Cloud PC Security Archives - Workspot
https://www.workspot.com/blog-category/security/
Feed updated: Mon, 20 Sep 2021 18:48:21 +0000

3 Tough Questions CISOs Must Ask Cloud Desktop Vendors
https://www.workspot.com/blog/3-tough-questions-cisos-must-ask-cloud-desktop-vendors/
Fri, 01 Nov 2019
In a recent blog post, we discussed how adopting the right cloud desktop solution can help fulfill an enterprise organization’s Zero Trust security model. Although CIOs and CISOs have reached a greater comfort level with public clouds, the need to conduct broad and deep diligence when evaluating cloud desktop solutions is essential. Each vendor’s approach is architected differently, and architecture matters, especially when it comes to security.

In our discussions with CISOs and other security leaders, the same questions are posed to us again and again, so we have a good understanding of what CISOs care most about. Based on that understanding, we’ve crafted 3 tough cloud desktop security questions you must ask vendors as you evaluate the options for moving desktop workloads to the cloud, a move that is almost inevitable for enterprises because of the agility and flexibility it brings to enable growth. As attractive as that is, you have to make sure technology choices don’t expose your organization to increased risk. Rather than increase risk, a cloud desktop solution should augment your Zero Trust model. To achieve this, here’s what you need to find out.

Top 3 Cloud Desktop Security Questions for CISOs

Here are the top questions that every CISO should ask a cloud desktop vendor to understand the impact of a vendor’s architecture on your security posture:

1. Where is my Active Directory (AD) running?

What you need to know is where authentication is happening, and what that means for your security posture.

What if the vendor you’re evaluating told you that you must copy your AD to the cloud to work with their service?

Most CISOs tell us that moving AD to the cloud is not desirable for security and complexity reasons.  No one wants to touch AD if it is working. No one wants to add more complexity to AD by adding yet another domain controller in the cloud.

What if the vendor told you that their cloud service requires AD authentication to flow through their cloud service?  What if that vendor also told you that your AD is running in their cloud service?

Some “cloud” services are based on Windows servers installed in the cloud.  They require their Windows components, which are not under your control, to have access to your AD to complete authentication. To keep it simple, they may ask you to install a domain controller in their cloud to make it operationally easy to support their cloud service with your authentication. This means that your authentication credentials are outside of your control and passing through a cloud system that doesn’t belong to you.

If this is ok with you, proceed to the next question. If it’s not ok, it’s time to contact Workspot.

2. What systems are shared between customers?

This is a common question from CISOs for whom enterprise data and intellectual property (IP) protection is top of mind. If protecting IP is a top priority, you need to know whether a vendor’s architecture could expose your IP to outsiders. So to protect all of your enterprise data, you need to ensure that the cloud desktop solution won’t introduce compliance, security, governance and reputation risks. Architecture matters in security, so it’s critical to know that not all cloud desktop systems are architected the same.

If you are the CISO for Brand A, would it be ok for your IP to be stored in the same cloud tenant as your fiercest competitor, Brand B? Not too worried? Well, what if a Brand B employee clicked on an attachment that introduced a virus into brand B’s environment? Could your data be at risk too?

Generally, cloud desktop platforms are based on two architectural models: (1) combined data and management plane or (2) separate data and management planes. Here’s what that looks like:

By definition, when the data and cloud desktop management planes are combined, then customer data and authentication systems traverse the same system. The vendor will likely describe the policies that prevent accidental data leakage or unauthorized access. So, a trust model must be established with the vendor, including auditing the vendor for compliance.

In the second model, the management plane is shared, but the data layer, including the gateway, is completely isolated between customers. Data security risk is greatly reduced with this model. Workspot’s architecture separates the data and management planes.

We describe the importance of separating the data and management planes in another blog here.

3. Where does my data live? Who can see it? How is it protected?

The most common answers are TLS 1.2 in flight and AES 256-bit at rest. However, those are not complete answers, so you’re going to have to double click on this. Architecture also determines the risk of unauthorized viewing of data in flight and data at rest. Here are more good follow-up questions:

  1. Who manages the keys for data in flight and data at rest? Are the keys shared between customers? If one customer is attacked and keys are accessed, can the keys be used with my tenant?
  2. How do you prevent unauthorized access to Active Directory that would allow an attacker to reach my cloud desktops?
  3. Describe how an attacker who successfully accesses another customer’s systems is prevented from also entering my systems.
  4. Can I extend my corporate standard anti-virus, anti-malware and DLP processes into the cloud desktop service? Can I use my corporate standard MFA? Or do I need a completely separate security paradigm for your cloud desktop service?
  5. Can you (Vendor X) gain access to my data on my cloud desktops?

