Over the ages, philosophers challenged the conventions of traditional thinking by meditating upon a “koan.” A koan is similar to a riddle, except that there is no punchline. It typically involves a paradoxical statement that is subject to a multitude of interpretations, many of which are correct in their own peculiar way. And even when analyzed with a great deal of time and deep thought, the koan defies an answer.
For security practitioners, the topic of what to do about mobile devices introduces a series of modern-day koans.
- How could your network security policies apply to users who are not in the office?
- How do you inspect traffic when users are not behind your firewall?
- How can you provide security while respecting privacy?
- How can you protect business data on a device that you don’t own?
These questions were not easily solved, primarily because conventional thinking led to more dead ends. Organizations accustomed to having total control over fairly stationary, corporate-owned devices found themselves in an entirely different world when faced with mobile devices and BYOD. Trying to apply the same measures often led to stalemates or to unacceptable compromises, either to the protection of the company’s data or to the users’ expectation of privacy.
In order to address concerns with mobile security, and break through the dead ends of past approaches, Palo Alto Networks partnered with VMware/AirWatch to bring forward fresh thinking. The Palo Alto Networks next-generation security platform provides the most comprehensive approach to stopping threats, based on prevention. AirWatch has deep expertise in managing mobile devices and applications. By providing integration points between these two sets of products, we can offer our respective customers a solution that delivers security for business assets on a device while honoring privacy for both personal data and traffic.
The first aspect of the integration is the use of AirWatch’s enrollment process to provision the GlobalProtect app. During enrollment, an unmanaged mobile device (including one that is personally owned) is loaded with the appropriate configuration and enterprise applications that prepare it for use in a business environment. The organization can manage the business assets separately from the personal apps and content on the device. The GlobalProtect app can be transparently installed during enrollment, providing the key capability of establishing an app-level VPN tunnel back to the next-generation firewall for traffic visibility, the enforcement of policy, and threat prevention. The traffic from personal apps remains untouched, thus honoring the user’s expectation for privacy with non-business-related activity.
A second aspect of the integration is the use of threat intelligence from WildFire to detect mobile devices with malware. Since AirWatch knows about the inventory of apps on a mobile device, integration with WildFire allows the organization to spot devices that are infected. AirWatch can apply a workflow to address the issue, such as alerting the user or quarantining the device until the problem has been corrected.
With these new capabilities, organizations have a more nuanced and balanced approach to mobile security, one that’s focused on the specific requirements of protecting the business apps and data without having to cross personal boundaries. By applying an integrated approach, the mobile security koans now have answers that are readily available. The organization can move forward with the adoption of mobile computing by having the requisite security for business content while honoring their employees’ expectations of privacy for personal data.
To learn more about this integration, visit http://paloaltonetworks.com/airwatch. Palo Alto Networks will also be on hand at AirWatch Connect in Atlanta this week. Watch this space for more thoughts following my time there.
[Palo Alto Networks Blog]