WHITE PAPER

Mobile Access Security & Management
Managed and Unmanaged Mobile Access to Windows Applications and Virtual Desktops—from Smartphones and Tablets
Ericom Software
www.ericom.com
September 2012
Mobile Access Security and Management
Table of Contents
Introduction (p. 3)
The Challenges (p. 3)
How the Connection Broker Can Help (p. 3)
Mobile Device Support – The “Native Client Mismatch” (p. 3)
Bring Your Own Device (p. 4)
Regulatory Compliance (p. 5)
Encryption (p. 5)
Ericom Solutions (p. 6)
AccessToGo (p. 6)
AccessNow (p. 7)
PowerTerm WebConnect RemoteView (p. 7)
Conclusion (p. 10)
About Ericom (p. 11)
www.ericom.com
Page 2
Introduction

The task of maintaining network and data security is one of an IT administrator's greatest challenges. In recent years, this already difficult task has been further complicated by the proliferation of mobile devices connecting to the network. This white paper discusses some of the challenges involved in delivering secure mobile access to organizational IT resources while also allowing for the use of mobile devices.
The Challenges

In this day and age of seemingly universal connectivity and the growing Bring Your Own Device (BYOD) trend, a growing number of employees, contractors, students and medical professionals are using a wide range of personal devices to access remote desktops and applications running on the organization’s servers. This uncontrolled access opens the door to malicious activity, leakage of data, exposure to malware and compliance risk.

The task of providing users access to remote applications and remote desktops through their mobile devices might initially seem relatively straightforward. Even so, there are a number of challenges that the IT staff must overcome, especially with regard to BYOD. For example, end-user devices are almost always configured in an insecure manner, so it can be a major challenge to allow users to establish connectivity from such devices while still maintaining your network’s overall security and complying with any applicable regulations (HIPAA, SOX, FISMA, etc.).
How the Connection Broker Can Help

One of the most effective techniques for addressing the security and manageability of remote desktops and remote applications is to deploy a connection broker. As the name implies, a connection broker manages inbound connections by matching users up with an available remote access session. In addition to this basic functionality, however, a connection broker also centralizes the installation and maintenance of applications and / or desktops that reside on secure backend servers. This eases the burden of managing remote desktops and remote applications, while at the same time improving the overall security of organizational IT resources.

Having centralized control over virtual desktops and remote applications eliminates the need to manually install applications or define settings on individual user desktops (or mobile devices). Instead, all administration and maintenance is performed at the server level, with no need to service or upgrade end user devices.
Mobile Device Support – The “Native Client Mismatch”

Although using a connection broker greatly improves remote access security and manageability, there are still a number of other issues that must be overcome when supporting mobile devices. One such issue is the connection broker / client mismatch. This is especially true when you consider that end users may be using just about any make or model of mobile device.
One of the reasons why connection broker / client mismatch can be such an issue is that some native clients (clients that are designed for a specific device or mobile operating system) are not compatible with connection brokers and therefore will not work in a managed environment. Of course, the opposite can hold true as well: some native mobile clients are only designed to run in a managed environment. Such clients are almost always designed to work with one specific connection broker. For example, the Citrix client only works with a Citrix backend.

The manageability aspect of supporting mobile devices is one of the easier challenges to work around. Ericom, for example, offers a native client called AccessToGo that can function in both managed and unmanaged environments.
Bring Your Own Device

The challenge of securing and managing mobile device usage is often made more complex when Bring Your Own Device (BYOD) is brought into the picture. BYOD is a trend in which users access data and applications through their own personal devices such as tablets and smartphones. Although once regarded as a fad, BYOD is accelerating rapidly and will probably become a new norm.

There are several reasons why BYOD complicates mobile device security and management. First, the very nature of BYOD means that users will attempt to access network resources from all manner of mobile devices. The IT department is typically expected to facilitate end user device connectivity, regardless of the make or model of the device. This can prove to be a challenge because of the connection broker / client mismatch issues that were previously discussed.

Another reason why BYOD can complicate the issue of security and manageability is that users do not typically implement adequate security on their own personal devices. When a user establishes a connection to the network from their personal mobile device, that device is in an unknown state. It might be configured with a strong password, or it might not have a password at all. The device could be running a clean configuration, or it could be infested with malware.

Using a connection broker can help to mitigate at least some of the risks associated with otherwise insecure mobile devices. Once the user attaches to the organization’s network through a VPN or through a remote access gateway, the connection broker may be the only thing standing between the user’s device and sensitive network resources. The connection broker prevents the host server’s IP addresses, open port numbers, and other information from being revealed to the mobile device.

Beyond mitigating mobile device security and management issues, a connection broker also reduces IT support requirements related to accessing numerous applications from a device. The connection broker centralizes the maintenance of applications and desktops residing on backend servers (TS / RDS / VDI) instead of on the end user’s device, lowering both total cost of ownership and the risk of malware contamination and distribution.
Regulatory Compliance

Another major issue that is often encountered when supporting mobile devices is that of regulatory compliance. Although not every organization is regulated, regulations such as HIPAA, SOX, and FISMA affect a large number of companies in America. Although such regulations may not always specifically address mobile devices, they do provide mandates for how data is to be handled and secured. These mandates remain in effect regardless of whether the data is being accessed from a mobile device or a PC, from inside or outside your network. As such, it is critically important to take any applicable regulations into account prior to allowing mobile devices to connect to resources on your network.

Naturally, the requirements vary from one set of regulations to another, but often your connection broker can make it easier to achieve regulatory compliance. This is especially true when it comes to issues such as the logging and monitoring of user sessions. For example, HIPAA sets the following requirements with regard to logging:

• Section 164.308(a)(5)(ii)(C) “Log-in Monitoring” requires that organizations monitor log-in attempts and report any discrepancies. This requirement applies to both failed and successful logins.
• Section 164.312(b) “Audit Controls” requires organizations to implement hardware, software, and / or procedural mechanisms that record and examine activity in information systems that contain or use electronic health records.
• Section 164.308(a)(1)(ii)(D) “Information System Activity Review” requires organizations to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
These are just three examples of HIPAA requirements for auditing and logging user activities. Although HIPAA does not specify the exact manner in which auditing and logging must be performed, the law is very clear that user sessions in which the user is accessing electronic health records must be audited. PowerTerm WebConnect is a comprehensive connection broker that can help to facilitate compliance with HIPAA and other similar regulations in this regard by offering features such as detailed logging and auditing, as well as real time monitoring of user sessions. (More on PowerTerm WebConnect in an upcoming section.)
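The three HIPAA controls above (log-in monitoring, audit controls, activity review) all come down to the same operational loop: record every login outcome, keep the record examinable, and review it for discrepancies. The following is an added example written for this edit, not Ericom's or PowerTerm WebConnect's code; the audit-line format, the user names, the addresses and the sample log lines are all constructed for illustration, and the "discrepancy" rules (a run of failures that ends in a success, and failures for one account from several source addresses) are one reasonable reading of what "report any discrepancies" means, not a HIPAA-mandated rule set.

```python
"""Added example (not Ericom's code): reviewing a login audit trail for the
HIPAA-style controls discussed above.  Log format and sample lines are
constructed for this example; a real connection broker's log will differ."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines: <ISO timestamp> <user> <source IP> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_AUDIT_LOG = """\
2012-09-03T08:01:12Z alice 10.1.4.20 LOGIN_OK
2012-09-03T08:02:44Z bob 10.1.4.21 LOGIN_FAIL
2012-09-03T08:02:51Z bob 10.1.4.21 LOGIN_FAIL
2012-09-03T08:03:05Z bob 10.1.4.21 LOGIN_FAIL
2012-09-03T08:03:30Z bob 10.1.4.21 LOGIN_OK
2012-09-03T09:15:00Z carol 192.0.2.77 LOGIN_FAIL
2012-09-03T09:15:09Z carol 198.51.100.9 LOGIN_FAIL
2012-09-03T09:15:20Z carol 203.0.113.5 LOGIN_FAIL
2012-09-03T09:15:31Z carol 203.0.113.5 LOGIN_FAIL
2012-09-03T10:00:00Z dave 10.1.4.30 LOGIN_OK
"""


def parse_audit_log(text):
    """Parse audit lines into event dicts.  Malformed lines are skipped but
    counted, so a reviewer can see when the record itself is incomplete."""
    events, malformed = [], 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("LOGIN_OK", "LOGIN_FAIL"):
            malformed += 1
            continue
        ts, user, src, outcome = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            malformed += 1
            continue
        events.append({"time": when, "user": user, "src": src,
                       "success": outcome == "LOGIN_OK"})
    return events, malformed


def review_login_activity(events, fail_threshold=3):
    """Count successful and failed logins per user and flag two discrepancies:
    a success that follows a run of at least fail_threshold failures (guessing
    that eventually worked), and failures for one account coming from more
    than one source address (distributed guessing or a shared credential)."""
    summary = defaultdict(lambda: {"ok": 0, "fail": 0, "sources": set()})
    streak = defaultdict(int)   # consecutive failures per user, reset on success
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        s = summary[ev["user"]]
        if ev["success"]:
            s["ok"] += 1
            if streak[ev["user"]] >= fail_threshold:
                findings.append((ev["user"],
                                 "success after %d failures" % streak[ev["user"]]))
            streak[ev["user"]] = 0
        else:
            s["fail"] += 1
            s["sources"].add(ev["src"])
            streak[ev["user"]] += 1
    for user, s in summary.items():
        if s["fail"] >= fail_threshold and len(s["sources"]) > 1:
            findings.append((user, "failures from %d source addresses"
                             % len(s["sources"])))
    counts = {u: {"ok": s["ok"], "fail": s["fail"]} for u, s in summary.items()}
    return counts, findings


if __name__ == "__main__":
    evs, bad = parse_audit_log(SAMPLE_AUDIT_LOG)
    counts, flagged = review_login_activity(evs)
    print("malformed lines:", bad)
    for user, c in sorted(counts.items()):
        print(user, c)
    for user, reason in flagged:
        print("REVIEW:", user, reason)
```

Run as a script it reports bob (three failures, then a success) and carol (four failures spread over three source addresses); alice and dave produce no finding. The point of counting malformed lines rather than silently dropping them is that a gap in the audit record is itself something the 164.308(a)(1)(ii)(D) review should surface.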
Encryption

It is impossible to discuss security without talking about encryption. In order to remain secure, data must be encrypted both at the storage level and when it is in transit. All of the major sets of regulations address encryption in one way or another. HIPAA, for instance, imposes the following requirements:
Section 164.306(a)(2)(iv) Encryption and Decryption (Addressable) requires an organization to implement a mechanism to encrypt and decrypt electronic protected health information. Section 164.306(e)(2)(ii) Encryption (Addressable) also requires organizations to implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
The HIPAA regulations as a whole are designed to outline requirements, but are purposefully vague in that they do not stipulate the exact mechanisms that organizations must use to comply with each requirement. As such, the requirements outlined above clearly state that protected health information must be encrypted, but do not detail the nature of that encryption. A connection broker such as Ericom PowerTerm WebConnect can also help to address this requirement. PowerTerm WebConnect provides built-in support for Secure Sockets Layer (SSL) and Secure Shell (SSH) encryption for secure communications.
Ericom Solutions

Each organization's access requirements and goals are different. Some companies may limit the use of mobile devices to certain employees (executives, field/sales people, third party consultants, independent agents); others may want to extend their use to the entire workforce. A successful mobile access security and management solution must be tailored to fit the relevant scenario. Ericom (http://www.ericom.com) offers a portfolio of products that can be used in combination, or each on their own, to address the range of security and manageability issues that come into play when supporting mobile devices.
AccessToGo

One such product is AccessToGo (http://www.ericom.com/mobile). AccessToGo is a native client for mobile platforms that works with iOS and Android tablets and smartphones. It is designed to work in both centrally managed (with a connection broker) and unmanaged environments. AccessToGo is available in two modes: standard RDP (free) and accelerated.
In unmanaged environments, AccessToGo can optionally use Ericom's free SSL Secure Gateway for secure, encrypted remote access from the AccessToGo application to hosted desktops.

In ‘Accelerated’ mode, Ericom AccessToGo leverages Ericom RDP compression and acceleration technology to enhance remote desktop display performance by up to 10 times over slow network connections and WANs. These accelerated sessions are especially useful for viewing content that contains highly graphical images and animations, such as PDFs, streaming video, and 2D/3D images. Go to www.EricomBlaze.com to learn more.
In managed environments, AccessToGo connects mobile devices through a connection broker such as PowerTerm WebConnect to remote applications and remote desktops residing on remote servers and physical PCs. AccessToGo can also connect to desktops managed by VMware View, and the RDP connections are free.
AccessNow

Another solution offered by Ericom is AccessNow (http://www.ericom.com/Ericom_AccessNow_Products). Like AccessToGo, AccessNow is an RDP client that enables users to access remote Windows applications and desktops hosted on RDS / Terminal Services / VDI. Where AccessNow differs from AccessToGo is that it does not require a dedicated native client to be installed on the user’s mobile device. Instead, AccessNow provides browser based connectivity: any mobile client can establish connectivity to a remote Windows desktop or application, so long as the client is equipped with an HTML5 compliant Web browser.

AccessNow is secure and easy to deploy and therefore ideal for use in BYOD environments in which users may need to use mobile devices and IT seeks to reduce support costs. With AccessNow, corporate data and applications are not downloaded to the device, and personal information and personal apps on the device are inaccessible by the corporate applications.

AccessNow can also act as a high-performance gateway, enabling secure remote access to virtual desktops and terminal servers from outside the firewall. AccessNow also helps organizations to maintain business continuity by allowing employees to access their applications and desktops from any available end-point device, anywhere, without having to install any software or plugins. Moreover, end-user devices do not require any provisioning since remote sessions are accessed through a Web browser.
PowerTerm WebConnect RemoteView

Ericom’s advanced connection broker, PowerTerm WebConnect, helps organizations improve information security and achieve regulatory compliance while reducing desktop management efforts and costs. PowerTerm WebConnect acts as a ‘mediator’ between end-users and hosted computing resources residing on any combination of Terminal Services (RDS), leading VDI hypervisors, Cloud services or Blade/physical PCs.
PowerTerm WebConnect increases security since the servers that are hosting remote desktops or remote applications are not exposed directly to the Internet. Instead, remote users attach to the PowerTerm WebConnect Server, which proxies the user’s request to backend resources.
PowerTerm WebConnect RemoteView does more than act as a proxy for user requests. It also centralizes security by seamlessly managing authentication for AccessToGo and AccessNow clients. In fact, PowerTerm WebConnect RemoteView is designed to work with virtually any LDAP compliant directory server, including Microsoft Active Directory, Novell’s directory service, and iPlanet. This approach reduces the overall management burden since user accounts only need to be managed in one place. For example, if a user account is disabled within Windows Active Directory, then PowerTerm WebConnect RemoteView recognizes that the user account has been disabled, and will not allow remote access from that account.

PowerTerm WebConnect RemoteView further enhances security through additional features such as encryption and two-factor authentication. PowerTerm WebConnect RemoteView also comes with the Ericom Secure Gateway (option); alternatively, RemoteView supports other SSL VPNs that organizations might already have deployed.
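Two broker behaviours from this section and the one before it (the backend servers are never exposed directly, and an account disabled in the directory is refused) are easy to get wrong in a home-grown gateway, so here is an added example written for this edit of what they look like in code. It is not Ericom's or PowerTerm WebConnect's code: the directory, the user records, the group name "RemoteUsers", the hostnames and the capacities are constructed in-memory stand-ins for an LDAP directory and a TS/RDS/VDI farm. The one real identifier is Active Directory's userAccountControl attribute, whose 0x0002 bit (ACCOUNTDISABLE) marks a disabled account. The example goes slightly beyond the text by re-checking the directory on every proxied request, so that an account disabled mid-session is cut off rather than living on until it disconnects.

```python
"""Added example (not Ericom's or PowerTerm WebConnect's code): a minimal
connection-broker authorisation gate.  The directory, users, group name and
backend pool are constructed stand-ins; only the userAccountControl flag is
the real Active Directory attribute."""
import secrets

# Real Active Directory flag: bit 0x0002 of userAccountControl is ACCOUNTDISABLE.
ACCOUNTDISABLE = 0x0002

# Constructed stand-in for the directory: account name -> attributes.
DIRECTORY = {
    "alice": {"userAccountControl": 0x0200, "memberOf": ["RemoteUsers"]},  # normal user
    "bob":   {"userAccountControl": 0x0202, "memberOf": ["RemoteUsers"]},  # disabled
    "carol": {"userAccountControl": 0x0200, "memberOf": ["Finance"]},      # not entitled
}

# Constructed backend pool (hypothetical hostnames); these records never reach a client.
BACKEND_POOL = [
    {"host": "rds01.corp.example", "port": 3389, "sessions": 0, "capacity": 2},
    {"host": "rds02.corp.example", "port": 3389, "sessions": 0, "capacity": 2},
]


class BrokerError(Exception):
    pass


def account_is_enabled(attrs):
    """True unless the ACCOUNTDISABLE bit is set in userAccountControl."""
    return not (attrs.get("userAccountControl", 0) & ACCOUNTDISABLE)


class ConnectionBroker:
    """Authorises a user against the directory, picks the least-loaded backend
    and keeps the handle-to-backend mapping on the broker side only."""

    def __init__(self, directory, pool, required_group="RemoteUsers"):
        self.directory = directory
        self.pool = pool
        self.required_group = required_group
        self._sessions = {}  # opaque handle -> {"user": ..., "backend": ...}

    def _authorise(self, username):
        attrs = self.directory.get(username)
        if attrs is None:
            raise BrokerError("unknown account")
        if not account_is_enabled(attrs):
            raise BrokerError("account disabled in directory")
        if self.required_group not in attrs.get("memberOf", []):
            raise BrokerError("account not entitled to remote access")

    def connect(self, username):
        """Return the reply sent to the client: an opaque handle and the user
        name.  The backend host and port are deliberately not part of it."""
        self._authorise(username)
        backend = min(self.pool, key=lambda b: b["sessions"])
        if backend["sessions"] >= backend["capacity"]:
            raise BrokerError("no backend capacity")
        backend["sessions"] += 1
        handle = secrets.token_urlsafe(16)
        self._sessions[handle] = {"user": username, "backend": backend}
        return {"session": handle, "user": username}

    def backend_for(self, handle):
        """Resolve a handle on the broker's own proxy path.  The directory is
        re-checked so that an account disabled mid-session is cut off at the
        next proxied request."""
        rec = self._sessions.get(handle)
        if rec is None:
            raise BrokerError("no such session")
        try:
            self._authorise(rec["user"])
        except BrokerError:
            self.disconnect(handle)
            raise
        return rec["backend"]["host"], rec["backend"]["port"]

    def disconnect(self, handle):
        rec = self._sessions.pop(handle, None)
        if rec is not None:
            rec["backend"]["sessions"] -= 1
        return rec is not None


if __name__ == "__main__":
    broker = ConnectionBroker(DIRECTORY, BACKEND_POOL)
    print(broker.connect("alice"))          # handle and user only, no host/port
    for name in ("bob", "carol"):
        try:
            broker.connect(name)
        except BrokerError as err:
            print(name, "refused:", err)
```

The design point is that `backend_for` is the only place a backend address appears, and it is called by the broker's proxy path, never by the client; the client-facing `connect` reply carries nothing but the handle. Checking group membership in addition to the disabled flag mirrors the "managed in one place" argument above: entitlement to remote access is a directory attribute, so revoking it is a directory change and the broker follows automatically.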
Conclusion

There are several considerations that organizations seeking to support remote mobile clients should take into account:

1. First, it is important to choose a solution that can provide connectivity from all network endpoints. The diversity of the user devices that are likely to connect to your network makes it essential to choose a solution that will work equally well with native clients and with browser based clients. PowerTerm WebConnect is such a solution.
2. More importantly, using both the client side and the connection broker side provided by Ericom ensures end to end security. Using AccessNow or AccessToGo in conjunction with PowerTerm WebConnect RemoteView ensures that the end user is using the appropriate configuration, and that authentication and encryption will function end to end.
3. Finally, the solution that you choose should be easy to deploy and easy to use, as well as cost effective. Ericom’s solutions can be used to create a self-provisioned environment in which users can simply click on a link to connect to a remote resource. This ease of connectivity extends to virtually any device connecting from anywhere.
About Ericom

Ericom Software is a leading global provider of Application Access, Virtualization and RDP Acceleration Solutions. Since 1993, Ericom has been helping users access enterprise mission-critical applications running on a broad range of Microsoft Windows Terminal Servers, Virtual Desktops, legacy hosts and other systems. Ericom has offices in the United States, United Kingdom and EMEA. Ericom also has an extensive network of distributors and partners throughout North America, Europe, Asia and the Far East. Our expanding customer base is more than 30 thousand strong, with over 7 million installations. For more information about Ericom and its products, please visit http://www.ericom.com.
For more information on Ericom’s products and services, contact us at the location nearest to you, or visit our web site: http://www.ericom.com

North America
Ericom Software Inc.
231 Herbert Avenue, Bldg. #4
Closter, NJ 07624 USA
Tel +1 (201) 767 2210
Fax +1 (201) 767 2205
Toll-free 1 (888) 769 7876
Email info@ericom.com

UK & Western Europe
Ericom Software (UK) Ltd.
11a Victoria Square
Droitwich, Worcestershire WR9 8DE
United Kingdom
Tel +44 (0) 845 644 3597
Fax +44 (0) 845 644 3598
Email info@ericom.co.uk

International
Ericom Software Ltd.
8 Hamarpeh Street
Har Hotzvim Technology Park
Jerusalem 91450 Israel
Tel +972 (2) 591 1700
Fax +972 (2) 571 4737
Email info@ericom.com
Copyright © 2012 Ericom Software Ltd. Ericom and PowerTerm are registered trademarks of Ericom Software Ltd. Other company brands, products and service names are trademarks or registered trademarks of their respective holders.