Ivanti & F5: Secure Multi-Cloud Access in the Zero-Trust Model

CHALLENGES

  • Mobile apps have become the primary way for business users to access cloud services
  • Traditional, PC-based security solutions are not enough to protect data in the cloud
  • Applications can be located anywhere and accessed everywhere—meaning security has to encompass public and private cloud, mobile devices, as-a-service platforms, and on-premises apps and data

BENEFITS

  • Protect data with conditional authorization based on device, app, and cloud posture
  • Simplify authentication with seamless SSO
  • Accelerate remediation workflows to ensure continuous productivity
  • Maintain detailed logs for audit and compliance reporting
  • Adopt a standards-based approach proven to support scalable, best-of-breed cloud security
  • Leave no gaps with a comprehensive, end-to-end platform for mobile-cloud security

It used to be, an employee would use the same stationary PC—onsite and usually from within a cubicle—to log into a single corporate intranet to access everything they required to do their job. Gradually, that process evolved to include laptops and home PCs, logged in via the corporate VPN to access the intranet from home. Back then, IT security strategy was focused solely on the network: Make the user enter a password to get in the front door, but once inside they could generally roam about as needed.

Now that approach looks quaint. Today’s comprehensive security strategy goes well beyond network security and focuses on users, assets, and resources as well. Known as Zero Trust cybersecurity, this model doesn’t just take into account modern devices like the smartphone and tablet, it also acknowledges that today’s employees need secure access to a lot of content outside the corporate intranet. F5 and Ivanti work together to strengthen Zero Trust cybersecurity across all of an organization’s cloud applications. That includes enterprise applications deployed on public cloud services like Azure or AWS, as well as cloud-based services like Box, G Suite, Microsoft Office 365, and Salesforce.

Secure multi-cloud applications

An organization needs to be able to control secure access for all users (remote, mobile, and distributed) and all applications (on-premises and multi-cloud). F5 BIG-IP Access Policy Manager (APM) does just that: It secures, simplifies and centralizes access to apps, APIs, and data—no matter where users and their apps are located. BIG-IP APM makes it simple to control who has access, what applications they can access, and from which networks they can do it—down to the device level. BIG-IP APM even enables single-sign-on (SSO) from the corporate network. By delivering validation based on granular context and securing every single request for app access, BIG-IP APM is an important part of many organizations’ Zero Trust security model.

BIG-IP APM includes a Visual Policy Editor (VPE) graphical user interface that makes it easy to create, edit, and manage identity-aware, context-based policies, including policies that determine which users can access which applications in which cloud.

Security beyond the password

In addition to verifying user identity, Zero Trust mobile security requires a Unified Endpoint Management (UEM) framework that is capable of checking device posture and app authorization status. That ensures that only trusted users, devices, and apps access corporate resources from the cloud. Ivanti’s Zero Sign-On fills this role by providing conditional access to cloud services from mobile apps and browsers. Unlike traditional security approaches, Zero Sign-On (formerly MobileIron Access) correlates user identity with unique information feeds such as device posture and app state. Ivanti Zero Sign-On ensures that:

  • Business data cannot be stored on unsecured devices
  • Users cannot connect to unmanaged apps
  • Information cannot be shared via unsanctioned cloud services

In addition to delivering conditional access that verifies the security of the user, device, app, and network before granting cloud access, Ivanti Zero Sign-On enables IT organizations to easily adopt leading-edge solutions such as general zero sign-on (ZSO) and multi-factor authentication (MFA). Here’s how they work:

In addition to delivering conditional access that verifies the security of the user, device, app, and network before granting cloud access, Ivanti Zero Sign-On enables IT organizations to easily adopt leading-edge solutions such as general zero sign-on (ZSO) and multi-factor authentication (MFA). Here’s how they work:

  • Zero Sign-On eliminates the need for passwords by making the mobile device itself the secure enterprise ID, enabling seamless access to productivity apps and content. In one example, an Ivanti customer reported that ZSO not only reduced risk of phishing attacks, it decreased the average application login time by 70% (from 7 seconds to 2 seconds). Each month, across 100,000 logins, this equals a time savings of nearly 140 hours.
  • Multi-factor authentication steps in when a device is unrecognized or out of compliance, enabling users to quickly verify their identities and secure their devices via push notifications. This technology is also used for fast and easy setup of new devices or users through one-touch enrollment. Ivanti also merges MFA with ZSO for Passwordless MFA, utilizing multiple factors including biometrics, certificates, device posture, and more to authenticate user identity.

Deployment

Ivanti customers that have deployed F5 BIG-IP APM as part of their mobile UEM platform can use BIG-IP APM as Identity Provider (IDP) while deploying Ivanti Zero Sign-On in Delegated-IDP (or IDP-chaining) mode. In this scenario, BIG-IP APM acts as the primary IDP, but it relies on Ivanti Zero-Sign-On for its unique authentication abilities. For example, as requests come into cloud applications like Salesforce and Office365, those requests are authenticated by BIG-IP APM, which in turn relays the request to Ivanti Zero Sign-On to check that the source device is indeed managed. In the case of an unmanaged device, Ivanti Zero Sign-On will hand the request back to BIG-IP APM for corrective actions, like blocking, adding to denylist, etc.

 

In the above deployment, BIG-IP APM controls the flow and implements security policies. Only mobile endpoint SSO traffic is forwarded to Ivanti Zero Sign-On for scrutiny.

Summary: Zero-Trust security for the modern workflow

As enterprises increasingly adopt a mix of cloud services, mobile apps, and smart devices, IT needs a scalable, centralized way to apply policies and track, monitor, and report on compliance. Ivanti Zero Sign-On and BIG-IP APM work together to deliver a standards-based approach that secures all an organization’s cloud services without requiring proprietary integrations.

Ivanti “was purpose-built for global companies to secure and manage mobile devices and apps,” said Nayaki Nayyar, President, Service Management Solution & Chief Product Officer at Ivanti. “By teaming with F5, we can offer our customers an optimal employee experience while improving application delivery, enforcing critical security policies, and ultimately increasing mobile productivity.”

An integrated solution deploying BIG-IP APM with Ivanti Zero Sign-On ensures that only trusted and managed users on sanctioned devices are given access to corporate resources; while also providing IT with high levels of visibility, control, and security across unmanaged devices. This integrated solution delivers a seamless experience for end user and IT manager alike, enabling employees to easily access critical data and make critical business decisions from wherever they work and whatever device they work on.

Learn more

Webinar: Killing the password with Zero Sign-On

F5 solution: Access control and authorization