You have covered your bases and protected your client devices – complex passwords, two-factor authentication, application whitelists, client firewalls and anti-malware. You have also taken measures to ensure that if a device is lost the data will not be compromised – encrypted hard drives, remote wipe capability, and encrypted VPN tunnels for information transfer. Now you are feeling pretty good about your client security posture. Of course, if you are not doing these things, then later I’ll have to write about why they are still important.
Now, let’s explore a very real scenario where all this security preparation will not and does not matter. While this scenario focuses on U.S. policy examples, it applies to governmental action in any part of the world.
Let me set the scene. You travel outside the United States, visiting a client or an international branch of your organization. Everything goes well; however, upon re-entering the United States, you are pulled into a room by Department of Homeland Security (DHS) personnel, who kindly ask you to “power on” your device and enter your password to decrypt the contents.
Oops. Complex passwords, two-factor authentication, encrypted contents: none of it matters, because you have just handed over the keys to the kingdom. Most people in this situation may be a bit nervous, but not overly worried, because they do not believe they have anything to hide. However, as recently reported by David Kravets of Wired Magazine (http://www.wired.com/threatlevel/2013/02/electronics-border-seizures/), the DHS Office of Civil Rights and Civil Liberties published a two-page executive summary of its findings regarding the DHS suspicion-less search-and-seizure policy pertaining to electronic devices.
The executive summary of this report included this statement: “We also conclude that imposing a requirement that officers have reasonable suspicion in order to conduct a border search of an electronic device would be operationally harmful without concomitant civil rights/civil liberties benefits.”
What does this mean?
Well, it means that regardless of what you have done or not done, the authorities can take your equipment. If they do so after you have given them access to the machine, they then have access to all of its data without a warrant, and you no longer have any control over it.
The article illustrates a real-world example of this in action. Mr. Abidor, a Ph.D. student, was held while DHS agents went through his computer – and what the article doesn’t point out is that Mr. Abidor had to file a lawsuit to get the computer back. DHS held it for over two weeks, though no charges were filed against Mr. Abidor, nor was any suspicion of wrongdoing alleged.
What is on your company laptops?
How much financial information, patented company information, personally identifiable information (PII), personal health information (PHI), credit card account information, and other sensitive data are you, your colleagues, or your employees carrying around? You may think that even in an extreme scenario like this, the data wouldn’t be compromised in a way that would hurt you or your company; after all, the Government has protocols and processes that should protect what it has seized.
Are you ready to bet your company on it?
Today, I know of no instances where a border-seized asset led to leaking of corporate data or a privacy breach. That doesn’t mean it has not happened, or that it will not happen. How do you protect against this scenario, or a similar one in another country, where you have even less recourse? I outline a few options below:
How about the Public Cloud?
Be careful about the what, where and how of your provider. International and national providers are inundated with requests for access to data hosted in their “cloud” by foreign governments, the U.S. federal government, and countless other local government entities. Of particular concern is that some companies, most visibly the major communications providers, have deals in place where they make millions of dollars by sharing your information with the government. How much do they really have vested in your privacy?
Even with the spotlight put on these programs in recent years, it appears the future will be even more “cloudy” in this regard. As an example, the recent ruling of the Sixth Circuit Court of Appeals in United States v. Skinner (http://www.ca6.uscourts.gov/opinions.pdf/12a0262p-06.pdf) held that police do not need a warrant to access the GPS data of individuals. This data is of course held by your telephone provider or navigation service provider. What type of doors will this open to other types of data you are storing in large national public clouds?
It is still possible to gain the efficiencies of a public cloud while avoiding the conflicts of interest of the big players. Look for an established local or regional partner that offers services comparable to the big players in availability and security, but without those entangling agreements that were not made in the best interest of your data.
What about a Private Cloud?
Clearly, there is more control here. You have the most control when you own not only the servers but also the location they are housed in. At least in this scenario any entity will need a legal warrant to retrieve data from servers in your private infrastructure. Many companies are jumping on the private cloud bandwagon. Companies with big data center experience, like EMC for example, are taking that knowledge to deliver reference architectures like VSPEX that blueprint a flexible and tested solution utilizing a host of technologies that can deliver on the private cloud promise. Microsoft, VMware, and even traditional network players like Cisco are offering private cloud solutions.
How do you access your data in the cloud?
Really there are two choices here, although the technology to deliver them will vary.
Encrypted VPN tunnels are the traditional method for gaining access back into a corporate network. These will work in this scenario as well, but they leave a lot of issues around where data will be saved, how working copies are managed, and what is kept on a personal device. You have a wide range of choices in how this is delivered – Microsoft DirectAccess, Citrix NetScaler Access Gateway, and a variety of Cisco solutions, just to name a few. The options in this space are nearly limitless, and chances are you already have one in place, even if it’s not in use.
