App controls are turning workspace-as-a-service into a BYOD security enabler

Companies may have been delivering work desktops to remote users over the Internet for many years, but many organisations are only now discovering how effectively remote-desktop technology can be leveraged to improve the overall security of the new workspace as a service (WaaS) paradigm.

That paradigm was already showing strong growth as a way of enabling workers to access their work desktops from home – but with tablets and smartphones now commonly used for remote access as part of bring your own device (BYOD) strategies, that growth has accelerated even further. Today's employees have become accustomed to accessing their workspaces from wherever they happen to be, on whatever device they are sitting in front of.

Yet while this capability offers unparalleled flexibility for employees, it's also creating new challenges for IT and security managers, who are being charged with establishing and maintaining effective security protections on workspaces that are inherently less contained and predictable than they were in the past.

Indeed, today's workspaces are frequently as much assemblages of software-as-a-service (SaaS) Web apps as they are a projection of a remotely-hosted Windows desktop and Windows applications. The new WaaS paradigm “provides added service opportunity in terms of not only delivering desktops and Windows applications, but in delivering a complete workspace,” explains David Nicol, ANZ director of Workspace Services with Citrix.

“We can give users a simple way to access Windows applications, SaaS applications, and native iOS or Android applications, to remain productive wherever they are,” he continues. Data, once stored safely back in the corporate data centre, might instead reside in any number of online cloud-storage sites – outside of the control of corporate IT staff. “That then presents additional security challenges,” Nicol says.

Secure file sync and sharing technology, like Citrix ShareFile, is therefore also an integral part of the WaaS proposition.

Security through control

Because of the number of elements that might be contained in any particular workspace, organisations implementing WaaS environments need to consider how they can be locked down to ensure that corporate data isn't simply lost to the world after being freed from the protections of the corporate network.

One highly effective answer, Nicol says, has been to leverage the granular application controls built into a platform like Citrix XenMobile and NetScaler. Using this approach, users can be given access to remote desktops and applications on any device, but IT administrators can block or limit the functionality in specific scenarios to prevent BYOD from compromising corporate security controls. Those controls can not only specify the types of behaviours that users can undertake in each app – for example, preventing users from printing or copying data from a particular app – but can also relate to characteristics of the user's connection.

This means, for example, that a particular app can be blocked if the user is accessing it through a Wi-Fi network other than the one at a particular branch office. Printing can be limited to devices on the office network to ensure that all hard copies of sensitive documents can be tracked. And access to sensitive healthcare applications, for example, can be blocked if the user is physically outside of the hospital.

“We've taken what has been a strong heritage of security and application delivery,” Nicol explains, “to ensure that – as we expand to mobile device management, mobile application management and delivery of file and data services – we have the same security orientation to our workspace-as-a-service that includes all of those capabilities.”

A more secure architecture

WaaS architectures offer still other security benefits: for example, the ability for system administrators to apply security patches – a fact of life in every desktop and server computing environment – across every hosted desktop or application at the same time.

This capability addresses an ongoing problem in most corporate IT environments: the lack of compliance with what should be strict patching regimes that prevent compromise from newly discovered vulnerabilities.

Despite some signs of improvement, patching remains notoriously difficult, with even remediation of major bugs like 2014's Heartbleed vulnerability stalling after an initial burst of patching activity. Recent research suggests nearly 7038 new vulnerabilities were discovered in applications and operating systems during 2014 – including 1705 vulnerabilities marked as being of high severity.

With new vulnerabilities being discovered all the time, the threat to companies remains very real – especially with Microsoft set to discontinue patches and technical support for its popular Windows Server 2003 operating system in July.

Microsoft has argued that the need to upgrade to newer versions of Windows Server offers a great opportunity for organisations to commit some or all of their infrastructure to cloud services. This recommendation offers strong support for the WaaS vision and improves overall security by centralising what has often previously been dozens of physical servers, each at different levels of patching and security protection.

“There's a whole range of considerations where the customer needs to look at their security posture and the sensitivity of certain data and applications before making these choices,” Nicol says.

Small business, big improvements

Service providers, he adds, are uniquely positioned to add value to the WaaS proposition by facilitating the creation of consolidated or hosted server farms, seamlessly feeding hosted and secured workspaces to a variety of end-user devices.

This approach is particularly valuable to small and medium businesses (SMBs) that often lack IT teams large enough to drive such change themselves.

“Small businesses don't have the luxury of a CSO or dedicated security staff to design, implement and monitor policies across this range of applications and operating systems and devices,” Nicol says.

“Getting it delivered as a service from service providers that have the capabilities, understand the security policies and can agree with the customer what is the right security posture for them to take, is a strong value proposition.”

Yet for all its benefits to the administration of IT, WaaS can sometimes come up against the biggest obstacle of all: users themselves. Now empowered by the Internet, users are showing time and again that they won't hesitate to choose their own solution if corporate IT providers aren't offering one that they like.

The key to keeping control in such a situation, Nicol says, is to ensure that the WaaS environment is functionally appealing enough – balancing security with usability, for example – that users want to use it.

“If IT don't provide functionality that is equal or greater to what consumers can get in the consumer marketplace, they will use their own products,” Nicol says. “The key is to deliver this functionality in a way that is still controlled by IT policies.”
