Summary of Findings
Bottom Line: A mix of secure wired, wireless, virtual private network (VPN) and server-hosted virtual desktop infrastructure (VDI) technologies is needed to support new and expanded use cases for remote and mobile access. Multiple advanced policy systems will need to coexist, with few industry standards to support interoperability and enable consistent policy enforcement.
Context: Today, many organizations are pursuing strategies to enable mobile work from any device, from any location and at any time of the day. Changes in use cases, mobile work patterns, and the demand for secure remote and mobile access solutions are influencing policy changes, investments in upgraded infrastructure, and short-term changes in IT network, application and security architecture. Looking ahead, the expected enterprise use of hybrid private and public cloud services, accessed over a mix of public and private networks, involving Internet Protocol version 4 (IPv4), Internet Protocol version 6 (IPv6), wireless LAN (WLAN) and cellular networking protocols, and an even more diverse set of managed and unmanaged devices, will require multiple approaches for secure connectivity.
Take-Aways:
- Secure remote or mobile access requirements have evolved beyond traditional "road warrior" use cases that only focus on external access from remote locations, company-provisioned laptops and use of two-factor authenticators.
- New and extended use cases include support for partners, work-from-home programs, bring your own device (BYOD) programs, secure access to a remote cloud provider and support for access to a consistent workspace image while roaming.
- A mix of IPsec and Secure Sockets Layer (SSL) VPN gateways continues to be widely used for use cases that each is well suited for, with the SSL-based approach providing the greatest flexibility for a range of use cases involving nonemployees or access from devices not provisioned by IT.
- Secure connectivity solutions come in hardware and software appliance form factors, and are often delivered as a component of a multifunction network or security platform offering.
- Secure access and connectivity services are provided by network infrastructure, wireless network infrastructure, virtualization infrastructure, application delivery controller and network security products, and by solutions that implement platform- or application-specific secure protocols.
- Enterprises face significant challenges in assuring the identity of users and devices, while providing the convenience of single sign-on (SSO) for access from a growing range of portable computing devices.
- Secure networking based on IPv6 and software-defined network (SDN) approaches is still mostly for early adopters.
- Microsoft's DirectAccess and an improved Unified Remote Access Service (URAS) make it easier to deploy and operate on hybrid IPv4 and IPv6 networks, but for most clients, the Microsoft solution and the industry's support for IPv6 and transitional protocols need to mature.
- Long-term planning for investments in secure access infrastructure needs to consider expected changes in use cases, a diverse set of endpoint devices and ownership models, and an architecture that accommodates multiple technical approaches and hosting models.
- In the short term, customers will often need to use several solutions to satisfy their use cases. Although these solutions can provide advanced context-based access control, their policy management is by and large solution-specific.
Strengths:
- Established remote access vendors are innovating and investing in expanding their capabilities to support secure access for a broader mix of mobility use cases.
- Some BYOD program risks can be mitigated by secure access mechanisms that are able to identify and segregate unmanaged endpoint devices.
- Mechanisms that intermediate access between the requesting endpoint and the target service create a clear point for access policy enforcement and the creation of a reliable audit trail for satisfying compliance audits on which users (and devices) accessed which services and associated regulated data.
Weaknesses:
- Current industry standards are not sufficient to ensure consistent policy across multiple technical access enforcement mechanisms.
- Mechanisms that authenticate and establish a secure connection for accessing IT services and data generally involve a trade-off between usability and security — this is especially true for the latest generation of touch-based endpoint devices.
- Application silos are re-emerging independently as mobile applications address the need to authenticate, authorize and establish secure connectivity to the back-end application infrastructure.
Recommendations:
- Take an architectural approach to addressing the expected classes of use cases and avoid ad hoc solutions to unanticipated secure access requirements.
- Seek versatile solutions that can evolve rapidly to keep pace with a faster innovation cycle for consumer-oriented technologies and products.
- Build capacity within the secure access infrastructure, for future usage and business continuity scenarios, that enables rapid expansion in the number and types of endpoint devices that can be supported.
- Be agile and accommodate diversity in the technologies and endpoint devices that internal clients are likely to require. Consider segregating newer types of devices until their risk level is better understood or additional controls can be deployed.
Conclusion: Secure access to IT services by diverse endpoint devices will require a mix of technical access policy and enforcement mechanisms, as determined by the use cases that need to be addressed. It will also involve traditional VPN suppliers and other technology partners that natively support secure network and application layer protocols.