Built-in encryption makes removable USB-based desktop images intrinsically more secure against loss or compromise than conventional desktops, but a virtual-desktop expert warns that companies must still look to two-factor authentication and innovations such as biometrics to ensure security is easy enough that employees won’t circumvent it.
The issue of employee participation in security initiatives has come to the fore as a growing number of companies embrace mobile desktops using capabilities such as Windows 8’s Windows To Go, which stores an entire Windows desktop image on a removable USB drive.
Those drives are winning popularity in some environments as a totally portable way for employees to take their desktops into the field. However, without appropriate controls, that approach decentralises corporate data and desktops, and every lost or stolen drive becomes an attractive target for attackers.
As a result, Imation Mobile Security chief architect Larry Hamid told CSO Australia, it’s incumbent upon CSOs and CIOs to ensure that mobile employees are given a mobile desktop that can be protected even away from the controls of the network.
“When you’re bringing your laptop into work, you’ve got all the controls that the organisation puts in place around you,” he explained.
“In that situation your desktop can be like any other desktop you’ve had issued to you. But with travellers heading around the globe, they don’t have the corporate network to protect them. They’re completely on their own. That’s why these products need to be fully integrated with company workflows: it’s a desktop, and needs to be managed as a desktop.”
As a precautionary measure, he added, desktop images should be locked down to restrict which applications are allowed to run on them and what types of data can be stored on them.
On-board encryption, as found in a new breed of USB drives such as Imation’s IronKey range, which encrypt stored data with keys unlocked by a password or biometric, offers an additional layer of protection. Because the key material and the password check stay inside the drive’s hardware rather than in a file an attacker can copy, whoever picks up a lost drive cannot lift the encrypted contents off it and run an unlimited offline brute-force attack against the password.
“With a hardware device,” Hamid said, “you only have so many times to try a password before it locks up, and there’s nothing you can do to the device when it locks up.”
Yet while hardware security may be improving, users are still focused more on productivity than on security, and when the two clash, productivity tends to win. This leaves mobile data and desktops exposed, because users will look for ways to simplify their day-to-day work, for example by storing data in unmanaged cloud services rather than on heavily controlled virtual desktops.
“As we talk to customers, we’re starting to see that there are all kinds of interesting nuances within these use cases that we never even knew about,” Hamid said.
“You can stop them copying data onto USB devices or storing data in the cloud, but the more you do this the less productive everybody is because you’re cutting off things that make your work easier and more efficient.”
That’s why users always need to be kept on board as companies explore new security paradigms, such as virtual desktops.
“The best security is still to have an educated user,” Hamid warned. “If your employee knows why certain measures are being followed, they’re going to be more likely to follow them. If anything is a burden, or you make the security more difficult for the user, they’re likely to resist it and go around it. It’s not so much that they don’t care; it’s just that they’re going to take the risk.”