Using Virtualization To Enhance Security, Save On Infrastructure
Gone are the days when employees joined the organizations with lifetime commitment. There are competing priorities including family considerations, children’s education, job of the spouse etc. in addition to age old considerations of better salary, better career prospects and so on, compelling them to look out for a change. Moreover, workforce has become mobile and people prefer to work from wherever they are rather than adhering to strict physical attendance within office premise.
This is suiting well to the organizations also and they have geared up to deal with this dual challenge of enabling global work access and ever volatile workforce. Application security, data security, information security, network security etc. have become much more relevant than these were there a decade back. Firewalls, IDS, IPS etc. have been there to ensure that no unauthorized person is able to intrude the network and reasonable application design considerations were made to avoid DDoS attacks, SQL injections etc. Techniques like threat modeling have been used for more than a decade to simulate the behavior of potential threats and strengthen the security posture accordingly.
The problem domain has now significantly changed from external threats to internal threats. Incidents of employees privy to sensitive information compromising the data security and integrity are increasing. Attrition is a big potential threat to transport sensitive information to the competition. People prefer to use their own devices rather than the laptops and blackberries given by the employers. It ensures continuity of work from wherever they are and also enables smooth transition from one organization to another. Many people work part-time for many organizations and it is not practical to keep multiple laptops.
Technology has found the answers to all these problems in a single stroke. Bring Your Own device (BYOD), Virtual Private Network (VPN), Single Sign-on (SSO), Virtual Desktop Infrastructure (VDI) etc. have all come to a fusion to enable users to use their own devices and enable organizations to strictly guard their data and information.
The moment an employee (or a contractor) is given access to a set of applications, a user profile is created in the domain. Once a device is trying to connect to a network, it is required to be registered and associated with a user profile. A container called virtual workspace is created inside the device. This workspace uses only physical resources of the device to carry on the work. Everything involved in transactions is stored inside a server residing in the captive data centre or on cloud. Once inside this container, the user cannot go out of this container until he/she dis-associates from the virtual workspace (container) allocated for the business being transacted by the employee having access of the information resources of the organization. From inside this container, the only freedom of navigation is as per strictly defined by the job role. No information sharing from outside to inside or inside to outside is possible. Nothing is saved in local storage of the device. Once the user leaves the container, everything is automatically wiped out from the device and the full context is saved in the VDI server. Next time, user may use a different device, register it into the network and continue the work from where it was left in the previous session.
My advice to the CIOs would be to look into the problem (rather opportunity) of virtualization and security in a holistic manner. These two appear to be on the opposite side of the spectrum whereas; the reality is that both go hand in hand. The security should not be considered as additional layer of torturous access controls on every gateway. Rather it should be ingrained in the fundamentals of the Infrastructure and Application Architecture. CIOs must look for integrated products that cater to the needs to Virtual Desktops, BYOD and Information Security in one single integrated technology solution.