September/October issue
Mobile working drives switch to federated access rights

William Knight
By 2007, 20 million people in Europe will be teleworking, taking
the enterprise boundary with them. Federated access rights will
lower risk and give managers the whip hand.
As society goes through changes in demographics and technology, work
patterns evolve to accommodate them. Cheaper and more reliable
communications make outsourcing an option not just for global firms
but for small ones too. An ageing workforce means parental leave will
take skilled workers out of the office, and flexible working will become
enshrined in European law. Meanwhile, weary commuters will demand cleaner
and easier routes to work that involve climbing the stairs, not queuing
on the M25.
According to market researcher Gartner Group's Policy Issues in
Remote Access, "Organisations that do not account for virtual
work styles on business processes will waste IT dollars and employee
productivity. A failure to align processes and services to distributed
work will degrade the viability and performance of 75% of businesses."
The stakes could not be higher. Workforce mobility, whether driven by
social mores, changing capabilities or economics, cannot be ignored. It
is already transforming the shape of the enterprise and dissolving the
boundaries between work, home and travel.
Reggie Best, president and chief executive of Netilla Networks,
puts it like this: "An increasingly nomadic workforce, coupled
with a growth in partner extranets, has made it nearly impossible
to segregate the internal network from the outside world. Attempting
to establish trust boundaries is fruitless because the network perimeter
is disappearing."
Mobility is an information risk
With increased mobility comes a host of risks for the enterprise
(see Box 1: A mobility risk menu). But users seem alert: Gartner's
Magic Quadrant (MQ) for SSL VPNs (Secure Sockets Layer virtual private
networks) for the first half of 2004 reports that users are alarmed by
the risks of access from unmanaged, and unmanageable, end point systems.
So they should be. In a recent survey of 100 IT managers in UK
organisations, Reflex Magnetics found that, encouraged by the need
for mobility, 85% used removable media devices to transport data
between the office and home, and 84% of businesses did not prevent
the use of removable media on the network.
In a separate study, Red-M, a vendor of intrusion detection products,
discovered it could use wireless technology from outside the buildings
to access the corporate networks of 80% of companies it surveyed.
As a first line of defence, SSL VPNs offer a good basis for securing
information for a mobile workforce. In addition, they offer access from
any standard browser, with no client software to deploy, and the ability
to act as an application gateway in front of internal systems. This has
shifted attention away from VPNs based on IPsec (IP security), and recent
acquisitions and mergers have positioned the SSL VPN market for a surge.
According to Gartner's MQ, "Leading
network vendors are committing resources that will make SSL VPN
a considerable growth market through 2005. Smaller incumbent vendors
are fighting to stay in the race."
Gartner suggests SSL VPNs are the connection of choice for remote
workers. "By the end of 2004 most enterprises will view SSL
VPNs as a desirable method for (providing access while roaming),
and by 2005 (vendors will find) demonstrations of good roaming solutions
will be critical to win business."
A maturing market
The hunt for "good roaming solutions" is driving a trend for vendors
to bundle answers to the various risks into one product. According to
Juniper Networks' head of corporate marketing, Peter Crowcombe, it is the
combination of the features in a reliable package that makes the
difference. Accordingly, the major vendors all provide post-session
cleanup of data cached on the client (important when the client is an
unmanaged machine), granular access tiered by the strength of the
authentication used, and support for mainstream authentication methods.
Tony Caine, vice president for the Europe, Middle East & Africa
division of Aventail, an SSL VPN system vendor, believes the SSL
VPN is becoming a platform of its own. "SSL VPNs are becoming
the foundation for a dedicated application access platform that
is evolving to include dynamic end point control, application security,
and intelligent authorisation and sign-on engines," he says.
"This platform is designed to handle the requirements of known
people accessing appropriately secured resources."
Fervent activity
The market has seen fervent activity. Last November, Nortel announced
the addition of SSL VPN capabilities to its Contivity gateway portfolio,
and Check Point has released an SSL VPN appliance called Connectra.
Juniper Networks' recent acquisition of NetScreen Technologies marched
it straight into a leading position in Gartner's Magic Quadrant report.
According to Gartner, when the leading network vendors entered
the market, the opportunity ended for new independent gateway vendors.
Juniper's Crowcombe believes all the major players now have SSL
VPN capability and will share most of the market between them. "Those
vendors that are still independent will probably remain so or will
have to find something else to do," he says.
But while the gateway market may be maturing, Gartner sees fresh
investment in security, graphical user interfaces and management
of the client side of SSL VPNs as excellent opportunities for growth.
Is you, or is you ain't?
SSL VPN vendors tend to be neutral with regard to authentication,
preferring to integrate with mainstream practices and products. But the
explosion in types of connecting device has created a user community
that is confused by authentication mechanisms and struggles to remember
its PINs, passwords and challenge responses, let alone keep them secret.
John Stewart, chief executive of Signify, a managed authentication
provider, says that multiple access points cause the problem. "Clients
do not want to have to issue and manage a different form of authentication
credential (password, token etc.) for each user at each access point.
This quickly becomes a cost and management nightmare," he says.
He sees today's authentication methods as the beginning of a coalition
of security checks where personal and corporate identities merge
into one. "The ability to access many sites over the air will
be expanded to encompass more aspects of our personal and corporate
lives," he says. "Our digital identity is required for
banking and retailing, but for now we need different digital identities
for personal and corporate activities. The merging of these identities
will be achieved through coalition of services in the retail, finance
and business sectors."
This view is echoed by Mark Blowers, senior analyst at market research
firm Butler Group. He says the convergence of all technologies into
one broadband connection will see handhelds, personal digital assistants
(PDAs), laptops and phones all settle on one authentication solution,
or perhaps a solution suite.
He emphasises the need for federated authentication, which he believes
is an innovative solution to the problem of multiple sign-ons. Under
this regime an identity passes through boundaries with each layer
authenticating the layer before. As such it is ideally suited to
a mobile workforce, he claims.
Netilla's Best agrees with the idea. "Rather than provide
an external user with access to internal assets," he says,
"the forward-looking goal is to provide external and internal
users with access only to the assets that they should use legitimately.
Authentication will become more complex; federated models will prevail."
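The chain Blowers describes, in which an identity passes through boundaries with each layer authenticating the layer before, and Best's goal of giving each user access only to the assets they should legitimately use, can be shown in a few dozen lines. The following is an added example written for this page, not code from any vendor or from the Jericho Forum. It assumes three hypothetical parties (an identity provider idp.example, an SSL VPN gateway gw.example and an internal application hr.example) and uses pairwise HMAC secrets as a stand-in for the asymmetric signatures a real federation protocol such as SAML would use; the party names, secrets, scopes and device-posture policy are all invented for illustration.

```python
"""Federated sign-on chain: IdP -> SSL VPN gateway -> internal application.

Each hop verifies the assertion issued by the previous hop, then issues its
own assertion for exactly one downstream audience, narrowing the user's
entitlements on the way. Added example; all names and secrets are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical pairwise secrets, exchanged out of band when the federation is
# set up. Keyed by (issuer, audience) so a token for one hop is useless at another.
SECRETS = {
    ("idp.example", "gw.example"): b"idp-to-gateway shared secret (assumed)",
    ("gw.example", "hr.example"): b"gateway-to-hr shared secret (assumed)",
}

# What the gateway lets through to hr.example, by client device posture.
# Unmanaged endpoints (the risk the article flags) get read-only access.
GATEWAY_POLICY = {
    "managed": {"hr:read", "hr:write"},
    "unmanaged": {"hr:read"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(issuer, audience, subject, scopes, ttl=300, now=None):
    """Sign an assertion about `subject` for exactly one `audience`."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "aud": audience, "sub": subject,
              "scopes": sorted(scopes), "iat": now, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRETS[(issuer, audience)], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify(token, expected_issuer, me, now=None):
    """Return the claims if `token` was signed by expected_issuer for `me`
    and is unexpired; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    key = SECRETS.get((expected_issuer, me))
    if key is None:
        raise ValueError("no trust relationship between %s and %s" % (expected_issuer, me))
    body, tag = _unb64(body_b64), _unb64(tag_b64)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    claims = json.loads(body)
    # Audience check: a token minted for the gateway must not be replayed at the app.
    if claims["iss"] != expected_issuer or claims["aud"] != me:
        raise ValueError("issuer or audience mismatch")
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def gateway_reissue(idp_token, device_posture, now=None):
    """Gateway layer: authenticate the IdP's assertion, then mint a shorter-lived,
    narrower assertion for hr.example based on what the device is allowed."""
    claims = verify(idp_token, "idp.example", "gw.example", now)
    allowed = set(claims["scopes"]) & GATEWAY_POLICY.get(device_posture, set())
    return issue("gw.example", "hr.example", claims["sub"], allowed, ttl=60, now=now)


def hr_app_authorise(gateway_token, action, now=None):
    """Application layer: trust only the gateway, and only for the scopes it passed on."""
    claims = verify(gateway_token, "gw.example", "hr.example", now)
    return action in claims["scopes"]


def run_chain(device_posture, action, now=None):
    """Walk the whole chain for user 'alice' and report whether hr.example allows `action`."""
    idp_token = issue("idp.example", "gw.example", "alice",
                      {"hr:read", "hr:write", "finance:read"}, now=now)
    gw_token = gateway_reissue(idp_token, device_posture, now)
    return hr_app_authorise(gw_token, action, now)


if __name__ == "__main__":
    for posture in ("managed", "unmanaged"):
        for action in ("hr:read", "hr:write", "finance:read"):
            print(posture, action, run_chain(posture, action))
```

Two properties are worth noticing. The application never sees or trusts the identity provider directly: an IdP token presented straight to hr.example fails with "no trust relationship", so each layer really does authenticate only the layer before it. And the gateway's re-issued token carries only the intersection of what the IdP asserted and what the device posture permits, so finance:read never reaches the HR application and an unmanaged endpoint cannot write, which is the "access only to the assets that they should use legitimately" that Best describes.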
Open borders, open standards
Information security has always seemed to be an afterthought: software
developers have been keen to provide working features before worrying
about how they might be subverted. Even when they have anticipated
misuse, actual practice has merely highlighted the ingenuity of attackers
in finding work-arounds. As a result, many security procedures develop
in response to a known problem.
This has led to a confusing landscape of switches, drop-down lists
and passwords that few understand and most resent using. If the car
had evolved in the same way, we might be speeding downhill before
being asked to sign on to the brake management system.
This approach cannot continue as the workforce goes mobile and connects
to sensitive systems through unknown devices and via insecure routes.
As with a fistful of custard, there will be leaks.
Paul Simmonds is global information security director at chemical
company ICI and spokesman for the Jericho Forum, a group of very
big IT user organisations dedicated to developing open standards
for secure, boundary-less information flow. He believes enterprise
borders will disappear when we secure the data rather than a boundary.
"A boundary does not really exist as a control point,"
he says. In his view there is no distinction between internal and
external, just users whose access to assets varies depending on
their authorisation, authentication and client device.
As ever, vendors use their own jargon to describe the concept;
boundary-less is also called de-perimeterisation or the inverted
network, and Simmonds admits the concept is a hook for looking at
security in a new way.
For him, de-perimeterisation is a change in emphasis and thinking
that he believes is sorely needed. The proliferation of products,
access methods, devices and configuration mechanisms is causing
companies to ignore security, he claims. Because of the resulting
complexity, "a lot of companies shrug their shoulders and turn
a blind eye," he says.
His view is corroborated by government statistics. The 2004 UK DTI
information security breaches survey found that, among companies using
remote access, 53% of those with wireless networks had done nothing about
wireless security, 95% had failed to implement any additional
authentication, and 77% had not securely placed their access points.
Jericho is a formidable pressure group. With members such as ICI,
BBC, HSBC, Royal Dutch/Shell, and BP turning up the heat, vendors
are sure to pay attention to Simmonds's three essential steps to
securing the mobile workforce. These are:
• Inherently secure protocols (encrypted, authenticated,
non-repudiated) - see AS2 (Applicability Statement 2), the specification
for Electronic Data Interchange over the Hypertext Transfer Protocol (HTTP)
• Federated identities, to enable seamless authentication
across businesses
• Inherently secure system design where additional software
or configurations are not required for products to be secure
Aventail's Caine believes SSL VPN is the obvious foundation on
which to build Jericho's walls. "While the inverted network
is more of a concept right now," he says, "we are seeing
companies starting to look at secure access in a new way, and network
administrators are already realising that they need consistent,
secure access, whether someone is remote or in the conference room."
Now that a vast number of European workers are about to go mobile,
it is not surprising that Aventail's Caine sees the SSL VPN as the
future of security for the mobile workforce. Indeed, given the plethora
of access devices and the predicted growth in the market, it is
hard to argue with him when he suggests the SSL VPN will evolve
from secure remote access from anywhere to secure access from everywhere.
Until, that is, the Next Big Thing.
William Knight is a technology writer with 18 years' experience in
software development and IT consulting. He writes for titles including
Computing, JavaPro and Gantthead.com.