Mobility thorny for application security

Security guru offers five ways to manage a secure environment for mobile workers, including moving away from network-based access controls.

Mobility is proving to be a growing challenge for IT managers looking to secure access to business applications, according to a security expert.

Kurt Roemer, Citrix's chief security strategist, said the challenge stems from the way networks are traditionally managed, where administrators are used to defining network segments and policy controls. However, as workers become more mobile, a company's applications are now accessed from anywhere, Roemer said during a phone interview Wednesday.

"But when you talk to the actual folks who are managing networks, they often do not take [mobility] into consideration," he said. "How many people have Starbucks and home users on their network diagram?"

As a result, Roemer said, there is now a proliferation of wireless and mobile devices used by employees to maneuver around traditional barriers in order to access an application.

Device management is also proving to be a security bugbear, as IT managers are now faced with managing a myriad of mobile devices running on different operating systems.

In addition, Roemer said traditional methods of securing network access to company resources, such as network access control (NAC), have limitations in a mobile environment.

"One of the most frequently used features of NAC is the bypass password, with which you can bypass the need to patch or update your system before you can get your work done," he explained.

However, traditional IT planning is a long-term process with returns on investment considerations, while today's businesses require a lot of agility, he said.

To address such issues, Roemer recommended five ways to overcome the mobility challenge:

1. Provide a secure channel for communication
Companies need to provide a secure channel for employees to access applications over the network, whether it is over wireless or managed network infrastructure. A secure channel is "critically important".

2. Apply user/access policies
Policies need to be in place to manage user access to applications, and should be implemented across multiple applications in a consistent manner. These could include identity management such as passwords.

Policies are also necessary to control how users access an application. For instance, they can be permitted to access everything they require if they are within a corporate network. If they are accessing the corporate network remotely, they should either be denied access to all applications or provided with access to resources in a virtualized environment. This ensures users retrieve resources in a secure way, even if they are logging in from insecure systems and networks, such as a public Wi-Fi network.

3. Ensure visibility of network
From an organization perspective, IT managers need to have strong visibility of what their users are doing on the corporate network. This can be done by deploying an application delivery infrastructure that allows companies to stay on top of potential security problems.

4. Overcome the people problem
Despite putting technology safeguards in place to mitigate security risks, people are often the weakest link in the security chain. In most instances, users do not have malicious intentions and want to do the right thing. Unfortunately, Roemer said, most companies have different security policies that make it difficult for people to get their jobs done. As a result, employees will work around inefficient security methods in every way possible.

With an application delivery infrastructure, companies can enforce strong authentication and encryption for all applications, together with a strong password access policy, without requiring the end user's direct involvement, thus reducing human error.

Roemer said: "The users don't have to think about it, and they can continue to do their work without being the weakest link."

5. Don't differentiate between remote and local access
Roemer said the lines between remote and local access have blurred. "Within Citrix, we don't even talk about remote access; we just talk about access," he said. People should be able to work the way they want, under their own rules and schedules.

At the same time, companies should enforce regulations and policies with full visibility. Otherwise, with increased mobility and new compliance requirements, "companies are fighting a losing battle by applying network-based controls to what's really an application problem", Roemer said.