Proper Endpoint Security Keeps Virtual Desktops Safe for Mobile Employees | IGEL

Written by: Jeff Kalberg
Published: August 1, 2017

Endpoint Security: Keeping Virtual Desktops Safe for the Remote Workforce

Because governments perform tasks critical to the health, safety and well-being of their citizens, public sector organizations are particularly sensitive to threats like the WannaCry ransomware attacks. Adding to this threat is the fact that public agencies work in a distributed environment, one where employees access data from remote locations using a variety of devices and where vast amounts of information are made available through the Internet. This complex puzzle of devices, locations and layers of user access creates an environment ripe for cyberattacks. One person curiously opening an email attachment or clicking on a web link can provide the runway an attacker needs to bring down a system.

Information technology teams in the public sector face significant challenges supporting remote workers’ access to the applications and data required to be productive while, at the same time, maintaining security controls that protect against the constant barrage of exploits. These controls are taking on greater importance as ransomware attacks are multiplying, while workers and contractors are demanding expanded information access to do their jobs.

Advanced Endpoint Management Must be Considered for Productivity and Security

Like every other user of technology, the government user lives on the edge: the device they use to access information technology sits at the edge of the network. For this reason the endpoint, including all forms of thin clients and virtual desktops, has to be a focus when considering productivity and security. And because users are curious people, advanced endpoint management is essential to ensuring secure access to these virtual applications and desktops. It provides the controls necessary to protect workers while giving them the freedom and tools to do their job well, and it lessens the risk that they will fall victim to the next exploit or ransomware attack.

A case in point is UNC Health Care, a not-for-profit, integrated health care system owned by the State of North Carolina and based in Chapel Hill. The system comprises UNC hospitals, its provider network, clinical programs at the UNC School of Medicine, and nine affiliate hospitals and hospital systems. UNC Health Care was ready to go to the next stage of virtualization with a complete Citrix rollout. In doing so, UNC Health needed a software-based endpoint solution that could leverage some of its existing assets to control new investment costs. The answer was to employ thin client software that reduced costs, increased security at the endpoint and centralized IT management while supporting the various workflows used in healthcare. Furthermore, UNC Health was able to improve the end user experience by giving physicians and staff the flexibility to access medical records and other information while roaming between workstations.

Virtualization Technology Can Streamline Access and Protect Against Malware

Health care organizations like UNC Health are constantly seeking ways to improve application and data access for their staff, and virtualization is proving to be the means to streamline access while protecting against exploits and malware. UNC Health Care illustrates a number of solution best practices that are applicable for a public sector agency wanting to secure its remote and/or roaming workforce:

  1. User Context. IT has to consider that staff and contractors will, on occasion, take their work home with them, creating additional security risk. Agencies need to put in place access controls that limit what the user is allowed to do based on their location.
  2. Device and Network Awareness. Thin clients can be profiled according to network, location or user. Using device management technology, it is possible to lock out devices in much the way network access control does: if a device is found to be operating outside of its defined parameters, controls automatically cause it to cease functioning.
  3. Roaming Mode. With staff moving constantly between locations and workstations, IT has to provide security controls that support this mobility and yet allow fast access to critical files and applications. IT can configure a roaming mode that allows staff, for example, to simply tap their badge to securely log in to their desktop from any roaming endpoint. Additionally, IT could provide a kiosk mode that stays logged in but runs programs under the user's context. Users are required to type in their password only twice a day; the rest of the time they simply tap their employee badge on the card reader to log in automatically.
  4. Certificate-Based Communication. Using software-driven thin client technology, IT can deploy certificate-based communication between management servers and virtual thin clients. Because each side verifies the other's certificate, this protects against man-in-the-middle attacks and against a rogue server or endpoint impersonating a legitimate one (certificates alone do not prevent denial-of-service attacks, which must be addressed separately).
  5. USB Control Devices. Where appropriate, another method of giving users the productivity tools they need while further mitigating risk is providing staff with a USB-bootable, managed micro thin client. The user simply boots the PC from the USB device to run it as a virtual thin client, accessing only the desktop applications for which they are authorized.
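To make the first two practices concrete, here is an added illustrative example (written for this article, not IGEL's or UNC Health's code) of a small policy evaluator that applies location-based access control and device lockout. The site subnets, roles, approved firmware versions and device records are all constructed sample data; the rules express the two ideas above: what a user may do depends on where the device is connecting from, and a device outside its defined profile is locked out before any action is authorized.

```python
"""Illustrative endpoint access-policy evaluator (added example; not IGEL code).

Models two of the controls listed above:
  - user context: allowed actions depend on the user's role and on the
    location class derived from the device's network address;
  - device awareness: a device whose reported parameters fall outside
    the defined profile is locked and gets no actions at all.
All subnets, roles, firmware versions and devices below are constructed
sample data for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical site definitions: which subnets count as which location.
SITE_NETWORKS = {
    "hospital": [ipaddress.ip_network("10.10.0.0/16")],
    "clinic":   [ipaddress.ip_network("10.20.0.0/16")],
    "vpn":      [ipaddress.ip_network("172.16.0.0/12")],
}

# Actions allowed per (role, location). Anything not listed is denied,
# so an unknown role or an off-site clinician gets nothing by default.
POLICY = {
    ("clinician", "hospital"):  {"open_ehr", "print", "usb_storage"},
    ("clinician", "clinic"):    {"open_ehr", "print"},
    ("clinician", "vpn"):       {"open_ehr"},
    ("contractor", "hospital"): {"open_ticketing"},
    ("contractor", "vpn"):      {"open_ticketing"},
}

# Constructed sample values for the firmware builds management approves.
APPROVED_FIRMWARE = {"11.04.100", "11.04.120"}


@dataclass
class Device:
    device_id: str
    ip: str
    user: str
    role: str
    firmware: str
    locked: bool = False
    reason: str = ""


def classify_location(ip: str) -> str:
    """Map a device address to a location class; unknown networks are off-site."""
    addr = ipaddress.ip_address(ip)
    for site, nets in SITE_NETWORKS.items():
        if any(addr in net for net in nets):
            return site
    return "offsite"


def check_device_profile(dev: Device) -> Device:
    """Lock the device if it operates outside its defined parameters."""
    if dev.firmware not in APPROVED_FIRMWARE:
        dev.locked, dev.reason = True, f"unapproved firmware {dev.firmware}"
    elif dev.role == "contractor" and classify_location(dev.ip) == "offsite":
        dev.locked, dev.reason = True, "contractor device off managed networks"
    return dev


def allowed_actions(dev: Device) -> set:
    """Actions the user may take from this device at its current location."""
    if dev.locked:
        return set()
    location = classify_location(dev.ip)
    return set(POLICY.get((dev.role, location), set()))


def authorize(dev: Device, action: str) -> bool:
    """Profile check first, then the location-aware policy lookup."""
    return action in allowed_actions(check_device_profile(dev))


if __name__ == "__main__":
    # Constructed sample devices: same clinician on-site, on VPN and at home.
    for dev in (
        Device("tc-001", "10.10.5.7", "dr.smith", "clinician", "11.04.100"),
        Device("tc-002", "172.16.3.4", "dr.smith", "clinician", "11.04.100"),
        Device("tc-003", "203.0.113.9", "dr.smith", "clinician", "11.04.100"),
        Device("tc-004", "203.0.113.9", "vendor1", "contractor", "11.04.100"),
        Device("tc-005", "10.10.5.7", "dr.smith", "clinician", "10.01.000"),
    ):
        check_device_profile(dev)
        print(dev.device_id, classify_location(dev.ip),
              "LOCKED: " + dev.reason if dev.locked else sorted(allowed_actions(dev)))
```

The ordering matters: the profile check runs before the policy lookup, so a device with unapproved firmware is denied even when its user and location would otherwise permit the action, which is the behaviour the second practice describes.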

Manage Security at Your Network’s Endpoints For Best Control

Managing security at the endpoint, and controlling application and file access in the appropriate user context, is of paramount concern in the cyberattack era. Advanced endpoint management that controls limited-function devices operating as thin clients is a compelling option for public sector organizations that must balance the desire to provide a flexible, productive user experience with the need for effective, efficient control over the security of the organization and its data.

Note: This article first appeared in the Industry Insight section of Government Computer News on July 5, 2017.