
As a consultant working with clients, we always need to address security considerations for clients, their networks and data. Typically this might mean ensuring I could connect to the correct network through a VPN with the secure client software installed, and then working through a Citrix set-up for the tools we’re allowed to use.

Since the start of the pandemic, there seems to have been a marked shift towards issuing consultants with customer-provided laptops that have been configured and locked down. This means I can’t use the client laptop to connect to my employer’s network to interact with our own systems (which would make it easy to leverage our existing resources to support the customer), and conversely there is no trust or contractual position that might allow our company devices to connect to a VPN or ring-fenced part of the client’s network.

Interestingly, there seems to have been a drift away from the idea of BYOD (Bring Your Own Device), which may come from the fact that outside of smaller, very tech-savvy organizations, BYOD can be seen as challenging to support.

As this Google Trends report shows, over the last five years interest in BYOD has been generally trending downward, until the last couple of months. Not authoritative proof, but it hints that BYOD hasn’t accelerated as you might expect given remote working.

By supplying a laptop, the customer is making an effort to control intrusion and other security risks. But the problem is, now I have a device that I could easily take off-line and work to defeat the security setup, and the client would be none the wiser; or worse, it is another laptop that could ‘get lost’ or be ‘stolen’, with a greater chance of holding sensitive material. Every new device is without a doubt an elevated risk for the client and a cost to support (this of course is also an argument against BYOD).

From a more practical perspective, as I happen to support several clients, I have a number of laptops piled up on my home desk and end up wasting a lot of time switching between machines just to keep an eye on both internal and client events (particularly challenging for simple things like clashing meeting invites). Not to mention that unless you’re on a plane or train, you’re more than likely to be using (or at least wanting to use) one or more additional monitors, which you can’t take advantage of unless you shell out on an expensive KVM switch.

Aside from the human errors that can creep in trying to manage this (one organization will not even allow meeting invites to be forwarded between client and employer systems to keep diaries in sync), there is the issue of being a little more environmentally aware: multiple machines consuming power, idling for part of the day purely so a screen can be checked, and all the rare materials (toxic to manufacture and recover) used in creating each laptop. Then, of course, there are the security risks the device itself presents.

Is there a better answer?

I have been fortunate enough to work with security architects and CSOs (Chief Security Officers), not to mention having had to help develop solutions that can operate in sensitive environments. But I do not claim to be a security specialist. So if you know better, please comment and show me the flaws in my thinking.

I would argue that there is. The cost of virtual desktops (or Desktop as a Service, to be more in vogue) is really dropping, and Microsoft has made some significant progress in this space to further reduce costs. But the real benefits come from the control the client has. All client machines can be monitored at all times. On any concern about suspicious activity, the machine can be cut off, shut down remotely and further access denied. There are no physical devices to worry about being lost or compromised. Controls for data egress and ingress are comparable, if not better.

The question of securing the connection from a device needs to be considered, but this can be controlled. Consultancies will be providing their staff with secured devices, as we need to work with internal systems ranging from accounting and development of internal resources through to internal communication. Like the client, the company needs to protect the laptop. This means I need to connect to my employer’s services in a secure manner, and those services then connect to the client from a known origin (yes, IP addresses can be spoofed, but there are additional measures that can be applied).

This network route also means there is a greater stake held by the consultancy provider, as a failure there could more easily become grounds for cancelling a contract, rather than any breach being attributable only to an individual.

If the VDI is cloud provided, through either different providers or separate tenancies, there is segregation from other systems, again allowing further controls through segmentation.

Cost savings

The cost saving of this approach also means expenditure correlates directly with how many third-party staff are engaged. With the laptop approach, you need enough devices for peak demand, so if you’re not working at peak you have hardware sitting idle, still needing to be maintained and providing no return on the investment.

Likewise, consultants are not restricted in the value they can provide while waiting for a client laptop to be readied and shipped, or collected; the time comes down to provisioning access to the VDI environment. If the process takes a week, you could be wasting several thousand pounds or more per person in lost productivity. With the current chip shortages, procuring new hardware can be challenging, and may take longer than expected.

Greener: you’re not operating or paying for the compute power when it isn’t needed. When someone stops for the day, that virtual machine is stopped and the compute power is retasked, so the environmental impact of the materials used is offset against greater utilization. The hosting of VDI platforms will be subject to far greater pressures of environmental awareness, security and so on, meaning greater effort and economies of scale to control the impact.

What about those without a suitable device

The pandemic has obviously meant a change for those people who would normally only use a fixed workstation in a company office and now need mobile devices to enable remote working. As any horsepower needed is provided by the cloud, lower-end machines can be used. Chrome devices that don’t store anything locally and have a software footprint less vulnerable to attack present a cheaper, better option. You could go as far as providing people with a Stick PC or Raspberry Pi-like device that can be plugged into an employee’s screen, giving you the freedom to source a suitably sized screen rather than being bound by the limits of laptop dimensions.