Anatomy of the Workspot Cloud Control
Here are some key questions that we discussed passionately while bootstrapping the Workspot v1.0 architecture for app delivery:
- What will be the cost to store 1GB of enterprise quality storage by 2020?
- How frequently will the operating systems running on mobile devices be updated by 2020?
- What will be the network perimeter for most organizations for delivering applications by 2020?
- How many companies will enable a BYOD (bring-your-own-device) policy?
- Will users want IT to have visibility into personal applications?
- Will security continue to be a function of endpoint protection?
- Will data-based risk management become a mainstream security protection solution?
When mapping out any new architecture, previous industry experience is always helpful from a use-case perspective. However, we did not shy away from departing from conventional technology assumptions in our client and cloud architectures. A few notable highlights:
Unified Client Experience
The end user should have a single Workspace client as the springboard for all enterprise assets, to simplify the end-user experience. Aggregation of apps should be abstracted away from the end user; for example, the end user should not even be asked to fill in a “server address” in order to discover their application entitlements. Simplicity of the user experience was priority #1; speed of access for every notable function in the client was #2. This lightweight, cross-platform client experience is fundamentally different from the Type-2 client hypervisor approaches previously tried by vendors like Moka5, VMware, Parallels and Citrix. A lightweight app-visor Workspace client that runs on iOS, Android, Mac and Windows and provides the same data instrumentation ability on each is our unique value proposition. The client instrumentation enables us to capture high-quality data at every point in the access stack, and we use that data extensively for security.
Control Plane Architecture
The on-prem moving parts needed to run the management infrastructure for every separate function were a consistent pain point highlighted in our customer interactions going back to our VMware and Citrix days. Deploying VDI or app publishing became extremely complicated because of all the management pieces in the incumbent stacks. IT is interested in security policies and user experience; backing up SQL Server or installing an SSL certificate for every View or Xen layer is plain overhead. We decided to do away entirely with the on-prem model of shipping a separate stack for each function once a year, and chose a release-every-week, single-pane-of-glass, cloud-managed model instead. This was a hard decision, because there will always be some customers who want to control everything, but we are glad we made it. The client’s isolation of a “data plane for business traffic and control plane for management traffic” was unique when we started but is now seen as a common design pattern for hybrid cloud infrastructure startups. In the past, companies like Citrix and VMware acquired many different assets, and the complexity for both IT and end users has increased because the various products were never integrated seamlessly. It’s OK to have a few different consoles for managing a large 20k VDI deployment, but troubleshooting performance or connectivity problems across five different management consoles is a non-trivial task even for experienced professionals.
Security of Data at Rest and In-motion
There are two fundamental security vectors for any end-user computing product: securing any data that is brought from the enterprise to local disk, a.k.a. data at rest, and securing communication between client and server to protect against man-in-the-middle attacks, a.k.a. data in motion. The Workspot client uses industry-standard AES-256 encryption for all assets brought down from the enterprise. Entropy is increased by using a unique encryption key per object. The master key used to unlock content is generated from the user-provided passcode and is never stored on the device. For more details, please refer to the Workspot Technical Whitepaper. All traffic between the Workspot client and the enterprise goes over an SSL tunnel. Workspot has an embedded VPN client: we have a custom full L4-L7 stack and a flexible split-tunnel model to ensure simultaneous connectivity to corporate and public networks.
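To make the data-at-rest model above concrete, here is an added example, written for this page rather than taken from Workspot’s client or the whitepaper, of the envelope scheme the paragraph describes: a master key derived from the user’s passcode and held only in memory, a fresh random AES-256 key for every object, and each object key wrapped under the master key. The KDF (PBKDF2-HMAC-SHA256 with 100,000 iterations), the use of GCM, the per-device salt and all sample values are assumptions chosen for the example; the post states only AES-256, per-object keys and a passcode-derived master key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// pbkdf2SHA256 derives a 32-byte key with PBKDF2-HMAC-SHA256 (RFC 8018; one block, since
// SHA-256 yields 32 bytes). The KDF is an assumption: the post names no algorithm.
func pbkdf2SHA256(passcode, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, passcode)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	t, u := prf.Sum(nil), prf.Sum(nil) // T1 starts as U1; Sum copies and keeps the state
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// sealedObject is what is persisted on disk; the master key itself is never written out.
type sealedObject struct {
	Nonce, Ciphertext    []byte // object content, AES-256-GCM
	KeyNonce, WrappedKey []byte // per-object key, encrypted with the master key
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func sealWith(key, plaintext []byte) (nonce, ct []byte, err error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize()) // fresh random nonce per seal
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// deriveMasterKey recomputes the master key whenever needed; only the per-device salt is stored.
func deriveMasterKey(passcode string, salt []byte) []byte {
	return pbkdf2SHA256([]byte(passcode), salt, 100000)
}

// encryptObject gives each object its own random key and wraps it under the master key.
func encryptObject(masterKey, content []byte) (*sealedObject, error) {
	objKey := make([]byte, 32)
	if _, err := rand.Read(objKey); err != nil {
		return nil, err
	}
	nonce, ct, err := sealWith(objKey, content)
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped, err := sealWith(masterKey, objKey)
	if err != nil {
		return nil, err
	}
	return &sealedObject{nonce, ct, keyNonce, wrapped}, nil
}

// decryptObject unwraps the object key, then opens the content; GCM fails closed on a bad key.
func decryptObject(masterKey []byte, so *sealedObject) ([]byte, error) {
	mAEAD, err := gcm(masterKey)
	if err != nil {
		return nil, err
	}
	objKey, err := mAEAD.Open(nil, so.KeyNonce, so.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap object key (wrong passcode or tampered blob): %w", err)
	}
	oAEAD, err := gcm(objKey)
	if err != nil {
		return nil, err
	}
	return oAEAD.Open(nil, so.Nonce, so.Ciphertext, nil)
}

func main() {
	mk := deriveMasterKey("correct horse", []byte("constructed-per-device-salt"))
	so, _ := encryptObject(mk, []byte("constructed sample document"))
	fmt.Println(decryptObject(mk, so))
}
```

Three properties of the paragraph’s design become checkable in this form: the master key is recomputed from the passcode and never serialized, every object gets its own key and nonce so two encryptions of the same document share no ciphertext, and authenticated encryption makes a wrong passcode or a modified blob fail with an error instead of decrypting to garbage.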
Structured and Big Data Approach to Improve Security
Remote access products typically generate a lot of network traffic, and as most organizations move to decentralized data centers and a cloud application delivery paradigm, capturing end-user access patterns has become extremely important for security teams. The data can be captured at the client, at the application host or application backend, or with a man-in-the-middle approach. Companies like SkyHigh Networks, Adallom, Netskope and CipherCloud, for example, use the man-in-the-middle approach to broker access to cloud SaaS applications. Monitoring solutions like Citrix EdgeSight tried to capture quality data at the endpoint, but the quantity of data for large customers was overwhelming for most traditional on-prem product architectures, which could not even keep up with the performance metrics. Further, capturing insightful data requires deep instrumentation of the client stack, and a unified network and application stack is needed to provide visibility across the SSL layer on the client. This coupling of the network and application (protocol) stacks allows Workspot to capture every L7 request and very fine-grained metrics on bandwidth, latency, location and document access patterns, and provides unprecedented visibility for Ops and Security teams.
We started with the goal of not only enabling large-scale data handling, but doing it as a single multi-tenant stack for all customers. This means that, along with data collection, we have put in place the right multi-tenancy controls to isolate data between different customers, using leading industry techniques of anonymization, encryption and hashing. Read more here.
Let me put some color on the two key aspects of “structure” and “volume” of data to enhance security. First, we concluded that the MDM (mobile device management) approach of locking down the device is never going to be a universal solution; it is primarily a stepping stone for asset and inventory management, with threshold controls for employee-owned devices. For the emerging BYOD theme, it is important that security is primarily a function of evaluating “what the user is doing in the context of work” instead of “let’s rely primarily on the OS-provided controls for all the security”.
Structure of Data: Big Data tools have evolved a lot in the last few years, and processing data in both structured and unstructured formats has become fairly easy. Storage and distributed-parallelism issues have been addressed, so application logic can easily handle large streams of data. Time series and event processing tools all use the same logic to chunk and process data. However, we strongly felt that the quality of data needs to be improved at the client layer before it is forwarded to a cloud gateway for processing. Deciding “what data is interesting” is not an easy problem, and we have taken a good stab at defining the “stream of data that captures what the user is doing in the context of work”. We are excited about how some of our large customers are using this data, and we continue to make good strides in evolving the use cases.
For example, this sample JSON payload is compressed, pseudo-anonymized and sent to the Workspot cloud control plane from a mobile device, based on various company-configured policies.
The payload captures the amount of time a user spent in an internal application from a device with a unique identifier, with location info known only to the Workspot cloud control plane. This is just one example of well-structured data collection that is easy for security teams to parse and allows real-time contextual security. This data collector is inline and instrumented in the Workspot client across all OSes and form factors; it is not a bolted-on afterthought. Workspot can capture every URL request made by end users in the context of work without invading their privacy. Most modern security analytics solutions use machine learning and behavioral analysis to flag suspicious actions and threats. Possessing the right data is far more important than the machine learning used to capture the context. Alerts from threat detection products with supporting evidence (machine data, server logs, network packet data, client activity trail) are immensely valuable for security teams drilling down during incident investigation. Workspot provides an activity feed for the following kinds of user events:
- Application type and time of access
- Client Location and IP Address
- Rich device information
- Time spent in application
- Every URL accessed inside the application
- Documents accessed
- Client-side access patterns for documents (which page was opened, printed, etc.)
Customers have all the knobs to dial the amount of data collected up or down based on the needs of the organization and geographical restrictions. This data is also available back to the enterprise in the form of a Splunk data feed if the customer wants to build and manage their own risk profile pipeline by aggregating data from other sources inside the company. We are excited about how the “Workspot Events” feed is used at some of our large customers. Read another post about visibility here.
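As an added example, not Workspot’s code or schema (the post’s own sample payload is not reproduced here), the following Go program builds a constructed batch of events shaped after the categories listed above, pseudonymizes the user and device identifiers with a per-tenant HMAC key in the spirit of the multi-tenancy and pseudo-anonymization passages, and then runs two contextual rules of the kind a security team could apply to such a feed: a URL fetched inside an application that is not under the application’s published host, and a device appearing from a country it has no history in. The field names, the tenant key, the two rules and every event value are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// accessEvent is an assumed schema built from the categories the post lists (time of
// access, location and IP, device, time in app, URLs); it is not Workspot's real payload.
type accessEvent struct {
	UserID      string   `json:"userId"`
	DeviceID    string   `json:"deviceId"`
	AppHost     string   `json:"appHost"` // host the application is published on
	AccessTime  string   `json:"accessTime"`
	Country     string   `json:"country"`
	ClientIP    string   `json:"clientIp"`
	SecondsUsed int      `json:"secondsUsed"`
	URLs        []string `json:"urls"`
}

// sampleEvents is a constructed batch, ordered by time; nothing in it is real data.
const sampleEvents = `[
 {"userId":"alice","deviceId":"laptop-77","appHost":"hr.corp.example",
  "accessTime":"2015-03-02T09:01:00Z","country":"US","clientIp":"198.51.100.7",
  "secondsUsed":540,"urls":["https://hr.corp.example/home","https://hr.corp.example/payslips"]},
 {"userId":"alice","deviceId":"laptop-77","appHost":"hr.corp.example",
  "accessTime":"2015-03-02T09:15:00Z","country":"US","clientIp":"198.51.100.7",
  "secondsUsed":60,"urls":["https://hr.corp.example/export","https://paste.example.net/up"]},
 {"userId":"alice","deviceId":"laptop-77","appHost":"hr.corp.example",
  "accessTime":"2015-03-02T11:30:00Z","country":"RO","clientIp":"192.0.2.44",
  "secondsUsed":30,"urls":["https://hr.corp.example/home"]}
]`

// pseudonymize replaces direct identifiers with keyed hashes on the client. The key is per
// tenant, so one device in two tenants yields unrelated pseudonyms; country stays as coarse location.
func pseudonymize(ev accessEvent, tenantKey []byte) accessEvent {
	tag := func(label, v string) string {
		m := hmac.New(sha256.New, tenantKey)
		m.Write([]byte(label + ":" + v))
		return hex.EncodeToString(m.Sum(nil))[:16]
	}
	ev.UserID = tag("user", ev.UserID)
	ev.DeviceID = tag("device", ev.DeviceID)
	return ev
}

type finding struct {
	Rule, Device, Detail string
}

func underHost(host, appHost string) bool {
	return host == appHost || strings.HasSuffix(host, "."+appHost)
}

// analyze applies two context rules to a time-ordered stream: off-host-url flags a URL not
// under the app's published host; new-country flags a device seen from a country new to it.
func analyze(events []accessEvent) []finding {
	var out []finding
	seen := map[string]bool{}    // "device|country" pairs already observed
	devices := map[string]bool{} // devices with any history at all (first sighting is not flagged)
	for _, ev := range events {
		for _, raw := range ev.URLs {
			u, err := url.Parse(raw)
			if err != nil || !underHost(u.Hostname(), ev.AppHost) {
				out = append(out, finding{"off-host-url", ev.DeviceID, raw})
			}
		}
		key := ev.DeviceID + "|" + ev.Country
		if devices[ev.DeviceID] && !seen[key] {
			out = append(out, finding{"new-country", ev.DeviceID, ev.Country})
		}
		seen[key], devices[ev.DeviceID] = true, true
	}
	return out
}

// processBatch plays both ends: the client step (pseudonymize) and the gateway step (analyze).
func processBatch(raw, tenantKey []byte) ([]finding, error) {
	var events []accessEvent
	if err := json.Unmarshal(raw, &events); err != nil {
		return nil, err
	}
	for i := range events {
		events[i] = pseudonymize(events[i], tenantKey)
	}
	return analyze(events), nil
}

func main() {
	findings, _ := processBatch([]byte(sampleEvents), []byte("constructed-tenant-key"))
	for _, f := range findings {
		fmt.Printf("%-12s device=%s %s\n", f.Rule, f.Device, f.Detail)
	}
}
```

A keyed hash rather than a plain SHA-256 of the identifier is the point of the tenant key: an unkeyed hash of a short, guessable device identifier can be reversed by enumeration, and the same identifier would hash identically across tenants, which is exactly the cross-customer join the isolation controls are meant to prevent.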
Quantity of Data
We have built a flexible data pipeline for handling thousands of events for millions of users every day.
Having a cloud architecture with a service-based approach allowed us to create a single, scalable API gateway that provides cloud scale with no tenancy or geographic limitations. Data can be forwarded to different services or sinks based on the processing requirement and handled under different latency requirements, trading performance against strong consistency as needed. We picked the following tools for our data pipeline:
- Redis: NoSQL open source in-memory data store and cache
- MongoDB: scalable and flexible next-gen document-oriented database
- Postgres DB: rock-solid relational DB for configuration data
- Amazon S3: long-term storage for static assets
- Play Framework: modern reactive framework for building next-gen web applications
- Containers: most services and web dynos run in stateless Linux containers
In summary, the cloud control service along with the unified client architecture is different from the previous generation products in the following ways:
- Unified client architecture enables a single user experience across all devices. This lightweight client approach is different from an assembled workspace of multiple clients or a full virtual machine approach.
- The management or control plane architecture is designed to be scalable from the ground up. The architecture enables tens of services and hundreds of compute instances, and is designed to handle thousands of tenants and millions of devices.
- A flexible big data pipeline allows us to capture and handle large volumes of events.
Gartner has highlighted the need for context-rich systems as a top strategic trend for 2015. In an environment where IT doesn’t fully manage the device, IT needs analytics, reports and tools to understand what the end user is doing with work-related assets. The solution needs to enable the Chief Information Security Officer (CISO) to get a granular view of end-user business activities on a mobile device for compliance and auditing. We foresee large organizations using filtered and grouped event processing to make real-time access decisions and better manage risk across the organization in the coming years. For this to happen, current SIEM systems need more contextual data from mobile and bring-your-own PC and Mac devices to gain the confidence to provide risk-based access and security controls.
Just like Wi-Fi moved from a big security red flag to a mandatory requirement for every business over the last 10 years, BYOD will also emerge as a key business accelerator with the right Workspace product. We are excited to help customers on that journey!