Enabling Seamless and Secure Mobility for the Enterprise

An Overview of the Market Drivers, Alternatives and
Birdstep’s SafeMove Mobile VPN Solution

14 March 2008

Copyright ©2008 Birdstep Technology ASA

Birdstep Technology
PL 333, Finlaysoninkuja 21 A
FI-331 01 Tampere, Finland
Phone: +358 20 740 2555
Fax: +358 3 389 0108

Table of Contents

Executive Summary

The Changing Mobile Landscape

Characterizing the Mobile Workforce

Market Drivers for the Mobile Workforce

Alternatives for the Mobile Enterprise

IP Security

SSL

Mobile VPNs

Proprietary MVPNs

Alternatives At-a-Glance

Enabling Enterprise Mobility with the SafeMove Mobile VPN

The SafeMove Mobile VPN Solution

SafeMove Mobile VPN Benefits for the Mobile Enterprise

Conclusion

Executive Summary

Security remains the primary concern in the mobile enterprise, despite the many advances on numerous fronts. In fact, the many new advances in technology only seem to create greater challenges for IT departments tasked with providing security for today's proliferation of new mobile devices and applications. Why is that? Why has implementing robust mobile security remained so elusive?

The answer can be found only by accepting an inconvenient truth: mobile security is too complex—for both users and administrators alike. And the complexity is only going to increase with the proliferation of wireless network options in the public infrastructure and the private enterprise. When users struggle with network access, productivity suffers. The problems they encounter burden the IT department. And the short-cuts and work-arounds they take compromise enterprise security.

In a perfect world, there would be a single, secure wireless networking technology that all enterprises and carriers adopted and deployed throughout their respective networks and service areas. Mobile device manufacturers would also adopt the same technology and build it into all their laptop PCs, PDAs and smartphones. The technology itself would be inherently secure and support seamless mobility among a carrier’s cells or access points, and users could roam—again seamlessly—among different carrier networks without incurring exorbitant roaming charges. With such a global infrastructure, mobile workers would enjoy continuous connectivity, empowering them with peak productivity. And IT departments could finally quit worrying about how to secure their enterprise networks.

The real world of mobility is manifestly different, however. Today’s wireless network operators employ different technologies in different geographic regions, and all are evolving into their next-generation versions. This harsh reality, which is expected to continue for the foreseeable future, makes it very difficult for mobile workers to get and stay connected seamlessly. Significantly, the most promising next-generation networks—3G and mobile WiMAX—address the need for seamless mobility with exactly the same solution: the industry-standard Mobile Internet Protocol. Just as virtual private networks (VPNs) add security to an inherently insecure Internet, Mobile IP adds mobility to an Internet originally designed exclusively for stationary devices.

This same “next-generation” solution is available for today’s heterogeneous wireless networks with Mobile VPNs, such as SafeMove from Birdstep Technology. The Mobile VPN combines Mobile IP with industry-standard IP Security (IPsec) to enable seamless and secure roaming among different wireless and wired networking technologies deployed by different network operators. Datamonitor estimates that demand for Mobile VPN solutions, a segment of the VPN market, will drive sales to reach $637 million in 2008 with a compound annual growth rate of 22.3%.

The Mobile VPN offers the enterprise mobile workforce better productivity with a seamless and secure roaming experience among multiple networks.

Birdstep’s SafeMove is a complete Mobile VPN solution that provides secure and seamless mobile connectivity for the enterprise in a convenient, transparent and easy-to-use manner for the user, and as a manageable, standards-compliant solution for the IT department. SafeMove is also field proven to operate successfully in demanding applications that require rigorous security for multiple mobile devices utilizing the most advanced public wireless network services available today.

The SafeMove Mobile VPN makes mobile security “enterprise-class” by eliminating the complexities enterprise-wide. For the IT department, this means having a familiar solution—IPsec—with the addition of centralized management over all aspects of mobility, including the security posture of all user devices, the client software configurations that ensure proper authentication and appropriate public network utilization, and centralized control over all user and session access privileges. For users this means providing the ability to log on in the morning and get the best possible secure connection available at any location as they roam throughout the day—automatically without any hassles. For the enterprise itself, this means achieving a high return on investment that results from maximizing mobile workforce productivity while minimizing wireless access costs.

The remaining material is organized into three sections followed by a brief conclusion. The first section on The Changing Mobile Landscape examines the business, social and technological driving forces behind the mobile enterprise, making an important distinction between workers who are merely “nomadic” and those who are truly mobile. The second section on Alternatives for the Mobile Enterprise evaluates four alternatives for implementing mobility, making the case that only one solution—the Mobile VPN—is sufficiently robust for enterprise-wide deployments. The third section on Enabling Enterprise Mobility with the SafeMove Mobile VPN provides an introductory overview of Birdstep’s SafeMove Mobile VPN solution. Additional information on Mobile VPNs and SafeMove is available on the Web at

The Changing Mobile Landscape

Some workers in most organizations have always been mobile; that much has not changed. What has changed, and changed substantially, is just how productive today’s mobile worker can be, and indeed must be to compete. Time spent driving can now be spent conversing with customers and coworkers—on a hands-free headphone, of course, for safety. Time spent in airports, coffee shops, trains and planes can now be spent communicating via email, Skype and instant messaging.

