Delivering security on employees’ personal laptops

To refresh, or not to refresh? This is the dilemma that many corporations are facing. In an effort to reduce IT budgets, companies are cutting capital expenditure on new purchases in order to squeeze more useful life from existing equipment, and to drive down overhead cost across all areas of the business.

Computing equipment clearly stands out as one of the biggest portions of a company’s IT spend. Analysts estimate that maintaining a modest fleet of just 50 corporate laptops can cost a company thousands per laptop, per year in software licensing, management, maintenance and support. And that’s in addition to the initial purchase price.

With this in mind, it’s not surprising that many organizations are considering giving their employees a one-off allowance to buy their own laptop for both business and personal use, rather than invest in a fleet of new corporate laptops.

Benefits of bring-your-own
This approach has benefits for everyone. Giving workers a stipend allows companies to remove the laptops and some of their associated costs from their books, which helps tighten up the balance sheet. And allowing employees to choose their own preferred laptop can be seen as an incentive to help keep staff motivated.

Yet, while this option is certainly attractive from a financial and practical viewpoint, it also raises another issue. By relinquishing centralised management over corporate laptops, businesses sacrifice rigorous, uniform control over network, device and data security.

Security drawbacks
Let’s look more closely into the potential security issues. If employees use their personal laptops for work, businesses will need to ensure secure remote access to the office network from a large variety of machines, from Windows laptops, Macs and other netbooks. Which VPN method and VPN client should they choose?

Second, what disk, data and device encryption software should they deploy across the variety of remote endpoint machines that their staffs are using? Businesses need to maintain consistent protection of the corporate data stored on these machines in case of loss or theft of the laptop.

Third, how can they ensure security compliance on each endpoint? Organizations have to trust that employees will install and maintain up-to-date protection against malware and apply the latest security patches. Without these, malware can infiltrate their remote sessions to attack the corporate network or Trojans can capture sensitive information on the laptop itself.

Meeting all the requirements is expensive and complex in terms of management. Businesses need to deploy conventional point security products – such as separate VPN, anti-virus, data encryption, personal firewall and intrusion prevention – on a large number of employee-owned PCs.

These large-scale deployments end up counteracting the potential savings and benefits gained by the organization from offering personal laptop allowances. What companies need is a different approach to endpoint security that combines data encryption, session virtualization and secure VPN connectivity on a simple, plug-in device, like a USB drive for instance.

They need a security solution that can a) deliver enterprise-grade data and device protection across a wide range of different endpoints, and b) is easier and cheaper to deploy and manage than a corporate laptop fleet.

Plug-in security
USB drives have long been used to store and carry office documents and other working files, between different computers. And while the concept of giving users a personal “PC on a USB stick’ is not completely new, multi-gigabit thumb drives are easily affordable so the idea has been growing in popularity amongst enterprises.

In order to comply with corporate security policies, the USB device needs to support both remote access and security applications, such as anti-virus and encryption. This wasn’t the case with conventional USB sticks until recently.

However, a new generation of flash drives are now available on the market, integrating both VPN connectivity for secure remote access to the corporate network and on-board, automated hardware encryption to secure stored data against drive loss or theft. In addition, these devices are also centrally-managed by IT teams so that corporate policies can be applied and drives re-provisioned if lost.

This type of advanced device can transform what were portable “storage-only’ thumb drives into fully-secure solutions for remote connectivity. For the company, the support and management overhead is far lower than for a managed laptop. In addition, using such device removes the headache of controlling a large number of endpoints, while delivering large-scale secure remote access, and keeping confidential data secure.

Virtual workspaces
From the employees’ perspective, the ideal endpoint solution would just “clone’ their office computer and deliver it on their home computer. All users would have to do is simply insert the device in their home PC or laptop, type in their passwords and start working as if they were in their regular office environment.

For the duration of the session, the host PC transforms into a virtual office workspace and a trusted endpoint, with a secure VPN connection for accessing the corporate network. When in use, the virtual workspace segregates data from the host PC, while strictly controlling applications and file transfers. When the user ends the session, the virtual workstation disappears without a trace as all data is encrypted directly to the flash drive, bypassing the host. Both the local data and the corporate network’s integrity are protected, and remain safe from malware, hacking attempts and data loss or theft.

No data is written to the host laptop and, furthermore, potential malware on the host PC cannot access the secure workspace. Even when the solution is not in use, all information is automatically encrypted on the flash drive, so that user credentials, files, documents, and other confidential data remain protected in case the device is lost or stolen.

Assessing the benefits
A secure virtual workspace solution of this type would enable businesses to overcome the cost and complexity that they usually experience when delivering uniformly secure, remote access to the corporate network from a variety of employee-owned laptops.

Enterprises deploying this USB stick solution can leverage their workers’ personal computers in order to fulfill corporate demands without compromising security, and at lower cost than an equivalent corporate machine. It is possible to make the business, personal – and vice versa.