I was recently doing some investigation, thinking and evaluation of how to bring the iPhone and Android securely into the enterprise, and not just as a point solution but as a strategic initiative that can be implemented tactically.
This is how....

The above diagram is a good summary of what I think the conceptual design should be to get iPhones and Android devices securely into the enterprise. The good things about this design are:
- It will save you money and make your users more productive, allowing you to fire some of them!! Interested yet? :)
- It takes more than just a point-solution view - you don't just want to provide iPhones / iPads, Androids etc. to your demanding CEO, CIO etc.; you want to enable any user to connect from any location, on any endpoint. You want to do this securely, with great performance and with a great user experience, i.e. completely transparent to the user and with a very similar experience regardless of what device they use and where they connect from. If you don't want this... read on for some of the financial and productivity benefits, or stop here :)
- It leverages many components that you already have, e.g. terminal services, virtualization, remote access gateway, ActiveSync with Exchange, web servers, two-factor authentication
- You can build it one piece at a time (i.e. implement in 3-month tactical releases) - so you can give that annoying $&%$^ (I mean senior management) their email on their iPhone NOW!!
- Any endpoint - it supports use of any endpoint, be that a traditional PC or laptop, a Mac, Linux, a netbook, or the mobile revolution: iPhone, iPad (and other copycat second-mover tablets), Android, and if you really really want, Windows, Symbian, MeeGo etc. and everything else that is not an iPhone or Android. Also zero-client and thin-client devices such as Sun Rays, Wyse desktops etc.
- Anywhere - it supports connecting over the internet from any location (home, on the train, Starbucks, in an internet cafe) and from your traditional office locations. It also supports seamlessly moving from any of those locations to any other, completely transparent to the user and with minimal change to their experience
- How does it do this? - The ubiquitous SSL gateway and the browser. The SSL gateway you can get from any leading vendor you have a relationship with, e.g. Juniper, Cisco, F5, Citrix (NetScaler). With this you can of course do http/https, ActiveSync, RDP, and even a full layer 3 IPsec tunnel if you so wish. This gives you the benefits of fully encrypted transit (via SSL), network access control (NAC/UAC) which allows you to stop that hacker from China or at least just give them free internet only, host integrity checks (make sure some smart user hasn't installed a rootkit on your device), and most important for users, WAN acceleration for improved performance
- Endpoint policy and mobile management - You need some server-side software to allow you to manage your endpoints, push policies, authenticate them, deploy software, freeze/erase the corporate data, back up, get usage and geo-location of the device, and get logs. What can do this? I would personally go with something like Juniper Pulse or Sybase Afaria
- Endpoint agent - Yes, we wish we could avoid this, and maybe in the future we can as Apple and Google integrate these features natively, but for now you need an agent to allow you to: encrypt the corporate data in storage and in use, sandbox the corporate applications and data from the user's personal applications and data (and stop them, e.g., from copy-pasting that HR list to their Google email), add a firewall and antivirus (for non-leet endpoints) and log everything that the user does with the corporate data and applications. Again, Juniper Pulse or Sybase Afaria have agents that work on iPhones and Androids and of course every other mobile device. Of course for your truly zero-client or thin-client endpoints you don't need an agent
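The SSL gateway's NAC and host-integrity check above boils down to one decision per connection: given what the endpoint agent reports about the device (and whether the two-factor login passed), does the user get full corporate access, internet-only access, or nothing? As an added example that is not part of the original post or any vendor's product, here is that decision written out in Python. The posture attribute names (os_version, jailbroken, agent_present, storage_encrypted, two_factor_passed), the minimum OS versions and the sample devices are all constructed for illustration; a real gateway exposes its own posture schema and policy language.

```python
"""Added example: posture-based access-tier decision of the kind an SSL
gateway's host-integrity / NAC check makes before a device reaches
corporate applications.  Attribute names, version floors and sample
devices are hypothetical and not taken from any product.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Tier(Enum):
    DENY = "deny"
    INTERNET_ONLY = "internet-only"   # the "free internet only" outcome
    FULL = "full"                     # corporate apps, ActiveSync, RDP


@dataclass(frozen=True)
class Posture:
    platform: str                     # "ios" or "android" (hypothetical)
    os_version: Tuple[int, ...]       # e.g. (4, 3, 1)
    jailbroken: Optional[bool]        # None: agent could not determine
    agent_present: bool
    storage_encrypted: Optional[bool] # None: not reported
    two_factor_passed: bool


# Constructed version floors; a real policy tracks current patched releases.
MIN_OS: Dict[str, Tuple[int, ...]] = {"ios": (4, 0), "android": (2, 2)}


@dataclass
class Decision:
    tier: Tier
    reasons: List[str] = field(default_factory=list)


def evaluate(p: Posture) -> Decision:
    """Map a device posture to an access tier, failing closed on unknowns."""
    # Authentication failure is an outright deny regardless of posture.
    if not p.two_factor_passed:
        return Decision(Tier.DENY, ["two-factor authentication failed"])
    # A known-compromised device must never reach corporate data.
    if p.jailbroken:
        return Decision(Tier.DENY, ["device is jailbroken/rooted"])
    # Everything below degrades to internet-only rather than deny: the user
    # stays connected, but corporate resources are withheld until fixed.
    reasons: List[str] = []
    if p.platform not in MIN_OS:
        reasons.append(f"unsupported platform {p.platform!r}")
    elif p.os_version < MIN_OS[p.platform]:
        reasons.append("OS below minimum patched version")
    if not p.agent_present:
        reasons.append("endpoint agent not present")
    if p.jailbroken is None:
        reasons.append("jailbreak status unknown")
    if not p.storage_encrypted:               # covers both False and None
        reasons.append("storage encryption not confirmed")
    if reasons:
        return Decision(Tier.INTERNET_ONLY, reasons)
    return Decision(Tier.FULL, ["all posture checks passed"])


def audit_line(user: str, p: Posture, d: Decision) -> str:
    """One log line per decision, so the 'log everything' requirement is met."""
    return (f"user={user} platform={p.platform} os={'.'.join(map(str, p.os_version))} "
            f"tier={d.tier.value} reasons={'; '.join(d.reasons)}")


# Constructed sample devices (not real users or hardware).
SAMPLE_DEVICES: Dict[str, Posture] = {
    "alice-iphone":   Posture("ios", (4, 3, 1), False, True, True, True),
    "bob-rooted":     Posture("android", (2, 3), True, True, True, True),
    "carol-noagent":  Posture("android", (2, 3), None, False, None, True),
    "dave-bad2fa":    Posture("ios", (4, 3, 1), False, True, True, False),
}


def access_table() -> Dict[str, str]:
    """Return {user: tier} for the sample devices."""
    return {u: evaluate(p).tier.value for u, p in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for user, posture in SAMPLE_DEVICES.items():
        print(audit_line(user, posture, evaluate(posture)))
```

The ordering matters: authentication and a positive jailbreak result are hard denies, while missing or unreported attributes (None) are treated as failed checks that drop the user to internet-only rather than silently passing. That is the fail-closed behaviour you want from a host-integrity check, and the reasons list is what the helpdesk needs when the user calls.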
Why would you not want to go with something like Good Technology to bring in your iPhone and Android? I'll give you three reasons:
- One trick pony - READ: POINT SOLUTION. If you don't understand why point solutions are BAD, please go and do this and enjoy your email, contacts and calendar on your iPhone tomorrow. Say hi to high TCO for me, close this browser window and don't let the door hit you on your way out. No don't do that - tell me why you are right and I am wrong in the comments to this post
- Upgrade problem - Good, in their infinite wisdom, has decided that they can develop a better e-mail client than Apple and Google. They will need to release a new version every time the OS is updated, and that includes development, testing, release and the inevitable bug fixing
- Different APPS for corporate email and personal email
Ok so how can you sell this to the people who have the money? It depends on what you need to sell. If its:
A. Why we should allow iPhones and Androids in the corporation? What about the security (oh lord the security!!!! when have they ever cared before?...)
- Save money - it is a hell of a lot cheaper than paying for your BlackBerry licences, BES server management and BlackBerry devices. Especially if you have already invested in many of the components I describe above, such as Exchange ActiveSync, you will SAVE MONEY!! But do the sums - make sure you give the total cost, including: software licensing, support and maintenance, hardware refresh and maintenance, people/costs to maintain, support and change these environments, training, help-desk calls (deduct a reasonable % because iPhones are easier to use). Take away any current costs that are re-usable, e.g. Exchange licences and maintenance
- User experience and productivity - usually all you need is the above, but just in case: give them an iPhone, iPad or EVO (just in case they have been in a cave), put that next to their laptop and Blackberry and ask them to do some similar tasks such as open and reply to email, browse the web, launch an application. That should just about do it
- If you need anymore I suggest you quit your job and go work for a real company
- Save money - Notice a trend? Work out the TCO of software for all your endpoints (PCs, laptops, mobiles), licensing and maintenance, hardware provision and refresh, staff/costs to issue, maintain and support these, and the % of helpdesk calls. Offset this against providing users £300 (US$500) for a mobile and the same again for a laptop/tablet, asking them to get their own endpoint or use their current one and pocket the cash, giving them £50 (US$80) a month as an allowance for a mobile and broadband data plan (or use their own and pocket the cash), and using these endpoint(s) both in the office and at home. If you already have a good investment in zero clients or thin clients, and users have laptops/workstations at home, forget about the money for the laptop part. The users contract with the mobile and endpoint providers themselves (with a corporate coupon code), and the support and helpdesk are completely outsourced. If you can't get the security and mobile management outsourced from your current mobile provider for around £3-5/user/month, go talk to Vodafone :)
- User experience and productivity - do a feasibility study, run a user survey. What would they rather use: an iPhone or their chunky BlackBerry, that awful Dell/HP/IBM laptop you give them or a MacBook Pro / iPad? What would they be more productive on?
Do you really think that it is easier to use a smartphone (regardless of type) to PRODUCE things rather than a traditional laptop / desktop? Note I'm not talking about communicating, but actually PRODUCING things. I'd suggest you take your own challenge and type out this blog entry on an iPad / iPhone and then do it on a laptop and tell me which you prefer.
I actually did write this on my iPhone! Try an app called BlogPress; I then did a bit of formatting on my laptop. Also with the iPad/iPhone and most smartphones you can output to a large screen via a VGA adaptor, and take a Bluetooth keyboard and mouse. The PC is dead, long live the mobile :)
I think Bring Your Own PC (BYOPC) - or smartphone or general computing device - is going to be huge, and I heard a lovely quote the other day: "If you have any of your end users with local admin, you're already running a BYOPC PoC"