#RSAC Orphaned #mobile accounts are no laughing matter…
It was inevitable that along with mobile device entry into the enterprise would come mobile device management (MDM). MDM solution providers such as AirWatch, MobileIron, SilverbackMDM, and Zenprise offer IT the control they need to ensure consumerization enhances productivity and enables remote access without compromising security.
But along with managing the devices themselves comes the need to manage the users who use them, and to do so remotely, so that mobile access to corporate resources stays secure.
F5 has partnered with leading MDM providers to mitigate the risks associated with a growing mobile workforce while preserving productivity, a major incentive for organizations to allow mobile devices into the corporate fold.
F5’s mobile user access solution, composed of BIG-IP® Access Policy Manager™ (APM™), BIG-IP Edge Gateway™, and BIG-IP® Edge Client® for mobile devices, provides secure, high-performance access to enterprise resources. By partnering with leading MDM vendors, F5’s unified enterprise mobility solution extends mobile access policy enforcement from LAN networks and wireless connections to smart phones.
Using a combination of F5’s mobile user access solution and MDM offerings, organizations can extend full VPN and route control capabilities to an increasingly distributed enterprise user base. Access can also be managed on demand, allowing fast on-boarding and equally fast de-provisioning, which mitigates the risk posed by orphan accounts.
Orphan accounts refer to active accounts belonging to a user who is no longer involved with that organization. From a compliance standpoint, orphan accounts are a major concern since orphan accounts mean that ex-employees and former contractors or suppliers still have legitimate credentials and access to internal systems.
-- Cloud Security Alliance, “Test Accounts Another Compliance Risk”, 2011
“Whenever the risks from the insider threat are discussed, it’s usually about the disgruntled or malicious employee within the firewall, abusing permissions to steal data or plant malware,” says security evangelist Ryan Naraine with Kaspersky Lab Americas. “But the orphaned account is a bigger risk and, frighteningly, is often forgotten.”
In fact, some stats in a 2008 Symark survey point to an alarming situation.
- Forty-two percent of businesses don’t know how many orphaned accounts are on their networks, and 30 percent have no way to find them.
- In 30 percent of businesses surveyed, it takes at least three days to terminate an account after an employee or contractor departs. In 12 percent, it takes longer than a month.
- Some 38 percent of companies have no way of determining if an orphaned account has been used to access information.
- Of the few companies who can determine use of orphaned accounts, 15 percent said the account had been accessed at least once.
-- Orphaned Accounts Posing Major Security Risk, 2011
While it is fairly common for enterprise systems to leverage existing identity stores such as Active Directory or LDAP to centrally manage identities, others do not integrate directly and instead provide their own credential management. It is therefore imperative that integration with infrastructure systems and components be available to facilitate seamless, on-demand management of credentials during both the on-boarding and the off-boarding process. F5 iControl affords that integration: real-time MDM publications propagate automatically to BIG-IP APM, so access is revoked immediately, which mitigates the risk associated with what would otherwise become orphaned accounts.
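The survey figures above come down to two questions a defender should be able to answer: which enabled accounts no longer have a current owner, and have any of them been used since the owner left. The script below is an added example (not F5, MDM vendor or Symark code) that reconciles a constructed HR roster against a constructed identity-store export and a few constructed authentication log lines; the field names (`user=`, `result=`, `src=`) and the date format are assumptions for the sample data.

```python
"""Orphaned-account reconciliation (added example, not code from the post or from F5).

Three inputs, all constructed inline for illustration:
  * HR_ROSTER        - username -> separation date (None = still employed)
  * ENABLED_ACCOUNTS - accounts the identity store still reports as enabled
  * AUTH_LOG         - authentication events, one per line (assumed key=value format)
"""
from datetime import date, datetime

# Constructed HR roster (sample data, not real people).
HR_ROSTER = {
    "asmith": None,                 # current employee
    "bjones": date(2012, 1, 10),    # contractor, engagement ended
    "cdoe": date(2011, 11, 2),      # employee departed
    "dlee": None,                   # current employee
}

# Constructed identity-store export: accounts that are still enabled.
# "svc-backup" appears nowhere in the roster, so it has no owner on record.
ENABLED_ACCOUNTS = {"asmith", "bjones", "cdoe", "dlee", "svc-backup"}

# Constructed authentication log lines (timestamp user= result= src=).
AUTH_LOG = """\
2012-01-09T08:12:01 user=bjones result=success src=10.0.4.7
2012-01-12T22:45:13 user=bjones result=success src=198.51.100.9
2012-02-01T09:00:00 user=asmith result=success src=10.0.4.8
2011-12-15T03:02:44 user=cdoe result=failure src=203.0.113.5
"""

# Fixed "today" so the example is reproducible.
TODAY = date(2012, 2, 28)


def parse_auth_log(text):
    """Parse the assumed 'timestamp key=value ...' format into (datetime, user, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts_str), kv["user"], kv["result"]))
    return events


def find_orphans(roster, enabled_accounts, today):
    """Enabled accounts with no current owner: departed users, or no roster entry at all."""
    orphans = {}
    for user in sorted(enabled_accounts):
        if user not in roster:
            orphans[user] = "no owner on record"
        elif roster[user] is not None and roster[user] <= today:
            orphans[user] = f"owner departed {roster[user].isoformat()}"
    return orphans


def orphan_usage(roster, orphans, events):
    """Successful logins to a departed owner's account dated after the separation date."""
    used = {}
    for ts, user, result in events:
        sep = roster.get(user)
        if user in orphans and sep is not None and result == "success" and ts.date() > sep:
            used.setdefault(user, []).append(ts)
    return used


def orphan_report(roster, enabled_accounts, log_text, today):
    """Per-orphan summary: why it is an orphan, how long it has been one, post-departure logins."""
    orphans = find_orphans(roster, enabled_accounts, today)
    used = orphan_usage(roster, orphans, parse_auth_log(log_text))
    report = {}
    for user, reason in orphans.items():
        sep = roster.get(user)
        report[user] = {
            "reason": reason,
            "days_orphaned": (today - sep).days if sep else None,
            "logins_after_departure": [ts.isoformat() for ts in used.get(user, [])],
        }
    return report


if __name__ == "__main__":
    for user, info in orphan_report(HR_ROSTER, ENABLED_ACCOUNTS, AUTH_LOG, TODAY).items():
        print(user, info)
```

Run against the sample data, the report lists three orphans: `bjones` (orphaned for 49 days, with one successful login two days after the engagement ended), `cdoe` (orphaned for 118 days, with only a failed attempt after departure) and `svc-backup` (no owner on record). The "days_orphaned" figure is the same time-to-terminate metric the survey above measures in days, and the post-departure login list is exactly the evidence the 38 percent of companies in the survey said they could not produce.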
Benefits of a combined F5 – MDM approach include:
- End-to-end policy and management controls.
Ensure security and compliance with combined access and device control. Organizations can use the Visual Policy Editor in BIG-IP APM to create, deploy, and manage device policies, and the F5 iRules® scripting language to interact in real time with MDM solutions to verify mobile device registrations. Using F5 iControl®, an open, standards-based API, real-time publications from MDM solutions can be received and acted upon, so that administrators can revoke user access automatically and immediately as policies or access rights change.
- Unified access approach.
Simplified access designs and security policies reduce costs while improving performance. BIG-IP APM integrates disparate technologies such as MDM, virtual private network (VPN) access, and virtual desktop infrastructure (VDI) to provide greater control of the entire infrastructure. This integration eliminates the need for multiple, disconnected solutions to address user management and operational risk within the data center. Security, performance, and availability services are all equally manageable, and ultimately more scalable, when deployed on the BIG-IP platform.
- Broad mobile OS support.
F5’s mobile solution provides full SSL VPN access for leading mobile OS and handset vendors including Apple, Google, and Microsoft. Enterprises can extend secure remote access to the most popular platforms and enable bring-your-own-device (BYOD) policies, reducing device costs while maintaining security standards.
You can learn more about this and other F5 security solutions at RSA, where we will be showcasing these integrated solutions. And if you’re just starting to learn about MDM, this is a great primer by MobileIron over at NetworkWorld: How does mobile device management (MDM) work?