Endpoint security: Keeping virtual desktops safe for the remote workforce
- By Jeff Kalberg
- Jul 05, 2017
Because government performs tasks critical to the health, safety and well-being of its citizenry, public-sector organizations have a particular sensitivity to threats like the WannaCry ransomware attacks. Adding to this threat is the fact that public agencies work in a distributed environment -- one where vast amounts of information are made available through the internet to employees in remote locations using a variety of devices.
This complex puzzle of devices, locations and layers of user access creates an environment ripe for cyberattacks. One curious person opening an email attachment or clicking on a web link can bring down a system.
Public-sector IT teams face significant challenges supporting remote workers’ access to the applications and data they need to be productive while maintaining security controls that protect against the constant barrage of exploits. These controls are taking on greater importance as ransomware attacks are multiplying, and workers and contractors are demanding expanded information access to do their jobs.
Like every other user of technology, government users live on the edge – that is, the devices they use to access information are on the edge of the network. Advanced endpoint management is essential to ensure secure access to these virtual applications and desktops. It gives users the freedom and tools to do their job well, while providing the controls necessary to lessen the risk that they will fall victim to the next exploit or ransomware attack.
A case in point is UNC Health Care, a not-for-profit, integrated health care system owned by the state of North Carolina. The system comprises University of North Carolina hospitals, its provider network, clinical programs at the UNC School of Medicine, and nine affiliate hospitals and hospital systems. When UNC Health Care was ready to go to the next stage of virtualization with a complete Citrix rollout, it wanted to find a software-based endpoint solution that could leverage some of its existing assets while controlling new investment costs. The answer was to employ thin-client software that reduced costs, increased endpoint security, centralized IT management and supported the various workflows used in health care. Furthermore, the solution improved the end-user experience by giving physicians and staff access to medical records and other information while they roamed between workstations.
Public-sector health care organizations like UNC Health Care are constantly seeking ways to improve application and data access for staff, and virtualization is proving to be the means to streamline access while protecting against exploits and malware. The UNC Health Care solution illustrates best practices for public-sector agencies wanting to secure their remote and/or roaming workforce:
- Consider user context. Because staff and contractors will take their work home with them on occasion, agencies must put in place access controls that limit what users are allowed to do based on their location.
- Be device and network aware. Thin clients can be profiled according to network, location or user. Using device management technology, IT can lock out devices the same way network access controls do. If devices are found to be operating outside of defined parameters, controls are in place to automatically shut them down.
- Enable a roaming mode. With staff moving constantly between locations and workstations in the hospital, IT must provide security controls that support this mobility yet allow fast access to critical files and applications. A roaming mode would allow staff members to simply tap their badge to securely log in to their desktop from any roaming endpoint. Additionally, IT could provide a kiosk mode that stays logged into the network but only runs programs under the user’s context. Users are required to type in their password only twice a day; the rest of the time they simply tap their employee badge on the card reader to log in automatically.
- Deploy certificate-based communication. Using software-driven thin-client technology, IT can deploy certificate-based communication between management servers and virtual thin clients. This protects against denial-of-service and man-in-the-middle attacks.
- Consider USB control devices. Where appropriate, IT can give staff members a USB-bootable managed micro thin client. Users simply boot to the USB device to run their PC as a virtual thin client, accessing only the desktop applications for which they have authorization.
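The context-aware, device-aware and roaming-mode practices above, as an added illustration that is not the article's or IGEL's code: a small Python policy evaluator that locks out endpoints operating outside the defined parameters, accepts a badge tap only within an assumed 12-hour window since the last typed password (the "twice a day" rule), and narrows application access by location. The device profiles, network names, application groups and thresholds are assumptions.

```python
from dataclasses import dataclass

# Assumed policy constants (not from the article): a badge tap alone is
# accepted for 12 hours after the last typed password, i.e. twice a day.
BADGE_ONLY_WINDOW_HOURS = 12
MANAGED_PROFILES = {"managed_thin_client", "usb_thin_client"}
# Hypothetical application groups: full clinical access only on-site.
ON_SITE_APPS = frozenset({"ehr", "pacs", "email"})
REMOTE_APPS = frozenset({"email"})


@dataclass
class EndpointContext:
    device_profile: str          # e.g. "managed_thin_client" or "unmanaged"
    network: str                 # "hospital_lan", "vpn" or "public"
    location: str                # "hospital" or "home"
    auth_method: str             # "badge" or "password"
    hours_since_password: float  # time since the user last typed a password


def evaluate_access(ctx: EndpointContext) -> tuple:
    """Decide what a thin-client session may do; returns (decision, apps)."""
    # Device and network awareness: an endpoint outside the defined
    # parameters (unmanaged, or on an untrusted network) is locked out,
    # the same way a network access control would refuse it.
    if ctx.device_profile not in MANAGED_PROFILES or ctx.network == "public":
        return "lockout", frozenset()
    # Roaming mode: a badge tap is enough only inside the password window;
    # any other authentication method is rejected outright.
    if ctx.auth_method == "badge":
        if ctx.hours_since_password > BADGE_ONLY_WINDOW_HOURS:
            return "require_password", frozenset()
    elif ctx.auth_method != "password":
        return "lockout", frozenset()
    # User context: what the session may reach depends on where it is.
    if ctx.location == "hospital" and ctx.network == "hospital_lan":
        return "allow", ON_SITE_APPS
    return "allow_restricted", REMOTE_APPS


if __name__ == "__main__":
    roaming = EndpointContext("managed_thin_client", "hospital_lan",
                              "hospital", "badge", 3)
    print(evaluate_access(roaming))
```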
Managing security at the endpoint and controlling application and file access in the appropriate user context is of paramount concern. Advanced endpoint management that controls limited-function devices operating as thin clients is a compelling option for public-sector organizations that must balance a flexible, productive user experience with effective, efficient control over the security of the organization and its data.
Jeff Kalberg is chief technology evangelist for IGEL.