PROTECTING YOUR CLOUDS | A ZDNet Multiplexer Blog

Extending SaaS to Mobile Workers

When remote employees want to use SaaS applications on laptops, tablets and smartphones, the promise of increased productivity must be balanced against the increased risk. We'll talk about monitoring and controlling data access and storage, authentication, remote management, and other critical factors for SaaS endpoints.

The security of data accessed from mobile devices is a huge concern for enterprise IT departments. Laptop computers connecting from outside the LAN are enough of a problem, but mobile iOS and Android devices are radically different and constrain IT's ability to control and monitor the user and device.

In some ways, the security issues for mobile devices are identical to those of desktop systems, but let's review what makes them different. These devices don't typically connect directly to the corporate network, but through a cellular network or outside WiFi network connected to the Internet. This places them out of the direct control of IT.

Standard solutions to this problem include mobile device management (MDM) or enterprise mobility management (EMM), both of which use an agent resident on the device to manage security.

EMM products typically provision devices securely, force strong passwords, enable device encryption, establish VPN connectivity to the corporate network, prevent device tampering, run apps in a sandbox to limit the harm they might cause, and give IT management control over app installations and data on the device. Where the user owns the device, these tools often create a separate, isolated environment on the device for work-related apps, and/or allow access to work-related apps and network folders only when certain security and authentication conditions are met.

This is only a portion of what modern mobile security solutions provide. But with respect to SaaS providers, EMM begins to fall short.

Traditional mobile management frameworks block the installation of unapproved apps. But because they don't run in the SaaS itself, there are limits to what they can do. These tools can't 'see' what's happening on SaaS servers and they can't enforce authentication policies for cloud-based services.

In order to ensure that mobile workers access SaaS apps safely, you need a comprehensive solution that combines EMM with a cloud access security broker, or CASB. GlobalProtect Mobile Security Manager (MSM) and Aperture, both from Palo Alto Networks, operate as a natively integrated solution that delivers mobile device management and secure SaaS access.

As part of a Next-Generation Security Platform, Aperture accesses other Palo Alto Networks capabilities such as App-ID, Content-ID and even WildFire. This allows it to have full visibility into corporate data, who is sharing it and with whom, what cloud applications are being accessed, whether malicious code has been used, and whether any action violates policy. Because Aperture can see and track so much, it can even apply policies retroactively.

GlobalProtect Mobile Security Manager then extends this functionality to users across devices and geographies. It runs in the cloud as part of the broader Palo Alto Networks platform. GlobalProtect applies authentication and firewall policies to any device, anywhere, so mobile workers and their applications are secure.

There's nothing magic about protecting data on SaaS networks accessed by mobile users. You need to be able to scrutinize usage and put it in the context of users, applications, and data. With the right tools and smart administration, this is a very solvable problem.
