Enterprises generally control heterogeneous resources and can have complex security requirements. These requirements are complicated by the constant interaction of external devices with the enterprise, each placing demands for access to its resources. For instance, employees of an enterprise may carry their own personal mobile devices to work, while clients and visitors may bring in mobile devices for business purposes. Such mobile devices can include (but are not necessarily limited to) mobile phones (including smartphones), personal digital assistants, and laptop or tablet computers; the term “mobile devices” is also used interchangeably herein with “devices”. An enterprise may be defined herein, non-restrictively but interchangeably, as a business, a business concern, a firm, a government agency, a non-profit organization or (generally) a workplace, any or all of which have resources to protect. As broadly understood herein, “resources” can refer to private data, services and/or tangible resources. Tangible resources may include, e.g., hardware such as printers, projectors or other items. Services may include, e.g., web or cloud services. Private data may include, e.g., data found in particular files or databases. Any and all of these items (resources including private data, services and/or tangible resources) can be considered to form at least part of an “enterprise network” as broadly understood herein.
Accordingly, it has not always been easy to strike a balance between functionality and security. While enterprises cannot literally shut down in the face of indeterminate threats, external devices accessing enterprise resources may still carry and spread malware, or be in a position to mount insider attacks. For instance, external devices may be in a position to access and leak sensitive enterprise data. Simple “in/out” policies, which enforce a single boundary or access point, may be overly restrictive and inflexible: harmless devices are denied access, or are subjected to undue intrusion by the enterprise. Other inefficient and unworkable approaches have granted access based purely on identity, or have relied on system administrators to facilitate access manually on a case-by-case basis.