Separation anxiety

Virtual desktops can take the risk out of losing mobile devices.
1 November 2011
photo: Suzanne Gell
Luis Lourenco, UCS Solutions, says if bandwidth is a problem, one can continue working on an on-device, encrypted copy of a virtual desktop.

Business managers tend to travel a lot and need mobile access to strategic information. Consequently, their mobile devices are potential leaks of commercially valuable information. Said devices are also at risk of being lost or damaged in a whirl of transport, hotels and events. This leaves the exec and the company with two problems.

Firstly, how to get the traveller, far away from the office, ready for meetings and presentations planned in advance. The other problem is just as niggly – making the lost device a useless brick, rather than a treasure trove, to whoever finds it. Companies are finding new ways to address these problems, some of which enable IT departments to reclaim control of company information.

If a travelling executive loses a mobile device, whether a notebook or tablet, the first factor determining how painful the loss will be is bandwidth. If the device was lost in a bandwidth-rich area, he should be operational again fairly quickly. If his company’s IT department had set up the lost device beforehand with a remote virtual desktop client (VMware, Citrix or Microsoft), his documents won’t have been stored on the device, but centrally on the company server.

Generally, it should then be a matter of going to the nearest retailer to replace the device, phoning the IT department to allow it onto the company network, and downloading some software. However, enterprise settings can be quite strict about allowing new devices, and authenticating a new MAC address could also require some extra work, says Eugene van der Merwe at UCS Solutions’ Infrastructure Division.

In Africa, we are not surrounded by high-speed bandwidth yet, so once you leave big cities behind, bandwidth availability can frustrate anyone using a company-issue virtual desktop. There is a way around glacial response times, or lack of wireless signal, however. “With the VMware View remote desktop client, it is possible to ‘check out’ an encrypted copy of a virtual desktop and all its documents, work on it offline and check it back in later,” says Luis Lourenco, at UCS Solutions’ Infrastructure Division.

Burn, silicon, burn

Another virtual desktop option tosses dependency on specific mobile computing devices out of travelling plans altogether. The entire virtual desktop operating environment with a secure browser, as well as sensitive documents and connectivity back to the office, reside on a souped-up, encrypted USB stick instead.

None of the information on the stick ever ‘touches’ the device the stick is put into. It is safe to go to an internet cafe, boot the computer off the stick into its own secure operating system, edit a sales presentation and connect back to the office. No trace of company information will be left on the computer, says Jan de Lange, MD at Westcon Security Biodata. Presenting strategic slides in a room without reliable internet access is no problem, since no connection to the company server is needed, and all the financial and sales information is encrypted.

When an exec loses this type of USB stick, 256-bit hardware encryption ensures the information is useless to the person who finds it. But he still needs to call IT to disable its serial number at the central company IronKey Enterprise console. Then, when someone puts the stick into a computing device, and that device connects to the internet, the stick talks to either a cloud or company server, finds out it’s been disabled, and promptly deletes its information. If someone forces open the stick’s innards to lift information from the memory chips, explains De Lange, “it will self-destruct physically, sending a small electrical current to burn out the chips.”

Device, who art thou?

However, James Bond-style tactics won’t help if a user downloads documents from the stick’s virtual desktop to his notebook computer, or other devices that are not encrypted. An option with conventional remote virtual desktop clients is centrally locking a device’s USB ports when the user logs in.

Mobile devices used to access virtual desktops are not fully controlled by companies’ IT departments, says Dave Funnel, sales manager at RSA.

“You can’t guarantee encryption on the device, the right level of anti-virus, or host-based IPS,” he says.

This is the ‘internet banking’ scenario: uncontrolled, unknown mobile consumer devices, confidential information to be protected, and users who don’t appreciate constant security frustrations. Risk-based authentication, which addresses this, was developed for internet banking.

When risk-based authentication is in place, the user has to jump through more authentication hoops when there is something out of the ordinary, or risky, about the log-in attempt. If a combination of parameters, such as device, operating system, browser version, and time zone is unusual for that user log-in, the system can automatically require another authentication step – a PIN sent to the user’s cellphone, for example.
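As an added illustration, not taken from the article or from any vendor’s product, here is a minimal risk-based authentication decision in Python: it keeps a per-user history of the attributes the article lists (device, operating system, browser, time zone), scores a log-in attempt by the weight of attributes the user has never used before, and demands a step-up (such as a PIN sent to the user’s cellphone) when the score crosses a threshold. The weights, threshold and sample log-ins are constructed for the example.

```python
"""Risk-based authentication: step up when a log-in looks unusual for this user."""
from collections import Counter
from dataclasses import dataclass, field

# Attributes named in the article; the weights and threshold are constructed.
WEIGHTS = {"device": 3, "os": 1, "browser": 1, "timezone": 2}
STEP_UP_THRESHOLD = 3


@dataclass
class UserProfile:
    # Per-attribute counts of values seen in earlier successful log-ins.
    seen: dict = field(default_factory=lambda: {k: Counter() for k in WEIGHTS})
    logins: int = 0

    def record(self, attempt):
        """Learn from a log-in that completed successfully (incl. after step-up)."""
        for k in WEIGHTS:
            self.seen[k][attempt[k]] += 1
        self.logins += 1


def risk_score(profile, attempt):
    """Sum of weights of attributes whose value this user has never used.
    A user with no history scores the maximum, so first log-ins always step up."""
    if profile.logins == 0:
        return sum(WEIGHTS.values())
    return sum(w for k, w in WEIGHTS.items() if profile.seen[k][attempt[k]] == 0)


def decide(profile, attempt):
    """Return 'allow' or 'step_up' (e.g. send a one-time PIN to the cellphone)."""
    return "step_up" if risk_score(profile, attempt) >= STEP_UP_THRESHOLD else "allow"


def demo():
    """Constructed history: an exec who always logs in from one notebook."""
    profile = UserProfile()
    usual = {"device": "nb-1234", "os": "Windows 7", "browser": "IE9", "timezone": "UTC+2"}
    for _ in range(20):
        profile.record(usual)
    results = {"usual": decide(profile, usual)}
    # A new browser alone is minor drift: score 1, no step-up.
    results["new_browser"] = decide(profile, {**usual, "browser": "Firefox 7"})
    # Replacement notebook bought abroad after a loss: device + time zone unknown.
    replacement = {**usual, "device": "nb-9999", "timezone": "UTC+0"}
    results["replacement_device"] = decide(profile, replacement)
    # Once the PIN step succeeds, the new device becomes familiar.
    profile.record(replacement)
    results["replacement_after_step_up"] = decide(profile, replacement)
    return results
```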

Despite less influence over users and devices, a company can gain better overall control of its information. Where a company implements virtual desktops, the IT department now knows where sensitive information is centrally stored, argues Funnel.

“Then you take control of what you give to the user,” he continues. “I think there will be a big uptake in virtual desktop solutions, not because they are cheaper, but because it gives control back to the corporate entity, in delivering a consistent workplace to devices over which IT has no control.”

Managers travelling in Africa have to contend with widespread bandwidth drought outside their office or home environments, but virtual desktops open up attractive options for securing mobile devices.