App controls are turning workspace-as-a-service into a BYOD security enabler
- 05 May, 2015 10:40
Companies may have been delivering work desktops to remote users over the Internet for many years, but many organisations are only now discovering how effectively remote-desktop technology can be leveraged to improve the overall security of the new workspace as a service (WaaS) paradigm.
That paradigm was already showing strong growth as a way of enabling workers to access their work desktops from home – but with tablets and smartphones now commonly used for remote access as part of bring your own device (BYOD) strategies, that growth has accelerated even further. Today's employees have become accustomed to accessing their workspaces from wherever they happen to be, on whatever device they are sitting in front of.
Yet while this capability offers unparalleled flexibility for employees, it's also creating new challenges for IT and security managers, who are being charged with establishing and maintaining effective security protections on workspaces that are inherently less contained and predictable than they were in the past.
Indeed, today's workspaces are frequently as much assemblages of software-as-a-service (SaaS) Web apps as they are a projection of a remotely-hosted Windows desktop and Windows applications. The new WaaS paradigm “provides added service opportunity in terms of not only delivering desktops and Windows applications, but in delivering a complete workspace,” explains David Nicol, ANZ director of Workspace Services with Citrix.
“We can give users a simple way to access Windows applications, SaaS applications, and native iOS or Android applications, to remain productive wherever they are,” he continues. Data, once stored safely back in the corporate data centre, might instead reside in any number of online cloud-storage sites – outside of the control of corporate IT staff. “That then presents additional security challenges,” Nicol says.
Secure file sync and sharing technology, like Citrix Sharefile, is therefore also an integral part of the WaaS proposition.
Security through control
Because of the number of elements that might be contained in any particular workspace, organisations implementing WaaS environments need to consider how they can be locked down to ensure that corporate data isn't simply lost to the world after being freed from the protections of the corporate network.
One highly effective answer, Nicol says, has been to leverage the granular application controls built into a platform like Citrix XenMobile and Netscaler. Using this approach, users can be given access to remote desktops and applications on any device, but IT administrators can block or limit the functionality in specific scenarios to prevent BYOD from compromising corporate security controls. Those controls can not only specify the types of behaviours that users can undertake in each app – for example, preventing users from printing or copying data from a particular app – but can also relate to characteristics of the user's connection.
This means, for example, that a particular app can be blocked if the user is accessing it through a Wi-Fi network other than the one at a particular branch office. Printing can be limited to devices on the office network to ensure that all hard copies of sensitive documents can be tracked. And access to sensitive healthcare applications, for example, can be blocked if the user is physically outside of the hospital.
“We've taken what has been a strong heritage of security and application delivery,” Nicol explains, “to ensure that – as we expand to mobile device management, mobile application management and delivery of file and data services – we have the same security orientation to our workspace-as-a-service that includes all of those capabilities.”
A more secure architecture
WaaS architectures offer still other security benefits: for example, the ability for system administrators to apply security patches – a fact of life in every desktop and server computing environment – across every hosted desktop or application at the same time.
This capability addresses an ongoing problem in most corporate IT environments: the lack of compliance to what should be strict patching regimes that prevent compromise from newly discovered vulnerabilities.
Despite some signs of improvement, patching remains notoriously difficult, with even remediation of major bugs like 2014's Heartbleed vulnerability stalling after an initial burst of patching activity. Recent research suggests nearly 7038 new vulnerabilities were discovered in applications and operating systems during 2014 – including 1705 vulnerabilities marked as being of high severity.
With new vulnerabilities being discovered all the time, the threat to companies remains very real – especially with Microsoft set to discontinue patches and technical support for its popular Windows Server 2003 operating system in July.
Microsoft has argued that the need to upgrade to newer versions of Windows Server offers a great opportunity for organisations to commit some or all of their infrastructure to cloud services. This recommendation offers strong support for the WaaS vision and improves overall security by centralising what has often previously been dozens of physical servers, each at different levels of patching and security protection.
“There's a whole range of considerations where the customer needs to look at their security posture and the sensitivity of certain data and applications before making these choices,” Nicol says.
Small business, big improvements
Service providers, he adds, are uniquely positioned to add value to the WaaS proposition by facilitating the creation of consolidated or hosted server farms, seamlessly feeding hosted and secured workspaces to a variety of end-user devices.
This approach is particularly valuable to small and medium businesses (SMBs) that often lack IT teams large enough to drive such change themselves.
“Small businesses don't have the luxury of a CSO or dedicated security staff to design, implement and monitor policies across this range of applications and operating systems and devices,” Nicol says.
“Getting it delivered as a service from service providers that have the capabilities, understand the security policies and can agree with the customer what is the right security posture for them to take, is a strong value proposition.”
Yet for all its benefits to the administration of IT, WaaS can sometimes come up against the biggest obstacle of all: users themselves. Now empowered by the Internet, users are showing time and again that they won't hesitate to choose their own solution if corporate IT providers aren't offering one that they like.
The key to keeping control in such a situation, Nicol says, is to ensure that the WaaS environment is functionally appealing enough – balances security with usability, for example – that users want to use it.
“If IT don't provide functionality that is equal or greater to what consumers can get in the consumer marketplace, they will use their own products,” Nicol says. “The key is to deliver this functionality in a way that is still controlled by IT policies.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.