IPass beefing up policy enforcement

Global service provider iPass is introducing security features this week aimed at enforcing the corporate security policies of its customers.

The four features fall under a product umbrella called iPass Policy Orchestration. The features - endpoint self-quarantine, dynamic policy retrieval, assessment verification and coordinated enforcement - will be rolled out throughout the rest of the year, says Roy Albert, CTO at iPass.

One industry expert gives the initiative a positive review.

"One of the things that is impressive about this announcement is that [iPass] has spent a lot of time integrating every possible security client you can run on a laptop," says Abner Germanow, program manager at IDC.

The service provider is working with 45 security vendors to better integrate their wares with iPass' Corporate Access worldwide remote-access service. IPass already has integrated the products with its network, but still is working out the kinks of rolling out services based on the technology, Albert says.

The vendors range from well-known to lesser-known organizations and include AppGate, Cisco, Check Point, Internet Security Systems and Mobile Automation. IPass publishes a full list of its security technology partners.

Endpoint self-quarantine uses a personal firewall to ensure users' PCs adhere to corporate security policy when they attempt to surf the Internet or connect to the corporate VPN. The outcome is tiered: a user required to have the latest Microsoft security patch might be denied VPN access for lacking it, but still be allowed to surf the Internet.

Dynamic policy retrieval lets network administrators change the policy governing how all users access the corporate network directly from their own desktops. Today, every policy change goes through the iPass trouble-ticket system.

Using assessment, remediation and patch management systems, the iPass assessment verification feature confirms that a user's system is up to date and, if it is not, automatically sends the correct security patch to that user's machine. Whereas endpoint self-quarantine merely blocks access when a user does not meet policy, assessment verification works to remedy the non-compliance.

The coordinated enforcement feature specifically addresses VPN access policies at the customer's network, after a user has already gone through the endpoint self-quarantine process. IPass is working with network enforcement systems such as Cisco's Network Admission Control and Microsoft's Network Access Protection to block access to a VPN if a user's PC is not configured correctly or is infected with a virus. Vendors are only now introducing these systems, so this feature likely will be among the last iPass makes available.

Two existing policy enforcement features, called SecureConnect and continuous policy enforcement, also will fall under the Policy Orchestration umbrella. Before a user authenticates on the iPass network, SecureConnect checks that the user's laptop is running specific security software; it looks for the presence of an application rather than for compliance with a policy.

IPass' continuous policy enforcement feature ensures that a user's machine stays compliant with the company's policy for the duration of a connection. For example, if the security policy says a personal firewall must be on throughout a connection, this feature will disconnect users who shut down their firewall.
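The three posture-based mechanisms described above (endpoint self-quarantine with its tiered outcome, assessment verification that pushes a missing patch instead of only blocking, and continuous enforcement that re-checks during the session and drops the connection) share one evaluation loop. The following is an added illustration of that loop, not code from iPass or the iPass Connect client; the posture fields, policy rules, the assumption that the personal firewall is the enforcement point for plain Internet access, and the placeholder patch names are all assumptions made here.

```python
"""Posture-based remote-access gating, modelled on the iPass features described
in this article. Added illustration, not iPass or iPass Connect code; every
field, policy value and patch name below is an assumption."""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Posture:
    """Snapshot of an endpoint's security state (assumed fields)."""
    firewall_on: bool
    av_running: bool
    patches: FrozenSet[str]


@dataclass(frozen=True)
class Policy:
    """What the corporate policy requires before and during a connection."""
    required_patches: FrozenSet[str]
    require_firewall: bool = True
    require_av: bool = True


@dataclass(frozen=True)
class Decision:
    internet: bool                # may the endpoint reach the Internet?
    vpn: bool                     # may it connect to the corporate VPN?
    violations: Tuple[str, ...]   # why VPN access was refused, if it was


def violations(p: Posture, policy: Policy) -> Tuple[str, ...]:
    """List every way the posture falls short of policy (empty = compliant)."""
    out: List[str] = []
    if policy.require_firewall and not p.firewall_on:
        out.append("firewall_off")
    if policy.require_av and not p.av_running:
        out.append("av_not_running")
    out.extend(f"missing_patch:{m}" for m in sorted(policy.required_patches - p.patches))
    return tuple(out)


def self_quarantine(p: Posture, policy: Policy) -> Decision:
    """Endpoint self-quarantine as a tiered decision. Assumption: the personal
    firewall is the enforcement point, so plain Internet access stays open as
    long as the firewall is up, while the VPN requires full compliance."""
    v = violations(p, policy)
    return Decision(internet=p.firewall_on, vpn=not v, violations=v)


def assess_and_remediate(p: Posture, policy: Policy,
                         patch_repo: Dict[str, bool]) -> Tuple[Posture, List[str]]:
    """Assessment verification: instead of only blocking, push each missing patch
    the (simulated) patch-management repository can supply, and return the
    updated posture plus the list of patches applied."""
    missing = sorted(policy.required_patches - p.patches)
    applied = [m for m in missing if patch_repo.get(m, False)]
    return replace(p, patches=p.patches | frozenset(applied)), applied


def monitor_session(snapshots: List[Posture],
                    policy: Policy) -> Optional[Tuple[int, Tuple[str, ...]]]:
    """Continuous policy enforcement: re-check posture at every snapshot taken
    during the session and report the index and reasons of the first violation,
    at which point the client would drop the connection. None = session stays up."""
    for i, snap in enumerate(snapshots):
        v = violations(snap, policy)
        if v:
            return i, v
    return None


# Constructed sample data (patch names are placeholders, not real bulletin IDs).
POLICY = Policy(required_patches=frozenset({"patch-A", "patch-B"}))
COMPLIANT = Posture(firewall_on=True, av_running=True,
                    patches=frozenset({"patch-A", "patch-B"}))
MISSING_PATCH = replace(COMPLIANT, patches=frozenset({"patch-A"}))
FIREWALL_OFF = replace(COMPLIANT, firewall_on=False)
PATCH_REPO = {"patch-B": True}   # what remediation can deliver


if __name__ == "__main__":
    d = self_quarantine(MISSING_PATCH, POLICY)
    print("quarantine:", d)                              # internet=True, vpn=False
    fixed, applied = assess_and_remediate(MISSING_PATCH, POLICY, PATCH_REPO)
    print("remediated:", applied, self_quarantine(fixed, POLICY).vpn)   # ['patch-B'] True
    print("session:", monitor_session([COMPLIANT, COMPLIANT, FIREWALL_OFF], POLICY))
    # -> (2, ('firewall_off',))
```

The design point worth noticing is that all three features reuse the same violations() check; what differs is the action taken on its result (tiered block, remediate and re-check, or disconnect mid-session), which is why they can share a single client-side policy definition.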

All of the service provider's Policy Orchestration features will be integrated with the iPass Connect connectivity client.

"Making sure that each user connection is safe is quite challenging," IDC's Germanow says. But iPass has done a good job of making sure those connections are safe for the user and the enterprise network to which they connect, he says.

IPass is not the only service provider to offer integrated policy management tools. In February, competitor GoRemote Internet Communications (formerly known as Gric Communications) also announced a comprehensive policy enforcement security system it calls Total Security Protection. Fiberlink also offers its remote-access customers a brand of integrated policy enforcement. All three offer remote-access services to enterprise users worldwide.

IPass says its Policy Orchestration features will be rolled out over the next several months. The service provider says it is in the process of determining which features will be integrated with its standard Corporate Access service and which add-on services will cost more each month.

IPass to better integrate security

IPass plans to enhance its Policy Orchestration features in four ways by year-end.
Service                  | What it does                                                       | Using
Endpoint self-quarantine | Restricts the PC if it does not adhere to company security policy. | Personal firewall
Dynamic policy retrieval | Automates policy changes for customers.                            | Active Directory
Assessment verification  | Confirms the PC has security patches and updates.                  | Remediation and patch management system
Coordinated enforcement  | Confirms VPN access at the user's network server.                  | Cisco Network Admission Control