The case for disappearing desktops

 

Workspace-as-a-service platforms that incorporate desktop virtualization features are among the latest technologies to support the burgeoning government mobile workforce.

An ongoing boom in support for mobile workers who want to bring their own devices to work has led to expanding demand for virtualization tools designed to make the job faster, cheaper and more secure.

Workspace-as-a-service (WaaS) platforms that incorporate desktop virtualization features, designed to provide access to data from ‘anywhere, any time and any device,’ are among the latest technologies to support the burgeoning mobile transition -- and promise organizations security and back-end benefits as well.

Systems integrator Unisys Corp., for example, offers government customers a WaaS-oriented virtualized Windows environment with an office productivity suite, email messaging, video and voice collaboration tools as well as enterprise social media tools.

With the platform, employees log in and are provided a virtual workspace desktop that looks and operates like their actual physical office desktop. “Right now, users feel more comfortable in a virtual desktop because that’s the transition from a physical desktop,” said Shawn Kingsberry, Unisys’s global public sector director of digital government.

The WaaS platform has also been a workbench of sorts in the development of tools for avoiding malware and other threats by virtually disposing of, or “disappearing,” virtualized browsers that may have been contaminated or only needed for specific users.

Pete Kofod, CEO of The Sixth Flag, said he first recognized the need for more dynamic security tools -- especially to protect network end users -- when he was contacted by the chief security officer of a large aerospace company whose Microsoft Active Directory had been compromised.

The attack turned out to be aimed at an executive of the firm who was the victim of a ploy involving a vulnerability triggered by a PDF file. When the file was opened, the malware harvested credentials that led eventually to the Active Directory contamination.

Unraveling the case took three months but eventually led to development of tools designed to protect remote end users. The Sixth Flag's resulting solution allows them to work with a virtualized browser that can be “thrown away” at the end of each session.

The virtual browser works by passing executable code on to a virtual machine on the server where it gets wiped after each session. “All of our desktops are ephemeral,” Kofod said.

Should desktops or mobile devices get contaminated, “we’ve thrown away every trace of users’ data, settings get saved and we’re just storing encrypted data at rest,” he added. “The next time they log in, they’ll get a brand new fresh copy of the gold master image.”

The tool is completely cloud orchestrated and can be moved to any infrastructure-as-a-service platform, Kofod said. All users get their own virtual machine stored in the data center, powering their session and eventually discarded.

The application is accessed exclusively by a browser. “There’s no client component, so basically anything that has a current browser,” Kofod said. “Whether it's a tablet or a Chromebook, as long as it has strong HTML 5 support, we’re in business.”

“We truly try to treat the desktop as just a place to temporarily do some work, essentially ‘work-space,’” he added.

The throw-away desktop is a security tactic Kofod calls a ‘guerilla network,’ designed to fully impede the attacker. “The idea is if you get into the desktop it won’t get you any closer to the crown jewels, which is always going to be the directory server.”

“If we can get to the point where no matter what you take off this guy’s desktop, it will never get you closer to complete organizational compromise, that’s really the Holy Grail for us,” Kofod said.  “That’s why we designed it the way we did.”

Virtualized mobility

The ability to offer users a secure browser that can be used for a limited time and then disposed of makes the virtual browser a good fit for transient users, according to industry analysts. It also helps agencies web-enable legacy applications and provide inexpensive devices for mobile users. 

“For government, it’s ideal,” said David Laing, research manager for IT service management and client virtualization software at IDC.  “It allows them to look at dynamic access, change of mission [and] address things like emerging requirements, change requirements without having to worry about the funding cycle.”

Those flexibility goals are also being shared by developers looking for ways to manage other workspace features, including new “virtual mobile infrastructure” options where mobile apps can be virtualized.

“The same way you can virtualize a browser as a throw-away, you can also virtualize an Android device --  either the whole thing or a workspace of Android apps,” Laing said.

Some apps “are really made for mobile devices, whereas some other apps are meant for the desktop and then they try to optimize them for mobile,” Laing said. To reconcile the differences, developers are turning to virtual mobile virtualization. Additionally, Android can be problematic because it is not always “homogenous” across sets of apps and versions of the operating system. While new versions are introduced, carriers tend to support them for a limited amount of time.

In this case, the Android app sits on a centralized server, and the device -- either an iOS or Windows device -- runs the virtualized apps behind a firewall.

WaaS for policy enforcement

Browser virtualization has allowed firms to take different approaches to WaaS in the last few years.

Authentic8, a company created by founders of email security firm Postini, jumped into the WaaS market in 2010, looking to concentrate on browser-based innovation.

In developing Silo, its virtual browser tool, the firm added features designed to provide options for managing complex workspaces. Instead of virtualizing the desktop by running virtual desktop infrastructure, “which would have just doubled the management overhead,” the firm embedded more sophisticated management controls directly inside the browser, CEO Scott Petry said.

Yet “as important as virtualization is, the management capability and ability to define policies around who can access what from which devices is more important,” Petry said.

The modifications endow the Silo browser with enhanced uses and features, Petry said, including improvements in the ability to conduct data research, participate in collaborations across teams and pursue projects that require blending work and personal activity.

For instance, to support people doing data research on the Internet, a browser can be configured to appear as if it’s coming from a variety of destinations in order to digest content from those areas.  Those same functions can help law enforcement investigators explore suspect sites without disclosing their digital identity.

“I could literally tell the browser to look like it’s coming out of Singapore, pretending to be a Windows device with the local time zone set and with the Asian character keyboard being presented,” Petry said. Once fetched, the content could be translated from Chinese or Korean to English – inside the browser.

The Silo browser can also be used to support groups participating in sensitive negotiations, Petry said, such as mergers and acquisitions. Compliance, legal and finance staffers might access a deal room configured as an inherently secure environment.

“It feels like they are using their local browser,” he said, “but they use our browser, so any malicious content, any desire to go to Facebook in another tab while they’re in that browser, all of that capability can be managed so you have a single function browser for that team of people using web services for that deal room.”

The federal government is one of Authentic8’s top three markets, Petry said, especially agencies with national security requirements that use virtual browsers as a way to securely access web data and prevent data leakage or loss.

“What we’re seeing now is that government is just like any other large employer where there’s tension between what IT allows people to do and how users expect to balance their work-life,” Petry said. “In that case, we can let them browse the web through a one-time-use virtual environment that can be thrown away when the session is over.”

Last year the company reached out to victims of the breach at the Office of Personnel Management, offering the use of its browser for free.

“The idea here is to say our product is so easy to use and we make it available to so many people, we should also make it available to the people that are most vulnerable and those who lost data in the breach,” Petry said.
