Workspot Enables Spectrum of Trust
DESCRIPTION
Gartner has introduced the concept of a "spectrum of trust" to describe how companies should think about mobile security. Workspot enables the spectrum of trust. Workspot has created a workspace-as-a-service solution: a 100% cloud solution for BYOD. Workspot is the fastest way to deliver business applications and data into a workspace on any device.
TRANSCRIPT
Photo by Marc_Smith - Creative Commons Attribution License http://www.flickr.com/photos/49503165485@N01 Created with Haiku Deck
Workspot Enables Spectrum of Trust
§ Leadership Team
§ Problem: Consumerization of IT and BYOD – Spectrum of Trust – Workspace is the Right Solution
§ Workspot = Workspace as a Service – Simple End User Experience with Workspace – Securing Web, Windows, Native Apps – Securing Documents – 100% Cloud Control – Last Mile Visibility – Adaptive Auth Enabled by Big Data
§ Summary
TABLE OF CONTENTS
AMITABH SINHA, CEO (GM XenApp/XenDesktop, Citrix)
PUNEET CHAWLA, CTO (Founding Engineer, VMware View)
RANA KANAAN, VP (VP Product Management, XenApp/XenDesktop)
WORKSPOT UNDERSTANDS END USER COMPUTING
Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
YOUR ASSETS ARE ON A PC TODAY
§ IT owned, IT managed, domain joined
§ Applications: 70% web, 25% Windows, 5% native
§ 90% on-premise
§ Data: 90% CIFS, 50% SharePoint
§ You have 50-500 apps
YOUR END USERS WANT ...
Easy Access to: § All their Apps § All their Data § From Any Device § From Anywhere
CURRENT SOLUTIONS ARE NOT SUFFICIENT
Devices
• Devices managed by MDM or ESD
• Trust the device
• Cannot lock down personal devices
• Does not solve the apps and data problem
Applications
• Apps delivered with XenApp
• Poor UX
• Does not apply to all applications
Desktops
• Virtualize the PC with VDI
• Trust nothing
• Poor UX
• High total cost of ownership, ~$800/user/year
NEED TO SUPPORT SPECTRUM OF TRUST
Introducing the Spectrum of Trust for Mobile Enterprise Design. Published: 4 April 2014. Analyst(s): John Girard, Dionisio Zumerle, Bryan Taylor
Spectrum endpoints: Trust the Device ... Trust Nothing
WORKSPACE KEY TO SPECTRUM OF TRUST
§ All Apps: Web, Windows, Native
§ All Data: CIFS
§ All Devices: iOS, Android, Windows PC, and Macs
§ Seamless VPN Auth
§ Single Sign-On: NTLM, Kerberos, CA SiteMinder, Oracle IdP, SAML 2.0
Workspace is a trusted space for Enterprise Apps & Data on a managed or unmanaged device
WORKSPOT = WORKSPACE AS A SERVICE
§ Simplest User Experience on Any Device
§ 100% Cloud Control: No New Boxes to Install
§ Last Mile Visibility
§ Contextual Auth
§ SSL VPN
WORKSPOT ENABLES SPECTRUM OF TRUST
Trust the Device – Native Email & 3rd Party Native Apps
Trust the Workspace – Inside the workspace trust apps, files, etc.
§ Secure the Device with MDM Policies
§ Securely Deliver Email and Native Applications
§ Remote Wipe
– Workspot Control also provides IT the capability to remote wipe any data, including documents, cached objects and cookies, inside the Workspot Client. Data outside the Workspot Client is unaffected by the remote wipe operation.
§ Secure Offline Access with PIN
– When a user taps the Workspot Client on their device, they are prompted for a PIN. The PIN is validated against the client master secret (CMS): if the CMS can be decrypted with it, the PIN is deemed valid; otherwise the PIN is invalid. The Workspot Client allows up to 5 invalid PIN entries, after which it wipes all the Workspot data on the device.
TRUST THE DEVICE: MDM TOOLS
Workspot Client can be installed on managed or unmanaged devices. We perform a Device Posture Check to verify that the device has not been compromised:
- As soon as the Workspot Client is started, it conducts a posture check to determine whether the device has been jailbroken. An evolving set of checks verifies supported versions and platforms, and only when the device is determined to be secure is the Workspot Client launched.
VERIFY THE DEVICE
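The following is an added example, not Workspot's code, of a posture gate in the shape the slide above describes: refuse to launch on a device that shows jailbreak or root artifacts, on an unsupported platform, or below a minimum OS version. The indicator paths, the minimum versions and the DeviceFacts record are assumptions standing in for what a real client gathers through platform APIs. One point the example makes that the slide does not is that OS versions must be compared as integer tuples, since string comparison puts "10.9" before "9.1".

```python
"""Added example (not Workspot's code): device posture check before
launching a workspace client. Indicator paths, minimum versions and the
DeviceFacts shape are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field

# Well-known artifacts left behind by common iOS jailbreak and Android
# root tools (assumed indicator list; a real client keeps this evolving).
JAILBREAK_INDICATORS = {
    "ios": ("/Applications/Cydia.app", "/bin/bash", "/etc/apt", "/private/var/lib/apt"),
    "android": ("/system/xbin/su", "/system/bin/su", "/system/app/Superuser.apk"),
    "windows": (),
    "macos": (),
}

# Assumed minimum supported versions, as integer tuples so they compare correctly.
MIN_OS_VERSION = {"ios": (7, 0), "android": (4, 4), "windows": (6, 1), "macos": (10, 9)}


@dataclass
class DeviceFacts:
    """What the client learned about the device it is running on (assumed shape)."""
    platform: str
    os_version: str
    present_paths: set[str] = field(default_factory=set)
    debugger_attached: bool = False


def parse_version(text: str) -> tuple[int, ...]:
    """'10.9.5' -> (10, 9, 5). Raises ValueError on anything non-numeric,
    so an odd version string fails closed rather than comparing as a string."""
    return tuple(int(part) for part in text.strip().split("."))


def check_posture(facts: DeviceFacts) -> list[str]:
    """Return the list of reasons the device fails posture; empty means launch."""
    platform = facts.platform.lower()
    if platform not in MIN_OS_VERSION:
        return [f"unsupported platform: {facts.platform}"]
    try:
        version = parse_version(facts.os_version)
    except ValueError:
        return [f"unparseable OS version: {facts.os_version!r}"]

    reasons = []
    minimum = MIN_OS_VERSION[platform]
    if version < minimum:
        reasons.append(
            f"{platform} {facts.os_version} below minimum {'.'.join(map(str, minimum))}"
        )
    hits = sorted(p for p in JAILBREAK_INDICATORS[platform] if p in facts.present_paths)
    if hits:
        reasons.append("jailbreak/root indicator present: " + ", ".join(hits))
    if facts.debugger_attached:
        reasons.append("debugger attached")
    return reasons


def may_launch(facts: DeviceFacts) -> bool:
    """The gate the client applies before unlocking any workspace data."""
    return not check_posture(facts)
```

The reasons list is what you would log to the control plane so an administrator can see why a device was refused; the client itself should act only on the boolean.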
§ One Click Access to Apps & Network Drives
§ Transparent VPN auth
§ Transparent Single Sign On to NTLM/Kerberos/CA Siteminder/Oracle iDP/SAML 2.0
§ Simplicity of User Experience is balanced with unique security architecture
WORKSPOT MAKES IT SIMPLE FOR END USERS
WORKSPOT PROTECTS DATA IN MOTION
§ Workspot-level VPN – only Workspot is on the corporate network
§ OpenSSL VPN termination to Cisco, Juniper, SonicWall, and F5 appliances
§ Full L4-7 Control
§ Blacklist/Whitelist URL
WORKSPOT PROTECTS DATA AT REST
§ All enterprise assets are fully encrypted in memory before touching the file system
§ Multi-level encryption:
– Each file is encrypted using its own key
– Each key is encrypted using a master key
– The master key is encrypted using a PIN, which is not stored
§ FIPS-validated AES-256
[Architecture diagram: Workspot Client on iOS/Android/Windows/MacOS, containing RDP Client, Web Apps, CIFS Client, Virtual File System, Document Viewers, HTML(5) Engine, Context Agent, SSO and VPN, serving Windows Apps and Network Drives]
§ When an end user downloads a document inside the Workspot application, it is encrypted in-flight.
§ The file system remains in an encrypted state even when the end user is within the container.
§ Only when the end user wants to view a document, for example an Adobe Acrobat document, does the Workspot Client decrypt the selected document and present it inside a viewer embedded within Workspot.
§ We have tuned the embedded viewers for the best possible rendering experience. Documents are more secure because they never leave the Workspot Client. As soon as the end user finishes viewing the document and closes the viewer, the document is restored to its encrypted state on the device.
§ For large documents, we only decrypt the pages of the document that are currently being viewed.
EMBEDDED DOCUMENT VIEWERS
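The following is an added example, not Workspot's code, modelling the data-at-rest key hierarchy and the PIN gate described on the slides above: a PIN-derived key wraps the master key, the master key wraps one key per file, each file key seals the file page by page (so viewing one page decrypts only that page), and PIN validity is learned only by attempting to unwrap the master key, with a wipe after the fifth consecutive failure. Assumptions: the authenticated cipher is an HMAC-SHA256 keystream plus HMAC tag so the example runs with the standard library alone (the product uses FIPS-validated AES-256; use AES-GCM in real code), PBKDF2 is the PIN stretching function, and "the fifth consecutive bad PIN wipes" is one reading of "up to 5 invalid PIN entries".

```python
"""Added example (not Workspot's code): layered keys for data at rest
plus a PIN gate that wipes after too many failures.

  PIN --PBKDF2--> pin key --seals--> master key --seals--> per-file keys
  per-file key --seals--> each page of the file separately

Assumptions: HMAC-based encrypt-then-MAC stands in for AES-GCM; the
iteration count and the wipe-on-fifth-failure reading are assumed."""
from __future__ import annotations

import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000   # assumed; tune to the device's CPU budget
MAX_PIN_FAILURES = 5       # the deck's "up to 5 invalid PIN entries"
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Stand-in for AES-GCM: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Raises ValueError on a wrong key or tampering; that failure is the
    only signal the PIN check uses, so the PIN itself is never stored."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def derive_pin_key(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, 32)


class Workspace:
    """Encrypted store on one device. Persisted: salt, PIN-wrapped master
    key, wrapped file keys and sealed pages. Never persisted: the PIN."""

    def __init__(self, pin: str) -> None:
        self.salt = secrets.token_bytes(16)
        master = secrets.token_bytes(32)
        self.wrapped_master = seal(derive_pin_key(pin, self.salt), master)
        self.files = {}            # name -> (wrapped file key, [sealed page, ...])
        self.failures = 0
        self.wiped = False
        self._master = master      # held in memory only while unlocked

    def lock(self) -> None:
        self._master = None

    def unlock(self, pin: str) -> bool:
        if self.wiped:
            return False
        try:
            self._master = unseal(derive_pin_key(pin, self.salt), self.wrapped_master)
        except ValueError:
            self.failures += 1
            if self.failures >= MAX_PIN_FAILURES:
                self.wipe()
            return False
        self.failures = 0
        return True

    def wipe(self) -> None:
        """Remote wipe or PIN lockout: destroy every key and ciphertext."""
        self.files.clear()
        self.wrapped_master = b""
        self._master = None
        self.wiped = True

    def _require_unlocked(self) -> bytes:
        if self._master is None:
            raise PermissionError("workspace is locked")
        return self._master

    def store(self, name: str, pages: list[bytes]) -> None:
        master = self._require_unlocked()
        file_key = secrets.token_bytes(32)
        sealed = [seal(file_key, page, f"{name}:{i}".encode()) for i, page in enumerate(pages)]
        self.files[name] = (seal(master, file_key, name.encode()), sealed)

    def read_page(self, name: str, index: int) -> bytes:
        """Decrypt one page for the viewer; every other page stays sealed."""
        master = self._require_unlocked()
        wrapped_key, sealed = self.files[name]
        file_key = unseal(master, wrapped_key, name.encode())
        return unseal(file_key, sealed[index], f"{name}:{index}".encode())
```

Binding the file name and page index into the associated data is what stops a sealed page from being swapped into another file or position without detection; a remote wipe is the same `wipe()` path the lockout takes, triggered by the control plane instead of the counter.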
WORKSPOT IS 100% CLOUD CONTROL
§ Workspot Control is Single Pane of Glass to Manage Workspace on any Device
§ No data flows through or is stored in the Workspot Control
§ Workspot Control has been architected to be a control plane. When the user performs workflows on the device using Workspot, all the data flows directly between the client and the business applications (e.g., Exchange, SharePoint, Salesforce.com). If the applications are behind the firewall, the traffic goes to the corporate network; if the applications are external, the traffic goes directly to the external application.
§ Separation between control and data planes is critical for a number of reasons:
• Security: Data flows directly between the client and the applications; it does not flow through our control service
• Availability: Since Workspot is not in the data path, the availability of applications is independent of the availability of our service
• Performance: Since we are not in the data path, there is nothing to impede the end user experience
CONTROL VS. DATA SEPARATION
We store the following information in Workspot Control:
§ Configuration: We store configuration information about the VPN, e.g., its public URL and whether it uses RSA tokens.
§ User Configuration: First Name, Last Name, Email Address, etc.
§ Application Configuration: Application URLs, whether or not it is behind the firewall, etc.
§ Performance Data: For each network access, we store the amount of time it took to fetch a response from the application (e.g. SharePoint), the device used (e.g. iPad3), the network used (e.g., AT&T), and the location (e.g., California).
§ Activity Data: We track different kinds of activity on the device, e.g., Open/Close Workspot, Open/Close Application (e.g., SAP), Open/Close Document, and View/Print Page of Document. All activity data is anonymized.
Our current policy is to retain this data for a period of one year.
WHAT IS STORED IN THE CLOUD?
What is context?
Context is who is doing what, when, and from where. For example, user Adam downloaded a document at 9:00 PM from California. Or Adam took 12 seconds to access the SharePoint application from an iPhone in Chicago. Context can help you better secure your data and understand and improve the real user experience for your employees.
Context enables compliance, discoverability, and auditability
Look for a solution that will help you "prove" you know what end users are doing with corporate data on the device. For example, you should know which files users are downloading, and which apps they are accessing from where.
MOBILE NEEDS LAST MILE VISIBILITY
CLOUD ARCHITECTURE ENABLES CONTEXT
[Architecture diagram: Workspot Client on iOS/Android/Windows/MacOS, containing RDP Client, Web Apps, CIFS Client, Virtual File System, Document Viewers, HTML(5) Engine, Context Agent, SSO and VPN, serving Windows Apps and Network Drives]
§ Container is highly instrumented
§ Collects context (who/what/when/where/how fast) in real time
§ Uploads to Workspot Control when network conditions permit
WORKSPOT COLLECTS GRANULAR CONTEXT
§ Business Benefits: Discoverability, Compliance, and Auditing
§ Can be integrated with existing SIEM systems, e.g., Splunk
§ Download Splunk Application from Workspot Control
§ Simple Integration between Splunk and Workspot w/ security keys
INTEGRATION WITH SPLUNK
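The following is an added example, not Workspot's code, of the client-side half of the context pipeline described on the preceding slides: capture who/what/when/where/how-fast events, replace the user identity with a keyed pseudonym before upload, emit Splunk-friendly key=value lines, and apply the stated one-year retention policy. The deck says the stored activity data is anonymized while also reporting context per named user; a keyed pseudonym (correlatable by whoever holds the tenant key, opaque to anyone else) is one way to reconcile the two, and that choice, along with the event fields, the tenant key and the line format, is this example's assumption rather than a description of Workspot's implementation.

```python
"""Added example (not Workspot's code): context events pseudonymized and
formatted for a SIEM, with the deck's one-year retention applied.
Event shape, tenant key and key=value format are assumptions."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

RETENTION_DAYS = 365   # the deck's stated retention policy
DAY = 86_400


@dataclass(frozen=True)
class ContextEvent:
    ts: int            # when (epoch seconds)
    user: str          # who (raw identity; never uploaded as-is)
    action: str        # what: open_app, open_document, print_page, ...
    target: str        # which app or document
    device: str        # how, e.g. iPad3
    network: str       # e.g. AT&T
    location: str      # where, kept coarse (region, not coordinates)
    latency_ms: int    # how fast the application answered


def pseudonymize(tenant_key: bytes, user: str) -> str:
    """Keyed, deterministic pseudonym: one user's events correlate in the
    SIEM, but the identity cannot be recovered without the tenant key
    (assumed to be held by the tenant, not the control-plane operator)."""
    canonical = user.strip().lower().encode()
    return hmac.new(tenant_key, canonical, hashlib.sha256).hexdigest()[:16]


def _kv(key: str, value) -> str:
    """key=value with quoting for values containing spaces, quotes or '='."""
    text = str(value)
    if any(c in text for c in ' "=\\'):
        text = '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return f"{key}={text}"


def to_splunk_line(event: ContextEvent, tenant_key: bytes) -> str:
    fields = [
        ("ts", event.ts),
        ("user", pseudonymize(tenant_key, event.user)),
        ("action", event.action),
        ("target", event.target),
        ("device", event.device),
        ("network", event.network),
        ("location", event.location),
        ("latency_ms", event.latency_ms),
    ]
    return " ".join(_kv(k, v) for k, v in fields)


def purge_expired(events: list[ContextEvent], now: int,
                  retention_days: int = RETENTION_DAYS) -> list[ContextEvent]:
    cutoff = now - retention_days * DAY
    return [e for e in events if e.ts >= cutoff]


def export(events: list[ContextEvent], tenant_key: bytes, now: int) -> list[str]:
    """What the control plane would hand to Splunk for this tenant."""
    return [to_splunk_line(e, tenant_key) for e in purge_expired(events, now)]


# Constructed sample events, modelled on the deck's own examples (not real telemetry).
NOW = 1_400_000_000
SAMPLE_EVENTS = [
    ContextEvent(NOW - 60, "adam@example.com", "open_document", "Q3 financials.pdf",
                 "iPad3", "AT&T", "California", 12_000),
    ContextEvent(NOW - 3_600, "adam@example.com", "open_app", "SharePoint",
                 "iPhone", "Verizon", "Chicago", 12_000),
    ContextEvent(NOW - 400 * DAY, "eve@example.com", "open_app", "SAP",
                 "Nexus 5", "T-Mobile", "Texas", 900),
]
```

Because the pseudonym is keyed per tenant, the same user produces different identifiers in different tenants' data, so a breach of the control plane's stored activity data yields correlatable behaviour but no names; rotating the tenant key breaks correlation across the rotation, which is the trade-off to decide before choosing a rotation schedule.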
MOBILE NEEDS ADAPTIVE AUTH
Today IT and InfoSec teams cannot balance the need for convenient access from mobile devices with the requirements of information security. Workspot has granular contextual data that can balance convenience with security.
§ All applications are not equally sensitive: the directory application is less sensitive than the financials application.
§ All users are not equally trusted: the CEO is more trusted than a contractor.
§ All locations are not equally trusted: a user connected to a corporate WLAN and sitting in an office is more trusted than somebody trying to access enterprise assets from a remote location.
Workspot can use this data to change the authentication required, keeping it simple when the access is trusted and adding challenges when the access is less trusted.
CONTEXT DRIVEN ADAPTIVE AUTH (2H 2014)
Context (who/what/when/where) -> Policies (app/user/geo/device, events/behavior) -> Adaptive Auth (ID/SSO/access)
§ Intranet in HQ => Aggressive SSO
§ Network file share from Africa => Require RSA token
§ Heavy document download in China => Deny access
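The following is an added example, not Workspot's code, of a decision engine in the shape the two slides above describe: context (user, app, network, country, recent behaviour, device posture) and policy (app sensitivity, user trust, location trust) combine into one of three outcomes, silent SSO, step-up to a second factor such as an RSA token, or deny. The additive risk score, the tiers, the thresholds and the context fields are all assumptions chosen so that the slide's three examples come out as stated; unknown apps and roles are scored as most sensitive and least trusted so the engine fails closed.

```python
"""Added example (not Workspot's code): context-driven adaptive auth.
Tiers, thresholds and context fields are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    SSO = "sso"            # silent single sign-on
    STEP_UP = "step_up"    # require a second factor, e.g. an RSA token
    DENY = "deny"


# Assumed tiers: higher number means more sensitive app / less trusted user.
APP_SENSITIVITY = {"directory": 1, "sharepoint": 2, "file_share": 2, "financials": 3}
ROLE_RISK = {"executive": 0, "employee": 1, "contractor": 2}
UNKNOWN_APP_SENSITIVITY = 3   # fail closed
UNKNOWN_ROLE_RISK = 2


@dataclass(frozen=True)
class Policy:
    watchlist_countries: frozenset[str] = frozenset()   # ISO 3166 alpha-2 codes
    heavy_download_threshold: int = 20                  # documents per hour
    sso_max_risk: int = 3                               # risk <= this: SSO
    step_up_max_risk: int = 5                           # risk <= this: step-up; above: deny


@dataclass(frozen=True)
class AccessContext:
    user: str
    role: str
    app: str
    network: str                 # "intranet" (corporate WLAN / HQ) or "internet"
    country: str                 # where the request comes from
    docs_downloaded_last_hour: int
    device_posture_ok: bool


@dataclass
class Verdict:
    decision: Decision
    risk: int
    factors: list[str] = field(default_factory=list)


def decide(ctx: AccessContext, policy: Policy) -> Verdict:
    """Score the request and map the score to an authentication outcome."""
    if not ctx.device_posture_ok:
        return Verdict(Decision.DENY, 99, ["device posture check failed"])

    factors = []
    risk = APP_SENSITIVITY.get(ctx.app, UNKNOWN_APP_SENSITIVITY)
    factors.append(f"app {ctx.app}: +{risk}")

    role_risk = ROLE_RISK.get(ctx.role, UNKNOWN_ROLE_RISK)
    risk += role_risk
    factors.append(f"role {ctx.role}: +{role_risk}")

    if ctx.network == "intranet":
        location_risk = 0
    elif ctx.country in policy.watchlist_countries:
        location_risk = 2
    else:
        location_risk = 1
    risk += location_risk
    factors.append(f"location {ctx.network}/{ctx.country}: +{location_risk}")

    if ctx.docs_downloaded_last_hour >= policy.heavy_download_threshold:
        risk += 2
        factors.append(f"heavy download ({ctx.docs_downloaded_last_hour}/h): +2")

    if risk <= policy.sso_max_risk:
        decision = Decision.SSO
    elif risk <= policy.step_up_max_risk:
        decision = Decision.STEP_UP
    else:
        decision = Decision.DENY
    return Verdict(decision, risk, factors)


# Constructed policy and contexts mirroring the slide's three examples.
EXAMPLE_POLICY = Policy(watchlist_countries=frozenset({"CN"}))
HQ_INTRANET = AccessContext("adam", "employee", "sharepoint", "intranet", "US", 3, True)
FILE_SHARE_ABROAD = AccessContext("adam", "employee", "file_share", "internet", "KE", 2, True)
HEAVY_DOWNLOAD_WATCHLIST = AccessContext("adam", "employee", "sharepoint", "internet", "CN", 40, True)
```

The `factors` list is the audit trail: it says why a user was challenged or denied, which is what the compliance and discoverability slides ask for, and it is what an analyst reviews when tuning the tiers.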
WORKSPOT ENABLES “SPECTRUM OF TRUST”
§ Trusted workspace for all Apps & Docs
§ Best-in-class User Experience
§ Last Mile Visibility; Contextual Auth
§ Lock down the device using MDM APIs
LEARN MORE ABOUT WORKSPOT
Email us at [email protected]
Additional resources at www.workspot.com/resources