The future of the mobile enterprise is even more promising with respect to productivity and workforce enablement with new mobile business processes. Just as significantly (and perhaps paradoxically) mobility has improved the work/life balance for most employees. The ability to work productively anywhere at any time frees workers to choose those places and times, which enhances the ability of a company to recruit and retain top-notch talent.

Characterizing the Mobile Workforce

Enterprise mobility must be considered across a fairly wide spectrum of different workers doing different jobs in different ways and in different places. Most workers regularly move about the enterprise campus to attend meetings or perform other duties, and therefore, should be considered “mobile” to some extent. Some travel occasionally on business trips or to conferences. Others travel frequently. And some are mobile constantly, almost never coming into an office. Work style also has an effect. Some workers are “nomadic”—that is, merely moving from place to place where they work for extended periods of time. Others are truly “mobile”—working intermittently or continuously while on the go, wherever their professional or personal pursuits take them. Although both nomadic and mobile workers have a need for both voice and data communications, the analysis here focuses exclusively on mobile data network access.

IDC’s Mobile Worker Population Hierarchy depicted in the chart below shows a fairly comprehensive characterization of the mobile workforce. IDC also identifies five additional categories of mobile workers as an overlay on this hierarchy that includes Travelers, Visitors, Commuters, Corridor Cruisers and Work Extenders, all of whom require mobile access to wireless LANs and/or wireless WANs.

IDC organizes mobile workers into this hierarchy, all of whom are either “nomadic” or “mobile”—or both.

The existing network infrastructure has its own spectrum of capabilities—and limitations. Because campus-bound workers—whether nomadic or mobile—move about only within the confines of the enterprise, a robust and ubiquitous WLAN can afford the periodic or continuous network access these workers require. As they move from room to room or building to building, they may be able to roam from access point to access point seamlessly. Of course, many enterprise WLANs today are not yet fully enterprise-wide, with gaps in coverage that disrupt user sessions. And security continues to remain a concern in many enterprise wireless LAN deployments, especially those that are made available to visiting guests and/or extend into adjacent public spaces.

Workers who travel away from the campus—occasionally or constantly—face even greater challenges in today’s network infrastructure. As these workers move beyond the reach of the physical enterprise network, it is necessary for them to utilize the public network infrastructure. It is these mobile workers who, therefore, stand to benefit the most from seamless roaming among multiple, public and private wireless and wired networks. And it is these workers who are at the forefront of the truly mobile enterprise.

Market Drivers for the Mobile Workforce

Changing work patterns and advances in technology have transitioned workforce mobility from being a “convenience” for some to being a business imperative across the enterprise. The table below shows the results of a survey conducted recently by Gartner. Note how the Top 5 Business Priorities translate into IT Priorities, and that every one of these priorities involves mobility to one extent or another.

Top 5 Business Priorities / Top 5 IT Priorities
1. Business process improvement / 1. Business intelligence applications
2. Controlling enterprise operating costs / 2. Security technologies
3. Attracting and growing customer relationships / 3. Mobile workforce enablement
4. Improving strategic advantages / 4. Collaboration technologies
5. Improving competitiveness / 5. Customer sales and service

Gartner found that all Top 5 Business and IT Priorities in a recent survey involved workforce mobility to some extent.

A survey conducted in 2007 by the Economist Intelligence Unit for Nokia asked respondents, “What do you think is the most competitive factor driving your company toward greater mobility in the workplace?” Topping the list was the “Need to quicken response times to customer needs” (36%) and the “Need to improve collaboration across the enterprise” (28%). According to the findings, “Organizing business processes around mobility lets firms collaborate better with their employees, partners, suppliers, and customers by providing information to the right people at the right time, no matter where they are.”

A 2007 survey of IT professionals conducted by SearchMobileComputing.com revealed these factors driving mobility in the enterprise.

With mobility now a necessity in today’s global economy, IDC expects the mobile workforce to grow from 708 million in 2006, representing 23% of all workers, to 1 billion worldwide in 2011, representing over 30% of the total workforce. IDC attributes this growth in workforce mobility to four fundamental driving forces:

• a desire for enhanced worker productivity;

• increased organizational efficiencies;

• higher levels of customer satisfaction; and

• improved work/life balance for employees.

