MATHIAS THURMAN
Trouble
Ticket
At issue: The CIO’s
goal of allowing more
use of personal devices is
moving ahead.
Action plan: Securely
implement VDI, so that
users can still be identified,
even if their devices are
unknown.
BYOD Planning Gets a Boost
A key technology to allow for the secure use of personal
devices on the network is virtual desktop infrastructure.
WE’RE MAKING big strides toward our CIO’s goal of enabling a “bring your own device” (BYOD) policy. For me, it’s none
too soon.
That’s because employees are increasingly finding ways to connect their
own Macs, tablet PCs and other mobile
devices to our internal corporate environment, both from within the office and
remotely. In the absence of a policy, it’s
been a case of anything goes as long as
you don’t get caught. By
embracing this trend and
setting up guidelines, we
stand a chance of controlling what’s connected to
our network and securing
our environment.
One important technology that will
make this work is virtual desktop infrastructure, commonly referred to as VDI
— if it’s deployed in a secure manner,
that is. This week, I met with the VDI
project team to make sure that’s how it
happens.
One of the benefits of allowing only
known devices to connect to your
network is that you can track a PC to a
user and location because you know all
the IP addresses, machine names and
MAC addresses that are permitted. With
VDI, we can expand the pool of devices
that can connect to the network because
the VDI will identify the user. If, for
example, some piece of malware enters
the network, we can use our audit and
event logs and our security incident and
event management tool to track down
the source.
VDI could also be helpful in managing
the access of our contingent workforce.
This includes vendors, partners, suppliers, distributors, contractors and
consultants. Some of these people need
access to our infrastructure and applications, but providing them with a VPN
client can be a logistical nightmare, since
varying levels of access are needed for
each engagement. VDI will allow us to
set up a “rule of least privilege” (one of
my primary security philosophies) for all
of our contingent workers. Once again,
this will help protect our infrastructure
and limit the compromise of our intellectual property.
JOIN IN the discussions about
security! computerworld.com/
blogs/security
VDI could also help manage the network access
of vendors, partners, contractors and others.
Security Ground Rules
I also told the project team that we need
a login banner notifying users that they
have no expectation of privacy. Our legal
department has demanded that we force
users to click a box indicating that they
accept the possibility that the company
might monitor their activity.
Another of my requirements is that
there be no residual data pertaining to
VDI activity on the host PC after a user
has logged out. This will be especially
important when the PC is untrusted (like
one used in an Internet cafe, for example).
In addition, the VDI environment must
be integrated into Active Directory, so we
can easily make the VDI unavailable to
former employees and current employees
who no longer need access.
Finally, as with all remote connections, any access to the VDI environment
must be encrypted and require two-factor authentication. u
This week’s journal is written by a real security manager, “Mathias Thurman,” whose
name and employer have been disguised for
obvious reasons. Contact him at mathias_
thurman@yahoo.com.
