With Remote Work, BYOD Gets Riskier for Enterprises
We’ve been talking about bring-your-own-device (BYOD) for a long time. For me, the first iPhone, which I purchased for personal use, ended up transforming my work life – sorry, my beloved BlackBerry! And thank you, Steve Jobs! While there are productivity benefits to letting people use their own devices for work, there are security challenges that come with the territory. IT teams have struggled for years to mitigate the risks of BYOD, with limited success. And that was when people actually worked in an office, where pushing software updates and requiring vulnerability scanning was easier. Today most people are working from home, and most CFOs plan to keep more people working remotely after the pandemic. Outsourcing work to contractors is also at an all-time high for enterprises. It is fruitless for IT teams to try to control what happens on those endpoints: for the most part, people manage their own hardware and software. Zero Trust Security, which most enterprises have adopted, is impossible if it relies on securing the myriad laptops, smartphones and tablets people use every day.
The Hallmarks of Zero Trust BYOD
So what’s a CISO to do? Remote workers, whether employees or contractors, must have fast, easy access to the applications and data they need to do their work. But the traditional approach to security, trust but verify, is outdated and downright dangerous in today’s world, and trusting people is riskier still, especially contractors. Contractors may have little sense of loyalty to the business; they come and they go, and their awareness and discipline around securing IP and sensitive data may not be strong. Occasionally a bad actor intends to do harm.
And what about the diligent employee who just did not realize that her 6-year-old was playing with Mommy’s laptop and inadvertently downloaded malware? Yikes. Good people do dumb things sometimes!
To mitigate the risk, the endpoints people use for access simply cannot be trusted. In a Zero Trust Security environment, the same philosophy, trust no one, extends to anyone accessing the company’s apps and data, whether employees, contractors or partners. That is a lot of personally-owned devices to worry about. Since you cannot control those devices, stop trying to secure them and instead design access so that nothing sensitive depends on their integrity. The steps below are what we recommend to ensure that everyone inside and outside the organization can securely access the apps and data they need.
Control Your Data Footprint with Cloud Desktops
Controlling your sensitive data is a top priority. IT leaders supporting physical desktops and workstations face a daunting challenge keeping sensitive data safe, especially in this era of mandatory work-from-home directives and remote contractors, because it is almost impossible to control the device people are using, even when it is corporate-issued. To achieve Zero Trust Security, you need to stop depending on the security of the physical PC.
Virtual desktops have long been known for improving security, because data is centralized in the datacenter rather than distributed across endpoints that are at risk of loss and theft. The caveat is that the endpoint still renders the data on screen, so the session-level controls discussed below (printing, screenshots, clipboard, uploads) remain essential. Organizations that still run on-premises virtual desktop infrastructure also have an opportunity to move to cloud desktops to strengthen security and reap enormous business benefits as well.
The Workspot Enterprise Desktop Cloud Platform is inherently more secure than traditional VDI, physical desktops and other cloud desktop solutions. Unlike other solutions, our architecture separates the control plane from the data plane. This is a critical security property: your sensitive data never leaves your security boundary, for example by traversing the cloud desktop control plane or other third-party services (see more below on the Principle of Least Privilege, or POLP). Users access apps and data directly in the cloud or on-prem. Layered security capabilities across the Workspot Client, Workspot Control and the public cloud vendor form a strong foundation.
When you combine the Workspot Enterprise Desktop Cloud platform with the security capabilities of Google Cloud and Microsoft Azure, end user computing becomes more secure than other approaches. The key to enforcing Zero Trust is continuous monitoring and validation of multiple end user attributes, including user identity, endpoint type, network characteristics and more. With Workspot, you can monitor and manage all your users from a single console, giving you a global view of the implementation. Additionally, Workspot’s Network Operations Center plays a key role in identifying potential risks by leveraging Azure Security Center (ASC) and Google Cloud Security Command Center features to obtain deep visibility into all activity in the desktop subscription. This enables Workspot to monitor security for all Workspot assets running on public clouds.
Enforcing Zero Trust is a great reason to move desktop workloads to the cloud with Workspot!
Employ Multi-Factor Authentication
In a Zero Trust world, you must assume that every attempt to access your corporate data is a threat, and since passwords are easily stolen these days, single-factor authentication just isn’t good enough. MFA is essential whenever there is data to protect. Not all second factors are equal, either: push approvals and one-time codes can still be phished in real time, so prefer phishing-resistant methods such as FIDO2 security keys where your identity provider supports them. Workspot was built for enterprise deployments, and among many other enterprise capabilities, that means we integrate with the authentication systems you may already use or are evaluating. The majority of our customers use Azure AD, Azure MFA, Okta, Duo and/or PingID.
Principle of Least Privilege
Select a vendor who is committed to POLP. Workspot’s cloud-native architecture allows us to deploy cloud desktops, apps and workstations in a way that protects PII and your corporate data. When evaluating cloud desktop vendors, you need to have an architecture conversation. We made a critical architecture design decision when we separated the control plane from the data plane. In practice, this means that once the user has been authenticated and the session is established, the user accesses virtual resources directly from the cloud. Unlike other vendors’ solutions, our customers’ application data does not enter, nor is it ever stored in, our control plane. It stays tucked away in the customer’s Google and/or Azure instance. Be precise about what this separation does and does not buy you: the control plane still brokers authentication and session setup, so it remains part of your trust boundary for access decisions and availability, but it never holds your data, which limits what a compromise of it could expose. In the context of Zero Trust, trusting no one, either inside or outside the organization, includes not trusting the vendor running your virtual desktops!
Grant Access Precisely
Grant each user only the access they need to perform their work. That grant can be contextual, with the level of access changing as the user’s conditions change, or conditional, with access permitted only under very specific conditions.
You must prove a user’s identity and then grant access based on the context of the user’s situation. What is the user’s role? What do they need to accomplish? Where are they located? What device are they using? What network are they on? Based on this context, IT can set and enforce policies on the actions the user may take. Should they be allowed to print? Take a screenshot? Upload a file from this device?
Workspot also lets IT teams limit access to a specific condition. For example, IT can specify that a group of offshore developers in Singapore may only ever access three applications, and only from a Windows 10 device running the latest OS version. The finance group in New York may have access only to SAP; for that they do not need a full cloud desktop and can reach the single app through an HTML5 browser client, which improves security and reduces cost. Granting precise access simplifies end user computing and shrinks the attack surface.
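A minimal policy engine for the contextual and conditional grants described in this section and for the attribute validation described under continuous monitoring above, as an added example that is not Workspot’s code or part of the original post. The rule set (an offshore-dev group in Singapore limited to three apps from Windows at or above a given build, a finance group in the US limited to SAP over HTML5), the attribute names, the constructed users and the action matrix are assumptions for illustration; "latest OS version" is modelled as a minimum build that the policy owner is assumed to keep current, and anything not explicitly granted is denied.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Context:
    """Attributes verified at session time: who, from where, on what, over which network."""
    user: str
    group: str
    country: str          # ISO 3166-1 alpha-2 from geolocation or an IdP claim
    device_os: str        # "Windows", "macOS", "iOS", ...
    os_version: str       # dotted build string, e.g. "10.0.19045"
    device_managed: bool  # enrolled in MDM/EDR, as opposed to a personal BYOD device
    network: str          # "corporate", "home" or "public"


@dataclass(frozen=True)
class Rule:
    """Conditional grant: a group may reach these apps only while every condition holds."""
    group: str
    apps: FrozenSet[str]
    countries: FrozenSet[str]
    device_os: Optional[str] = None       # None: any OS
    min_os_version: Optional[str] = None  # None: any build; assumption: owner raises this for "latest"
    delivery: str = "desktop"             # "desktop" (full cloud desktop) or "html5" (single app)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    delivery: Optional[str] = None
    actions: FrozenSet[str] = frozenset()  # session actions permitted in this context


ALL_ACTIONS = frozenset({"print", "screenshot", "clipboard", "upload"})

# Constructed rule set (assumption): only these two groups are known to the engine.
RULES: Tuple[Rule, ...] = (
    Rule(group="offshore-dev", apps=frozenset({"git", "jira", "ide"}), countries=frozenset({"SG"}),
         device_os="Windows", min_os_version="10.0.19045"),
    Rule(group="finance", apps=frozenset({"sap"}), countries=frozenset({"US"}), delivery="html5"),
)


def parse_version(version: str) -> Tuple[int, ...]:
    """'10.0.19045' -> (10, 0, 19045) so builds compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def actions_for(ctx: Context) -> FrozenSet[str]:
    """Contextual grant: the same user keeps fewer session actions as device and network get riskier."""
    if ctx.device_managed and ctx.network == "corporate":
        return ALL_ACTIONS
    if ctx.device_managed:
        return frozenset({"clipboard", "print"})  # managed device off-network: no upload, no screenshot
    return frozenset()                              # personal device: view only, data stays in the session


def evaluate(rules: Sequence[Rule], ctx: Context, app: str) -> Decision:
    """Default deny; the first rule whose every condition matches grants the app plus contextual actions."""
    reason = f"no rule grants {app!r} to group {ctx.group!r}"
    for rule in rules:
        if rule.group != ctx.group or app not in rule.apps:
            continue
        if ctx.country not in rule.countries:
            reason = f"location {ctx.country!r} not permitted for {app!r}"
            continue
        if rule.device_os is not None and ctx.device_os != rule.device_os:
            reason = f"device OS {ctx.device_os!r} not permitted for {app!r}"
            continue
        if rule.min_os_version is not None and parse_version(ctx.os_version) < parse_version(rule.min_os_version):
            reason = f"OS build {ctx.os_version} below required {rule.min_os_version}"
            continue
        return Decision(True, f"granted by rule for group {rule.group!r}", rule.delivery, actions_for(ctx))
    return Decision(False, reason)


if __name__ == "__main__":
    # Constructed users: a contractor on a personal Windows laptop at home, and a finance user on a managed PC.
    dev = Context("alice", "offshore-dev", "SG", "Windows", "10.0.19045", device_managed=False, network="home")
    fin = Context("bob", "finance", "US", "Windows", "10.0.19045", device_managed=True, network="corporate")
    for ctx, app in ((dev, "git"), (dev, "sap"), (fin, "sap")):
        print(ctx.user, app, evaluate(RULES, ctx, app))
```

Two design points carry over to any real implementation: the decision must be re-evaluated when context changes mid-session (a laptop that roams from the corporate network to a hotspot should lose its upload and screenshot rights), and every deny carries a reason so the monitoring console can show why a user was refused rather than just that they were.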
The security and business continuity benefits of the Workspot Enterprise Desktop Cloud platform are compelling. Take the next step to explore how you can better protect the company’s sensitive data; schedule a demo and let’s talk through your unique requirements and how cloud desktops address them.