Getting clear answers to these questions enables you to fully understand the level of risk to your company’s security posture.

Workspot’s Answers to Cloud Desktop Security Questions

I can’t say it strongly enough: architecture matters for security. Workspot’s architecture design follows the Principle of Least Privilege (POLP). POLP is closely tied to Zero Trust policy, where no one is trusted, either inside or outside the organization. POLP allows people and processes to have only the bare minimum access needed to complete a task. That means that everyone, including the cloud desktop vendors you’re considering, needs to prove how they make your organization more secure. When you double click on Workspot, here are the answers to the 5 questions above:

  1. All customers are isolated. The keys are automatically managed by Azure key service per customer, so keys are not shared or auto-rotated, and no humans are involved. Customers can bring additional keys for an added layer of security.
  2. Active Directory is fully under your control. Workspot doesn’t have any access to it for security reasons.
  3. All customers are isolated. Attacks are localized to just a tenant. You don’t have to worry about your neighbor breaking down your fence.
  4. All Workspot customers bring their corporate standard AV, AM, DLP and MFA into Azure. There is no need to create a separate security process, which increases the risk of gaps.
  5. Workspot’s architecture leverages an independent security layer to prevent unauthorized access to your data.

Architecture matters for security. From the beginning, we designed our cloud desktop solution to separate the data and control planes. This was a crucial architecture decision that, among many other benefits, allows our solution to stand apart from any other when it comes to security.

Find out more about how Workspot addresses the toughest cloud desktop security questions.  Today, Fortune 500 companies with the most stringent IP protection and governance requirements trust their cloud desktops to Workspot. Schedule a demo so we can discuss your requirements!

Guilty Until Proven Innocent: How Cloud Desktops Further the Shift to Zero Trust
https://www.workspot.com/blog/cloud-desktops-zero-trust/
Thu, 26 Sep 2019
It’s not surprising that organizations of all sizes are rethinking approaches to information security. The statistics on cybercrime are stunning: Cybersecurity Ventures forecasts that cybercrime will cost the world more than $6 trillion annually by 2021. That was back in 2016, and by all accounts, their prediction is being proven out. Cybercrime, especially ransomware, is the fastest growing crime in the U.S., and the attacks are increasing in number, scope and sophistication.

The magnitude of the problem requires IT leaders to think completely differently about how they protect corporate apps and data. This is where the concept of “Zero Trust” applies, and it goes well beyond the old “protect-the-perimeter” way of thinking. In a world where people use multiple endpoints every day and are constantly on the move, the attack surface is far bigger than it has ever been. Sure, the perimeter needs to be protected, but even good employees go bad, or they do dumb things, like losing a laptop in the airport. A Zero Trust model essentially means that no one is trusted, either outside or inside the organization, until their identity is proven and the conditions under which they want to connect to corporate systems are known. At that point, just the right level of access can be granted for the user in a particular context.

Workspot and Zero Trust

Among the many benefits of cloud desktops – including less IT complexity and greater business agility – is the opportunity to improve the company’s information security posture. Achieving Zero Trust demands both process changes and smart technology choices. At this point, most CIOs believe that the major cloud providers can offer a stronger defense against security breaches than in-house IT teams can implement for on-premises infrastructure. While this confidence has opened the floodgates for moving workloads to the cloud, the security implications of doing so must still be carefully considered. As we help enterprises navigate the approaches to cloud desktops, one thing is very clear – cloud desktop solutions are not created equal, and understanding the nuances, especially when it comes to the underlying architecture, can have profound consequences on data security, the success of the cloud desktop project, and more importantly, the level of risk faced by the organization.

The following are the primary ways Workspot cloud desktops on Microsoft Azure strengthen information security and help protect your organization from cybercrime. Make sure you drill down on these topics with the vendors you evaluate!

