Mobile users with devices like iPhones and iPads are creating new challenges and new opportunities for IT. Unless you've been living under a rock, the challenges are probably already pretty familiar to you. Mobile users want to access corporate data (files, presentations, intranet content, applications, and so on) from their devices, so they use tools like Dropbox to create copies on cloud storage so they can at least access files. Voila! You've got a potential nightmare on your hands with risks of data leakage, data coherency problems, and compliance violations.
But of course users don't do this just to make your life more interesting. They have a legitimate need to access corporate information from wherever they happen to be. This is where the opportunity comes in. What if every salesperson could securely access the latest customer presentations and sales information? What if every field technician could immediately access the latest field bulletins and product documentation?
NetApp® Connect—based on technology from the ionGrid acquisition in February 2013—is designed to give mobile users access to the corporate data they need when they need it without having to copy anything into the cloud or store sensitive data on an unsecured mobile device. NetApp Connect provides security, compliance, access to all on-premises content, and pixel-perfect rendering for users of mobile devices.
NetApp Connect: The User Experience
NetApp Connect is ideal for mobile iPad® and iPhone® users because it gives them direct, in-place access to corporate data and documents from home directories, file shares, and Microsoft® SharePoint®. A secure "container" in the mobile device acts like a virtual hacker-proof wall, separating files and applications accessed by NetApp Connect from personal data. This secure container includes a browser that gives users access to intranet resources and applications while all data remains behind your corporate firewall.
If you've ever tried to access a document from your mobile device (and at this point who hasn't) you know that the way a document gets rendered on your device is not always perfect. NetApp Connect eliminates this difficulty by enabling every document viewed on a mobile device to be a pixel-perfect rendering of the original. Fonts, logos, custom colors, and the overall look and feel are preserved to protect brand consistency.
Figure 1) Example showing varying results when viewing a file on a mobile device. Only NetApp Connect provides the same view as the original.
NetApp Connect accommodates four types of users:
- Those who need to consume content (view only). A good example might be a salesperson who accesses and displays the latest presentations for a customer.
- Those who need to download content and view it offline. People on planes are the most obvious example.
- Those who need to comment on content. Connect users can revise proposals, annotate mockups, or comment on presentations using built-in annotation tools.
- Those who need to make edits using other applications. Connect provides "edit-in" and "save-back" for collaboration with others on SharePoint or network shares.
So from the user perspective, NetApp Connect provides simple, direct access to corporate data and documents with pixel-perfect rendering. No more messing around with cloud storage and no more worries about what the document will look like or whether you'll be able to read everything.
NetApp Connect: The IT Perspective
If you've read this far, you probably already see that NetApp Connect eliminates some big IT problems by allowing users to securely access data directly from corporate data centers instead of copying it to the cloud or storing it on unsecured mobile devices. But you're probably asking yourself, "How secure is it, how does it work, and what do I have to do to set it up in my IT environment?"
NetApp Connect is designed around a few key technologies that allow it to meet the needs of both mobile users and IT:
- Deliver the necessary security to protect corporate information.
- Leverage existing infrastructure by using authentication processes, storage, metadata, content management, access controls, credentials, and policies to simplify management.
- Provide a great user experience with consistent performance both online and offline.
Single Sign-On. NetApp Connect provides single sign-on so that users only have to sign on once to access storage, HTML pages, and web applications (subject to defined policies). Your existing authentication workflow is extended to mobile users. We support RSA SecurID, X.509 certificate-based authentication, and numerous single-sign-on and multifactor systems. The same credentials are required for both online and offline work. Neither the user credentials nor the decryption key are ever stored on the device—which is useful in case the device is lost, stolen, or left unlocked.
Figure 2) NetApp Connect overview. iOS devices sign on once to access web apps, web pages, and files. (The Policy Engine can restrict the level of access on a per-user basis.)
Secure Container. We force each mobile device, whether online or offline, to provide a secure container, which maintains the security of your company data. This force field is important to support both bring-your-own-device and corporate-issued device strategies by allowing corporate use to be isolated from personal data and applications. All data is encrypted during transport, and any corporate data stored on the device for offline work (if permitted) remains inside the container in an encrypted state. Each session uses a cryptographically random session ID that is assigned by the Policy Engine when a user authenticates. Physical access to the device is not enough to give someone access to data stored inside the (application) container or to your corporate network. That requires both physical device access with the PIN and corporate authentication credentials.
Policy Enforcement. NetApp Connect gives you fine-grained policy control that allows you to control exactly which actions users are allowed to perform both when they are online and when they are offline. Policy is enforced by the server when online and by the client application when offline. You can create and enforce policies based on things like device location and whether the device is attached to a 3G network or Wi-Fi. For instance, you can disable large transfers over 3G to reduce data charges. Online activities are always streamed to reduce bandwidth consumption.
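To make the session and policy ideas in the two paragraphs above concrete, here is a small added example (constructed for this article; it is not NetApp Connect code and does not reflect its configuration). It shows a default-deny evaluator that could be shared by a server (online) and a client (offline), a per-session random ID drawn from the OS CSPRNG at authentication time, a role requirement keyed on resource prefix, a list of actions allowed offline, and a transfer-size cap that applies only on a cellular network. The knob names, the prefix-based role mapping, and the sample policy are assumptions made for the illustration.

```python
"""Toy online/offline policy evaluator with random session IDs.

Constructed example for illustration; not NetApp Connect's implementation.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

CELLULAR = "cellular"
WIFI = "wifi"


@dataclass(frozen=True)
class Session:
    user: str
    roles: FrozenSet[str]
    # Assigned when the user authenticates; 256 random bits from the OS CSPRNG.
    session_id: str


@dataclass(frozen=True)
class Request:
    action: str          # "view", "download", "annotate", or "edit"
    resource: str        # path-like identifier of the document
    size_bytes: int = 0  # payload size for download requests
    online: bool = True  # False when the client evaluates the rule itself
    network: str = WIFI  # CELLULAR or WIFI


@dataclass(frozen=True)
class Policy:
    # Hypothetical knobs: names chosen for this example, not product settings.
    offline_actions: FrozenSet[str]   # actions the client may allow offline
    cellular_transfer_limit: int      # max download size over cellular, bytes
    resource_roles: Dict[str, str]    # resource prefix -> role required


def open_session(user: str, roles) -> Session:
    """Create a session after authentication; the ID is unguessable."""
    return Session(user, frozenset(roles), secrets.token_hex(32))


def session_matches(session: Session, presented_id: str) -> bool:
    """Compare a presented session ID in constant time."""
    return secrets.compare_digest(session.session_id, presented_id)


def evaluate(policy: Policy, session: Session, req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every rule must pass; unknown resources are denied."""
    # 1. Authorization: the resource must match a known prefix and the
    #    session must carry the role that prefix requires.
    required = next(
        (role for prefix, role in policy.resource_roles.items()
         if req.resource.startswith(prefix)), None)
    if required is None:
        return False, f"no policy covers {req.resource!r}"
    if required not in session.roles:
        return False, f"role {required!r} required for {req.resource!r}"
    # 2. Offline: only actions explicitly permitted offline may proceed.
    if not req.online and req.action not in policy.offline_actions:
        return False, f"{req.action!r} is not permitted offline"
    # 3. Bandwidth: large downloads are refused on cellular, allowed on Wi-Fi.
    if (req.action == "download" and req.network == CELLULAR
            and req.size_bytes > policy.cellular_transfer_limit):
        return False, "download exceeds the cellular transfer limit"
    return True, "ok"


# Constructed sample policy used by the demo below.
DEMO_POLICY = Policy(
    offline_actions=frozenset({"view", "annotate"}),
    cellular_transfer_limit=10 * 1024 * 1024,
    resource_roles={"/sales/": "sales", "/eng/": "engineering"},
)


if __name__ == "__main__":
    s = open_session("alice", ["sales"])
    for r in (
        Request("view", "/sales/deck.pptx"),
        Request("view", "/eng/bulletin.pdf"),
        Request("edit", "/sales/deck.pptx", online=False),
        Request("download", "/sales/demo.mp4", 50 * 1024 * 1024, network=CELLULAR),
        Request("download", "/sales/demo.mp4", 50 * 1024 * 1024, network=WIFI),
    ):
        print(r.action, r.resource, evaluate(DEMO_POLICY, s, r))
```

The same `evaluate` function runs on both sides, which is what keeps online and offline decisions consistent; the offline client simply passes `online=False` and never sees a broader set of permissions than the server would grant. The session ID itself is the only credential-derived value the example keeps in memory, and it is compared in constant time so that a lookup cannot leak which prefix of a guessed ID matched.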
Coherent Access. Advanced Message Queuing Protocol provides encrypted transport between client and server. Data, metadata, and permissions are all checked so that data remains coherent even during concurrent online editing. Offline changes can be integrated into an underlying document at a later time when the user is back online. Web applications and HTML pages can also be made accessible online and offline.
The logical architecture used by NetApp Connect consists of three tiers:
- The Client Tier on the mobile device is responsible for things like on-device security, final rendering, and data transport.
- The Policy Enforcement Tier sends and receives messages to and from clients and applies appropriate cryptography and message routing based on defined rules.
- The Storage Tier provides authentication and access to resources like web servers, SharePoint, and NAS and SAN file content via CIFS and local mount points. Note that the storage tier leverages existing infrastructure like web servers, file servers, and so on.
Figure 3) NetApp Connect uses a three-tier architecture.
When a client application on a mobile device needs to communicate with NetApp Connect, it sends a message that is received by a message broker (RabbitMQ) located in a demilitarized zone outside your company's firewall. The message broker then communicates across the firewall to NetApp Connect.
Installation and Operation
NetApp Connect users download and install the application directly from the iTunes® App Store or your enterprise app store.
On the IT side, you need to install and configure the message broker and the NetApp Connect server. The message broker must be installed such that it's accessible to the Internet and can communicate through your firewall to the NetApp Connect server infrastructure on specific and common ports (for example, SSL 443).
NetApp Connect servers can run on bare metal, but most IT groups prefer to run them in a virtual machine. The NetApp Connect server is implemented with several building blocks (engines):
- Policy Engine (PE) enforces policy.
- Storage Engine (SE) handles authentication, storage, and web access.
- Asset Operator (AO) transforms content for consumption by clients. Recently rendered content is cached for subsequent reuse.
These engines communicate by messages, which makes them distributable and makes the architecture highly scalable. Small installations or pilot projects can operate on a couple of servers or VMs (a single message broker and a single NetApp Connect server running all functions). You can easily scale the infrastructure as requirements grow, even when you've got hundreds of simultaneous mobile users to support.
Figure 4) NetApp Connect scales by distributing engines to numerous servers.
Configuration and management are performed through web interfaces that allow you to easily fine-tune roles and responsibilities. For instance, you can turn web access on or off or create proxy settings to limit access to particular resources such as only allowing Sales to access your field portal and so on.
At NetApp, we're currently deploying NetApp Connect to support the mobile needs of our workforce of over 13,000 employees. We're initially planning on two message brokers, a couple of Policy Engines and Storage Engines, and a set of 8 to 10 Asset Operators. NetApp Connect includes analytics that make it very easy to identify bottlenecks and fine-tune the configuration for optimal performance.
NetApp Connect meets the needs of both mobile users who need better data access and IT teams that need to keep critical business data secure. The technology has been tested by large financial institutions and the U.S. government; both found that our solution offers rock-solid security as measured by the strictest penetration tests. (These tests are used by the largest and most security-conscious organizations to verify security.) Everything is encrypted including offline data stored on the device—both in-flight and at-rest data offer peace of mind for IT organizations. Mobile users can browse your company's intranet without a VPN and without commingling work and personal information.
Naturally, NetApp recognizes that no single product can address every need. That's why we've worked with our partners to make Citrix ShareFile and VMware Horizon available on NetApp storage as well. These solutions complement NetApp Connect and provide additional functionality to meet your needs.