Governments reaping security dividends from early action on virtual desktops

They may have originally embarked on thin-client rollouts for remote access, but government agencies' early acceptance of virtual desktops has proved prescient as security models are challenged by growing use of mobile devices and cloud services.

Those services are rapidly becoming part of the technology arsenal for government agencies of all types – particularly those requiring rapid setup of large numbers of computers, whether as a disaster recovery (DR) policy or to ensure business continuity in the event of natural disasters.

The Department of Human Services, for example, used thin-client technology to deliver services to staff using mobile and fixed devices – allowing them to rapidly deliver relief services to victims of Brisbane's recent destructive floods.

More recently, Citrix technology played an integral role in supporting the high-profile G20 Brisbane summit of world leaders. Technology partner Dimension Data, which commissioned a large-scale virtual-desktop environment from its Melbourne data centre, was able to deliver around 1000 simultaneous virtual sessions to users in Brisbane with strong performance and reliability.

That architecture was designed to be able to fail over to Dimension Data's Sydney data centre in the event of a problem, but the event went off so smoothly that the failover wasn't even necessary.

“Agencies will increasingly be able to move their workloads around,” says Mark Hazell, principal account manager for enterprise sales and manager of Citrix's government-focused Canberra branch.

“They can have some capacity on-premise, and some burst capacity in the cloud as well, because we can quickly provide a service from a trusted cloud provider. It provides them with a lot more surety around business continuity.”

Securing the new e-government

Yet business continuity is only one part of the virtual-desktop value proposition for government bodies, who are under increasing pressure to deliver online government services while preserving the integrity and security of often sensitive data about citizens.

The core technology behind virtual desktops has proven to be particularly useful on this count: with many government agencies already using virtual-desktop environments extensively, it has been relatively straightforward to extend this paradigm to mobile devices.

Workspaces can be seamlessly accessed from such devices, but the data cannot because it never actually leaves the server; rather, users interact with an image of the data. Copying, pasting, and other activities related to the data can be disabled to ensure that data interaction is limited.

“Containerisation of the workspace to a container on the phone keeps the data and applications safe,” Hazell explains, noting that this capability will soon be extended to emails – allowing material to be tagged with security classifications and its distribution limited based on those tags.

This capability will allow departments and agencies to restrict the movement of sensitive information through rules enforced by their back-end infrastructure. “Containerisation allows agencies to run the Internet, mail and other apps on the device by connecting back through the corporate infrastructure,” Hazell says.

“The real security component is around not having residual data left on the device, but categorisation means the data can be kept inside the department, minimising the data loss potential.”

This is essential in environments where all data must be strictly classified, such as the Department of Defence's DREAMS (Defence Remote Electronic Access and Mobility Services), a remote-access portal for Defence staff that was built on Citrix technology many years ago.

Much of the groundwork done for that project is what allows government agencies to use the technology in their environments today: to be used in the Defence environment, for example, Citrix Presentation Server technology had to be certified against the Common Criteria security standards required for any hardware or software to handle sensitive government information.

Citrix technology, including the NetScaler application delivery controller and Citrix Receiver client, remains on the government Evaluated Products List (EPL) to this day and Citrix XenMobile is currently undergoing certification.

A head start on new security mandates

Recent mandates by the new Digital Transformation Office (DTO) have strengthened the value of Common Criteria certification, since all government agencies will be required to comply with the 36-point Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) security guidelines in all new projects undertaken from September 2015.

Common Criteria certification addresses many of the requirements in these standards, helping government agencies rapidly ramp up their capabilities to ensure they are appropriately compliant.

“Having a secure pipeline allows us to provide corporate government applications anywhere and to any device,” says Hazell. “It was a real game-changer for us all those years ago, and since then it has evolved into helping government agencies look at virtual desktops both internally and externally.”

Ultimately, the seamless delivery of applications and entire workspaces to employee desktops is likely to empower the DTO's vision of online government in a broad range of ways – from use of local asset management applications by local-council field staff, to mobile tools used by state and federal governments at customer-facing physical service points.

Additional capabilities will tie access levels to variables, such as the physical location of the employees or the time of day they're accessing particular applications. Since access rules and access decisions are made and enforced at the server side, security can be maintained far more effectively than when trying to manage the flow of data onto devices and back again.

“Agencies are doing a lot of work inside to make sure their staff aren't seeing things they shouldn't be seeing,” Hazell says. “If you do the total cost of ownership figures right, you reduce cost, consolidate data, and improve security.”

“As granularity increases, you will get into the next layer of control. And, because so many government agencies have already bought their virtual-desktop licenses, they are already well down the path to that destination.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.