The other option is to keep everything in the cloud, including the working environment, so there is literally nothing on the device. How is that done? Virtual Desktops.
Utilizing private cloud to deliver virtual desktops provides the best combination of usability and security. The environment is controlled completely by the organization, and no data is kept on the client device. Popular choices in this space are VMware View and Citrix XenDesktop. In addition to fully virtualized desktops, another popular option is to utilize virtual applications.
Virtual applications can be delivered like a desktop, and still benefit from saving data in the cloud. This can sometimes be easier for IT departments to deploy if they will not be able to standardize on specific desktops, and can actually be combined with virtual desktops for the most dynamic scenarios. Again, the options in this space are VMware with their Horizon Application Manager, along with Citrix and its flagship product XenApp.
In addition to the leaders, there are a multitude of startups in this space, as well as established companies that are trying to break into the market – and as such the quality and price run from free to astronomical, and everything in between.
Coming back to my initial story: during a border seizure event or similar incident, you can unlock a device and allow it to be browsed and searched without having to worry about exposing the data. If a device is lost, it can be replaced and you can get back to work immediately, because your working environment is separate from the piece of hardware you are carrying around. The device is simply a usability endpoint that acts as a stepping stone to the non-resident application execution and data storage environments.
There are many risks to your personal data, your company’s data, and a client’s data that we probably have not even thought of or experienced yet. The good news is that there are many technologies available to assist with mitigating these threats.
Over the last five years, virtual technologies have matured economically so that businesses of all sizes can take advantage of them. Indeed, even individuals can find solutions tailored to their budgets.
Virtualization can be a great platform for savings, but an even better one for protecting your data when deployed correctly.
South Carolina Farm Bureau Insurance Delivers a Better Desktop Experience to its Users
eGroup collaborates to replace SC Farm Bureau’s clunky and costly desktop PC environment with VMware View
MT. PLEASANT, S.C. – January 16, 2013 – eGroup, the Southeast’s leading provider of cloud, application and end-user computing services, today announced the South Carolina Farm Bureau Insurance Companies (SCFB Insurance) have successfully deployed their virtual desktop infrastructure (VDI) program across the enterprise, saving time and money.
Given the initial success of the project and positive feedback from the first 100 users, SCFB Insurance plans to roll out its VDI program to the remainder of the company’s user base in 2013.
Facing the prospect of having to refresh several hundred desktops at an estimated cost of $300,000, SCFB Insurance’s information technology (IT) department decided it was finally time to adopt a VDI strategy.
With the consultation of eGroup’s End-User Computing team, SCFB Insurance identified administrative personnel and QuickBooks™ users as a good target group to replace their clunky desktops with Dell Wyse P20s. The benefits were instantaneous, according to Dave Riberdy, Infrastructure Architect, SCFB Insurance.
“Our administrative personnel were severely burdened by 30 minute log in times to QuickBooks and chronic latency issues given the amount of staff using the application. Moving QuickBooks to the cloud and having staff access through View on their Wyse P20s improved log in times to mere minutes and significantly improved application performance,” commented Riberdy.
The IT department also experienced immediate productivity benefits. For example, using View they no longer had to audit each and every machine for software versioning, nor did they have to push Adobe Reader updates out individually to each machine. Riberdy now has a golden version of the desktop that can be delivered with a press of a button.
“We were fortunate we had a few idle servers and some extra SAN space to get the pilot off the ground. Once we did, management witnessed just how powerful VDI can be and the impressive time and cost results that are realized almost immediately,” said Riberdy. “We were thrilled to have eGroup support us. Given View’s complexity, we needed experts to get it up and running quickly and successfully. There really was no margin for error in the eyes of management.”
SCFB Insurance even captured non-tangible metrics over the course of the project, such as a 90 percent reduction in help desk calls related to specific desktop PC hardware issues, or time wasted removing harmful, non-business-related software from individuals’ machines.
“One of the key validations that our VDI strategy is working is that employees who have yet to be converted keep asking when we’ll get to them,” commented Riberdy. “What IT team doesn’t like happy, productive and content users?”
The next phase of SCFB Insurance’s VDI strategy involves its field agents. In the near future, agents will be able to use View on their iPads to access claims applications while consulting with a client.
Mike Carter, Principal, eGroup, said: “Working with SCFB Insurance on their VDI transformation has been a wonderful experience. Living and breathing technology all day long, we understand the impact that comes from the deployment of innovative end user computing strategies that guarantee a defined outcome. Many times, customer leadership does not recognize the immediate value of enabling technologies like this until it’s ‘in production’, which is why we’re thrilled to ensure the project’s success from pre-planning, to rollout, to end-user education, and ultimately in the hands of the users and being effectively utilized.”
