Preserving Usability While Enforcing Access Compliance
By Scott Gordon
We’re living in a complicated time right now in terms of enabling a mobile workforce, securing endpoint devices and protecting access to sensitive corporate and consumer information. On one side of the equation, organizations are moving data into the cloud – public, private and Software as a Service (SaaS). On the other side, we’ve got the consumerization of IT with a big shift in the mobile endpoints and Internet-connected devices users are employing to access that data. The challenge becomes “How do we consistently enforce secure access policy, without negatively affecting usability and end user productivity?”
To put it another way, how can we protect the connection while adding fidelity to make informed decisions and have audit records showing that we’re following policy? This is one of the problems Pulse Secure is solving. Our role is to have the IT organization focus on how they can fortify new business initiatives and a mobile workforce, while extending protected and authenticated access from the endpoint of the user to the resource, in a way that preserves usability and enforces compliance.
This is a big issue if you’re a regulated business that wants to provide access to certain applications and information but doesn’t physically own the endpoint or wants to ensure specific use of corporate-provided devices. Could that device be misconfigured, introduce ransomware, inadvertently offer an unsanctioned app, or be susceptible to unauthorized access and data loss? How do you ensure that the right person gets access to the right information, that the communication session is protected and that user’s device is secure?
If a company provides access to personal customer information through a critical application that resides with a cloud service provider, it may require that user identity and device security state be verified, and that a Secure Sockets Layer virtual private network (SSL VPN) connection be enforced whenever that application is used. At the same time, you want the mobile user to be redirected seamlessly to specific resources, with the policy centralized, tracked and applied regardless of the user’s device of choice.
Our Pulse Connect Secure product can ensure an always-on virtual private network (VPN) connection or application-specific protected connection. In addition, our host checking functionality verifies that the endpoint is running certain applications and has up-to-date defenses, from antivirus to a personal firewall. We can check that corporate-owned devices have endpoint management software that is installed and active. We can even invoke remediation, such as triggering Microsoft SCCM, to remediate that endpoint. We let you define an endpoint compliance policy down to that level – the user identity, the group, the required device security state and response – depending on the scenario of what type of resources are to be accessed.
Pulse Secure ultimately provides organizations extensive visibility into users and devices to allow IT to make informed decisions and mitigate risk. Once you have this intelligence, you can align business requirements to security requirements, allowing you to preempt the impact on users. You can define the extent of user authentication, device inspection, endpoint compliance requirements and the action to be taken depending on the role and endpoint security state – whether the resource being requested is on the corporate network, in a private cloud or being served by a third-party SaaS application. These can be set up relative to the role of the user and the information they want to access. These policies can be phased in and matured as needed.
A Secure Access policy is typically based on who you are, what group you belong to, what kind of device you have, potentially your location, what resource you’re attempting to go to, the security state of your endpoint and the operational control over the endpoint. All those things can make up a compliance policy that can be triggered as soon as someone attempts to access a resource, whether they are remote or on a corporate network. The policy can also impose different access security conditions depending on whether the application or information is in a corporate data center or cloud-based. The key is to enable policy management that can be consistently delivered across different user types, computing devices, applications and network resources.
Pulse Secure achieves this for our customers by using open standards and proprietary methods that facilitate interoperability with a broad array of network, security and cloud-based operating environments. Imagine a remote user who needs to reach certain corporate applications and a few web applications hosted in a public cloud: the user would only need to authenticate once through our Pulse Secure client for all their access needs. We can use the Security Assertion Markup Language (SAML) protocol to federate and facilitate the authentication of that user to that cloud application. Our systems also work with commercial and government-issued two-factor authentication systems to enable stronger identity assurance.
Using standards, we can also ensure that non-employees attempting to access network resources, say through a wireless controller, will also be managed. You can have visitors and contractors under specific guest policies where they have restricted access, if that’s the policy you define. For instance, a contractor could be restricted to the specific resources they need, set up in advance by an authorized employee sponsor. At the same time, general visitors can request access through a captive portal, where they will be put into a guest virtual LAN (VLAN) that is segregated from the employee network. This automated process to identify, classify and segregate guest users and their endpoints according to policy is also applied to unknown, Internet-connected devices as a means of Internet-of-Things (IoT) security.
Secure access capabilities can also be applied to state and federal government to meet their requirements. We’re used by some of the largest cities, where public servants may need to access resources to look up sensitive information or carry out tactical activities. Our systems are protecting access and securing the transmission. Another use case applies to discretionary access provision. A visiting federal service agent might require temporary, restricted access to a state or local municipality network resource during a local emergency. These are examples of enabling civic-ready secure access. It’s the ability to have multiple layers of policy from least to most restrictive and to be able to activate and enforce that policy as needed.
In a military context, there are even more stringent security, resiliency and integration requirements. The policies are similar, however, in cases where you have multiple entities working as coalitions to carry out missions, which is where visibility, availability and response are crucial and interoperability comes to bear. This requires workflow management and secure access orchestration that combines strong authentication, endpoint security assurance, access enforcement, granular policy management, dynamic control application, operational visibility and automated response capabilities. In these situations, usability is about a lot more than just end user experience. Usability might mean the difference between life and death if participants can or cannot easily access the data they need to do their jobs.
IT organizations need operational visibility and the means to assure appropriate and protected resource and data access. Enforcing a security policy without negatively affecting user productivity requires a careful balancing act of process and technology. We provide the platform to allow organizations to gain and leverage secure access capability, while preserving user experience.
Scott Gordon is the Chief Marketing Officer at Pulse Secure