How Vodafone’s End-User Computing Strategy Keeps Remote Workers Connected

Vodafone’s lead architect for remote access describes how virtual desktop technology leverages hyperconverged infrastructure and public cloud to empower the telecom company’s large, highly distributed workforce.

By Stan Gibson April 10, 2020

As businesses worldwide reel from the COVID-19 outbreak, many are looking for proven technologies to keep remote workforces connected to critical business operations. One example in the large enterprise is Vodafone, which relies on virtual desktop technology running on highly scalable hyperconverged infrastructure (HCI) and public cloud.

The $62B UK-based telecommunications provider’s virtual desktop infrastructure (VDI) serves approximately 50,000 concurrent employees scattered across a wide range of corporate locations in a number of different countries. Faced with the unprecedented strains of a pandemic, that implementation is now providing a high degree of resilience and reliability.

“Many of our Vodafone retail stores and shops across the globe are closed or will have to close soon,” said Michael Janssen, lead architect for remote access at Vodafone. “Contact center functions for our customers are shifting more and more to work-from-home scenarios.”

Traditional security models alone are no longer effective, warns Wyatt. When cyber attackers get past corporate firewalls, as in the Target breach, they can move slowly and quietly within the environment undetected.

The best way to reduce this risk, said Wyatt, is to secure the data itself, so that no matter where the data travels and who has it, it can be locked down and protected.

Laying the Right Foundation for a Secure Environment

Before Wyatt was able to secure his networks and data, he needed to lay the foundation for a single secure environment. Given his overall 28-year background in technology, a Bachelor's in MIS, a Master's in IT and Cyber Security, a combination of 16 years in IT Audit, Financial Audit, State Audit computer investigations, and audit IT infrastructure management, along with certifications in CISSP, CISA, MCSE, CCNA, CCSA, CEH, CHFI, and Azure foundations, Bill had the appropriate expertise to know what he needed to accomplish in his new role.

“When I first came to where I am working now, there was plenty of opportunity for improvement, which is not unusual when working with state government entities, especially during challenging economic times when entities may have limited funding through State appropriations,” he said. “Initially, I had to take a shotgun approach and implement controls and band-aids to bridge immediate gaps. I've been working, and building a rock-solid IT team, since day one, to whittle that away and simplify, consolidate, innovate, and keep cutting edge as much as reasonable. At the same time, I’m hoping to save costs while improving services, availability and security.”

Prior to being able to set up and manage the security framework needed to secure data across federal and state, Wyatt had to move to a cloud-based infrastructure to give him the flexibility, cost savings, agility, security and services he needed to execute a comprehensive ZTA security plan.

“While locally I had strong support to move to a cloud-based infrastructure, there was no shortage of red tape outside, especially at the state level,” he said.

“It took me two to three years to get through most of the red tape. Once I was able to quantify the risk regarding $28 billion in assets, and provide clear and concise information regarding risk, we finally got buy-in at the state level that was needed. Providing that clear picture of risk to state leadership was critical in removing that red tape. We simply could not put the complete set of security controls in place with the way it was architected. Since then, from an on-prem hybrid infrastructure perspective, we have settled on Nutanix, at the core.”

Wyatt has relied on Nutanix software since 2015 and is moving to HPE hardware running Nutanix. In addition to gaining cost savings from moving off of VMware, Wyatt moved all support under Nutanix in order to have a single point of contact for all issues.

“Now we don’t have to go all over the place to other vendors to get the support we need,” Wyatt said. “They are going to handle all the tiers in one place under the Nutanix hypervisor.”

Once he had set up a cloud-based infrastructure, Wyatt could focus his attention on securing all the data across his network, and he leveraged the ZTA concept to get there.

Strong User Identity, Device Validation are Core to ZTA

“Zero-Trust Architecture (ZTA) for me has a few major components,” explained Wyatt. “First and foremost is the user identity. Our goal was to harden that identity and have confidence in it. If controls and mechanisms around identity management aren’t strong, it puts at risk everything else.”

In addition to focusing on user identities as the first layer of ZTA, Wyatt wanted to ensure devices that are connected to the network are validated and only approved to access data on a need-to-know basis.

“We are looking at the devices that are connected to the network, as well as the health of such devices to ensure they are validated before connecting,” he said.

“We need to validate those machines before they are onboarded and connected to the environment. We use conditional access and MFA (Multi-Factor Authentication) as part of that in our environment. All the data that is architected in our environment has been designed around a need to know.”

In the end, it is all about protecting all forms of data. If ZTA is applied at the data/file level, protecting the frontier of the network becomes less crucial and concerning.

“While those are the major components of ZTA, it is all about the data,” Wyatt said. “The data should know who is supposed to be accessing it. The ability to control that data throughout its lifecycle is what I care about.”

“If an employee has moved to another job, they cannot authenticate and open protected data that may have found a way out of the environment via thumb drives or other personal cloud services,” Wyatt explained.

“We need the capability to prevent unauthorized access to all that data when employees leave, no matter when or where they put it,” he said. “The information protection is tied to the files themselves. Not to the structure of the environment, or the folders.”

For Wyatt, ZTA is a core strategy for strengthening the network by focusing down to file-level security. He embraces ZTA and hopes, in the coming months, to finish evolving totally away from passwords, one of his remaining risk reductions. Hardware FIDO 2.0 token-based solutions provide a great improvement to identity management. MFA and other controls are in place today and do a great job at identity management risk reduction. These controls are very important and timely for emerging programs such as the office's new Remote Work from Anywhere program.

“We don’t have VPN at all,” he said. “There is no outside access whatsoever into our local network. No wireless access into our environment. We do have wireless, but it is a completely separate environment. We are testing passwordless right now; we are close to being fully passwordless. That is something we are really focused on, which is eliminating risk and threats from password use.”

Brian Carlson is a contributing writer. He is Founder of RoC Consulting and was Editor-in-Chief of CIO.com and EE Times. Follow him on Twitter @bcarlsonDM.

© 2020 Nutanix, Inc. All rights reserved.