The assumption that users are limited to a PC is no longer accurate: they use whichever device best suits the circumstances. Knowledge workers may use a laptop while in the office, switch to a smartphone during a commute, and use a tablet on a plane. Frontline workers may switch between a shared kiosk, a smartphone and a wearable.
In all cases, users should not have to know where applications and data are hosted. This changing work style marks a shift to a perimeterless digital workplace. Digital business creates new requirements that drive the need for a perimeterless workplace. These requirements include:
- Support for increased workforce mobility.
- Flexibility in the choice of devices and the ability to switch between them.
- A desire for experiences similar to those of consumer apps.
- Enhanced frontline and knowledge worker productivity.
One of the central principles in establishing a perimeterless digital workplace is that the network alone does not determine which services users can access. Unlike the perimeter-based security model, the decision to grant or deny access is not tightly bound to a physical location, IP address or the use of a virtual private network (VPN).
Instead, user, device and other contextual data, such as threat signals, dynamically determine the appropriate access policy. The outcome may be multifactor authentication or another trust elevation step, or access may be denied outright.
User and contextual trust should be appropriate to the level of risk associated with the resource being accessed. This is best illustrated with an example of a user accessing sensitive data. Access to sensitive data – for example, company financials – might require the user to be a full-time employee using a fully managed device. But it is possible that the user credentials and/or the device are compromised – as in zero-day and targeted attacks, credential theft and insider threats. So a one-time allow/block decision at the point of access is not enough; trust must be reassessed as the signals change.
Users can be allowed the same access externally as they enjoy internally, but only if trust matches or exceeds the risk. This calls for adaptive access using a combination of an authenticated user identity and device-level trust. Access management tools that typically provided authentication, authorisation and single sign-on (SSO) as core capabilities have now expanded to include more intelligent adaptive access controls.
These capabilities apply analytics to contextual data and trigger adaptive access policy decisions that allow or deny access; or can require trust elevation, such as the use of additional user authentication methods. Device-level trust is foundational, because without it, you cannot ascertain whether the device is compromised.
To enable continuous risk assessment on the endpoint, unified endpoint management (UEM) tools integrate with adjacent security tools such as endpoint detection and response (EDR), mobile threat defence (MTD), and security information and event management (SIEM)/user and entity behaviour analytics (UEBA). As such, access management tools increasingly leverage UEM tools as a single orchestration point to enable reliable and remote device attestation.
In addition to mobile device management (MDM)-based device compliance, UEM tools manage device certificates and make them available in various authentication scenarios. Provisioning X.509 certificates to mobile devices is a strong and simple way to establish device identity at access time. Duo Beyond is one product that does this.
Most leading UEM tools can manage the device certificate lifecycle – either using a built-in public key infrastructure (PKI) or by integrating with a third-party PKI (GlobalSign, Microsoft, Entrust Datacard, OpenTrust and RSA are examples of such PKI providers).
Google’s internal implementation of a perimeterless work environment, known as BeyondCorp, uses X.509 certificates as persistent and unique machine identifiers for desktops and laptops. On iOS devices, the identifierForVendor value is used, while Android devices use the device ID reported by the MDM capability. Adobe uses a combination of UEM and identity and access management (IAM) to enforce policy, security settings and certificate-based authentication (VMware Workspace ONE for UEM and Okta for IAM).
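The mechanism behind certificate-based device identity, as an added example in Go (this is not Google's, Adobe's or any supplier's code): a UEM-operated device CA issues an X.509 client certificate whose common name is the UEM-assigned device ID, and the access proxy verifies any presented certificate against that CA, at the current time and for the client-authentication key usage, before it trusts the device ID inside. The CA name, the device ID format and the certificate lifetimes are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DeviceCA stands in for a UEM's built-in PKI (hypothetical); in practice the
// UEM's own PKI or an integrated third-party CA plays this role.
type DeviceCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// signAndParse signs tmpl with the parent's key and returns the parsed certificate.
func signAndParse(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewDeviceCA creates a self-signed issuing CA dedicated to device certificates.
func NewDeviceCA(name string) (*DeviceCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := signAndParse(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &DeviceCA{Cert: cert, key: key}, nil
}

// IssueDeviceCert enrols one device: the UEM-assigned device ID becomes the CN
// and the extended key usage limits the certificate to TLS client authentication.
func (ca *DeviceCA) IssueDeviceCert(deviceID string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := signAndParse(tmpl, ca.Cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// DeviceIDFromCert is the access proxy's side: verify that the certificate a device
// presented during mutual TLS chains to the device CA, is valid at time now and is
// a client-auth certificate, and only then trust the device ID it carries.
func (ca *DeviceCA) DeviceIDFromCert(cert *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("device certificate rejected: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, err := NewDeviceCA("Example Corp UEM Device CA")
	if err != nil {
		panic(err)
	}
	cert, _, err := ca.IssueDeviceCert("laptop-00123", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println(ca.DeviceIDFromCert(cert, time.Now()))                    // laptop-00123 <nil>
	fmt.Println(ca.DeviceIDFromCert(cert, time.Now().Add(48*time.Hour))) // "" and an expiry error
}
```

Proof that the device holds the private key matching the certificate comes from the TLS handshake itself, which is why the proxy-side check only needs the certificate. Using a CA dedicated to device certificates is what keeps a user certificate from another CA from passing as a device identity; the identifier the proxy obtains here is then one input to the adaptive access decision, not the decision itself.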
To balance usability and security, an adaptive approach ensures that the right level of access is determined in real time. For example, when a user requests to download data locally, UEM performs a context-based assessment of risk and trust and determines whether the download should be allowed, conditionally allowed, or denied. Downloads can be restricted to managed devices in good health.
Alternatively, downloads to an unmanaged device may be allowed, but only if the file is encrypted. Sample suppliers that offer transparent file-level encryption include SecureAge (SecureData) and DriveLock. Device context plays a role in anomaly detection and includes device location, IP address, usage behaviour and security posture. The level of device risk (trusted device versus unknown device, for example) determines the need to prompt for a step-up authentication method.
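The adaptive access decision described earlier (an authenticated user identity plus device-level trust weighed against the risk of the resource, with step-up authentication or denial when trust falls short) and the download case just described can be written as one policy function. The following Go program is an added example, not Gartner's model or any supplier's product logic; the signal names, the point scores and the thresholds are assumptions chosen to make the rules explicit, and real deployments tune them to their own risk appetite.

```go
package main

import "fmt"

// Decision is the outcome of one adaptive access evaluation.
type Decision int

const (
	Deny           Decision = iota
	Allow                   // trust matches or exceeds risk
	AllowEncrypted          // conditional allow: data leaves only as an encrypted file
	StepUp                  // trust falls one factor short: elevate with additional authentication
)

func (d Decision) String() string {
	return [...]string{"deny", "allow", "allow-encrypted", "step-up-authentication"}[d]
}

// Request bundles the user, device and contextual signals the policy consumes.
// The field set, the scores and the thresholds are assumptions for this example.
type Request struct {
	FullTimeEmployee bool // employment type from the identity provider or HR feed
	MFASatisfied     bool // strong authentication already completed in this session
	DeviceManaged    bool // enrolled in UEM
	DeviceCompliant  bool // UEM reports compliant (encryption, patch level); meaningful only if managed
	DeviceKnown      bool // device previously associated with this user
	CompromiseSignal bool // EDR or MTD reports the endpoint as compromised
	AnomalousContext bool // SIEM/UEBA flags location, IP address or behaviour as unusual
	Sensitivity      int  // 0 public, 1 internal, 2 confidential, 3 restricted (e.g. company financials)
	Download         bool // the data would be stored locally on the device
}

// trustScore awards one point per independently verified property (0..4).
func trustScore(r Request) int {
	t := 0
	if r.FullTimeEmployee {
		t++
	}
	if r.DeviceManaged {
		t++
		if r.DeviceCompliant {
			t++
		}
	}
	if r.MFASatisfied {
		t++
	}
	return t
}

// riskScore starts from the resource's sensitivity and adds contextual anomalies (0..5).
func riskScore(r Request) int {
	risk := r.Sensitivity
	if !r.DeviceKnown {
		risk++
	}
	if r.AnomalousContext {
		risk++
	}
	return risk
}

// Evaluate is a pure function of the current signals, so it can be re-run on
// every request, or whenever a signal changes, instead of deciding once at login.
func Evaluate(r Request) Decision {
	// Hard stops: a device reported as compromised is never trusted, and restricted
	// data requires a full-time employee on a managed, compliant device.
	if r.CompromiseSignal {
		return Deny
	}
	if r.Sensitivity >= 3 && !(r.FullTimeEmployee && r.DeviceManaged && r.DeviceCompliant) {
		return Deny
	}
	trust, risk := trustScore(r), riskScore(r)
	if trust < risk {
		// Offer step-up only when one more authentication factor would close the gap.
		if !r.MFASatisfied && trust+1 >= risk {
			return StepUp
		}
		return Deny
	}
	// Local copies on unmanaged devices are allowed only as encrypted files.
	if r.Download && !r.DeviceManaged {
		return AllowEncrypted
	}
	return Allow
}

func main() {
	// A full-time employee on a personal (unmanaged) phone asks to download a confidential file.
	byod := Request{FullTimeEmployee: true, DeviceKnown: true, Sensitivity: 2, Download: true}
	fmt.Println("first request:", Evaluate(byod)) // step-up-authentication
	byod.MFASatisfied = true
	fmt.Println("after step-up:", Evaluate(byod)) // allow-encrypted
	byod.CompromiseSignal = true
	fmt.Println("after MTD flags the device:", Evaluate(byod)) // deny
}
```

The sequence in main is the point of the passage: the same request moves from step-up to a conditional allow once trust is elevated, and to a denial as soon as a compromise signal arrives, without any reference to where the user is on the network. Because Evaluate has no state, the access proxy can call it on every request with fresh UEM, EDR and UEBA inputs rather than caching a one-time allow.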
Adoption of Windows 10 and macOS in the enterprise, as well as the increasing viability of UEM tools to manage both PCs and mobile devices, are driving the convergence of client management tools (CMTs) and enterprise mobility management (EMM) tools into a single UEM solution. UEM tools can remotely deploy apps and operating system updates, and wipe PCs (if necessary) without joining a corporate domain, much like mobile devices.
The consolidation of PCs and mobile devices helps to establish common policies, processes, metrics and tools. UEM tools deploy apps across multiple platforms as part of a common workflow (with the exception of complex Win32 applications on Windows 10 PCs). Chromebooks now support the ability to execute Android apps deployed through the managed Google Play Store, thus further blurring the lines between notebooks and mobile devices. Although this expands the universe for Android apps, they are subject to the hardware limitations of the device, such as the absence of GPS or an accelerometer.
In a perimeterless digital workplace, it is important to analyse application response time as perceived by the user, as opposed to measuring uptime from an infrastructure perspective. This is because the user experience is subject to multiple factors in addition to the application itself. These include network performance and device characteristics, such as CPU, memory and operating system overload due to other processes.
Finally, the need to support legacy Windows (or “thick client”) applications is a hindrance to mobilising business workflows. Therefore, an interim strategy is needed to support these applications until they are refactored or completely redesigned. In some cases, mobile apps can make legacy apps redundant. Hence, rearchitecting apps should not turn into an exercise in recreating mobile equivalents of existing apps.
This article is an excerpt of Gartner’s report, “Four steps to implement a perimeterless digital workplace”. Manjunath Bhat is a research director at Gartner.