CIO

Governments reaping security dividends from early action on virtual desktops

They may have originally embarked on thin-client rollouts for remote access, but government agencies' early acceptance of virtual desktops has proved prescient as security models are challenged by growing use of mobile devices and cloud services.

Those services are rapidly becoming part of the technology arsenal for government agencies of all types – particularly those requiring rapid setup of large numbers of computers, whether as a disaster recovery (DR) policy or to ensure business continuity in the event of natural disasters.

The Department of Human Services, for example, used thin-client technology to deliver services to staff using mobile and fixed devices – allowing them to rapidly deliver relief services to victims of Brisbane's recent destructive floods.

More recently, Citrix technology played an integral role in supporting the high-profile G20 Brisbane summit of world leaders. Technology partner Dimension Data, which commissioned a large-scale virtual-desktop environment from its Melbourne data centre, was able to deliver around 1000 simultaneous virtual sessions to users in Brisbane with strong performance and reliability.

That architecture was designed to be able to fail over to Dimension Data's Sydney data centre in the event of a problem, but the event went off so smoothly that the failover wasn't even necessary.

“Agencies will increasingly be able to move their workloads around,” says Mark Hazell, principal account manager for enterprise sales and manager of Citrix's government-focused Canberra branch.

“They can have some capacity on-premise, and some burst capacity in the cloud as well, because we can quickly provide a service from a trusted cloud provider. It provides them with a lot more surety around business continuity.”

Securing the new e-government

Yet business continuity is only one part of the virtual-desktop value proposition for government bodies, which are under increasing pressure to deliver online government services while preserving the integrity and security of often sensitive data about citizens.

The core technology behind virtual desktops has proven to be particularly useful on this count: with many government agencies already using virtual-desktop environments extensively, it has been relatively straightforward to extend this paradigm to mobile devices.

Workspaces can be seamlessly accessed from such devices, but the data cannot because it never actually leaves the server; rather, users interact with an image of the data. Copying, pasting, and other activities related to the data can be disabled to ensure that data interaction is limited.

“Containerisation of the workspace to a container on the phone keeps the data and applications safe,” Hazell explains, noting that this capability will soon be extended to emails – allowing material to be tagged with security classifications and its distribution limited based on those tags.

This capability will allow departments and agencies to restrict the movement of sensitive information through rules enforced by their back-end infrastructure. “Containerisation allows agencies to run the Internet, mail and other apps on the device by connecting back through the corporate infrastructure,” Hazell says.

“The real security component is around not having residual data left on the device, but categorisation means the data can be kept inside the department, minimising the data loss potential.”

This is essential in environments where all data must be strictly classified, such as the Department of Defence's DREAMS (Defence Remote Electronic Access and Mobility Services), a remote-access portal for Defence staff that was built on Citrix technology many years ago.

Much of the groundwork for that project underpins government agencies' ability to use the technology in their environments today: to be used in the Defence environment, for example, Citrix Presentation Server had to be certified against the Common Criteria security standards required of any hardware or software that handles sensitive government information.

Citrix technology, including the NetScaler application delivery controller and Citrix Receiver client, remains on the government Evaluated Products List (EPL) to this day and Citrix XenMobile is currently undergoing certification.

A head start on new security mandates

Recent mandates by the new Digital Transformation Office (DTO) have strengthened the value of Common Criteria certification, since all government agencies will be required to comply with the 36-point Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) security guidelines in all new projects undertaken from September 2015.

Common Criteria certification addresses many of the requirements in these standards, helping government agencies rapidly ramp up their capabilities to ensure they are appropriately compliant.

“Having a secure pipeline allows us to provide corporate government applications anywhere and to any device,” says Hazell. “It was a real game-changer for us all those years ago, and since then it has evolved into helping government agencies look at virtual desktops both internally and externally.”

Ultimately, the seamless delivery of applications and entire workspaces to employee desktops is likely to empower the DTO's vision of online government in a broad range of ways – from use of local asset management applications by local-council field staff, to mobile tools used by state and federal governments at customer-facing physical service points.

Additional capabilities will tie access levels to variables such as the physical location of the employee or the time of day at which they access a particular application. Because access rules are evaluated and enforced on the server, security can be maintained far more effectively than when trying to manage the flow of data onto devices and back again.
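The server-side, context-aware access model described here, together with the classification-tag distribution rule for email mentioned earlier, as an added example: a small Python policy evaluator written for this page, not Citrix code or any agency's real configuration. The classification names, the allowed-country list, the business-hours window and the department mail domain are all assumed placeholders; the point is that every decision (open or deny, which in-session controls such as copy and download to disable, whether a tagged email may leave the department) is computed from the session context on the server, so no rule depends on what the device chooses to honour.

```python
"""Constructed example: server-side evaluation of context-aware access rules
and classification-tag distribution rules. All names and limits are assumed."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Ordered classification levels; placeholder names, not real PSPF/ISM markings.
LEVELS = {"UNCLASSIFIED": 0, "OFFICIAL": 1, "PROTECTED": 2, "SECRET": 3}

# Hypothetical policy parameters (assumptions for the example)
ALLOWED_COUNTRIES = frozenset({"AU"})   # where PROTECTED-or-higher sessions may originate
BUSINESS_HOURS = range(7, 20)           # local hours during which editing is permitted
HOME_DOMAIN = "example-dept.gov.au"     # the department's own mail domain (constructed)


@dataclass(frozen=True)
class Context:
    """What the server knows about the session at decision time."""
    user: str
    clearance: str
    country: str         # location the session is being served to
    local_hour: int      # 0-23, user's local time
    managed_device: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    disabled_controls: FrozenSet[str] = frozenset()


def level(name: str) -> int:
    """Map a classification name to its rank; reject unknown tags loudly."""
    try:
        return LEVELS[name]
    except KeyError:
        raise ValueError(f"unknown classification: {name}")


def evaluate_session(ctx: Context, doc_classification: str) -> Decision:
    """Decide whether this session may open a document, and which in-session
    data-interaction controls to disable. Evaluated entirely on the server."""
    need, have = level(doc_classification), level(ctx.clearance)
    if have < need:
        return Decision(False, "insufficient clearance")
    if need >= LEVELS["PROTECTED"] and ctx.country not in ALLOWED_COUNTRIES:
        return Decision(False, f"{doc_classification} material not served to {ctx.country}")
    if need >= LEVELS["SECRET"] and not ctx.managed_device:
        return Decision(False, "SECRET material requires a managed device")

    disabled = set()
    if need >= LEVELS["OFFICIAL"]:
        # Keep the data on the server: the user sees a rendered image only,
        # so nothing classified is left on the device afterwards.
        disabled.add("download")
        if not ctx.managed_device:
            disabled.update({"copy", "print"})
    if ctx.local_hour not in BUSINESS_HOURS:
        disabled.add("edit")  # time-of-day rule: read-only outside hours
    return Decision(True, "ok", frozenset(disabled))


def forward_allowed(doc_classification: str, recipient: str) -> Tuple[bool, str]:
    """Tag-driven distribution rule for classified email (constructed policy)."""
    if "@" not in recipient:
        return False, "malformed recipient"
    domain = recipient.rsplit("@", 1)[1].lower()
    need = level(doc_classification)
    if need >= LEVELS["SECRET"]:
        return False, "SECRET email may not be forwarded"
    if need >= LEVELS["PROTECTED"] and domain != HOME_DOMAIN:
        return False, "PROTECTED email stays inside the department"
    if need >= LEVELS["OFFICIAL"] and not domain.endswith(".gov.au"):
        return False, "OFFICIAL email may only go to government domains"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sessions: a cleared user on an unmanaged phone, then one after hours.
    for ctx, doc in [
        (Context("alice", "PROTECTED", "AU", 10, False), "PROTECTED"),
        (Context("alice", "PROTECTED", "AU", 22, True), "OFFICIAL"),
        (Context("bob", "OFFICIAL", "NZ", 10, True), "PROTECTED"),
    ]:
        d = evaluate_session(ctx, doc)
        print(f"{ctx.user} -> {doc}: allowed={d.allowed} ({d.reason}) disabled={sorted(d.disabled_controls)}")
    for doc, rcpt in [("PROTECTED", "x@other.gov.au"), ("OFFICIAL", "x@other.gov.au")]:
        print(f"forward {doc} to {rcpt}: {forward_allowed(doc, rcpt)}")
```

The two functions are deliberately pure: they take the session context and the document's tag and return a decision, which is what lets the same rules be unit-tested, logged for audit, and applied identically whether the client is a managed desktop or a phone.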

“Agencies are doing a lot of work inside to make sure their staff aren't seeing things they shouldn't be seeing,” Hazell says. “If you do the total cost of ownership figures right, you reduce cost, consolidate data, and improve security.”

“As granularity increases, you will get into the next layer of control. And, because so many government agencies have already bought their virtual-desktop licenses, they are already well down the path to that destination.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.