BYOD + SaaS = Chaos
There is a paradigm shift happening in enterprise computing. Until now, most critical business applications, like SAP, SharePoint, Oracle, and others, have been operated by IT and protected by corporate firewalls. Furthermore, these applications have been delivered to Windows desktops and laptops that are purchased, provisioned, and managed by IT. Increasingly, however, this "orderly" IT environment is being disrupted by two trends:
- BYOD: Employees are purchasing devices of their own choice, such as the iPad, iPhone, Android, and Windows Phone, and bringing them into the enterprise. There will be a few billion personally owned smartphones and tablets in 2015, and the majority of them will not be managed by IT.
- SaaS: Applications such as Salesforce.com, NetSuite, and others are developed and operated by third-party organizations. IT cannot manage these applications with the tools at its disposal today.
This is a recipe for chaos for IT: there will be billions of devices and hundreds of applications that IT neither owns nor manages. How does IT continue to deliver high-quality SLAs, protect against data leakage, and give its users a seamless experience?
Workspot re-invents App Delivery
We need to re-invent Application Delivery for this hybrid world of managed and unmanaged applications and devices. To do this right, we need to:
- re-invent access for end user workflows
- re-invent control for IT
And while we were doing it, we instrumented the new architecture to collect a great deal of end user activity data. This data can help IT troubleshoot problems, improve compliance, and even boost performance. Let's show you how.
Re-Invent Access with Mobile Virtualization
We designed our product mobile-first, with end user workflows in mind. An employee performs an end user workflow in order to do their job. For example, an employee might get an email with a link to an expense report in SAP, which they need to review in SAP and then approve. Or the employee might get an email with a link to a document in SharePoint that they need to download for a business presentation. Today these end user workflows cannot be performed on unmanaged devices. IT does not let the employee log into the corporate network over a VPN, because IT does not want to expose the corporate network to the Angry Birds traffic on the same device. On many devices, like the iPad, users can't download documents for offline use. Hence end user workflows are broken on personal devices.
We have implemented a patent-pending mobile virtualization platform on the device, called Workspot. Workspot is designed to keep the device personal: the Workspot application does not interfere with the end user's control over the device, and all their work lives inside the Workspot application. Workspot is a lightweight mobile virtualization layer that drives a personal, seamless, and immersive end user experience. An end user using the Workspot client has access to their business applications and documents; different end users might need different applications, and IT can configure this easily within our service. An end user is able to traverse workflows seamlessly, with no extra logins, VPN connections, etc. Finally, we have designed the application to provide an immersive experience: users can jump between applications and documents seamlessly within their Workspot.
In order to deliver the best user experience and enable end users to execute workflows, we had to take ownership of the file system and the network stack. Our virtual file system stores the documents downloaded by the user, and every document in the virtual file system is encrypted. We have also embedded document viewers for common document types like PDF and Office files. For IT, we secure the documents against data leakage by encrypting each document with its own encryption key, so that the compromise of one document's key exposes only that document rather than everything stored on the device.
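The per-document key scheme described above, worked through as an added example (this is illustration code written for this page, not Workspot's implementation): each document gets its own random data key, the data key is wrapped under a device master key, and only the wrapped key plus ciphertext are stored. To run offline with nothing but the Python standard library, the example builds its authenticated cipher from HMAC-SHA256 (HMAC in counter mode for the keystream, encrypt-then-MAC for integrity); a real client would use a standard AEAD such as AES-GCM or ChaCha20-Poly1305 in its place. The `VirtualFileStore` class, its method names, and the master-key handling are assumptions for the example.

```python
"""Per-document envelope encryption (added example, not Workspot code).

Cipher primitive is HMAC-SHA256 used as a PRF: keystream = HMAC(key, nonce||ctr),
tag = HMAC(mac_key, aad||nonce||ct). Chosen only so the example runs with the
standard library; use AES-GCM or ChaCha20-Poly1305 in production.
"""
import hashlib
import hmac
import os
import struct


def _hkdf(key: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869) with an empty salt; derives sub-keys from one key."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: 32-byte PRF blocks over nonce || counter."""
    out = b""
    for counter in range(-(-length // 32)):          # ceil(length / 32) blocks
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return out[:length]


def aead_seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC with independently derived keys; returns nonce||ct||tag."""
    nonce = os.urandom(16)
    enc_key, mac_key = _hkdf(key, b"enc"), _hkdf(key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_open(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Check the tag in constant time before decrypting; raise on any tampering."""
    if len(blob) < 48:                                # 16-byte nonce + 32-byte tag
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _hkdf(key, b"enc"), _hkdf(key, b"mac")
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class VirtualFileStore:
    """Hypothetical encrypted document store: one random key per document,
    wrapped under the master key; the store never keeps a plaintext key."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._docs = {}                               # doc_id -> (wrapped_key, sealed_content)

    def put(self, doc_id: str, content: bytes) -> None:
        doc_key = os.urandom(32)                      # fresh key for this document only
        wrapped = aead_seal(self._master, doc_key, aad=doc_id.encode())
        sealed = aead_seal(doc_key, content, aad=doc_id.encode())
        self._docs[doc_id] = (wrapped, sealed)

    def get(self, doc_id: str) -> bytes:
        wrapped, sealed = self._docs[doc_id]
        doc_key = aead_open(self._master, wrapped, aad=doc_id.encode())
        return aead_open(doc_key, sealed, aad=doc_id.encode())

    def unwrap_key(self, doc_id: str) -> bytes:
        """What an attacker who extracted a single document key would hold."""
        wrapped, _ = self._docs[doc_id]
        return aead_open(self._master, wrapped, aad=doc_id.encode())

    def open_with_key(self, doc_id: str, doc_key: bytes) -> bytes:
        """Decrypt with a supplied key; fails unless it is that document's own key."""
        _, sealed = self._docs[doc_id]
        return aead_open(doc_key, sealed, aad=doc_id.encode())
```

The document id is bound into the tag as associated data, so a wrapped key or ciphertext moved to a different document id fails to open; the check a practitioner wants is that a key recovered for one document opens nothing else in the store, which is exactly what per-document keys buy and what a single shared key would not.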
The virtual network is a custom L4-7 stack that can talk natively to any SSL-VPN system. We support Cisco, Juniper, SonicWall, and F5 SSL-VPN appliances today. Supporting different edge appliances, each with its own network protocols and configuration idiosyncrasies, is a challenging task. We are fortunate to have on our team rock-star engineers who were responsible for implementing the clients for many of the incumbent SSL-VPN products.
The Workspot client has a split-tunnel implementation that allows it to be connected to the corporate and external networks simultaneously. Traffic is routed to one network or the other on a per-application basis, according to configuration. The network stack also provides SSO, so the end user signs on once for their different business applications.
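One way to express the per-application split-tunnel decision described above, as an added example (written for this page; it is not Workspot's network stack). The policy attributes each outbound connection to an app and a destination and decides whether it rides the corporate SSL-VPN tunnel or the device's own network. The design choices here are assumptions: the rule format, the dot-boundary host matching, and the fail-closed behaviour that an app not entitled to the VPN also may not reach corporate address ranges directly (relevant when the device sits on the office Wi-Fi).

```python
"""Per-app split-tunnel routing policy (added example, not Workspot code)."""
import ipaddress
from dataclasses import dataclass

CORPORATE = "corporate"  # send through the SSL-VPN tunnel
EXTERNAL = "external"    # send through the device's own network
BLOCK = "block"          # refuse the connection


def _host_matches(dest: str, pattern: str) -> bool:
    """Exact host or subdomain match on a dot boundary, so "evil-sap.example.com"
    never matches "sap.example.com"; ".example.com" matches any subdomain."""
    dest, pattern = dest.lower().rstrip("."), pattern.lower().lstrip(".")
    return dest == pattern or dest.endswith("." + pattern)


def _ip_in(dest: str, networks) -> bool:
    """True only when dest is an IP literal inside one of the CIDR networks."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:                 # a hostname, not an address
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


@dataclass
class AppRule:
    tunnel: str                        # CORPORATE or EXTERNAL
    hosts: tuple = ()                  # hostnames this app may reach via the VPN
    networks: tuple = ()               # CIDR ranges this app may reach via the VPN


@dataclass
class SplitTunnelPolicy:
    rules: dict                        # app id -> AppRule (hypothetical config pushed by the control panel)
    corporate_networks: tuple          # internal ranges that must only be reached via the VPN

    def route(self, app_id: str, dest: str) -> str:
        """Decide the path for one connection; unknown apps never get the VPN."""
        rule = self.rules.get(app_id)
        if rule is not None and rule.tunnel == CORPORATE:
            if any(_host_matches(dest, h) for h in rule.hosts) or _ip_in(dest, rule.networks):
                return CORPORATE
            # The app's other traffic (telemetry, CDNs) stays off the corporate tunnel.
        return self._external(dest)

    def _external(self, dest: str) -> str:
        # Assumed hardening: an app without VPN entitlement may not probe
        # corporate ranges directly either, e.g. from the office Wi-Fi.
        if _ip_in(dest, self.corporate_networks):
            return BLOCK
        return EXTERNAL
```

Two properties are worth checking against any such policy: an entitled app only gets the tunnel for the destinations it was configured for (so a compromised business app is not a general proxy into the corporate network), and a consumer app gets nothing corporate at all, whichever address it names.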
Re-Invent Control for IT
We have simplified deployment of our solution by leveraging and extending the enterprise SSL-VPN appliances from companies like Cisco, SonicWall, Juniper, and F5. IT configures its Workspot applications by completing a two-step Express Setup in the Workspot Control panel: simply specify the type and public address of the VPN, and the URLs of the applications.
Workspot Control is a SaaS service. We have designed it so that the data plane and the control plane are separated. In the figure above, data flows directly between the Workspot client and the applications via the white lines, while the control panel applies configuration and policy changes to a client via the blue path. This separation between the control and data planes is critical for a number of reasons:
- Security: Data flows directly between the client and the applications; it never passes through our control service
- Availability: Since we are not in the data path, the availability of applications is independent of the availability of our service
- Performance: Since we are not in the data path, there is nothing to impede the end user experience
- Cost: Our cost of scaling the service and delivering a high-quality user experience is low. Hence, we are able to offer the Access and Control edition of the product for free!
The Workspot client authenticates directly against the existing SSL-VPN appliance, re-using the authentication mechanism already configured for that SSL-VPN, including Microsoft Active Directory and RSA SecurID. We do not store user credentials in the cloud.
Create Order using Big Apps
Today IT uses various Application Performance Monitoring (APM) and Security Information and Event Management (SIEM) systems to understand events and performance inside the data center. However, as more computing happens outside the corporate data center, those tools are no longer sufficient. We have built a highly instrumented mobile virtualization platform that efficiently collects events on the device, and we are building three Big Apps (apps that use this Big Data):
- Insights: Gives IT a deep understanding of real end user experience, uptime, and usage, which can be analyzed by application, device, geography, or network. This helps them troubleshoot problems.
- Events (coming in Q3): A Twitter-style stream of real end user activity that can be fed into SIEM systems for compliance and auditing.
- Boost (coming in 2013): Performance improvements based on understanding exactly what a user is doing inside their Workspot.
Every paradigm shift requires re-imagining application delivery and data management, and we are in the midst of the biggest change in the history of our industry. Only by re-inventing App Delivery could we simplify BYOD and SaaS. We are very happy with the initial feedback we've received from our pilots.
And we are not sitting still. We are building many new solutions: libraries for native apps, the Events and Boost Big App modules, Workspot on Android and Windows 8, and more.
Please sign up for our free Access and Control Edition to experience this new platform for Application Delivery, and tell us what you like and, more importantly, what you don't like!