Reduce Costs And Data Loss / Windows Virtual Desktop
Background
Organizations of all sizes struggle with the new norm of supporting a remote workforce. The first challenge is provisioning appropriate hardware, usually a laptop that can be secured and managed. Then there are the physical security concerns of the remote worker. Where are they setting up? Is the laptop properly secured with a security cable lock? Who can see the screen? What does an employee do with the laptop when not in use or in transit? How about local information security? BitLocker protects data at rest; it does nothing for data while the user is logged in and the volume is unlocked, so anything on the disk can still be exfiltrated from a running, Internet-connected system. Once that system is compromised, whether by ransomware, by phishing or by an exploit against unpatched software, the data goes with it. What happens when the employee is terminated? What is the likelihood of getting the equipment back? So many questions, and so many concerns for the business owners, the information security officer and the clients who entrust your company to secure the sensitive information they provide.
The Solution
Our new culture of accepting a larger remote workforce has accelerated real, viable solutions that have been around for years; the demand has now incentivized companies like AWS and Microsoft to provide turn-key solutions for businesses of all sizes at a price point that makes it a no-brainer decision. The solution is NOT to provision expensive computers to remote workers but to require them to purchase and maintain their OWN equipment. Companies do not provide a vehicle just for reliable transportation to and from work, many do not automatically provide cell phones for business conversations, and few pay for home Internet service from an ISP. The reason is clear: businesses expect that the average household already owns a car and a cell phone and already has an ISP for Internet access. The viability of true "bring your own device" (BYOD) is here. Employees CAN and SHOULD be expected to provide their own computer as well. After all, what household or individual does NOT have a computer they have invested in and care for? If an employee is required to invest in and maintain their own computer, they are far more likely to protect it from physical damage, theft or malware, at least in theory.
While the accounting staff is concerned about capital expenditure on laptops, servers and other hardware to support the IT infrastructure of the business, the CISO/ISO is even more worried about the corporate risk if sensitive data is compromised or lost through user negligence or malware, through employee theft of data after separation or, worse, through intentional theft of data while still employed.
So what is the solution? Microsoft Windows Virtual Desktop (WVD) just might fit the bill. This solution allows an organization to provide any employee with a full-featured Windows 10 desktop running in Azure, with access to Office 365 productivity software and storage for their data, reachable from anywhere, while the data itself stays inside the corporate virtual network rather than on the endpoint. One caveat a practitioner should know: the protection against data being copied, emailed or otherwise exfiltrated is not automatic. It depends on the host pool's RDP properties disabling clipboard, drive, printer and USB redirection to the client device, on the session hosts being subject to the same DLP and mail controls as any other corporate machine, and on sign-in being gated by multi-factor authentication. Additionally, no capital expenditure is laid out for the purchase of laptops or other hardware. When the project is over or the employee (or contractor) no longer requires access, the account is simply disabled or deleted and any active session is signed off. There is no concern for lost hardware or for compromised copies of sensitive data taken from central file servers.
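The following PowerShell is an added example, not code from the article or from Microsoft, showing the two administrative steps the paragraph above relies on: locking down client redirection on a host pool so session data cannot be pasted, mapped or printed to the user's own machine, and then offboarding a user so that the disabled account also loses any live session. It uses the Az.DesktopVirtualization and AzureAD modules; the resource group, host pool and user principal name are placeholders.

```powershell
# Added example (not from the article): hardening a WVD / Azure Virtual Desktop host pool
# and offboarding a user. Assumes an authenticated session (Connect-AzAccount and
# Connect-AzureAD already run) and the Az.DesktopVirtualization and AzureAD modules.
# The three values below are placeholders, not real resources.
$ResourceGroup = 'rg-wvd-prod'
$HostPool      = 'hp-finance'
$User          = 'contractor@contoso.com'

# 1. Disable client-side redirection. Without this, a user on an unmanaged BYOD laptop can
#    paste session content into a local application, map a local drive into the session,
#    or print to a local printer, all of which move data outside the virtual network.
$rdp = @(
    'redirectclipboard:i:0'      # no clipboard between session and local machine
    'drivestoredirect:s:'        # no local drives mapped into the session
    'redirectprinters:i:0'       # no local printers
    'usbdevicestoredirect:s:'    # no USB devices
    'camerastoredirect:s:'       # no local cameras
    'redirectcomports:i:0'       # no COM ports
    'redirectsmartcards:i:1'     # keep smart cards, needed for smart-card sign-in
) -join ';'

Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPool -CustomRdpProperty $rdp

# 2. Verify the setting actually landed; fail loudly if clipboard redirection is still open.
$pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPool
if ($pool.CustomRdpProperty -notmatch 'redirectclipboard:i:0') {
    throw "Host pool $HostPool still permits clipboard redirection: $($pool.CustomRdpProperty)"
}

# 3. Offboarding. Disabling the account alone does not end an RDP session that is already
#    connected, so revoke refresh tokens and sign off any live session as well.
Set-AzureADUser -ObjectId $User -AccountEnabled $false
Revoke-AzureADUserAllRefreshToken -ObjectId $User

Get-AzWvdUserSession -ResourceGroupName $ResourceGroup -HostPoolName $HostPool |
    Where-Object { $_.UserPrincipalName -eq $User } |
    ForEach-Object {
        # Session Name has the form "<hostpool>/<sessionhost>/<sessionid>"
        $parts = $_.Name -split '/'
        Remove-AzWvdUserSession -ResourceGroupName $ResourceGroup -HostPoolName $HostPool `
            -SessionHostName $parts[1] -Id $parts[2] -Force
    }
```

Two design points. The verification step after the update exists because the host pool accepts any RDP property string; a typo silently leaves redirection enabled, so the script checks the effective value rather than trusting the write. Also, these controls stop the common exfiltration paths through the RDP channel; they do not stop a user photographing the screen or a keylogger on the unmanaged endpoint capturing credentials, which is why MFA on sign-in and a session timeout remain necessary alongside them.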
What about the real-world experience of this solution? Is it really workable? I am writing this article using just such a virtual desktop system in Microsoft Azure. I have Microsoft Teams active and running. I have a huge Excel spreadsheet up, a very large Word document open, as well as this Word document. I am running this across two 25-inch HD displays. The responsiveness is virtually like working locally. However, NO company data or software is residing or running on this local system. Incoming data is secure screen display updates, and outgoing data is secure keyboard and mouse input. Also, I am connected via a Microsoft Azure secured account with multi-factor authentication, ensuring that no one else can access this environment.
In Conclusion
As a 30-year veteran of information technology and security, I could not be more excited by this recent offering from Microsoft. This is a clear opportunity to solve multiple financial and risk mitigation challenges for organizations of all sizes. The return on investment, compared with managing myriad hardware investments, is astounding, as is the ability to control data access and protect data from loss and compromise. There are many YouTube videos from third-party Microsoft Partners, as well as a vast amount of online documentation from Microsoft, to draw on for additional detail.
This document is focused on Microsoft Azure and virtualization because AARC-360 is already invested in the Azure environment and it made sense to perform our trial on our native platform. However, AWS has also been perfecting its virtualization service offering. Competition is a good thing, and these competing cloud service providers will keep making these remarkable services even better as the future unfolds.
Written by Michael Barnes, Senior Security Analyst