Enterprise Mobile Device Security: Discriminating by Device Profile
Over time, many organizations have built policies that allow them to discriminate between various device types and device security posture levels in order to set an appropriate level of access for a particular session.
For example, a user attempting to access the network from an appropriately protected and registered mobile device might be granted full network access, whereas a user attempting to connect from an unknown mobile device might have her data and application access severely restricted. Or that user might not be able to access the network at all until she follows the appropriate steps to make the device compliant.
In order to discriminate between devices with varying security posture levels, it is crucial to validate the endpoint machine prior to allowing the user to connect to the network in a remote-access setting.
Note that at the time of this writing, very few VPN products offer a solution to the challenges outlined in this section, but it is anticipated that additional vendors will attempt to solve these challenges for their customers in the near future.
Below is an illustration of a a typical scenario where access controls are applied based on the device and the device security posture. In this case, the SSL VPN policy dictates that a different level of access is granted to the end user based on whether the user’s machine is in compliance with the policy, as detailed in the following list:
Corporate-managed or patched mobile device: In this case, the user is attempting to access the network from an Android OS device that is registered and has been provided by the organization. Antivirus and personal firewall software is installed on the device, and the organization can remotely wipe and track the device should it become lost or stolen.
Based on this device information, and on the user’s authentication with a one-time password, the managed role applies for this particular session. Because the user is coming from what appears to be a managed device that meets all the security requirements, the user is granted full, Layer 3 network access. Along with that access comes the ability to reach all applications.
Personal mobile device: In this example, the user is attempting to access the network from an Android OS device, but this time, it is the user's own personal device that she brought from home. In this case, no endpoint security software is installed, and the device hasn't been registered, so the organization doesn't have the capability to remotely wipe the device or track it if it’s lost or stolen.
Based on this device information, and on the user’s authentication, the unmanaged role applies for this particular session. In this case, the user has access to far fewer applications and resources than she had when accessing the network from the corporate-managed device.
Here, she can access only a select few web-based applications, she has no ability to access corporate file shares, and only a very short network inactivity timeout is employed to help guard against loss or theft because the IT admin can't provide these protections on this particular device.