At VMworld 2021, we’re excited to announce continuous access controls for Workspace ONE Tunnel.
Continuous access is a key part of a Zero Trust strategy and is the next evolution from conditional access. One of the tenets of a Zero Trust security approach is that not only do you understand the full context around a user, device, application, network, and data, you also evaluate this on a continuous basis. If anything changes and goes outside of policy, access can be revoked immediately.
Today, Workspace ONE Tunnel can interrupt access to applications based on device trust as defined by the Workspace ONE Unified Endpoint Management (UEM) compliance engine. So, if a device ever goes non-compliant per company policy for any posture metrics such as OS version, firewall status, encryption, jailbreaking or the presence of untrusted apps, then Workspace ONE Tunnel will automatically break the connection, preventing unsafe access to enterprise applications.
Soon, Workspace ONE Tunnel will enable smarter app access by leveraging deeper security points. It will provide the ability to associate different policies with different apps and the ability to use Multi-Factor Authentication (MFA) as a remediation factor, delivering robust protection based on Zero Trust principles. Lastly, we want to enable security to be transparent to the user, so when a user’s access is interrupted, they will be notified and can self-remediate without help desk involvement. These continuous access capabilities are expected to be available soon.
Continuous access controls in action
In this morning’s Anywhere Workspace keynote with Shankar Iyer, we shared a demo of how continuous access controls for Workspace ONE Tunnel will work.
Imagine that an employee working from home logs in from a managed device into Salesforce (a highly sensitive application) and Slack (a less risky application). Based on the sensitivity of data involved, the company’s security team has set up different access policies for these applications, requiring different levels of device posture.
Next, while actively working in Salesforce and Slack, the employee decides to disable the firewall to print a document. The employee will immediately get a notification on the device indicating that the Tunnel session established with Salesforce has been blocked due to the detected change in firewall settings that no longer meets the access policy requirements. However, the Slack session is still active since it is a less risky application, with less stringent device posture requirements. As soon as the employee follows the provided remediation steps and re-enables the firewall, the device returns to the required posture for the session with Salesforce, and the session is restored.
In this example, Workspace ONE is constantly assessing the device posture and continuously enforcing policy for access to sensitive corporate data based on Zero Trust security principles.
Learn more
To learn more about Workspace ONE Tunnel, head to the following VMworld sessions and resources:
- VI3130 – Anywhere Workspace Solution Keynote: The Future of Hybrid Work Made Possible Today
- EUS2467 – Zero Trust Based alternatives to a Legacy VPN
- Workspace ONE Tunnel Deployment at the Digital Workspace Tech Zone
