Using cloud to improve endpoint security


For most organisations the desktop remains essential for delivering applications and services to users. According to Gartner’s Market Guide for Enterprise Desktops and Notebooks 2018, PCs continue to be the primary devices that most businesses rely on for day-to-day operations, and business PC shipments grew by 3.3 per cent in 2017 after two consecutive years of decline.

Delivering and supporting those desktops takes up a large part of an organisation’s IT budget, so having the right strategy is crucial. Organisations have to consider two factors: how best to deliver applications to the desktop, and how to secure those desktops. Those who have not yet migrated to Windows 10 also need to plan for the end of support for Windows 7 in 2020, in other words how they are going to roll out the replacement. Desktop as a Service (DaaS) can help address both issues.

The move to decentralisation

In recent years we have seen a move to centralisation, using VDI to make implementation and management of an organisation’s desktop estate easier by streaming either individual applications or a dedicated desktop from the data centre to each user. However this requires considerable investment in in-house infrastructure, and it can be difficult to package legacy applications. By moving back to a decentralised model and providing managed end user devices to each employee through DaaS, users get the benefits of a desktop while their organisation no longer requires extensive in-house infrastructure. Costs are further reduced by the use of a subscription model for applications, rather than per user licensing.

What is less often discussed about DaaS are the security benefits it offers. User devices have long been seen as a vulnerable target, and the improved security DaaS offers can make it particularly attractive as a desktop strategy.

Maintaining endpoint security

First, with DaaS data is held on the cloud service and backed up centrally instead of on the endpoint device. Users can log in whenever and from wherever they want, removing the need to copy documents and data onto memory sticks in order to work on a different device. If a device is lost there should be little or no data on it to lose. And because DaaS is administered centrally, it is easier for administrators to manage each desktop.

DaaS is particularly helpful when establishing a ‘Zero Trust’ environment, in which nothing is trusted by default either inside or outside the organisation’s perimeter: no user, device, application or packet is trusted because of what it is or where it sits on or relative to the corporate network, and every request is authenticated and authorised on its own merits. A DaaS platform that has been verified and approved against these principles can have zero trust designed in from the outset, which limits the impact of any single compromised user or device.

There is still of course a risk that users will store documents locally. This can be addressed by Data Loss Prevention (DLP): maintaining a network-wide inventory of sensitive data and keeping visibility of its movement over the network, onto mobile devices and onto removable media. Cloud-based DLP tools can be added to DaaS to help organisations monitor, manage and back up their data. The organisation should also have appropriate security policies in place, explained to every employee and rigorously enforced.

Second, DaaS allows a consistent set of security controls to be applied across all devices. Centrally managed desktops can be patched and updated promptly, which is particularly valuable where some employees spend most of their time working remotely: there is no need to physically see the device in order to update it. The devices can also be hardened to reduce their exposure to malware and other attacks.

A further security benefit is that applications can be sandboxed from one another and from the underlying device, so that if one application on one device is compromised there is a much smaller risk of the problem spreading.

Some cloud providers can effectively split DaaS into two by separating application deployment from device management. This means that an organisation could choose cloud-based applications, taking advantage of lower costs and economies of scale, and use a separate supplier to manage its actual user devices by providing services such as patching, endpoint management and updates.

Cloud providers can also deliver security monitoring spanning both the services they deliver and other services, whether cloud-hosted or in-house. Such services correlate and prioritise events, report on the overall security of the environment, and identify unusual patterns of behaviour and flag them for investigation.

Identity management via the cloud

One of the security issues DaaS does not automatically address is identity and access management, which becomes a problem when users need to sign on to many different corporate systems, each with its own security requirements. The ideal solution is single sign-on (SSO), which reduces security and compliance risks while increasing productivity and reducing costs. Cloud offers a solution, as it can provide an authoritative source of identity to authenticate against almost all IT services available today. This enables single sign-on to all key corporate systems from any location.

Cloud identity and access management adds three benefits to DaaS. First, it improves application security by externalising authentication and authorisation from individual applications, web resources, web services and data stores to a central identity provider, so that those systems are not directly exposed to credential handling. Multi-factor authentication, such as hardware or software security tokens or challenge-response systems, can be enforced at that single point for extra security.

Second, having a single secure login standard, with access to all systems based on established policies and audited practices, removes insecure user practices such as reusing passwords across systems and ensures every system has a compliant level of authentication. By providing complete visibility into identity and access management and a formal audit trail, it also helps organisations achieve and maintain compliance.

Third, by providing user self-service for routine issues such as password resets, single sign-on increases productivity and reduces costs, freeing Service Desk staff to work on other issues.

Single sign-on does not absolve an organisation of responsibility for security and compliance. The organisation must ensure both at all times, which requires an authoritative source of digital identity that every web service it uses can rely on. Used properly, however, SSO offers significant security and productivity benefits, and building it on the standard SAML protocol reduces the cost of integrating each new application.
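The responsibility that remains with the organisation is concrete when SAML is the integration protocol: the service provider, not the cloud identity provider, has to validate what it receives. As an added example, not part of the article and not Fordway's code, the Python below performs the checks a service provider must still make on a SAML 2.0 assertion after its XML signature has been verified. The assertion, the issuer and the service-provider URLs are constructed for the demonstration; verifying the XML-DSig signature itself needs a dedicated library and is assumed to have been done, on the signed Assertion element, before validate_assertion is called.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (hypothetical identity provider and service provider).
# The ds:Signature element is omitted: it must be verified before these checks run.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a7f3" Version="2.0" IssueInstant="2018-06-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2018-06-01T10:05:00Z"
          Recipient="https://app.example.com/saml/acs" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2018-06-01T09:59:00Z" NotOnOrAfter="2018-06-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2018-06-01T09:59:50Z" SessionIndex="_s1"/>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses, e.g. 2018-06-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, *, trusted_issuer, audience, recipient, in_response_to,
                       now, seen_ids=None, clock_skew=timedelta(seconds=60)):
    """Relying-party checks that remain necessary after signature verification.

    Returns (subject_name_id, errors). The subject is returned only when there are
    no errors: any single failed check rejects the login. `seen_ids` is an optional
    set of consumed assertion IDs used to refuse a replayed assertion.
    """
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return None, ["document root is not a SAML 2.0 Assertion"]

    assertion_id = root.get("ID")
    if seen_ids is not None and assertion_id in seen_ids:
        errors.append("assertion ID already consumed (replay)")

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        errors.append(f"issuer {issuer!r} is not the configured identity provider")

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        errors.append("Conditions element missing")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now + clock_skew < parse_saml_time(not_before):
            errors.append("assertion is not yet valid")
        if not_on_or_after and now - clock_skew >= parse_saml_time(not_on_or_after):
            errors.append("assertion has expired")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:
            errors.append("assertion was not issued for this service provider (audience mismatch)")

    confirmation = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if confirmation is None:
        errors.append("SubjectConfirmationData missing")
    else:
        if confirmation.get("Recipient") != recipient:
            errors.append("Recipient does not match our assertion consumer URL")
        if confirmation.get("InResponseTo") != in_response_to:
            errors.append("InResponseTo does not match an outstanding request (unsolicited or replayed)")
        bearer_expiry = confirmation.get("NotOnOrAfter")
        if bearer_expiry and now - clock_skew >= parse_saml_time(bearer_expiry):
            errors.append("bearer confirmation has expired")

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        errors.append("Subject NameID missing")

    if errors:
        return None, errors
    if seen_ids is not None:
        seen_ids.add(assertion_id)
    return name_id, errors
```

The audience and InResponseTo checks are the ones most often skipped in hand-rolled integrations; without them a valid, signed assertion issued for a different application, or one captured earlier, is accepted as a login to this one.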

Remember your own security responsibilities

Should you decide that DaaS is the best solution for your organisation, remember that moving data to the cloud does not remove the need for proper data security precautions. It remains your responsibility to specify the levels of information security the cloud provider must deliver, and to measure and audit the supplier yourself to confirm that those controls are actually in place.

Aftab Ahmed, head of sales and marketing, Fordway