Not all WFH solutions are created equal.

By Neil Ashworth

What IT security considerations need to be made during COVID-19

During the current COVID-19 global pandemic many companies are considering methods by which they can empower their employees to continue to work from home (WFH).

These methods could be as simple as allowing access to a corporate server via an IPsec Virtual Private Network (VPN) tunnel. Or there could be no VPN access at all, with communication between the employee and the company conducted exclusively via email, instant messaging services like Slack™ or video chat services like Zoom™.

More mature IT departments might be deploying or extending their existing Virtual Desktop Infrastructure (VDI) or adopting a cloud-based Desktop as a Service (DaaS) solution, or, as these technologies have collectively come to be known, End-user computing (EUC) solutions.

When it comes to assessing each solution's merits for your organization, the ability to secure the endpoint has to be considered. Now, if your organization has no need for secrecy, or can tolerate the loss of data for extended periods or, indeed, permanently, then security might not be high on your list of priorities when considering what method to employ as part of your WFH strategy. However, I know very few companies where the loss of data would be considered a minor event.

It is reasonable to assume that some less experienced IT departments would, during this time, surmise that the best execution of this strategy is to allow remote employees to bring their own device (BYOD) and perhaps, for the more security-conscious businesses out there, connect to the corporate network via a Virtual Private Network (VPN). The advantages (at first glance) seem compelling:

  1. Cost-saving: 
    No initial outlay for all those company-issued laptops, complete with software licenses for the most basic of operations like document writing and performing spreadsheet activities. Not to mention eliminating the cost of setting up those machines with directory service authentication and removal of distracting applications like Solitaire or Pinball wizard (many an hour I have lost on such activities!) 
  2. Morale: 
    Employees like using something familiar. Perhaps you might incentivize the use of BYOD by way of a stipend, another perk for the would-be participant of this program. 
  3. Productivity:
    I am slightly dubious if productivity is indeed increased by allowing a BYOD strategy, but I have heard that familiarity with the folder structure and existing applications on the device might increase the efficacy of the remote employee.

The weight of these "advantages" has to be measured against the potential for risk. I believe there are major security liabilities in this method if it is not given the due care and consideration that it deserves. This due diligence is often costly to implement: it requires more sophisticated security solutions, architecture, assessment, and continuous monitoring. To address some of the concerns with the above strategy, let me again put them into a list:

  1. Malware:
    Probably the most salient concern for me as a Security Architect is that of malware (shocking, I know). Allowing the remote worker the freedom to use their own device is a ticking time bomb. Just imagine the types of applications they might have run in their downtime: peer-to-peer file sharing like BitTorrent, Vuze, uTorrent, etc. Furthermore, browser activity is more difficult to restrict with a BYOD strategy (not that I support such Orwellian corporate oversight), but blocking harmful URLs is a legitimate IT security strategy.
    In short, how are you, as an IT dept, able to ensure sufficient protections against phishing and implement endpoint security with antivirus and antimalware? How will you address the lack of visibility into version control? I.e., how can you be sure they’re not using Windows XP with Java 8? Obviously I could go on here, but I think I’ve scared you enough.
  2. Exit procedures and DLP: 
    How can you be sure that the remote worker hasn’t copied the entire HR or accounting folder prior to their exit? What Data-loss Prevention (DLP) or data recovery capabilities can you implement? I.e., how will corporate documents and data be retrieved from the remote worker's device, not just in the event of termination but also after inadvertent disclosure? If you issue machines, how will those machines be recycled for new employees or disposed of securely?
  3. Support
    “Hello, IT. Have you tried turning it off and on again?” - ‘Roy’, The IT Crowd. All joking aside, support issues are commonplace in an office environment, which is one where you’ve got maximum control. Support for a BYOD with a VPN strategy has to cover multiple operating systems, each with multiple and varying applications. What about licensing? Patch management? And what about the latency that will inevitably be observed by reaching across a network of various inconsistent speeds to a back-end corporate database?

If I were to distill my concerns into a single issue, I would like to take a look at the risk of malware in a BYOD strategy versus EUC. Before we do, however, I'd like to take a moment to emphasize what I see as the biggest attraction to Advanced Persistent Threat (APT) actors, and therefore one element of the security strategy that can be negated, thus removing it as a threat vector: data persistence.

When data is stored on an endpoint in a persistent state, it will undoubtedly accumulate, and the value of that data increases over time. EUC technologies can come in two consumable formats: persistent, i.e. the environment and data are maintained throughout the process of power cycling, and non-persistent, where the environment is blown away after the user logs off.

For those now considering EUC solutions who 1) do not have existing VDI infrastructure and 2) can accommodate it, impermanence, or non-persistence, is a more attractive temporary solution. If we take a quick look at one of the more prevalent kinds of malware that afflict companies today, encryption malware (file-encrypting ransomware), we can potentially anticipate the threat vectors and architect a solution of avoidance.

Encryption malware is typically downloaded onto a host machine by a user opening an attachment (phishing) or clicking a spurious URL. Background activity then ensues whereby the malware either lies dormant, immediately begins to try to spread itself via common ports and protocols, or searches for files and folders to begin encrypting with strong military-grade encryption. After this process is completed, in order to try to extract money from the target, the perpetrators display instructions to the end-users telling them to pay a ransom, typically by means of a cryptocurrency like bitcoin.

BYOD strategies clearly, given the caveats discussed above, fare poorly against these types of attacks since control is relinquished by the IT dept in favor of simplicity. Even recovery strategies are negated by such a WFH deployment since we have no method to reliably and predictably back up the lost data. 

Persistent EUC, with its ability to deploy a controlled desktop environment, is much more resilient to these types of attacks since the IT dept now has granular control on the applications deployed to the end-user, including version control, patch management, and secure connectivity.

Non-persistent EUC provides yet more protections for those capable of adopting such a framework, as the data exists in an impermanent state removing the desire for a threat actor to attempt to compromise such a system. Or if they do, the impact on the organization is minimal as the environment can be blown away and another takes its place with a new IP address and authorization credentials.

If you are currently a Nutanix™ customer, you may already be using us for VDI, perhaps also with our fantastic partner Citrix™. This has long been a critical workload for Nutanix and our performance with it has been well documented; however, scale might now be an issue with which you have to wrestle given the current urgency to deploy more workstations. This is an instance where you should speak with your account representative so we can properly manage expectations for the acquisition of more nodes.

Desktop-as-a-Service (DaaS) is one way you can eliminate all of the concerns listed above with simple BYOD and VPN strategies while also allowing those same workers access to a corporate-created environment via a web browser. Xi Frame™ is a Nutanix™ DaaS solution that supports 1-click desktop instances on AWS, Azure and the Nutanix™ private cloud. This intelligent digital workspace can be configured to meet your requirements and rapidly scaled to any size, meeting the demands and urgency of mass WFH mandates. One more great thing about Xi Frame™ is you can try it right now and deploy it within minutes.

If this article has sparked an interest in exploring some of these EUC strategies, you can start a test drive, begin a free trial or just read more information. Visit: https://www.nutanix.com/in-this-together

© 2020 Nutanix, Inc. All rights reserved.