Enterprises have become extremely good at developing and managing security approaches for their own networks, but when things go across a third-party network, that's when it gets complicated. Add mobile into the equation and we can see why so many IT departments are happy to pursue one of three alternatives. The first is to eschew the network altogether and to rely on infrared, Bluetooth and even cradle-based synchronization for connectivity between mobile devices and applications. The second is to use the locked-down and tightly controlled BlackBerry tunnel available to users of that device and service. The third is to use laptop computers, 3G network connectivity and a VPN tunnel for secure, mobile access to enterprise data and applications.
This leaves us with a debate about what mobility really is. Is it a laptop and a 3G card? Or is it an even more mobile device that boots instantly
Authentication: Middle ground between carrier and enterprise
In order to secure a user, we must authenticate him, which means that we must first identify him and verify the services that he is authorized to use. Once we have verified this information, then we can deliver services securely. In this regard, mobile operators and enterprises are doing similar things with different technologies. On GSM networks, the SIM card is an important part of a mobile user's identity, but SIM technologies aren't used on CDMA networks or in many enterprise applications. For IT departments, the mobile operator's credentials can be a good place to start for authentication, though other certificates or device attributes (such as MAC addresses) are viable alternatives.
Services like Wi-Fi and WiMAX rely on authentication technologies such as RADIUS, WPA, TKIP and other approaches well-known to IT organizations. Getting the carriers involved in sharing those directories is a different story. More likely than not, mobile workers will continue to rely on multiple user identities and permissions across carrier and enterprise networks. Even as enterprises rely on directories for user permissions, there will be duplication between the carrier and the enterprise.
Islands of authentication
The same holds true with mobile data. A recent study found that 90% of the traffic generated by users of laptop + 3G card combinations was from on-campus locations. Faced with the responsibility of "thinking" about connectivity, most mobile users opt for the least common denominator – or the solution that works in the greatest number of places with the least amount of effort.
The point about mobile data is that -- if enterprise IT departments want to manage user connectivity (including roaming users onto the most appropriate network) in order to provide a cohesive set of enterprise services -- IT managers will need a way to manage user authentication and to share credentials with public network operators. And the management of authentication, credentials and security requires agreement about the underlying process of mobile device management.
A service example
For example, suppose an IT department wishes to offer a cohesive enterprise telephony service to workers. This service will place the user on the corporate network whenever an enterprise Wi-Fi signal is available (e.g., on campus, remote office, VPN tunnel, etc.). In all other situations, the user will access public cellular networks. The user will have a single telephone number and it will ring to the mobile device. The user will be able to specify the hours during which calls are taken and individuals whose calls ring through at all hours. The user will not have a desktop telephone, and there will be a single voicemail that can be available in an email-like format on the mobile handset. The IT department will provide reduced-number dial plans and will be able to route calls (including international ones) via the corporate network.
Today, there are technologies that provide some of these features, but these approaches require a level of integration between enterprise and carrier networks. Some of the services mentioned rely on access to the carrier signaling infrastructure. Other services rely on access to enterprise Wi-Fi authentication services. Providing this integration between the carrier and the enterprise requires agreement at a fundamental level about the software and certificates available on the mobile handset. Reaching this agreement requires clear delineation of mobile device management roles and responsibilities.
It's about services
Delivering enterprise services to mobile users requires IT departments to share credentials and user authentication information with mobile operators. To do this securely and effectively, enterprises and mobile operators will need to establish a common set of expectations about roles, responsibilities and demarcation points for mobile device management.
This was first published in July 2007