Well over a decade ago, at a Citrix conference, I saw an amazing video. It showed a team of people in geographically separate locations collaborating to solve a business problem, sharing access to applications and data in the process. It showed a business person leaving his office, and having his running applications seamlessly follow him to a mobile computing device in his car, then, when he got home, seamlessly follow him to the computer in his home office, all the while continuing the collaboration session with his teammates. At the time, none of this technology existed outside of developers’ imaginations (and whatever prototypes they might have been working on in their labs).
Today, not only does the technology exist, it is relatively commonplace. Telecommuters access data and applications with performance that is every bit equal to that of their colleagues in the office. Engineers work on CAD drawings remotely with no loss of performance or graphic resolution. Radiologists can view a diagnostic image on an iPad from the sidelines of their child’s soccer game. Companies have discovered the cost savings available from Bring Your Own Device (BYOD) programs. And it all goes back to the basic vision that work is something that you do – it is not necessarily a place where you go.
The popular term for this today is “mobile workspace.” But what is a mobile workspace? What does it look like, and what are its characteristics?
A more fundamental question is: What is the business need? – because that is what will ultimately drive the characteristics of a mobile workspace. Simply stated, people need to be able to access the information and applications they need to do their jobs from any location, over any kind of connection, using any kind of client device, without compromising security or risking loss of confidential data.
There are a lot of remote access technologies available today. Providing secure access is the tricky part. This means that either (1) the confidential data never leaves the confines of the data center, or (2) if it does leave the data center, it must be encrypted both in transit and on the remote endpoint, and control must be maintained over the data such that it cannot be disseminated further and it can be remotely wiped from the endpoint if it becomes necessary.
This all becomes even more tricky if the remote endpoint is an employee-owned device as opposed to a corporate asset. It implies that you need some form of mobile device and/or mobile application management that can keep corporate data isolated from personal data, prevent corporate data from being copied to an insecure repository, printed, emailed, etc., and let you remotely wipe the data if the employee leaves the organization or the mobile device is lost or stolen – preferably without wiping the employee’s own personal data.
You will also need to think long and hard about identity management. Does simple username/password authentication give you enough security? (Hint: probably not.) Remember that all modern browsers are capable of caching Website passwords, so if your employees can get to email via Outlook Web Access (OWA), or if you use a Web front-end to your VPN or remote access solution, there’s nothing to stop a user from caching the access credentials in the browser – meaning that a lost or stolen laptop immediately becomes a potential security breach. And, for that matter, do you really want everybody to be able to get to email via OWA? If you don’t, how will you prevent it from happening? Once your OWA site is up and running, it’s fair game for anyone who knows, or can find out, the URL you’re using – and remember that smartphones and tablets typically also use the OWA URL for accessing email, meaning that confidential company email messages could end up on any employee’s personal smartphone or tablet – unless you’ve implemented specific security measures that ensure that only authorized devices can connect.
Multi-factor identification comes in many forms these days. Most of us remember the old days when two-factor identification meant some kind of hardware token (e.g., the RSA SecurID key fob token) that displayed a one-time ID number that had to be combined with the user’s PIN and entered as an additional authentication factor after the username and password were entered. Those tokens still exist, but are not by any means the only technology available. You can have software tokens installed on mobile devices so that the user only needs a PIN to unlock the software token, you can have one-time passcodes pushed to a user’s mobile phone (assuming that the user is in a location that has cell phone reception, which is not always a safe assumption), you can use some kind of biometric authentication, you can use smart card authentication, or you can take the user to an authentication Web page with numbers randomly displayed in an array and have the user choose the numbers in a prearranged pattern known only to that user (e.g., if my secret PIN is 1295, I would click on the first, second, ninth, and fifth number or symbol in the array, in that order).
Of course, the more complicated you make the authentication process, the more pushback you’re likely to get from your users. Sometimes this can be mitigated by using context-sensitive authentication. For example, a username/password combination may be fine if the user is authenticating from within the corporate network or from a branch office, but if the user is trying to connect from outside of the corporate network, a stronger form of authentication may be required. And if a particular user generally works from 9:00 am to 5:00 pm Monday through Friday, and suddenly tries to authenticate at 3:00 am on a Sunday morning, or tries to access the accounting application when they have no legitimate business reason to do so, you may want to deny the connection regardless of the credentials and authentication presented. Likewise, if a user who never travels on company business is unexpectedly trying to authenticate from an Internet café in Hong Kong, you will probably want to deny the connection.
The good news is that all of the things described in this post are available now. Mobile workspaces can be created that will give your employees the flexibility they need to maximize their productivity, improve their quality of life, and still not compromise security or performance. It is possible to implement BYOD programs and still keep your data safe. Not only is it possible, it’s one of our specialties. Ask us how.