Emergency Enablement for Remote Work: Secure Virtual Desktop Edition
By: Matthew Watkinson
“These are unprecedented times.” A sentiment rendered no less true despite my disdain for hearing this phrase multiple times a day. We ARE in unprecedented times. We live in a world where the majority of the workforce is no longer in secure, cozy office environments; there has been a substantial migration, and “working from home” is now the norm rather than the exception.
For the lucky, employees were set up with work-from-home capabilities long before 2020 with laptops and VPNs and Next-Generation Antivirus and DLP and all the fun stuff that comes with an über distributed workforce. For the rest of the workforce, where employees are working from desktops or laptops that are configured much like desktops, organizations are scrambling to figure out how to empower their employees to work from home without sacrificing the integrity of the organization’s data.
Some organizations have ordered laptops in bulk and are deploying them into the field. Hardware availability has become limited in some areas, due to restricted distribution resources, limited supply chain availability and increased demand from a spike in orders, which makes this a difficult option to execute.
Other organizations are shipping workstations home with employees to enable remote access to systems. In these cases, work assets designed for on-prem office access are now being deployed into untrusted user networks. Remote access tunneling technologies like VPNs can help, but unless your VPN client is always-on with split tunneling disabled, and/or you have extensive lock-downs on workstations, these systems are at best a fleet of potential data leakage points and at worst a way for employee home networks to bridge malicious actors into your organization.
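As an added illustration (not part of the original post) of the "always-on with split tunneling disabled" condition above: the Python below parses `ip route show` output from a Linux workstation and reports whether the VPN interface carries all traffic (full tunnel) or only selected corporate prefixes (split tunnel). The interface name `tun0` and both routing tables are constructed assumptions.

```python
"""Audit a Linux routing table for VPN split tunnelling (added example)."""
import ipaddress
import re

# Constructed sample: the VPN client only routes corporate 10.0.0.0/8 via
# tun0; all internet-bound traffic leaves directly through the home router.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# Constructed sample: a full-tunnel client. Many clients push 0.0.0.0/1 and
# 128.0.0.0/1 to override the default route; the host route to the VPN
# gateway (203.0.113.10, a documentation address) legitimately stays on eth0.
FULL_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""

# destination is the first token ("default" or a prefix); interface follows "dev"
ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)\s.*?\bdev\s+(?P<dev>\S+)")


def parse_routes(text):
    """Return (network, interface) tuples from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
            routes.append((ipaddress.ip_network(dst, strict=False), m["dev"]))
    return routes


def tunnel_mode(text, vpn_dev="tun0"):
    """Classify the table as 'full', 'split' or 'none' (VPN not up)."""
    vpn_nets = [net for net, dev in parse_routes(text) if dev == vpn_dev]
    if not vpn_nets:
        return "none"
    # collapse_addresses merges 0.0.0.0/1 + 128.0.0.0/1 into 0.0.0.0/0, so a
    # /0 after collapsing means every destination is forced through the VPN.
    covered = ipaddress.collapse_addresses(vpn_nets)
    return "full" if any(n.prefixlen == 0 for n in covered) else "split"
```

A "split" or "none" result on a corporate workstation sitting in a home network is the data-egress condition the paragraph warns about and is worth flagging from an endpoint agent or compliance check.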
There are other solutions too, involving Virtual Desktop Infrastructure, Mobile Device Management and Data Segregation, Public clouds, Private clouds, etc. but so many of the designs that we have seen to empower long-term distributed remote work forces seem to hit the same two snags:
- If your environment isn’t already architected for it, you need hardware. Hardware is limited in availability. If you aren’t already leveraging technologies like VDI and don’t have enough resources in your server farm to support 100% of your workforce on this technology, you will need more resources to run the services that deliver remote access, in addition to the resources that you are intending to deliver. This increase in demand on resources could lead to extensive hardware lead times if supply chain availability hasn’t already become an issue for your distributors.
- If your environment isn’t already architected for it, you need remote access deployed with a secure-by-design mentality. Security can be done via software (for supply chain reasons) but still needs cycles to design, deploy and manage in your new ultra-distributed workload/world. Without performing due diligence and developing the secure infrastructure necessary to connect to corporate resources, you could be turning all remote access points (e.g. employee workstations) into devices which bypass your well-funded enterprise perimeter security stack. Along with whatever malware is in your employees’ remote/home networks, you could be subject to accidental exfiltration of data if there is no appropriate separation between employee home networks and corporate networks, since connecting remote employees to corporate resources fundamentally places a bridge between the two.
With these caveats in mind, we have worked with a few vendors to build a virtually delivered Secure Desktop Service, either self-managed, or as a Managed Service through our Operations Centre. We can deploy workstations at any scale, for any number of users, with integrated network and endpoint security, complete with monitoring for the environment to alert you when something is not going right.
Deploying workstations into on-prem hardware (pending supply channel availability) or more likely into a public cloud of your choice allows for instantly available workstations, with proxied access to limit data-egress and attack surface from untrusted networks.
We treat this new workstation environment like a remote office. We build remote access VPNs into it, put in firewalls, monitor logging and activities in the environment, deploy Anti-Malware and EDR capabilities and in general deploy a fleet of secure desktops using a build image put together with direction from the customer. Desktops are deployed on demand, custom sized on a per-employee basis to suit their needs. When running desktops in public clouds, they are deployed on-demand, reducing usage fees.
Remote access into this environment is via a VDI HTML proxy, essentially turning any device into a remote keyboard and screen for your new virtual desktop in your environment. This design can proxy USB peripherals such as web cams, microphones and speakers remotely, supporting many types of knowledge workers. In private cloud environments, every aspect of the virtual machine is customizable; in public cloud environments there are a number of VM sizes for every need, from small basic virtual machines with 2 vCPU and 4 GB of RAM, all the way up to powerhouse workstations with 24 vCPU, 224 GB of RAM and 4 dedicated GPUs, powering workloads from call centre and support agents to video and 3-D model rendering.
While finding the perfect solution for each organization ideally requires lead time for planning and design, this model represents an excellent reactive solution for a lot of organizations that find themselves in need of a scalable and security-forward solution right now. This model also makes easy-to-roll-out, long-term BYOD models with on-use pricing possible, where the only equipment a remote user needs is an internet connection and a screen, keyboard optional.
Secure Sense has developed a number of secure remote access architectures with the support of our partners and vendors over the years, and with the recent global events have been able to leverage their generous extended trial offerings and discounted services. Please do not hesitate to reach out to us at firstname.lastname@example.org to find out more about building a solution around the problems you are facing.
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions or want to learn more about how we can improve your organization’s security, our services or just want to chat security please give us a shout.