Principle of Least Privilege (POLP)

Generally, POLP applies to processes and people. In our world, when we think of POLP, we are referring to how Workspot’s cloud-native architecture allows us to deploy cloud desktops, apps, and workstations in a way that protects PII and our customers’ data. It’s an architecture conversation, and it’s crucial that you have it with the VDI vendors you are evaluating. When we built our solution, we separated the control plane from the data plane. In practice, this means that once the user has been authenticated and the session established, the user accesses virtual resources directly from the cloud. Unlike other vendors’ solutions, our customers’ application data neither enters nor is ever stored in our control plane. It stays tucked away in the customer’s Azure instance. In the context of Zero Trust, trusting no one, either inside or outside the organization, includes the vendor running your virtual desktops! As we have said many times when it comes to cloud desktops, architecture is everything, so dive deeply into this topic so you know exactly where your data is.

Conditional Access

As we’ve said, we apply POLP to our architecture and how we deploy cloud desktops for our customers (that’s our secret sauce!). But what about people? How do you defend against bad actors and people who just make a mistake that results in a security compromise? At a high level, this is all about proving a user’s identity and then providing access based on the context of the user’s situation. What is the user’s role? What do they need to accomplish? Where are they located? What device are they using? What network are they on? Based on this context, IT can set and enforce policies around what actions the user can take. Given the context, should they have access at all? Should they be allowed to print? Or take a screenshot? Should an upload from this device be allowed? And more… Operating in a Zero Trust world means that everyone is guilty until proven innocent, and that requires a new way of thinking about information security.

Multi-factor Authentication (MFA)

As consumers, we see MFA being increasingly used as we access a variety of online services. It should be no different for businesses of all sizes because bad actors target large and small businesses alike. Anytime there is data and IP to protect, you need MFA. At a conference we recently attended, MFA was top of mind for a group of IT leaders. Workspot was built for enterprise deployments, and among other things, that means we integrate with the authentication systems you may already use or are evaluating. The majority of our customers use Azure AD, Azure MFA, Okta, Duo and/or PingID.

Better Visibility for IT

If IT teams can’t properly monitor what’s going on with users and desktops, it will be pretty tough to identify risk or an actual breach. Good visibility begins with a single pane of glass to monitor and manage all cloud desktops, workstations and apps globally. Additionally, Workspot’s solution is instrumented at all points, including the client (the user’s workspace), the gateways they traverse and their cloud desktops, so every time the user acts, data is collected about that interaction. A real-time events feed of all user activity gives IT an at-a-glance view of the state of the operation. Additionally, our Network Operations Center team has end-to-end visibility and can help identify any trouble spots, even those that go beyond Workspot’s solution, and can help recognize patterns that might spell risk.

Microsoft Azure Security

Keeping your corporate information safe is a joint effort between the customer, Workspot and Microsoft. In this age of heightened risk, with more frequent attacks that constantly evolve in their sophistication, it’s an all-hands-on-deck effort to secure information assets. Microsoft has invested billions of dollars into security, including the Azure platform. Workspot leverages the strength of those security investments by using Azure Security Center to gain deep visibility into all activities in a customer’s cloud desktop subscription, across Azure regions worldwide.

Take Action: “Only the Paranoid Survive”

Andy Grove, founder and former CEO of Intel, gave us these words of wisdom. Although he intended it as a business management strategy, it applies to information security as well. CIOs and CISOs cannot be complacent just because they’ve escaped being affected by a security breach thus far. The next attempt from a hacker to benefit by gaining access to your information assets is just around the corner, and a good dose of paranoia, if it compels you to take action that leads to a stronger security posture, is definitely a good thing. Workspot’s inherently secure cloud desktop architecture, combined with Microsoft Azure, is a powerful element of your Zero Trust initiative.

Ready to learn more? Schedule a demo and let’s explore your requirements.