The enterprise must balance these driving forces with the requirement for regulatory compliance in the areas of security, privacy and integrity. Organizations also want to achieve cost savings by taking advantage of free wireless access, wherever available, and by negotiating more favorable rates with carriers and service providers—without adversely impacting user productivity. Similarly, users will be able to optimize work/life balance only to the extent they are empowered to work fully effectively—and without hassles—at the time and place of their choosing.

Vendors and service providers have responded to these driving forces with advances in technology that offer many more options to both the enterprise and its mobile workforce. Having options and choices is always preferable, of course. But such versatility also increases complexity—sometimes substantially so. Wireless networking is one arena where both the number of options and the overall complexity are inextricably linked, increasingly on a single, multi-mode device. Nokia’s newest smartphones, for example, support WCDMA PS, GPRS/EGPRS, GSM CSD, HSCSD and 802.11b/g WLAN access on a single device with a QWERTY keyboard. Many of these smartphones also feature Voice over IP (VoIP) over Wi-Fi. Qualcomm’s Gobi technology is designed to add CDMA2000 EV-DO and UMTS HSPA support to laptops already equipped with built-in Wi-Fi interfaces. For existing laptops, these and other wireless WAN interfaces are now available as plug-in PC Cards or USB adapters. And Intel is working aggressively to get WiMAX built into both handhelds and laptops.

The mobile workforce also has more options at home, where users want to take advantage of their DSL or Cable access service. Many homes now even have wireless LANs, giving users even greater work flexibility. And in parts of Europe and Asia, and more recently in the U.S., carriers are offering 3G FemtoCell Home Access Gateways and more flexible subscriber plans to compete for end-user broadband services.

The myriad changes in mobile networks and mobile devices have made the difference between being “nomadic” and being “mobile” even more profound. Once upon a time, users were content to lug around laptop computers with the hope of being able to get some form of network access somewhere. Today’s increasingly mobile workforce now requires constant access on much smaller devices, such as handheld smartphones and PDAs. For many, being out of touch means being out of the loop. And when key personnel are out of touch, the problems caused may ultimately lead to the company itself being out of business. Performance and productivity inevitably suffer. Timely opportunities are missed. And critical decisions are delayed or made, instead, without workers being fully informed.

Simply put: the mobile workforce can be expected to demand more from IT departments in the future. With the increasing ubiquity of mobile networks, and the growing breadth and depth of mobile device capabilities, users will expect continuous connectivity. Users will also expect that their continuous connectivity be effortless, eliminating their need to re-establish secure connections or work around problems. Finally, users will expect to be able to choose whatever PC, PDA or smartphone makes them the most productive, and the IT department will just need to find a way to support, manage and control this array of devices cost-effectively.

Alternatives for the Mobile Enterprise

The Internet is truly remarkable by any measure; its existence has revolutionized the way companies conduct business—both internally and with customers. The Internet was originally designed, however, with a set of assumptions, many of which no longer apply. One such assumption is the exclusive transport of data traffic, so the Internet had to be enhanced with traffic prioritization and special signaling provisions to carry streaming video and real-time voice over the Internet Protocol (VoIP) with sufficient Quality of Service (QoS). Another assumption was the lack of need for end-to-end security, necessitating the creation of virtual private networks (VPNs) to overlay secure private communications onto the public Internet infrastructure.

A third no-longer-valid assumption was that hosts—clients and servers—would be stationary. And once again the industry is responding with a variety of “solutions” to accommodate mobile devices. But these solutions vary dramatically in their capabilities. The following is an analysis of the four basic alternatives for the mobile enterprise: IPsec, SSL, Mobile VPN (or MVPN) and Proprietary MVPN. Each is viable in those applications where the mobile user is merely nomadic; that is, the user is stationary for the duration of a work session and, therefore, requires only some form of VPN security to use the public Internet. But where a user is constantly on the go while working, only two alternatives—the Mobile VPN and the Proprietary MVPN—offer the seamless mobility required.

IP Security

Virtual private networks emerged over a decade ago as a more cost-effective alternative to private enterprise networks, and have since been successfully deployed in both site-to-site and client-to-gateway (remote access) applications. The industry standard solution for the general-purpose VPN is IP Security or IPsec, which combines authentication, tunneling and encryption to provide confidentiality and integrity for private communications via insecure public networks.

The major advantage of IPsec is its operation at the Network Layer. Such operation is, in fact, the raison d’être of IPsec, whose objective is to provide LAN-like functionality across the IP WAN. For this reason, a remote user or group of users in a remote office appears to be connected directly to the enterprise LAN, allowing full interoperability with the entire enterprise network infrastructure, including all of its management and security provisions. The main disadvantage of IPsec in mobile applications is that sessions need to be reinitiated whenever users connect via a different network. In other words: IPsec is nomadic, but not truly mobile.

Because first-generation implementations of IPsec client software were difficult to configure and operate, many organizations began to consider use of SSL as an alternative for securing remote access.