Cyber Security

Don’t throw out your prohibited thumb drives: Liberate your workers who need more IT freedom

Published

on

The Unofficial Law of Endpoint Security Proportionality: The security measures taken to protect an employee’s endpoint are proportionate to the proximity of the employee to the company’s most valued assets. Or, put in simpler terms, the more closely an employee works with a company’s crown jewels, the more essential it is to virtually eliminate the possibility of an endpoint security breach.

The Curse of the Dual Laptops

At many companies, workers who need to access vital corporate assets or sensitive customer data are used to having workstations that are heavily restricted in terms of what the end users can do on them:

  • No free-range web browsing
  • No access to risky or questionable email attachments
  • No downloading, installing, and running third-party applications
  • No admin rights for developers or power users to the machines they work with
  • No use of portable hard drives (thumb drives) to transfer data from one endpoint to another

There are some scenarios where this highly restrictive environment is appropriate — call center workers, for example, can often effectively do their jobs without engaging in the above activities and by using non-persistent virtual machines that always revert to a pristine state upon boot-up. For so many others, however, like developers, human resource staffers, financial systems administrators, operations personnel and others, a normal day’s workflow can include many, if not all, of the above locked-down activities while also centering around vital corporate assets that must receive the highest level of protection.

The solution often employed involves restricting the use of a company-provisioned endpoint to just this highly sensitive corporate work and then relegating all other activities to a completely separate machine. Taking this dual-laptop approach of isolating work with high-value company assets from everything else an employee might do in the course of a normal day has been considered one of the surest ways of protecting corporate assets. This is the predominant model among contractors, too, who are likely to carry multiple laptops in order to do the work of their client on one machine while waiting until they can switch devices to take on the work of their employer.

All this switching between endpoints is a workplace productivity problem. Having to use two different machines — one for highly sensitive tasks and another for other essential but less secure activities — greatly curtails operational efficiency. Further, without the right security measures in place, even limping along with a dual endpoint strategy can leave enterprises at risk of falling victim to cybercrime. When workers try to move data from a governed device to a non-governed device, corporate assets move outside of the corporate domain where they are no longer protected.

Endpoint Vulnerability: Corporate Attack Surfaces Are Expanding

Endpoints have long been known to be the source of the majority of corporate security breaches. Estimates from before the pandemic pegged the endpoint as being responsible for upwards of 70% of all breaches. Endpoint security spending has increased year-over-year, too, but this is just an arms race. Bad actors know that compromising an endpoint with malware is a direct route to a company’s invaluable data.

Now, with the paradigm shift that the pandemic has induced, so many people are assuming that expanded remote work is going to be the way of the future. They’re likely not wrong. For IT organizations, the prospect of remotely managing exponentially greater numbers of devices can be more than just a headache. For end users, needing to rely on technology to fill in the gaps for face-to-face communication when their IT freedom is severely limited is an express trip to frustration. For CISOs and the rest of the executive suite, this expanded attack surface is the stuff of nightmares. And for the bad actors these executive leaders are worried about, the massive shift to remote work is a bonanza.

Supporting Distributed Teams in the Post-Pandemic Business World

The world is not yet beyond the COVID-19 pandemic, but IT organizations should be well beyond their initial responses to the shutdown of in-office work. Over the course of the past year, every company that could enable distributed workflows found a way to do so. For workers requiring privileged access and others whose work was less sensitive, COOs and CIOs enabled remote work by whatever means seemed to be most immediately accessible, even if the short-term strains on IT resources and CapEx and OpEx budgets were severe.

For many companies, this meant dramatic scaling of virtual desktop infrastructure (VDI) or desktop-as-a-service (DaaS) solutions. VDI and DaaS have been around for years now, with most large enterprises having invested in one or the other (or both) for at least a subset of their employees. With the overnight push to work from home, upping the ante on these legacy remote work solutions seemed like the obvious play.

And it was… at first. But while these remote workspace approaches provided a short-term fix and a surface-level solution, expanded VDI and DaaS deployments exacerbated some inherent problems that are common across enterprises utilizing these approaches:

  • VDI utilizes company-owned infrastructure and often involves complicated deployments. User experience degrades, too, when backhauling saps bandwidth and lag time increases.
  • DaaS can suffer similar problems with lag time causing poor user experience, especially when running intensive workloads or working in low-bandwidth environments. Further, virtual desktops are inaccessible when users are offline.

In all cases, the greater number of remote workers increases the threat exposure companies are facing. Some have turned to web isolation, which operates on a simple concept: Move Internet activity away from a company’s local networks and infrastructure and allow users access to the web via a browser application running on a locked-down virtual machine in the cloud. Browser isolation has its merits, but it only solves a small part of the endpoint security problem because it only covers a narrow range of typical worker activity. There are too many other ways to infiltrate the endpoint and therefore the company network.

At this point, companies should be looking to institute a much more mature and complete solution for supporting remote collaboration while ensuring corporate security — one that maximizes IT freedom for workers and promotes operational efficiency while minimizing the company’s threat exposure.

Accelerating Digital Transformation with Isolated Workspaces

Just as COVID-19 forced a new way of thinking about remote work, there’s an opportunity for a different sort of paradigm shift — one that changes the way we think about establishing secure workspaces. Workspace isolation — splitting a single endpoint device into higher-risk and lower-risk isolated environments so users can work freely without compromising security — is an approach whose time has arrived, and it’s the answer to the dual-laptop conundrum.

Workspace isolation establishes a separate, virtual operating system on a user’s endpoint. The notion that a single laptop or workstation can accommodate multiple operating systems, preserving a pristine environment for sensitive corporate work while relegating higher-risk activities (including accessing third-party content) to the other environment is a new concept for many.

The beauty of workspace isolation is that the behavior of the workspace is managed from the cloud, while the VM workload is running locally on the user’s machine. For the IT administrator, remote management is the key feature, allowing for instant provisioning of an additional hypervisor-isolated operating system, splitting the physical device into two environments. For the worker, the user experience is native, free of the lag and bandwidth issues that can plague legacy VDI and DaaS solutions, and free of restrictions on activities they need to engage in to do their jobs. And for executive leadership, isolated workspaces offer peace of mind in knowing that endpoint security is greatly amplified even as the number of remote workers jumps by an order of magnitude.

Workspace isolation, with its ability to protect company networks and assets from cybercriminals preying on workers whose normal business activities include accessing sensitive corporate resources, ushers in true digital transformation. Isolated workspaces liberate all workers to utilize their endpoints to their greatest capacity, while empowering IT organizations to respond with agility to the wide fluctuations in demand for secure remote workspaces the business world is sure to continue seeing now and into the future.  

Source: https://www.securitymagazine.com/articles/94765-dont-throw-out-your-prohibited-thumb-drives-liberate-your-workers-who-need-more-it-freedom

Click to comment
Exit mobile version