The Secret Sauce of Cloud Desktop Security
https://www.workspot.com/blog/secret-sauce-cloud-pc-security/
Fri, 27 Jul 2018

When an organization considers moving their desktops to the cloud, data security becomes a primary concern. The prospect of relinquishing control of IT assets and possibly introducing risk to the business makes everyone pretty uncomfortable – to say the least. When it comes to virtual desktops in the cloud, the art is in balancing security and control on the one hand, with deployment speed, management simplicity, and cost containment on the other. At the end of the day, however, data security is paramount. When adopting cloud desktops, you essentially have two options, and there are trade-offs to consider:

Option A: DIY: Implement virtual desktops in the cloud on your own. You’ll have full control, but the deployment will take longer, be more difficult to maintain, and the related cloud compute costs can be wildly variable. Significantly, this option also comes with somewhat scary security trade-offs.

Option B: Turnkey Service: Workspot offers a turnkey service for deploying your virtual desktops and workstations in the cloud. We do it for you, so in that sense, you don’t have as much control (although we work side-by-side throughout the deployment process), but your deployment is faster, easier to manage, and you’ll have predictable costs each month. Plus you have complete control to add desktops, remove desktops, and otherwise manage your entire implementation through a single management console. And though it’s counterintuitive, you will get stronger security than any other cloud desktop provider. And that’s where the secret sauce comes in, but more on that later!

Philosophical & Practical Differences Around Security

When comparing virtual desktop solutions, it’s important that you really drill down on the vendor’s approach to security. Workspot has a multi-pronged approach that no other vendor can approximate. The first aspect of security stems from our cloud-native architecture. Unlike other vendors, we developed our cloud virtual desktop solution from the ground up. The Workspot Desktop Cloud architecture completely separates the configuration and provisioning control signals from the flow of data. Here’s what that looks like:

In a traditional VDI/DaaS solution, both data and control flow through the same paths – they are not separated as they are with Workspot. With these legacy solutions, the user has to connect to a broker to authenticate and the broker contacts a VM to provide the user with a virtual desktop. If the broker is managed by a 3rd party, that 3rd party can see all of the traffic flowing between the user and the virtual desktop. That is scary!

Workspot is different because of our architecture. When a user comes in from anywhere in the world from their laptop to connect to their virtual desktop, their data never traverses through the Workspot Cloud. Once the encrypted VMs are configured, users authenticate (via AD or MFA) and connect from any location (on-site or remote) to get a direct connection to their virtual desktops and resources; in other words, the client connects directly to the virtual Windows 10 desktop running in Azure, never through Workspot Control.

The second aspect of security is that we believe in the Principle of Least Privilege (PoLP). PoLP ensures the absolute minimum amount of access necessary to do the job. In this context, it’s about “access control”. Since there is no such thing as “fully secure”, what we can do is limit the plane of attack. See that tiny little white box on the left in the diagram below? That’s the plane of attack with Workspot. By following the PoLP and requiring the minimum access privileges to our customers’ corporate resources, Workspot has minimized the attack surface to that tiny little white box while also providing the customer with full access to their AD, networking, firewalls, OS, VMs/disks, data, and GPOs, along with the ability to control their own environment. In practice, this means that when we deploy your desktops in Microsoft Azure, we do it with the absolute minimum admin access. This access is limited to configuring, deploying and managing the Windows 10 desktop VMs. Because we handle this for you, you get fast deployment (a few days, usually) and reliability (we’re always monitoring, and we boast 99.95% uptime). All this WITHOUT having any ability to even peek into your VMs.

Conversely, see that big white box on the right side of the diagram? That’s all the other VDI/DaaS vendors; they can access your entire environment – the OS, disk, files, AD, data traffic. That’s a pretty big attack surface.

Workspot has no access to the customer’s corporate resources (left), whereas other VDI/DaaS providers have full visibility into these sensitive corporate resources.

When you talk to those other cloud VDI vendors, ask these important questions:

– How much access to my environment will you have?
– Where is my data?

The third aspect of security is top-secret! It’s our Secret Sauce. All you security experts reading this don’t expect us to reveal that in a blog do you? For that, we’ll need to talk!

Workspot Benefits

  • Deploy in days, in any Azure region in the world!
  • Robust enterprise security
  • Better-than PC performance
  • Flat rate subscription pricing
  • 99.95% Desktop Cloud uptime and availability

With Workspot Desktop Cloud on Azure, your IT team retains full control of all corporate assets and has the ability to define granular user access controls according to the use case.

Now, how about some secret sauce? Schedule a live demo and we’ll show you how it works!
