Roughly 12 months ago, when the world shifted seemingly overnight to work-from-home, few companies were well-positioned to seamlessly scale their remote work solutions. Legacy remote desktop solutions, like Virtual Desktop Infrastructure (VDI) and Desktop-as-a-Service (DaaS) were pressed into wider service than they had been custom fit to provide.
Security policies governing remote working and secure access were either scaled up or slapped together in an ad hoc fashion to keep operations going, but they often interfered with worker productivity.
Along the way, too many companies struggled in a tug of war between IT freedom for employees and robust security for the company. CIOs, CISOs, and others within executive leadership were right to be concerned: prior to COVID-19, 70 percent of security breaches started at the endpoint. Those responsible for security at companies of all sizes are taking it day by day, waiting and watching to see whether their current security profiles are up to the task of protecting invaluable customer data and company intellectual property.
The problems with unanticipated demand for secure remote work
At the start of the pandemic, many large enterprises had VDI or DaaS solutions in place for a subset of their workforce. Many medium-to-large enterprises did, as well. Even so, as companies tried to scale these remote work solutions overnight, they realized they were ill-prepared:
- Most weren’t ready to enable a wider range of remote worker tasks involving a larger set of corporate assets
- Some had to accommodate a new or broader BYOPC approach
- Most needed to expand remote access to the company’s more sensitive systems and data
- Many feared that current restrictive security policies would limit worker productivity
- Most have had a difficult time easing the increased strain on IT personnel working to support such a rapid and all-encompassing transition
According to our own survey of CISOs conducted in Q3 2020 in tandem with Team8, the scramble to “enable remote by any means” prompted a range of responses:
- 35 percent of enterprises relaxed their security policies to expand IT freedom for their employees
- 26 percent went the other way and tightened security policies
- The rest – 39 percent – made no changes, perhaps unsure of exactly what they should do to maximize worker productivity without compromising corporate security.
Employee IT freedom vs. corporate security: The wrong question and a false choice
Figuring out where to draw the line between giving employees IT freedom to browse, download, install and store as needed and asserting security policies that adequately protect assets from the wide range of corporate activities comprising the enterprise workday was anything but obvious. There’s a good reason for that: the question isn’t “Which should the enterprise favor?” Instead, we should ask ourselves “How do we get both greater freedom and enhanced security at the same time?”
Enterprise leaders that view IT freedom and corporate security as opponents in a zero-sum game are looking at this business challenge through the wrong lens. It is an understandable posture, though, since older methods of securing legacy infrastructure were formulated around the idea that the best way to maintain control over corporate assets was to severely limit what end users could do on their computers. Lock down user activity = maintain security. Loosen end-user restrictions = increase vulnerability.
VDI and DaaS: Rethinking remote working in the cloud era
Fortunately, new technology approaches to remote work have proved the freedom-versus-security way of thinking to be archaic. Advances in isolation technologies, in particular, are helping enterprises scale their remote work operations, broaden the latitude workers have to access digital tools and information, and increase defense of the corporate network, data and other intellectual property.
Many IT administrators are already familiar with web isolation, which allows end users to peruse websites freely in an isolated remote environment, like a virtual machine or a sandbox, that won’t allow malicious code to infiltrate the endpoint’s browser. The concept of isolation is sound, but the range of tasks that comprise most workers’ daily activities extends well beyond web browsing, and managing at scale an incomplete solution like web isolation is very difficult.
Remote workflows have required end users to install video conferencing applications to collaborate with team members. Workers routinely depend on numerous different line-of-business applications. Developers download, install and update various types of software. Employees frequently rely on peripheral devices like thumb drives to upload, transfer and download files. Cloud applications often offer full desktop clients that provide superior features and convenience. And the list goes on. If even a subset of the above activities applies, web isolation is going to fall short of what’s needed to fully protect corporate assets.
OS-based isolation: Providing the best of both IT freedom AND corporate security
Today, there’s a different approach to isolation that extends the protections and benefits of web isolation beyond browsing activity to cover almost anything a worker has to do in the course of a normal business day. OS-based isolation creates an instantly provisioned virtual machine on a user’s device, establishing a second, entirely separate and pristine environment on the endpoint.
With OS-based isolation, whatever happens inside the VM cannot in any way affect the underlying OS (or vice versa). In this way workers can browse less secure websites, but they also have the freedom to download and experiment with necessary web-based applications and tap into all the commonly used tools and solutions that make work easier, without risking infiltration of malware or exfiltration of business-critical data.
Further, OS-based isolation can make VDI or DaaS connections even more secure. Unless an enterprise is enabling VDI or DaaS connections exclusively through thin client endpoints, there’s a real risk that a remote worker will access the corporate network from an already-compromised laptop or workstation that is not corporate-managed or is personally owned. In this scenario, malware can have direct access to the enterprise’s most sensitive assets.
But utilizing OS-based isolation in conjunction with one of these legacy remote desktop solutions obviates that threat, allowing unrestricted access to the internet, email and non-privileged information via an “unlocked” OS (which may pick up malware in the course of engaging in these activities), while reserving a second, privileged OS for accessing high-value corporate assets, including sensitive data and other systems, through the VDI or DaaS session.
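To make the two-OS arrangement described above concrete, here is an added illustration in Python; it is not code from the original article or from any isolation product. It models an endpoint with an “unlocked” OS (internet, email, peripherals, downloaded installers) and a “privileged” OS (the VDI/DaaS session and sensitive data), and evaluates a constructed sequence of actions against that split. The resource classes, the access matrix, and the rule that executables never cross into the privileged OS while nothing leaves it are assumptions made for the illustration, not a description of any vendor’s policy.

```python
"""
Toy policy model for an endpoint running two isolated operating systems.
All resource classes, the access matrix and the cross-OS transfer rules are
assumptions for this illustration (not a vendor product's configuration).
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Ctx(Enum):
    UNLOCKED = "unlocked"      # may pick up malware; treated as untrusted
    PRIVILEGED = "privileged"  # kept pristine; reserved for high-value assets


class Res(Enum):
    INTERNET = "internet"
    EMAIL = "email"
    USB = "usb"
    DOWNLOADED_INSTALLER = "downloaded_installer"
    VDI_SESSION = "vdi_session"
    SENSITIVE_DATA = "sensitive_data"


# Assumed access matrix: which OS may touch which resource class.
ACCESS = {
    Ctx.UNLOCKED: {Res.INTERNET, Res.EMAIL, Res.USB, Res.DOWNLOADED_INSTALLER},
    Ctx.PRIVILEGED: {Res.VDI_SESSION, Res.SENSITIVE_DATA},
}


@dataclass(frozen=True)
class Event:
    ctx: Ctx                      # OS in which the action is attempted
    action: str                   # "access" or "transfer"
    target: Optional[Res] = None  # resource class, for "access"
    to_ctx: Optional[Ctx] = None  # destination OS, for "transfer"
    kind: str = "document"        # payload kind for transfers: "document" or "executable"


def evaluate(ev: Event) -> Tuple[bool, str]:
    """Return (allowed, reason) for a single attempted action."""
    if ev.action == "access":
        if ev.target is None:
            return False, "access event without a target"
        if ev.target in ACCESS[ev.ctx]:
            return True, f"{ev.ctx.value}: {ev.target.value} allowed"
        return False, f"{ev.ctx.value}: {ev.target.value} denied (not reachable from this OS)"
    if ev.action == "transfer":
        if ev.to_ctx is None:
            return False, "transfer event without a destination"
        if ev.ctx is ev.to_ctx:
            return True, "same-OS move, no isolation boundary crossed"
        if ev.ctx is Ctx.PRIVILEGED:
            # Nothing leaves the privileged OS: blocks exfiltration of corporate data.
            return False, "privileged -> unlocked transfer denied (possible exfiltration)"
        if ev.kind == "executable":
            # Code from the untrusted OS never runs in the pristine one.
            return False, "unlocked -> privileged executable denied (possible infiltration)"
        return True, "unlocked -> privileged document allowed and logged for audit"
    return False, f"unknown action {ev.action!r}"


def audit(events: List[Event]) -> List[str]:
    """Evaluate a sequence of events and return the reasons for every denial."""
    denials = []
    for ev in events:
        allowed, reason = evaluate(ev)
        if not allowed:
            denials.append(reason)
    return denials


# Constructed scenario: a normal workday plus malware active in the unlocked OS.
SCENARIO = [
    Event(Ctx.UNLOCKED, "access", Res.INTERNET),                      # browsing: ok
    Event(Ctx.UNLOCKED, "access", Res.USB),                           # thumb drive: ok
    Event(Ctx.UNLOCKED, "access", Res.VDI_SESSION),                   # malware -> VDI: denied
    Event(Ctx.UNLOCKED, "access", Res.SENSITIVE_DATA),                # malware -> data: denied
    Event(Ctx.PRIVILEGED, "access", Res.VDI_SESSION),                 # user opens VDI: ok
    Event(Ctx.PRIVILEGED, "transfer", to_ctx=Ctx.UNLOCKED),           # copy-out: denied
    Event(Ctx.PRIVILEGED, "access", Res.DOWNLOADED_INSTALLER),        # installer in privileged: denied
    Event(Ctx.UNLOCKED, "transfer", to_ctx=Ctx.PRIVILEGED, kind="executable"),  # denied
    Event(Ctx.UNLOCKED, "transfer", to_ctx=Ctx.PRIVILEGED, kind="document"),    # allowed, logged
]

if __name__ == "__main__":
    for line in audit(SCENARIO):
        print("DENY", line)
```

Running the block prints the five denials from the constructed scenario; the point of the model is that malware running in the unlocked OS never has a path to the VDI session or the sensitive data, and nothing the privileged OS holds can be moved out, which is the property the article attributes to layering OS-based isolation under a VDI or DaaS session.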
OS-based isolation will take the place of VDI and DaaS
It’s worth noting that OS-based isolation can now (and someday likely will) fully take the place of VDI and DaaS. But with so many enterprises having one or the other of these legacy remote desktop solutions firmly entrenched in their IT stack, it’s far more likely that enterprises will choose to “layer on” OS-based isolation atop their VDI or DaaS instantiation to expand worker freedom while improving corporate security, at least until the incumbent remote work solution is due for a refresh.
With enterprises now having to enable a broader range of activities in a work-from-home scenario, security leaders would be wise to consider tapping OS-based isolation to establish multiple isolated operating systems on a single endpoint. With HR, developer, financial, customer service and other call center activities now having to be conducted from workers’ kitchen tables or living room couches, reserving a pristine environment for handling such sensitive business has become a mission-critical imperative.
And seeing how remote work at scale is very likely here to stay long after the pandemic has faded to nothing more than a bad memory, it’s time for enterprises to wake up to the reality that IT freedom and corporate security can perfectly co-exist in the new enterprise remote work toolkit.