June 4, 2017
Modern “Wish-list” for connected applications
In every organization, the demand for well-connected applications is growing. For the end user, a well-connected application enables them to access it anywhere, on any device, at any time. The application should work correctly on the chosen device – gestures should work on tablets and smart phones, frames should fit well on the screen, and the user should be able to work wherever they happen to be. To make life easier, there shouldn’t be unnecessary and complicated security software and protocols the user has to engage just to do their job – security should be built in as much as possible.
For the organization itself, a well-connected application provides the user with the features and functions they need – perhaps as an integration of several applications, presented in a way that’s natural to end user. Security should be integral and not at all dependent on device ownership, installation of complex software, or what network is being used to communicate back to the corporate data center.
Finally, there should be cost-effective management that doesn’t get in the way of the end user and the ability to support a DevOps-style build-release cycle, speeding delivery of new capabilities. In summary:
Organizational services need to
- work from everywhere
- run on any device
- support customized views based on user and context
- deliver security that is appropriate for the risks presented
- provide cost-effective management that does not come at the expense of user experience
- embrace a DevOps-style build-release cycle to support faster delivery of new capabilities
The Cold Reality of Expensive and Inflexible Infrastructure
As much as organizations would like to deliver on the wish list of functionality presented above, traditional solutions do not make that task easy. A typical corporate solution involves the following:
- Restrictions on device type, ownership, model, OS and sometimes even brand
- Complex layered software visible to the end user: Mobile Device Management, VPN, anti-malware, two-factor authenticators, device encryption layers, virtual desktop software (VDI), etc. Some of these are in addition to native functionality. A typical user might have to do all of the following to access a critical service:
- Log in to the device
- Log in to the corporate VPN
- Log in to the remote desktop software
- Log in to the domain
- Log in to the application
And then, the application might not even work that well on the device. For example, most VDI solutions work poorly on phones and tablets and underperform on desktops or over less than perfect networks.
- Complex layers invisible to the end user (unless they don't work correctly): MPLS or other private networks, and management software for all of the software listed above.
The issues abound:
- There is significant expense to build and maintain secure branch office infrastructure, and other network access solutions when the public Internet is often better, faster, cheaper, and more widespread.
- Security solutions on their own are numerous, complex to manage, and difficult to verify as fully working.
- VDI solutions help, but they are expensive and don't adapt well to non-Windows devices.
Finally, almost any sort of business change throws a monkey wrench into the entire structure exposing its fragility:
- Connectivity requirements for a merger or acquisition force a step backward (overuse of travel or simple email-based communications) in access and communications.
- Providing access for consultants or other temporary workers is almost impossible unless company built laptops are provided – adding high cost and inconvenience to all involved.
- Opening and closing temporary offices is nearly impossible or extremely costly.
- Repurposing applications for any internal or external use, providing custom views and functionality is nearly impossible without complete rewrites.
- Use of new devices is restricted for long periods of time, flying in the face of corporate claims of modernization and technology advancement.
Where the world is going - security architectures to support greater flexibility
A key tenet of security is to limit the number of things you need to trust. This is true in everyday things: human security (only small portions of the population have security clearances), typical dual-control processes, or even the storage of high-value physical objects (money is kept in vaults with limited access).
Oddly, corporate infrastructures often try to trust a lot of widespread components: the data center, the wide area network, the branch office physical location, the branch office local network, the user device, etc. Even building trust models for the potential combination of configurations is complicated and error prone.
A more modern approach is to construct highly secure and trusted cores and assume nearly every aspect of the edge and communication to the edge is not trusted, except for small amounts of software that can be placed at the edge to work in concert with the core to deliver secure applications. We see this approach work well with applications or new services such as Novastone for finance, Zscaler and ZPN.
Common themes of this modern architecture include:
- A data-center-centric architecture in which data and application processing are served from the core, with edge devices enabled for access, taking advantage of the best properties of those devices.
- Containerized computing enabling both simplification and enclaving of sensitive information and processing. Here we see Docker (and similar solutions) as a solution on the server side.
However, both legacy and even new complex applications need help to adapt to this modern architecture. AppBus's software provides the solution. AppBus software is the first solution to provide a containerized, trusted software delivery and application access layer that:
- Provides service-side abstraction and a device-side secure delivery container
- Containerizes both the application and selected functions of the application. No data is persisted on the device unless authorized by corporate policy.
- Creates a reduced attack surface that is designed to prevent leakage and penetration by malware and active attackers
- Assumes all user devices are untrusted, enabling a wide variety of user devices such as BYO, contingent workers, business partners, and new M&A counterparts to quickly gain access to enabled applications.
- Can be used for legacy applications, off the shelf applications, and new development. Further, the integration layer enables all of these different kinds of applications to be built and rebuilt into different, focused application surfaces for use by different user groups.
- Requires no changes to legacy applications.
The AppBus Advantage for Security
The AppBus software provides significant security and data protection capabilities that make it suitable for the most sensitive applications. Meticulously designed around the following key security principles, AppBus is a leading example of a product designed and implemented to be fit for purpose.
AppBus software assumes all devices are untrusted
- Application data is never stored on the device unless authorized by corporate policy and configured through the AppBus management portal.
- Transient and cached data is encrypted at all times – during transmission and in the cache at the device.
- The device container software isolates the applications within it from unsafe components such as the camera and unknown URLs – but can access them if needed.
- The AppBus software cannot be made to run other software outside of its container.
AppBus software is location aware
- External factors such as the device’s current location can be used to control access to data and applications
AppBus software is application security aware
- There are access control functions available at the application level for a rich set of fine-grained objects – even more than might have been originally implemented in the application.
- Documents that need to be viewed are rendered securely and without leaving the documents on the device unless authorized.
- Customized application views can be provided depending on context and security requirements – it is possible with AppBus to implement finer-grained object access control than provided in the original application.
- Contextual multifactor escalation is a unique feature – it enables access control on top of fine-grained features and functions within the container. For example, to gain access to client data, the user can be prompted for additional authentication. All of this can be configured in the AppBus management portal without change to the application itself.
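The location-aware and contextual step-up decisions described above can be modelled as a small policy evaluator that sits in the trusted core and treats the device as untrusted input. The following is an added, hypothetical example (not AppBus code, and not a description of its portal or policy format): object names, roles, countries and the "otp" factor are constructed sample values. It shows default-deny for unknown objects, role and location checks per fine-grained object, a step-up result that tells the edge to prompt for an extra factor before re-evaluating, and an audit entry for every decision.

```python
"""Hypothetical contextual access evaluator for a trusted-core, untrusted-edge model.

Added example, not AppBus code. Policies are managed centrally; the device
only supplies a request, and every decision is recorded.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass(frozen=True)
class Request:
    """One access attempt arriving from the (untrusted) edge container."""
    user: str
    roles: frozenset            # roles asserted by the core's identity store, not the device
    object_name: str            # fine-grained object, e.g. "client.account_balance"
    country: str                # coarse location reported for the device
    auth_factors: frozenset     # factors already satisfied in this session


@dataclass(frozen=True)
class ObjectPolicy:
    """Access rule for one object, layered on top of the application."""
    roles_allowed: frozenset
    allowed_countries: frozenset = frozenset()   # empty means any location
    step_up_factor: str = ""                     # extra factor required, if any


# Constructed sample policies (hypothetical objects, roles and countries)
POLICIES = {
    "app.dashboard": ObjectPolicy(frozenset({"staff", "advisor"})),
    "client.contact": ObjectPolicy(frozenset({"advisor"}), frozenset({"GB", "US"}), "otp"),
    "client.account_balance": ObjectPolicy(frozenset({"advisor"}), frozenset({"GB"}), "otp"),
}

AUDIT_LOG = []  # every decision is appended here; a real deployment would ship it off-device


def evaluate(req, policies=POLICIES):
    """Return (decision, detail). Unknown objects are denied by default."""
    policy = policies.get(req.object_name)
    if policy is None:
        return DENY, "no policy for object"
    if not (req.roles & policy.roles_allowed):
        return DENY, "role not permitted"
    if policy.allowed_countries and req.country not in policy.allowed_countries:
        return DENY, "location not permitted"
    if policy.step_up_factor and policy.step_up_factor not in req.auth_factors:
        return STEP_UP, policy.step_up_factor   # edge must prompt for this factor, then retry
    return ALLOW, ""


def evaluate_and_log(req, policies=POLICIES):
    """Evaluate and record the outcome so usage and refusals are both visible."""
    decision, detail = evaluate(req, policies)
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": req.user, "object": req.object_name,
        "country": req.country, "decision": decision, "detail": detail,
    })
    return decision, detail


def complete_step_up(req, factor):
    """Model the user satisfying the extra factor; the request is then re-evaluated."""
    return replace(req, auth_factors=req.auth_factors | {factor})


if __name__ == "__main__":
    advisor = Request("alice", frozenset({"advisor"}), "client.account_balance",
                      "GB", frozenset({"password"}))
    print(evaluate_and_log(advisor))                             # ('step_up', 'otp')
    print(evaluate_and_log(complete_step_up(advisor, "otp")))    # ('allow', '')
    print(evaluate_and_log(replace(advisor, country="FR")))      # ('deny', 'location not permitted')
    for entry in AUDIT_LOG:
        print(entry)
```

The design point is that the step-up result is a decision the core hands back to the edge, not a flag the edge sets for itself: the device reports context, the core decides, and only a re-evaluated request carrying the satisfied factor is allowed through.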
AppBus provides rich data about application usage
- AppBus logs every user interaction across all systems and applications.
The AppBus Advantage for Usability
Contemporary solutions for improving security at the edge are often clumsy, limiting, slow, or otherwise unwieldy. Many users find ways around them because of these issues. A study in the UK found that 67% of users violated security policy in order to work remotely. As much as AppBus is particularly designed for security, it has equally been designed to be user friendly and to be a mobile device application. This means that, unlike virtual desktops, AppBus embraces the capabilities that users expect:
The software should take care of its own security
- AppBus software enables any device to be used to access sensitive business applications, without worrying about other apps on the device – the container prevents other apps from gaining access to the applications or data delivered by AppBus.
- AppBus software doesn’t add complex restrictions on the end user or the organization.
- AppBus is safe to use on any device, including kiosks, hotel computers, and BYOD devices.
Native gestures and other device capabilities should be available in the way they were intended
- AppBus supports all native gestures, enabled intelligently for each application.
- AppBus is lightweight and fast, much like most device apps. The experience is natural and intuitive.
The software should not simply be a display app – it should provide value add
- AppBus enables the creation of new applications providing an advanced transport and integration layer
- AppBus provides customized views of applications depending on context – mix and match as needed to make new apps out of old
- AppBus enables single sign-on and access to complex workflows that span multiple applications. The potential for streamlining business processes is virtually endless with this capability.
- Usage patterns can be mined to improve workflows and optimize application usability.
The AppBus Advantage for Effective Cost Management
Simply put, there has never been a security-focused solution that can both save money and improve security; that is, until AppBus. All other security solutions are add-ons to the existing infrastructure – often times extremely costly add-ons. AppBus enables an enterprise to save money in a number of ways:
Take away infrastructure and unneeded security solutions
- Deploying AppBus to the edge enables expensive branch office networks to utilize basic Internet service for all communications
- Remove expensive virtual desktop solutions – AppBus is a lighter weight solution deployed on the application and web servers.
- Leverage out-of-band authentication systems or utilize biometric authentication.
- With AppBus, expensive MDM solutions can be removed because there is no sensitive data on the device that needs to be destroyed in the event of device loss. Users can be encouraged to use native free tools such as Find My iPhone.
- Let your users choose and support their own device. All corporate data and applications (including email) are accessed via the AppBus app. On employee termination, it is a simple step to disable all access and know that no data was stored on the user's device outside of the AppBus software.
Reduce staffing and optimize operations
- Reduce helpdesk staff who need to deal with remote user issues. The AppBus software is easy to use and reduces the number of apps every user has to deal with. Fewer apps, fewer helpdesk calls.
- Reduce engineers and administrators who are needed to build and support all the complex remote network and security systems. AppBus is easy to implement and supports the goals of the business – placing value producing applications on every device their employees use.
- AppBus enables natural and intuitive secure access to corporate applications via all kinds of mobile devices, without application rewrite. It’s estimated that a typical corporate application rewrite to support mobile devices naturally (not via clumsy VDI approaches) is upwards of $1m. AppBus enables a natural solution, without rewrite in a fraction of the time and cost.
- Enable DevOps-style frequent releases without adding risk – applications can be delivered to all or part of the organization, features can be enabled for test groups and then for all users, and usage data is collected to understand what users are actually doing.
AppBus Software – Exceeding the Market Need
AppBus is the first software platform that, in addition to providing significant improvement to enterprise security, also enables business process optimization and usability improvements. With AppBus software, it is possible to enable any application on mobile devices or laptops, without changing a single line of code, saving millions of dollars in software rewrites. In addition, new workflows and finer-grained access controls can be layered in – making new applications out of older ones or enabling access by new user groups, where previously security or integration concerns made this impossible. All of this and more is possible with AppBus software.