For many cloud-first companies, workstation imaging isn’t “a thing.” The notion that an IT organization might need several days – or even weeks – to onboard a new employee by provisioning an imaged laptop with correct security policies and only approved applications on it is absurd. The constraints of operating in an admin-centric model for IT service delivery would completely erode the agility that cloud native engenders.
But let’s say your company was born before the cloud era. Or, suppose your company operates in a highly regulated industry, like financial services or health care, for example. For your company, workstation provisioning may still be a very real thing, and it may be weighing you down. That’s why a bring-your-own-PC (BYOPC) policy could be the answer.
Now, take that basic provisioning problem and multiply it by a few orders of magnitude. That’s what happened to many companies in the crush to support remote workers in response to COVID-19. Most weren’t ready for the scale of the problem, and some had no means to enable secure remote work for their privileged users. So, when it came time to pivot to a remote-first stance, many IT organizations were unprepared, unprotected and overwhelmed. Between budgeting, acquiring endpoints and provisioning those devices, many companies incurred enormous opportunity and financial costs.
But what if that didn’t have to be the case? What if, instead, there was an option to enable every new employee or newly remote worker instantaneously? What if the company didn’t have to bear the capital expense of purchasing new laptops for each employee? And what if the company didn’t have to carry the operating expense of having an army of IT admins whose job requirements are little more than commissioning and decommissioning workstations as new hires come on, as existing employees pivot from working in-office to working at home, and as others leave the organization?
Scaling and Simplifying Enterprise Endpoint Provisioning
Companies can unburden themselves by instituting a bring-your-own-PC (BYOPC) policy. BYOPC allows companies to scale back on investments in new laptops while allowing them to scale up their support for remote work. BYOPC provides employees the freedom to work how and from wherever they want, on whatever endpoint makes them most comfortable. Allowing employees to use their laptop of choice also offers the side benefit of helping to maximize worker productivity.
At the same time, BYOPC helps companies to reap significant capex and opex savings. Permitting employees to use non-corporate devices reduces demand on IT admins’ time while also avoiding cost attributed to the purchase and maintenance of corporate endpoints. BYOPC, then, is a rare win-win for employees and the IT organizations that must support worker productivity, as long as the IT organization can effectively operationalize it.
Gartner recognizes that BYOPC is on the rise, saying that companies need to “… support BYOPC practice, as it will be necessary for a long-term work-from-home strategy.” Further, our own research bears this out: in a survey we conducted recently in conjunction with Team8, we found that more than three out of four companies (78%) allow employees to access corporate networks or applications from a non-corporate device.
Pairing BYOPC with a New Model for Endpoint Security
Of course, a company can’t simply institute or dramatically scale a BYOPC policy without deploying or commensurately expanding a robust endpoint security policy. And this is where things get interesting: according to Forrester, spending on endpoint security had been rising, year-over-year, even before COVID-19 pushed so many companies to expand their remote access policies. During 2020, that investment has soared. However, we also know that 70% of security breaches start at the endpoint. So, it’s reasonable to conclude that something in the endpoint security ecosystem has to change, regardless of whether companies institute BYOPC or stick with traditional provisioning of corporate-managed devices to provide secure remote access.
Companies have traditionally relied on a variety of isolated workspace approaches to provide corporate security while permitting workers to download questionable applications or visit dubious websites. Think app sandboxing or legacy remote access solutions like virtual desktop infrastructure (VDI) or desktop-as-a-service (DaaS). VDI and DaaS separate desktop images and applications from the user’s device. The images and applications reside on servers that are usually positioned in the cloud.
Authorized users access VDI or DaaS resources from thin clients, corporate-managed laptops or user-owned devices, leaving no corporate assets vulnerable on the endpoint. With app sandboxes, threats that come in from the sandboxed application are contained within the sandbox, preventing malware from affecting the operating system (OS).
These isolation methods have provided some level of protection, but each has shortcomings that experienced bad actors are able to exploit. Browser isolation is another strategy that works well within its confines – blocking malicious web content – but it leaves other vectors completely exposed. Given that each of these isolation methods has significant gaps that leave corporate assets vulnerable to attack, the isolated workspaces market has been ripe for disruption.
That disruption has come in the form of OS-based isolation. OS-based isolation allows an end user to have multiple operating systems on a single endpoint, allowing unrestricted access to the internet, email and non-privileged information via an unlocked OS while reserving a second, privileged OS for accessing only high-value corporate assets, including sensitive data and other systems.
This privileged OS restricts internet access, prevents the user from installing or running unsanctioned applications, and rejects all peripherals. Corporate data is encapsulated on the same endpoint in the isolated environment and cannot be exfiltrated.
From an enterprise perspective, an enterprise-grade OS isolation solution must include purpose-built tools to centrally manage isolated environments remotely. Those tools must be backed by a robust, fine-grained set of networking, clipboard and data security policies – access control, application management and insight across the entire workforce. With OS-based isolation, breaches may still happen in the non-corporate environment, but there is no path for malicious code to cross over into the privileged environment, meaning the corporate environment remains protected.
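To make the policy model concrete, here is an added example (not code from the original post, and not any vendor's product) that models the decision logic described above for two workspaces on one endpoint: an unlocked OS with unrestricted internet, applications and peripherals, and a privileged OS that only reaches an allowlisted corporate host, only runs sanctioned applications, rejects peripherals, and never lets data leave via the clipboard. Workspace names, host names and application names are constructed for illustration; a real product would enforce these decisions at the hypervisor or OS boundary rather than in a Python function.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class WorkspacePolicy:
    """Per-workspace security policy (constructed example, not a vendor schema)."""
    name: str
    allow_internet: bool          # unrestricted egress?
    allowed_hosts: frozenset      # consulted only when allow_internet is False
    allowed_apps: frozenset       # empty set means "any application may run"
    allow_peripherals: bool       # USB storage, cameras, etc.
    clipboard_out: bool           # may data leave this workspace via clipboard?


# The unlocked OS: internet, email and non-privileged work, no restrictions.
UNLOCKED = WorkspacePolicy(
    name="unlocked", allow_internet=True, allowed_hosts=frozenset(),
    allowed_apps=frozenset(), allow_peripherals=True, clipboard_out=True,
)

# The privileged OS: corporate assets only. Host and app names are constructed.
PRIVILEGED = WorkspacePolicy(
    name="privileged", allow_internet=False,
    allowed_hosts=frozenset({"erp.corp.example", "vault.corp.example"}),
    allowed_apps=frozenset({"erp-client", "managed-browser"}),
    allow_peripherals=False, clipboard_out=False,
)

POLICIES = {p.name: p for p in (UNLOCKED, PRIVILEGED)}


def evaluate(workspace: str, request: dict) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request raised inside `workspace`.

    Anything the policy does not explicitly recognise is denied (default deny).
    """
    policy = POLICIES[workspace]
    kind = request.get("kind")

    if kind == "network":
        host = request["host"]
        if policy.allow_internet or host in policy.allowed_hosts:
            return True, f"{workspace}: egress to {host} allowed"
        return False, f"{workspace}: egress to {host} denied (not on allowlist)"

    if kind == "app_launch":
        app = request["app"]
        if not policy.allowed_apps or app in policy.allowed_apps:
            return True, f"{workspace}: launch of {app} allowed"
        return False, f"{workspace}: launch of {app} denied (unsanctioned)"

    if kind == "peripheral":
        if policy.allow_peripherals:
            return True, f"{workspace}: peripheral {request['device']} allowed"
        return False, f"{workspace}: peripheral {request['device']} rejected"

    if kind == "clipboard":
        # Clipboard is judged against the *source* workspace: data may only
        # leave a workspace whose policy permits it. Pasting within the same
        # workspace is always fine.
        dest = request["to"]
        if dest == workspace:
            return True, f"{workspace}: clipboard within workspace allowed"
        if policy.clipboard_out:
            return True, f"{workspace}: clipboard to {dest} allowed"
        return False, f"{workspace}: clipboard to {dest} denied (data containment)"

    return False, f"{workspace}: unknown request kind {kind!r} denied (default deny)"


# A constructed batch of requests, as a central console might replay from an
# endpoint's audit log. Each entry is (workspace, request).
SAMPLE_REQUESTS = [
    ("unlocked", {"kind": "network", "host": "news.example"}),
    ("privileged", {"kind": "network", "host": "news.example"}),
    ("privileged", {"kind": "network", "host": "erp.corp.example"}),
    ("privileged", {"kind": "app_launch", "app": "random-downloader"}),
    ("privileged", {"kind": "peripheral", "device": "usb-mass-storage"}),
    ("unlocked", {"kind": "clipboard", "to": "privileged"}),
    ("privileged", {"kind": "clipboard", "to": "unlocked"}),
    ("privileged", {"kind": "screenshot"}),
]


def audit(requests=SAMPLE_REQUESTS):
    """Evaluate a batch and return [(workspace, kind, allowed, reason), ...]."""
    rows = []
    for workspace, req in requests:
        allowed, reason = evaluate(workspace, req)
        rows.append((workspace, req.get("kind"), allowed, reason))
    return rows


if __name__ == "__main__":
    for workspace, kind, allowed, reason in audit():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The asymmetry in the clipboard rule is the point worth noticing: moving data from the unlocked OS into the privileged OS is harmless to corporate data, while the reverse direction is exactly the exfiltration path the isolation exists to close, so it is the source workspace's policy that decides. The default-deny branch at the end is what keeps a new request type (here a constructed `screenshot`) from slipping through unreviewed.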
There were days when every employer provided its workers with company-managed mobile devices. In many cases, those days are long gone. It may still take a while before the expectation of working on a company-provided laptop becomes nothing more than a memory, too. But the time is right to give workers the freedom to use an endpoint of their choice without opening up the company to security threats. Doing so will make workers happy, relieve the budget pressures on IT, and still allow security teams to sleep at night. That’s what we call a win-win-win trifecta.