To hear Dave Riberdy detail the project in depth, you can listen to this recent eGroup Roundtable Webinar.
In eGroup’s latest Roundtable Series, we sit down with Dave Riberdy, Infrastructure Architect, SC Farm Bureau Insurance Companies.
SC Farm Bureau VDI Keys to Success
If you’re considering desktop virtualization options for your enterprise and want to know how to do it successfully, we strongly recommend you listen to this eGroup Roundtable. Dave outlines the reasons why his team finally took the plunge with VMware View, how they secured funding, created a business case, addressed user change management issues, overcame technology challenges and, ultimately succeeded with the project.
In fact, it’s gone so well that the next phase will be to roll out to the field agents on their iPads. Dave explains.
So, go ahead and carve out 60 minutes for this Roundtable. You’ll be glad you did!
For those of you who haven’t seen my previous post on Quest Desktop Authority, you may not know that I am a huge fan of the product and how easily it centralizes management of the entire user environment.
It handles everything from patching, desktop and server policies, and customization to application deployment (I think the only thing they left out was the kitchen sink). My experiences with this product have always been positive, and the flexibility it gives you when making customizations was always a huge value add. But with end-user computing constantly changing the way we do work and Firefox becoming more and more pervasive, I was quite concerned that Desktop Authority might not be able to keep up.
I must confess – I was wrong.
Desktop Authority 9 was released in June and I’ve finally had the time to talk with our customers about their upgrade experiences as well as take it for a test drive myself.
Thus far, the feedback I have received has been extremely positive. The all-new user interface is now web based for ultimate access, but still gives you that familiar feel that old-school Desktop Authority users are accustomed to.
The Web UI wasn’t the only big change, of course. Below are a few of the more relevant ones I wanted to call out:
- Multiple editions to suit customer needs: Desktop Authority Standard Edition is the right choice for customers who need user environment management functionality to complement their existing management solution. Desktop Authority Essentials is ideal for basic user environment management or logon script replacement. Desktop Authority Professional is the right choice for companies with limited IT infrastructure. What does this mean? There is a heavy, a light and an in-between version for those who need a little extra or not quite as much, saving you valuable dollars should you only need a few of the features.
- A high-performance console customers can access from anywhere, using only a web browser: Installing a full Windows client just to change a setting or add a user is no longer required. The web console offers seamless support for dozens of concurrent administrators, allowing, for example, one admin to edit a single element while another moves the entire profile to another location. We live in a mobile world these days, so it’s important to be able to access the console from anywhere on any device, and what better way to do that than through the web?
- Virtual Desktop Infrastructure (VDI) support in Validation Logic: Customize configurations based on whether a user is on a physical machine, a Terminal Server, or a virtualized desktop. To me this is HUGE – it’s not all servers and physical desktops anymore! The VDI initiative is very popular (just ask John Flisher) and having the ability to customize your environment for VDI is a must!
- Internet browser management object with exclusive support for Mozilla Firefox: Administrators can configure the web browser home page, tabbed browser settings, privacy settings, restricted and approved sites and pop-up blocker settings for both Internet Explorer and Firefox (only Desktop Authority offers central configuration of Firefox). Finally! IE haters raise your hand… Okay, okay put them down, Desktop Authority now supports Firefox, go download the upgrade now!
- Updated settings for Windows 7 and Office 2010 to support common folder redirection for Windows 7 (Music, Videos, Contacts, etc.) as well as the new features in Office 2010: IT admins can easily make use of this functionality through Desktop Authority and quickly migrate users to these newer platforms. This one is pretty self-explanatory if you are using redirection now. If you are not, why!? Surely you hate roaming profiles as much as the next guy, so take advantage of this and let Desktop Authority ease your pain.
In my humble opinion, Desktop Authority is absolutely ready for prime time. That said, don’t just take my word for it. This is what one of our Healthcare customers had to say:
“I’ve been using ScriptLogic’s Desktop Authority at version 8.1 for a little over a year now. I was initially very impressed with the product, so much so that I recommended it to some of my former colleagues. My impression hasn’t changed; however, I did find a few shortcomings with the product that have now been rectified in version 9.0. Specifically, folder redirection on Windows 7 and Internet Explorer management have both been greatly improved from their previous limited states. I’m also excited about the introduction of validation logic for VDI and the ability to craft policies specifically for our VMware View desktops. Overall, Desktop Authority 9.0 is a tremendous product that would be a welcome addition to any IT administrator’s tool set.”