatically provision the BIG-IP Edge Client on a personal mobile device when the MDM/EMM app is installed. These third-party solutions perform extensive checks of mobile devices and BIG-IP APM, in turn, leverages the device attributes they capture. That means you can use the device attributes to create more granular, context-aware access and security policies in BIG-IP APM, which it will then enforce.

Because the Finance employee is now using a personal device, you might choose to give her “per-app” access only—that is, access only to select applications that she’s authorized to use. When she selects an app from her mobile device, the BIG-IP Edge Client automatically builds a secure, encrypted tunnel only for that particular app on her mobile device, to your network, cloud, or wherever the app and its data are located. This is all done transparently; she merely selects an app on her device or, in the case of a web-based app, enters a URL in her mobile browser. This seamless, low-touch user experience improves her ability to work productively while on the road.

Diagram: Because she is using a personal mobile device and unsecure in-flight Wi-Fi, the employee is now restricted to per-app access; she can only access the project management application.
Figure 3. Because she is using a personal mobile device and unsecure in-flight WiFi, the employee is now restricted to per-app access so she can only use the project management application.

Today, it seems that every new access application requires a unique access gateway. Deploying, managing, and maintaining these devices vastly increases your infrastructure costs. By consolidating access control—mobile, remote, network, web, and wireless—into a highly scalable, easy-to-program platform, F5 significantly decreases your infrastructure overhead and cost, enabling you to deploy a single platform for all access types and means.

Providing SSO and identity federation to SaaS and other apps

Today’s users often need to remember dozens of user credentials for the multitude of applications they use daily. The phenomena of “password fatigue” is very real—and it’s not just an inconvenience for users. Password fatigue causes employees to use weak passwords because they are easier to recall, or to use the same password for multiple corporate and web-based applications. This can dramatically increase your organization’s vulnerability.

BIG-IP APM supports single sign-on (SSO)—one of the most commonly requested features among users. With SSO, your employees and authorized users can log into one application such as Microsoft Outlook and then access other corporate applications without having to log in again.

For all its convenience though, SSO only works within a network boundary—that is, within a single network domain. By supporting SAML 2.0, BIG-IP APM takes SSO a step further and provides access across different domains. This allows BIG-IP Edge Client users to log into SaaS apps like Salesforce.com, for example, and then access Microsoft SharePoint 365 (if authorized) without being asked to supply login credentials again. The user has been securely authenticated, and his or her identity has been federated across applications, domains, and other entities, ensuring secure access through a single sign-on.

So, with BIG-IP APM, users get the same SSO experience across corporate and cloud- or web-based applications. This improves employee productivity and also decreases the volume of helpdesk calls, saving your organization mounting support costs. More importantly, when an employee leaves your organization, BIG-IP APM enables you from a single location to immediately eliminate that user’s access to all accounts, including cloud- and web-based applications, thereby limiting any malicious access by former authorized users. The dismantling of user access does not interfere with your existing authentication workflow and is immediate. This helps you ensure security and saves valuable IT resources and time.

Supporting VDI environments

Virtual desktop infrastructure (VDI) solutions are becoming increasingly more robust and more widely used in enterprises. To be successful, however, these solutions must be highly secure, provide reliable application delivery, availability, and performance, and be transparent for users to access from any device. They also must be highly scalable in order to concurrently support up to tens of thousands of users.

Through its native support of market-leading virtual environments—including those from Citrix, VMware, and Microsoft—BIG-IP APM enables authorized users to access their virtualized apps and desktops without launching a separate client. The BIG-IP APM web interface, or webtop, provides a single desktop view of all resources the user is authorized to access, including VDI resources. And based on a mobile user’s identity, context, and environment, you might limit access to only VDI, enforced by the granular, context-aware policies you create and manage using F5 Visual Policy Editor (VPE), a simple yet sophisticated GUI-based policy engine. In addition to its broad support of VDI environments, BIG-IP APM provides unparalleled scalability, supporting hundreds of thousands of VPN users on F5’s largest, fully loaded VIPRION chassis.

Conclusion

With the mobile workforce fast becoming the new enterprise reality, many users are now accessing corporate resources from personal mobile devices across untrusted public networks. This significantly broadens and complicates your attack surface and increases your vulnerability to viruses, malware, and other hacks.

As a unified, secure application access solution, BIG-IP Access Policy Manager, in conjunction with BIG-IP Edge Client, gives you the tools you need to protect your applications and data and reduce your risk of data loss and corporate liability. BIG-IP APM provides centralized management control over all access methods and enables you to create differentiated access policies based on a user’s identity, context and environment—so you can address virtually any access scenario.

At the same time, BIG-IP APM integrates seamlessly with your existing authentication workflow, and supports federated identity and single sign-on to applications wherever they reside, enhancing user experience while empowering users to work productively from any device, anywhere, at any time. Finally, BIG-IP APM delivers unparalleled scalability, eliminating additional access infrastructure costs while enabling you to stay ahead of your company’s constantly growing demand for enterprise mobility.

 


1 IDC, 2/5/2012
2 Juniper Research, 11/19/2013