We're making big strides toward our CIO's goal of enabling a "bring your own device" (BYOD) policy. For me, it's none too soon.
That's because employees are increasingly finding ways to connect their own Macs, tablet PCs and other mobile devices to our internal corporate environment, both from within the office and remotely. In the absence of a policy, it's been a case of anything goes as long as you don't get caught. By embracing this trend and setting up guidelines, we stand a chance of controlling what's connected to our network and securing our environment.
One important technology that will make this work is virtual desktop infrastructure, commonly referred to as VDI -- if it's deployed in a secure manner, that is. This week, I met with the VDI project team to make sure that's how it happens.
One of the benefits of allowing only known devices to connect to your network is that you can track a PC to a user and location because you know all the IP addresses, machine names and MAC addresses that are permitted. With VDI, we can expand the pool of devices that can connect to the network because the VDI will identify the user. If, for example, some piece of malware enters the network, we can use our audit and event logs and our security incident and event management tool to track down the source.
We plan to allow VDI access from untrusted environments -- for example, a PC at an Internet kiosk halfway around the world. One of my requirements is that we enable a sandbox mode to ensure that there is no possibility of direct interaction between the untrusted PC and the VDI environment. This way, malware can't be uploaded to the trusted VDI environment, and intellectual property can't be downloaded to the PC. (Some of these restrictions can be waived if the VDI determines that the remote PC is, in fact, a company asset.) I also want aggressive settings for session timeout and screen lock, to mitigate the problems that arise when forgetful workers walk away from a kiosk without logging out of the VDI.
VDI could also be helpful in managing the access of our contingent workforce. This includes vendors, partners, suppliers, distributors, contractors and consultants. Some of these people need access to our infrastructure and applications, but providing them with a VPN client can be a logistical nightmare, since varying levels of access are needed for each engagement. VDI will allow us to set up a "rule of least privilege" (one of my primary security philosophies) for all of our contingent workers. Once again, this will help protect our infrastructure and limit the compromise of our intellectual property.
Security Ground Rules
I also told the project team that we need a login banner notifying users that they have no expectation of privacy. Our legal department has demanded that we force users to click a box indicating that they accept the possibility that the company might monitor their activity.
Another of my requirements is that there be no residual data pertaining to VDI activity on the host PC after a user has logged out. This will be especially important when the PC is untrusted (like one used in an Internet cafe, for example). In addition, the VDI environment must be integrated into Active Directory, so we can easily make the VDI unavailable to former employees and current employees who no longer need access.
Finally, as with all remote connections, any access to the VDI environment must be encrypted and require two-factor authentication.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.