The real Edge in SASE, the Endpoint

The Need for Access

Secure Access Service Edge (SASE) is a modern security approach focused on keeping enterprise users safe anywhere they work and on any endpoint device they use. Zero Trust Network Access (ZTNA) is a foundational part of SASE architecture. However, current endpoint connection technologies rely on either a legacy remote-access VPN or a “clientless” cloud access security broker (CASB) approach that is limited to browser-delivered apps. Neither approach meets the security demands of today’s diverse enterprise environments, where employees use both managed (MDM) and Bring Your Own Device (BYOD) devices. In addition, SD-WAN solutions do not extend beyond the branch office without additional end-user hardware (such as a puck) for remote workers, whether at home or while traveling.

Why a Smart, On-Device Client is Needed on Endpoints

Security should start at the true edge – on endpoint devices. Simply tunneling all traffic off the device to a remote server/cloud isn’t good enough. Here’s why:

  • Tunneling all work and non-work traffic (DNS, web, video) through a VPN tunnel to a server results in slow data performance, creates a large attack surface, does not scale, and increases traffic costs
  • Legacy VPN technology can only split-route traffic by IP range, not by domain or app, and in many cases requires managed-device deployments
  • Legacy VPNs provide limited support for single-factor or multifactor authentication requirements
  • Since CASB only works with browsers, native applications, which can account for up to 90% of mobile activity, aren’t supported

The Mobolize Solution

Powered by the Data Management Engine, Mobolize Access enables security, routing and tunneling from the endpoint client to improve scalability, usability, and performance for SASE services (SWG, DLP, SD-WAN, MiTM, etc.) – with feature parity for all major OSs and equal support for both MDM and BYOD devices.

The Data Management Engine delivered by our on-device client software enables fine-grain capture and precision routing from the client and works seamlessly whether the device is on or off the corporate network. This results in high-performance security with limited impact on the battery, throughput, and app compatibility.

The Benefits of Access

  • Built on a single code base for all OSs, Mobolize Access provides feature parity for all endpoints, enabling SASE solutions for both network access (ZTNA) and/or network protection (FWaaS, SWG, DLP). All apps and browsers are seamlessly supported on all endpoints including Android and iOS smartphones.
  • Security at the real edge – on-device, advanced fine-grain routing that tunnels/manages all apps, including browsers, on all platforms
  • Enables routing necessary for critical use cases, such as selective MiTM at app or domain level (avoids cert pinning issues without tracking IP addresses) and automatic DNS blocking of harmful links for both intranet and internet hostnames
  • Supports modern identity-based apps – applies the SSO authentication/sign-in directly in the packet flow, along with OAuth, which requires an on-device client. Many vendors support MFA but not SSO, and not all that support SSO support third-party identity providers.
  • Any network, anywhere – provides full support for all capabilities regardless of the type of network – Wi-Fi or cellular, IPv4 or IPv6 or dual-stack – operating at Layer 3 (IP flows) through Layer 7 (app-aware path) for any/all data traffic port or protocol
  • Support for the modern employee – provides security and connectivity for any network (cellular or Wi-Fi) on any device (smartphones, laptops, tablets) and any major OS (iOS, Android, macOS, Windows, Chrome, Linux)
  • Intranet and internet safe – allows user flexibility and security when switching between intranet and internet links
  • Supports all employee devices – fully supports MDM and BYOD requirements
  • Cost and latency savings for enterprises – reduces or eliminates the firewall and server traffic that adds to the expense and time of managing data traffic
  • Performance benefits for users – when there is no frustration with battery drain, latency issues, or broken apps, users are happy to stay connected to the enterprise security system on any device

The Result: Employees Are Always Protected and Seamlessly Connected

Access is a higher-performing, more secure solution that improves the end-user experience by protecting and routing company data exactly where it needs to go, while sending non-work activity direct to origin, thus protecting the user against online threats and respecting user privacy.

Use Case

Smart Access at the Real Edge – The Endpoint Device

An enterprise business partner needed to move beyond the ‘Cloud Connector Client’ model and engaged Mobolize to improve performance, reduce the security risks associated with the broad attack surface of a full-tunnel VPN, and gain end-user trust (separation of work and personal data usage). Existing solutions offered per-app routing and split tunneling only on managed devices, limiting their reach. Cloud Connector Clients tunnel all traffic, which raises privacy issues for users, slows down the device and its data, and breaks some apps outright – resulting in end users turning the client on and off, along with challenges in cost, scalability, and the large attack surface they create. The Data Management Engine with Access features, enabled via the Mobolize SDK, delivers precision routing of traffic by app, IP, and domain (no more managing a list of constantly changing IPs) and works without the need for device management (MDM). Privacy of end-user personal apps and browsing is maintained because that traffic goes direct to origin. Business apps and services are micro-tunneled to exactly where they need to go, while everything else runs unimpeded at full speed.
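To make concrete the difference this page draws between legacy IP-range split routing and on-device routing by app, domain, and IP (with DNS blocking of harmful hostnames), here is an added illustration. It is not Mobolize code; the policy tables, app identifiers, hostnames, and addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Flow:
    """One outbound flow as seen on the endpoint (constructed sample type)."""
    app: str             # identifier of the originating app, e.g. a bundle id
    host: Optional[str]  # destination hostname learned from DNS, if any
    ip: str              # destination IP address, v4 or v6

# Constructed sample policy (assumed names, not a real deployment).
TUNNEL_APPS = {"com.example.crm"}                       # always micro-tunnel these apps
TUNNEL_DOMAINS = {"corp.example"}                        # tunnel any host under these domains
TUNNEL_NETS = [ip_network("10.0.0.0/8"), ip_network("fd00::/8")]  # legacy-style ranges
DNS_BLOCKLIST = {"malware.example"}                      # block any host under these domains

def domain_matches(host: str, domains: set) -> bool:
    """True if host equals, or is a subdomain of, any entry in domains."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def in_tunnel_nets(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TUNNEL_NETS)

def legacy_route(flow: Flow) -> str:
    """Legacy VPN split routing: only destination IP ranges are visible."""
    return "tunnel" if in_tunnel_nets(flow.ip) else "direct"

def endpoint_route(flow: Flow) -> str:
    """On-device routing: evaluate app, then domain, then IP range.
    Returns 'block', 'tunnel' (to the enterprise) or 'direct' (to origin)."""
    if flow.host and domain_matches(flow.host, DNS_BLOCKLIST):
        return "block"          # DNS-level block applies to intranet and internet names alike
    if flow.app in TUNNEL_APPS:
        return "tunnel"         # app identity, regardless of where the app connects
    if flow.host and domain_matches(flow.host, TUNNEL_DOMAINS):
        return "tunnel"         # domain match survives changing backend IPs
    if in_tunnel_nets(flow.ip):
        return "tunnel"         # classic private-range match still honored
    return "direct"             # personal traffic stays off the enterprise path
```

Running both functions over the same flows shows where the IP-only policy misses a SaaS-hosted intranet service or a business app talking to a CDN, and where it cannot block a harmful hostname at all.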