
Reality Check: Be secure, not ‘virtually’ secure

Editor’s Note: Welcome to our weekly Reality Check column. We’ve gathered a group of visionaries and veterans in the mobile industry to give their insights into the marketplace.

Virtualization was the “it” trend of 2010, much like bring-your-own-device (BYOD) is the dominant trend right now. Looking back at 2010, the inhibitors of virtual desktop infrastructure are remarkably similar to the concerns around BYOD.

In 2010, an Enterprise Strategy Group survey highlighted that 60% of enterprises had a VDI strategy, yet adoption was still slow due to concerns regarding security and performance. In 2013, depending on which of the latest BYOD surveys you’re reading, anywhere from 60% to 80% of businesses state they’re moving forward with BYOD despite concerns about security and performance.

The main difference between then and now is that VDI has crossed its security threshold and become commonplace in the enterprise. So much so that it is now being looked at as a potential security solution for BYOD. For organizations considering BYOD, treating it as one can be a critical mistake.

There is no doubt that VDI makes life much easier for IT. VDI separates the user/employee environment from the physical machine, enabling IT to deliver an image of the applications, processes or data to the end user and their device. In a VDI environment, IT only needs to manage and update one or two images, as opposed to managing and updating thousands of endpoint devices. The time and management savings are clear, and they are an important part of the evolution of IT. Moreover, a VDI environment does in itself create a more secure overall environment, because it minimizes potential damage and data leakage if devices are lost or the hardware fails: the data and applications reside on a server, not on the device itself.

But while virtualization provides tremendous benefits for desktop management, it fails to address the most basic and fundamental aspect of a secure BYOD policy, the principle of which is understanding exactly who and what is connecting to your organization’s network. This is also referred to as the “4 Ws” of BYOD security: identifying when devices connect, what devices are connecting, where the devices connect and who uses the devices. In today’s age of advanced attacks and malware proliferation, this lack of visibility creates network blind spots that put your organization at risk.

Network access control addresses these network blind spots. Let’s look at the most common use-case for how an organization uses virtualization, the security holes created by BYOD and how NAC can be used in tandem to strengthen security.

In the most common VDI business scenario, the desktop image lives in the data center and provides access to a limited, isolated network that the company makes available to BYOD users. It varies by organization, but this separate network could include access to the internet and to certain enterprise applications which require access to specific critical data. Users click on the lightweight app delivered to their laptop, smartphone, tablet or other endpoint device to launch the virtual desktop.

With this approach, organizations often assume they don’t need visibility and control of the devices connecting to the network because the BYOD users only have access to a small, isolated network, while the main network is off-limits.

The assumption is incorrect and fails to account for the human element of BYOD, which is about users being able to use all the applications on their devices for both personal and business use.

Employees do not bring their own devices to work to simply turn them into a corporate asset with a corporate owned operating system (usually Windows-based). This limits the functionality, look and feel of the BYOD device and is fundamentally the opposite of what BYOD stands for. Employees want to use their own devices to their full capabilities, accessing the Internet and other applications via the corporate network. This requires full network connectivity.

This is where an organization relying on VDI for security is putting itself at risk. Because BYOD calls for full connectivity, IT needs full visibility and control of the endpoint devices on its corporate networks. One device that lacks the proper security controls connecting to the network can bring the entire organization down: it only takes one infection to spread, and VDI protects the data inside the virtual desktop, not the network the device is plugged into.

Technology such as NAC can plug these security holes without impacting employee choice or productivity by providing:

–Network security and device profiling: NAC ensures that only devices that fit a specific security profile are allowed network access. The profile is defined by the organization, but typically covers approved device types, minimum OS version, up-to-date anti-virus and other critical security posture items that affect network security.

–Role-based access: NAC automates the provisioning of appropriate resource access, based on the user and their device. For example, when an employee connects to the network using a company device, they can access a broad set of corporate resources according to their credentials. However, if the same employee logs on using a personal device, NAC can limit network access to just the virtual desktop environment.
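The two NAC functions above amount to a policy decision: evaluate the device’s posture against the organization’s profile, then map the (user, device, posture) triple onto a network segment. The following is an added illustration, not code from the column or from Bradford Networks’ product; the segment names, posture fields, thresholds and sample devices are all assumptions constructed for the example. It shows the role-based outcome the column describes (a compliant corporate device gets the full network, the same user on a compliant personal device gets only the VDI segment) and also the two failure modes a practitioner has to decide on: a non-compliant managed device goes to a remediation segment, while a non-compliant or unauthenticated personal device is quarantined.

```python
"""Toy NAC policy engine: device profiling plus role-based access.

Added example (not the column's or any vendor's code). Segment names,
posture fields, version thresholds and sample devices are assumptions
made up for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed network segments; real deployments would map these to VLANs or ACLs.
CORP_NET = "corp-full"        # full corporate resources
VDI_ONLY = "vdi-only"         # isolated segment: VDI broker plus internet only
REMEDIATION = "remediation"   # patch and AV update servers only
QUARANTINE = "quarantine"     # no access: unknown device or failed profiling


@dataclass
class Device:
    mac: str
    os_name: str
    os_version: tuple            # e.g. (10, 0) for a major.minor version
    av_signature_date: Optional[date]  # None means no AV agent reported in
    managed: bool                # enrolled in corporate management (a corporate asset)
    owner: Optional[str]         # user authenticated on this device, or None


@dataclass
class PostureProfile:
    allowed_os: dict             # os_name -> minimum acceptable version tuple
    max_av_age: timedelta        # how stale AV signatures may be


def posture_failures(dev: Device, prof: PostureProfile, today: date) -> list:
    """Return the posture checks the device fails; an empty list means compliant."""
    failures = []
    min_ver = prof.allowed_os.get(dev.os_name)
    if min_ver is None:
        failures.append(f"unsupported OS {dev.os_name}")
    elif dev.os_version < min_ver:
        failures.append(f"{dev.os_name} {dev.os_version} below minimum {min_ver}")
    if dev.av_signature_date is None:
        failures.append("no AV agent")
    elif today - dev.av_signature_date > prof.max_av_age:
        failures.append("AV signatures stale")
    return failures


def assign_role(dev: Device, prof: PostureProfile, today: date) -> tuple:
    """Map a (user, device, posture) triple to a network segment plus the reasons."""
    if dev.owner is None:
        return QUARANTINE, ["unauthenticated device"]
    failures = posture_failures(dev, prof, today)
    if failures:
        # A managed device gets a path to fix itself; a personal device that
        # fails posture should see nothing until it complies.
        return (REMEDIATION if dev.managed else QUARANTINE), failures
    if dev.managed:
        return CORP_NET, ["compliant corporate asset"]
    # Same user, personal device: only the virtual desktop environment.
    return VDI_ONLY, ["compliant personal device: VDI broker only"]


# Assumed organization profile and a fixed "today" so the run is deterministic.
PROFILE = PostureProfile(
    allowed_os={"Windows": (10, 0), "macOS": (12, 0), "iOS": (16, 0), "Android": (13, 0)},
    max_av_age=timedelta(days=7),
)
TODAY = date(2024, 6, 1)

# Constructed sample devices (fictional MACs and users).
SAMPLE_DEVICES = [
    Device("00:11:22:33:44:01", "Windows", (10, 0), date(2024, 5, 30), True, "alice"),
    Device("00:11:22:33:44:02", "iOS", (16, 4), date(2024, 5, 31), False, "alice"),
    Device("00:11:22:33:44:03", "Windows", (10, 0), date(2024, 4, 1), True, "bob"),
    Device("00:11:22:33:44:04", "Android", (11, 0), None, False, "bob"),
    Device("00:11:22:33:44:05", "Linux", (6, 1), None, False, None),
]


def evaluate_all(devices=SAMPLE_DEVICES) -> dict:
    """Return {mac: segment} for every device, as a NAC enforcement point would."""
    return {d.mac: assign_role(d, PROFILE, TODAY)[0] for d in devices}


if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        segment, reasons = assign_role(d, PROFILE, TODAY)
        print(f"{d.mac} {d.owner or '-':6} {d.os_name:8} -> {segment:12} {'; '.join(reasons)}")
```

Note that alice’s two devices land on different segments purely because of the managed flag: the user is the same, the posture is clean on both, and the decision is about the device. That is the point the column makes with the role-based access bullet, and it is exactly the information a VDI-only design never collects.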

Virtualization is a great technology that has matured to deliver much needed cost savings and management benefits to organizations. But it’s not the basis for a sound policy on BYOD. Virtualization needs to be used in conjunction with technologies like NAC to identify and secure the blind spots inherently created by BYOD.

Frank Andrus is the CTO at Bradford Networks, overseeing all strategic technology functions, which includes evolution of the current product line, new product and services development and setting the future corporate R&D strategy.
