By: Justin Venezia, Consulting Architect, VMware and Courtney Burry, Director of Product Marketing, VMware
Looking to support bring your own device (BYOD) within your company? You’re not alone. Today over 65% of organizations are exploring how to embrace BYOD. In fact, most customers I talk to have some sort of BYOD initiative in play, or at the very least on their to-do list for the year.
But tackling BYOD in a physical world can be tricky. How do you manage the influx of 2-3X the number of endpoints and images? How do you protect company networks, data and IP, especially when only 20% of end users run any kind of anti-virus software on their endpoints and less than half of employee-owned devices are encrypted? And how do you do all of this without blowing your budget sky high? We’ve all heard the stories about companies seeing their costs go up, not down, when they support BYOD with physical devices and infrastructure.
For customers like Foley & Lardner and COLT, desktop virtualization has helped address these concerns and put them on the road to securely and cost-effectively supporting BYOD. However, even these customers will tell you that when it comes to BYOD and VDI there are some best practices to adhere to, especially around security. Here are a few to consider:
- Network Access – Customers with a BYOD program need to secure not only the data, but also the path from the device to the desktop and the data. Work with your security team to develop an access strategy that allows only the necessary traffic from unmanaged BYOD endpoints into your data center. In the case of VDI, that is the PCoIP and HTTPS traffic between the endpoint and the desktop or Security Server. One way to enforce access-level security is a dedicated, authenticated BYOD network: users who are authorized and enrolled in the BYOD program authenticate to that network, and the network provides ONLY VDI access to the data center. Since the security posture of a BYOD endpoint cannot be effectively assessed or guaranteed (the user OWNS the device), placing BYOD devices on the trusted network opens the door to a myriad of security concerns and exposes critical resources to a potentially unsecured endpoint.
- Clipboard & Printing capabilities – Another item to consider is the movement of data into and out of the virtual desktop session. One such channel is the clipboard, which provides a way to move data between the endpoint and the virtual desktop. Cut/copy/paste features should be discussed with your IT security group, and in most cases they are disabled; View has built-in controls to manage clipboard access through GPOs if granular control of the clipboard is needed. Another channel is printing: whether users may print sensitive documents to a printer directly attached to the endpoint needs to be considered. This is one of the more challenging aspects of BYOD from a planning and security perspective. Business units may need to print to locally attached printers, while IT security may not allow users to print data anywhere except network printers. Again, consult your business units and IT security team to determine the best approach based on your requirements.
- USB Mass Storage Device Support – Similar to printing, USB device support also provides a mechanism to move data between BYOD devices and virtual desktops or other assets within the corporate data center. Having a mechanism and a corporate policy for USB mass storage devices is important. If data transfer is required, customers should look into additional auditing and compliance mechanisms, such as data loss prevention (DLP) tools, to ensure sensitive data stays within the boundary. However, these tools consume a noticeable amount of additional compute resources in the VDI session, so customers should plan their implementations carefully, taking into account the impact of DLP and of data movement between endpoints and virtual desktops.
- Defense in Depth – In addition to controlling traffic coming into the network, it is equally important to control access to the resources that BYOD and other VDI users reach from within their virtual desktops. Typical implementations give the virtual desktop unrestricted network access to other resources on the corporate network, so a fault in one layer of security (e.g. an improperly configured perimeter firewall or endpoint/device analysis) could expose the corporate network to a system vulnerability or zero-day exploit. Securing the VDI session itself adds a further layer of protection against these types of vulnerabilities. vCloud Networking and Security (vCNS) provides VM/vNIC-level protection with the flexibility to manage security needs while providing sound auditing and compliance mechanisms. It is also very easy with vCNS to control and fully prevent traffic between VDI desktops, which limits the spread of malware and the ability of attackers to pivot once they have compromised an individual VDI session.
- Device Compliance – With some BYOD technologies, customers may be required to enforce specific endpoint standards, such as RAM, CPU and/or anti-virus protection. In some cases this requires a deeper level of inspection, typically provided by endpoint analysis technologies. With BYOD this topic becomes more sensitive, since the company no longer controls the asset, but it is equally important to mitigate any risks introduced by an unmanaged, potentially insecure and contaminated endpoint. Customers should evaluate and determine their requirements for endpoint inspection; if they choose not to do endpoint inspection, network traffic and peripheral access should be strictly controlled and monitored.
- Acceptable Use Policy – Customers should also remind users that even with BYOD, they are still responsible for complying with the company’s acceptable use policy. Although the device may not belong to the company, the other assets and services used by the BYOD user are still the property of the company. It is important to ensure that users connecting to or using any corporate asset, even a public network or “dirty VLAN” used for BYOD access, understand and accept the terms and conditions of acceptable use, by presenting them a disclaimer or legal notice when they connect to company IT services.
- Authentication & Auditing – One key element of BYOD is ensuring the user is who they say they are, and monitoring and tracking which network(s) their BYOD devices connect to and how they access and use applications. Auditing mechanisms should include methods to capture client information (Device ID, IP address, etc.); these mechanisms typically move from the traditional corporate-owned endpoint into the VDI session, or rely on other mechanisms.
- Supported Devices & Features/Functionality – Most customers with BYOD provide a set of minimum requirements and/or an authorized list of devices that can be used in the BYOD program. This helps with end-user supportability and operational issues, and keeps communication about VDI features and functionality crisp and clear. The take-home point is that the end user, as well as the company, knows exactly what to expect and which services can and cannot be delivered.
- End User Support – Customers choosing a BYOD model should also formulate a strategy and support statement around what level of support they will provide for user-owned devices. This is a paradigm shift from supporting corporate devices today: since the user owns the device, the ability to service the asset becomes a privilege and is no longer a right. For example, an issue caused by the end user may directly or indirectly impact the user’s virtual desktop performance or experience; as a support organization, you will need to know where the line is drawn around how much you will help, what you can support, and so on. In the case of hardware failures, the ease of moving the user to another device is a huge benefit, but the burden of repair is now on the end user. At times this can be an unexpected expense; some customers with a BYOD program also require their BYOD users to maintain a support contract, in some cases for up to 3 years.
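The Network Access and Defense in Depth items above describe two network controls: a BYOD network that may reach only the View Security Server over PCoIP and HTTPS, and VDI desktops that may not talk to each other. The following Python is an added example, not code from the post or from VMware, that models those two rules and runs them over constructed flow records, the kind of check a security team can use to review a proposed policy or to audit firewall logs. The address ranges, the Security Server address and the flow records are all constructed; the ports (TCP 443 for HTTPS, TCP/UDP 4172 for PCoIP) are the standard View ones, but confirm them against your own deployment.

```python
"""Policy check for BYOD ingress and desktop-to-desktop isolation.

Assumed values (constructed for this example): the BYOD VLAN, the VDI pool
range and the Security Server address below are not from any real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

BYOD_NET = ip_network("10.200.0.0/16")       # assumed: authenticated BYOD VLAN
VDI_POOL = ip_network("10.50.0.0/16")        # assumed: virtual desktop pool
SECURITY_SERVER = ip_address("10.10.1.20")   # assumed: View Security Server

# Protocol/port pairs the BYOD network may send toward the Security Server:
# HTTPS for the broker and PCoIP for the display protocol.
VDI_ACCESS = {("tcp", 443), ("tcp", 4172), ("udp", 4172)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason). Rules are checked in order; first match wins."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    key = (flow.proto.lower(), flow.dport)

    # Rule 1: BYOD endpoints get VDI access only, nothing else in the data center.
    if src in BYOD_NET:
        if dst == SECURITY_SERVER and key in VDI_ACCESS:
            return "allow", "byod-to-security-server"
        return "deny", "byod-non-vdi-traffic"

    # Rule 2: desktop-to-desktop traffic is blocked to limit malware spread
    # and pivoting from a compromised session.
    if src in VDI_POOL and dst in VDI_POOL:
        return "deny", "desktop-to-desktop"

    # Everything else falls through to the rest of the policy; this example
    # treats it as allowed but still worth logging.
    return "allow", "default"


def denied(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Evaluate every flow and return only the denied ones for review."""
    out = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            out.append((f, reason))
    return out


# Constructed sample flows: two legitimate VDI connections, two BYOD attempts
# to reach other services, one desktop-to-desktop attempt, one normal access.
SAMPLE_FLOWS = [
    Flow("10.200.4.7", "10.10.1.20", "tcp", 443),    # BYOD -> Security Server HTTPS
    Flow("10.200.4.7", "10.10.1.20", "udp", 4172),   # BYOD -> Security Server PCoIP
    Flow("10.200.4.7", "10.10.5.5", "tcp", 445),     # BYOD -> file server SMB
    Flow("10.200.4.7", "10.10.1.20", "tcp", 3389),   # BYOD -> Security Server RDP
    Flow("10.50.3.11", "10.50.3.12", "tcp", 445),    # desktop -> desktop
    Flow("10.50.3.11", "10.10.5.5", "tcp", 445),     # desktop -> file server
]

if __name__ == "__main__":
    for flow, reason in denied(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

The order of the rules matters: a BYOD source is judged first, so a BYOD endpoint can never reach a desktop directly even though the desktop pool is not covered by the isolation rule in that direction. Running `denied()` over exported firewall or vCNS flow logs, rather than over the constructed list, turns the same function into a quick audit of whether the deployed policy matches the intended one.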
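The Authentication & Auditing item above recommends capturing client information (Device ID, IP address and so on) from inside the VDI session. As an added example, not code from the post or from VMware, the Python below builds a per-session audit record from the ViewClient_* variables that the View Agent sets in the desktop's environment (confirm the exact variable set against the agent version you deploy), classifies whether the client came from the BYOD network, and flags sessions that cannot be tied to a device. The BYOD address range and the sample variable values are constructed; `capture_current_session()` is the only part that reads the real environment and is meant to run from a logon script inside the virtual desktop.

```python
"""Per-session audit record from the View Agent's ViewClient_* variables.

Assumed: the BYOD VLAN range and the sample environments are constructed for
this example; the ViewClient_* names are the agent's session variables.
"""
import json
import os
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict

BYOD_NET = ip_network("10.200.0.0/16")   # assumed: authenticated BYOD VLAN

# Session variables worth capturing. The MAC address serves as the Device ID
# and the IP address ties the session to a network; the rest give context.
FIELDS = {
    "ViewClient_MAC_Address": "device_id",
    "ViewClient_IP_Address": "client_ip",
    "ViewClient_Machine_Name": "client_name",
    "ViewClient_Type": "client_type",
    "ViewClient_LoggedOn_Username": "user",
    "ViewClient_Broker_DNS_Name": "broker",
}


def build_record(env: Dict[str, str]) -> Dict[str, object]:
    """Extract client fields, classify the source network and flag gaps."""
    record: Dict[str, object] = {dst: env.get(src) for src, dst in FIELDS.items()}
    record["captured_at"] = datetime.now(timezone.utc).isoformat()
    # Fields the client did not present; a gap here is itself audit-worthy.
    record["missing"] = [k for k, v in record.items() if v is None]

    try:
        on_byod = ip_address(record["client_ip"]) in BYOD_NET
        record["source_network"] = "byod" if on_byod else "corporate"
    except (ValueError, TypeError):
        # Missing or malformed address: cannot place the client on any network.
        record["source_network"] = "unknown"

    # A session from the BYOD network with no device identifier cannot be
    # matched to an enrolled device, which is the case the policy wants seen.
    record["needs_review"] = record["source_network"] == "unknown" or (
        record["source_network"] == "byod" and not record["device_id"]
    )
    return record


def capture_current_session() -> str:
    """Build the record from the real session environment and serialize it
    as one JSON line, ready to be shipped to a log collector or SIEM."""
    return json.dumps(build_record(dict(os.environ)))


# Constructed sample: a BYOD client that presented every field...
SAMPLE_OK = {
    "ViewClient_MAC_Address": "00-50-56-AB-CD-EF",
    "ViewClient_IP_Address": "10.200.4.7",
    "ViewClient_Machine_Name": "jsmith-laptop",
    "ViewClient_Type": "Windows",
    "ViewClient_LoggedOn_Username": "jsmith",
    "ViewClient_Broker_DNS_Name": "view.example.com",
}
# ...and one from the BYOD network that supplied no device identifier.
SAMPLE_NO_ID = {k: v for k, v in SAMPLE_OK.items() if k != "ViewClient_MAC_Address"}

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_NO_ID):
        print(json.dumps(build_record(sample), indent=2))
```

Because the record is built from the session's own environment rather than from the endpoint, it is captured the same way for every client type, which is the point of moving auditing into the VDI session for devices the company does not manage.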
For more information on how desktop virtualization can help you tackle BYOD, be sure to check out the VMware Mobile Secure Desktop solution.
Additional Resources:
- Mobile Secure Desktop Whiteboard Video
- Mobile Secure Desktop Design Guide
- Mobile Secure Desktop Bootcamp Series (covers design considerations and best practices in depth)