Secure

Enabling work from home (WFH) – the next chapter
Are your users really company security compliant?

Covid-19 has been around for some time now, and you have probably sent all your workers home, taking every measure possible to get them connected to the corporate network by enabling remote access to corporate apps and data. Hopefully you already had some sort of VDI (remote desktops) in place before Covid-19 hit us all, or perhaps you were forced to quickly organize a setup of remoting technologies. Either way, you may already have discovered a critical factor when enabling people to work remotely: security.

The solution to successful remote work is spelled secure. What do I mean by that?
Every piece of the chain, from the end user's home office desk all the way to the data center and your corporate data, needs to be secure. If not, you are taking a very high risk: a risk of data theft, a risk of ransomware, a risk of failing legal compliance (GDPR and such). How much is that worth? Well, as long as everything runs smoothly and you don't get hit, you don't value the cost of being secure, but when it hits the fan, that is when you see the real value of secure, because secure helps you avoid having stuff hit the fan in the first place. Secure is priceless, but it can be attained with a very modest investment 😊

Let us look at a few examples of how corporations can give access to remote users:

VPN

VPN is commonly used to connect network-to-network or device-to-network, potentially without any security filtering in between. What a VPN does is extend the corporate network to the endpoints (and potentially whole networks) in remote locations such as the home office. Put differently: a compromised home device that connects over the VPN is, from the network's point of view, inside.

Pre-Covid-19: You had PCs and laptops in your corporate network, giving your users access to apps and data. You had some traveling employees accessing the corporate network over VPN connections.
Post-Covid-19: Send people home, extend the VPN license pool and allow all users to connect remotely through the VPN gateway. Some brought their laptops from work to the home office, some are perhaps using personal devices; they installed the VPN software and they are good to go. Maybe you shipped new laptops to your WFH users? Great, you managed to give access to all employees in this crisis. But why are all users complaining about long waits when working in corporate apps and accessing corporate data? It is time to start looking at the benefits of Remote Desktop and VDI, "Server Based Computing" (SBC).
Risk factors:
  • You may not know the network where those devices now reside.
  • Are there other machines on the same network?
  • Is the home office network exposed to the Internet, or is it secured in a corporate manner?
  • Do you have control of the personal devices, and can you make sure they are clean?
  • You will probably get a few support calls because software X won't install or function Y is not working.
  • Your former in-house corporate laptops should now be treated as being in a hostile zone.
  • Did you take security measures on those machines?
  • Can you manage those WFH devices to make sure they are compliant and updated?

Remote Desktop

Remote Desktop/VDI is a concept where the user's desktops run in the data center, with the benefit that applications run close to the back-end data and databases. This speeds up execution and the user experience, given the very low latency of the local network. The desktop protocols (i.e. the traffic between the user's endpoint and the virtual desktop) are thin, so the connection between the user and the data center can be quite slim.

Pre-Covid-19: You had enabled Remote Desktop/VDI solutions for your users on the corporate network, maybe for users at remote sites, traveling employees, or for 24/7 access from anywhere.
Post-Covid-19:
Extend the VDI pools with whatever hardware is available, or extend using cloud services. You were quite well prepared in the data center, but what about the users' endpoints? Same scenario here: using employees' personal devices, or sending them home with their corporate laptops. Maybe you bought a bunch of laptops and sent them to your WFH users? Great, you managed to give access to all employees in this crisis.
Risk factors:
  • You may not know the network where those devices now reside.
  • Are there other machines on the same network?
  • Is the home office network exposed to the Internet, or is it secured in a corporate manner?
  • Do you have control of the personal devices, and can you make sure they are clean?
  • You will probably get a few support calls because software X won't install or function Y is not working.
  • Your former in-house corporate laptops should now be treated as being in a hostile zone.
  • Did you take security measures on those machines?
  • Can you manage those WFH devices to make sure they are compliant and updated?

Cloud Desktops

Cloud Desktops are similar to the Remote Desktop/VDI concept, with the difference that you pay someone else to keep the data center available for your users. Examples are "Windows Virtual Desktop (Microsoft – Azure)", "Citrix Managed Desktops (Citrix – Azure)", "VMWare Horizon (VMWare – Azure)", "Amazon Workspaces (Amazon – AWS)" and many more. Generally, you are charged for consumption of someone else's servers and data center.

Pre-Covid-19: You had enabled Cloud Desktop solutions for your users on the corporate network, with the benefit of 24/7 access from anywhere.
Post-Covid-19:
I believe you were the best prepared of the three named scenarios. You simply extend the Cloud Desktop pools. That was easy: just add X amount of dollars to your monthly cloud consumption bill, and send the employees home. Same scenario here: using employees' personal devices, or sending them home with their corporate laptops. Perhaps you bought a bunch of laptops and sent them to your WFH users. Great, you managed to give access to all employees in this crisis.
Risk factors:
  • You may not know the network where those devices now reside.
  • Are there other machines on the same network?
  • Is the home office network exposed to the Internet, or is it secured in a corporate manner?
  • Do you have control of the personal devices, and can you make sure they are clean?
  • You will probably get a few support calls because software X won't install or function Y is not working.
  • Your former in-house corporate laptops should now be treated as being in a hostile zone.
  • Did you take security measures on those machines?
  • Can you manage those WFH devices to make sure they are compliant and updated?

Summary: Three different scenarios, each depending on your "best bet" at an earlier stage on which strategy would best suit your company and responsibilities. Remember, this bet was made before you could even imagine that a virus would hit us all. You are not to blame for anything; we are all in the same boat and could not foresee the impact a virus like this can have on people, economies and corporations.
The interesting thing in these scenarios is that the risk factors, of which I named a few, are the same no matter what you chose in the past. People are sent home "in panic", and your job as an IT manager is to solve the situation so your employees can continue working with corporate apps and data. As it seems right now, no one really knows when everything will be back to normal, back to pre-Covid-19 levels. I heard that the airline industry is counting on being back to 2019 levels of travel by 2024. What?? We are only halfway through 2020!

Now is the time to start thinking about how to take this to the next level: how to remove the risk factors from your WFH users' endpoints.

Sure, I am an employee of IGEL Technology, but I believe that IGEL has a very strong product portfolio to support you on your journey to "WFH – the next chapter". This may be considered by some a sales pitch document, but it will help you decide!

Secure – It is all about control!

Let us start looking at some of the tools that will help you on your journey to a secure WFH strategy.

IGEL OS – next generation edge OS for cloud workspaces
IGEL OS is a Linux-based operating system built for the specific function of connecting to remote systems. Don't get me wrong, it is more versatile than that, but that is its main purpose.
IGEL OS has 7000+ control points, and it is also scriptable if you do not find those 7000+ points to be enough; I guarantee you can find a way to fulfill your use case. It is a lightweight operating system, taking less than 2 GB of storage and 2 GB of RAM. It is 64-bit x86, which covers most PCs and laptops up to 10+ years old.

The operating system is read-only. What does that mean? Everything in the running operating system is controllable: you can modify any file in the operating system at runtime, but after a reboot everything is reverted to unmodified, except for a few parts of the disk structure that hold dynamic data (configuration, trusted certificates, endpoint certificates and user data). So a change made to the operating system at runtime, whether by a user or by something malicious, does not survive a reboot, and the writable portion of the disk is not exposed to the user. Nothing is really exposed to the user, to be honest. It is up to you as an admin to select what the user can or cannot do. With a simple configuration you can easily lock down the whole IGEL OS so that the only thing a user can do is connect to the corporate VDI environment. The fine folks at IGEL TechDocs have written a guide on how to lock down an IGEL OS-powered endpoint: see "Securing IGEL OS endpoints" @ https://kb.igel.com/securitysafety/en/security-safety-2271734.html

Here is an example of an IGEL OS endpoint booted to a locked-down desktop. The user's only options are to log in to, in this case, a Citrix environment, or to reboot the endpoint. Everything else in the GUI is disabled.

But let us look even earlier than the running OS the user sees. IGEL OS is signed by Microsoft for UEFI Secure Boot, so IGEL OS boots on Secure Boot-enabled hardware; in fact, all current IGEL hardware endpoints offer Secure Boot. Secure Boot means the firmware verifies that only a signed OS loader, one whose signature chains to a certificate the firmware trusts, may run on the device. This also allows installing IGEL OS on hardware from other vendors that support Secure Boot (and, of course, on any system that does not offer Secure Boot, though there the loader is not verified). Read more about UEFI Secure Boot @ https://en.wikipedia.org/wiki/Hardware_restriction#Secure_boot and https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#SECURE-BOOT

And if that is not enough, we can go one step earlier still in the boot process to validate that the system is intact. The current IGEL UD3 and IGEL UD7 models, which have AMD-based processors, now ship with the AMD Secure Processor. Here the platform checks that the BIOS itself is signed and has not been tampered with before the system is allowed to start up. Read more on AMD Secure Processor @ https://kb.igel.com/securitysafety/en/amd-secure-processor-24389978.html

If a read-only filesystem, which only boots on Secure Boot-enabled hardware, whose firmware is itself verified before it runs, isn't treated as safe, then nothing is safe! 😊
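A practical check for the Secure Boot part of that chain, added here as an example (it is not IGEL's code): on any Linux system that booted via UEFI, the firmware exposes the SecureBoot and SetupMode variables through efivarfs, and reading both tells you whether signature enforcement is actually active rather than merely supported. SetupMode matters because a firmware with no Platform Key enrolled does not enforce anything. The code assumes efivarfs is mounted at /sys/firmware/efi/efivars; the two byte strings at the end are constructed samples so the parsing can be exercised on any machine.

```python
import struct
from pathlib import Path
from typing import Dict, Optional, Tuple

# Both variables live under EFI_GLOBAL_VARIABLE_GUID (UEFI specification).
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed mount point (Linux default)


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split the content of an efivarfs file into (attributes, data).

    efivarfs prepends a little-endian uint32 of attribute flags to the
    variable payload. For SecureBoot and SetupMode the payload is one byte.
    """
    if len(raw) < 4:
        raise ValueError("efivar shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def evaluate(secure_boot_raw: bytes, setup_mode_raw: Optional[bytes]) -> Dict[str, bool]:
    """Interpret the two variables.

    SecureBoot == 1: the firmware reports that it verifies loader signatures.
    SetupMode  == 1: no Platform Key is enrolled, so nothing is enforced even
    if the SecureBoot byte reads 1. "enforcing" is only True when both agree.
    """
    _, sb = parse_efivar(secure_boot_raw)
    secure_boot = len(sb) >= 1 and sb[0] == 1
    setup_mode = False
    if setup_mode_raw is not None:
        _, sm = parse_efivar(setup_mode_raw)
        setup_mode = len(sm) >= 1 and sm[0] == 1
    return {
        "secure_boot": secure_boot,
        "setup_mode": setup_mode,
        "enforcing": secure_boot and not setup_mode,
    }


def read_secure_boot_state(efivars: Path = EFIVARS) -> Optional[Dict[str, bool]]:
    """Read the live variables. Returns None when the machine did not boot via
    UEFI (no efivarfs) or the SecureBoot variable is absent."""
    sb_path = efivars / f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}"
    sm_path = efivars / f"SetupMode-{EFI_GLOBAL_VARIABLE_GUID}"
    if not sb_path.exists():
        return None
    sm_raw = sm_path.read_bytes() if sm_path.exists() else None
    return evaluate(sb_path.read_bytes(), sm_raw)


# Constructed samples: attribute word 0x06 (bootservice | runtime access),
# followed by the single value byte, exactly as efivarfs presents them.
SAMPLE_ENABLED = b"\x06\x00\x00\x00\x01"
SAMPLE_DISABLED = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    state = read_secure_boot_state()
    if state is None:
        print("No UEFI SecureBoot variable: legacy BIOS boot or efivarfs not mounted")
    else:
        print(state)
```

Run it as root, or as any user that can read efivarfs, on the endpoint you are about to trust; "secure_boot: True, setup_mode: True" is the combination to watch for, since it looks enabled in a menu but enforces nothing.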

IGEL OS has built in connection agents for most of the remoting protocols out there, including:

  • Microsoft Windows Virtual Desktop
  • Citrix Virtual Apps and Desktops
  • VMWare Horizon
  • Amazon Workspaces
  • Microsoft Remote Desktop Services

It also contains web browsers: you can choose Mozilla Firefox or Chromium. If you cannot find support for your very special remoting protocol, IGEL OS includes a function called Custom Partition, a way to install any Linux agent on your IGEL OS endpoint, or to add collaboration tools like Zoom or Microsoft Teams for Linux to run natively on IGEL OS, or to use offload technologies for Zoom, Skype, MS Teams, Cisco Teams etc. The choice is yours, to suit the needs of your organization. Keep in mind that whatever you place in a Custom Partition is code you added on top of the read-only base, so manage its contents with the same care as the rest of your endpoint configuration.
Read more about Custom Partitions @ https://kb.igel.com/igelos-11.03.500/en/custom-partition-tutorial-27245326.html

IGEL OS supports numerous authentication mechanisms and multi-factor authentication, for example:

  • Smartcard Support
  • Token based Multi Factor Authentication
  • Tap and Go solutions
  • Yubikey

You will also find tools to measure your users' experience from Liquidware, Lakeside, Control-UP and more. You can even test and benchmark your back-end infrastructure using the built-in LoginVSI components. Look at the map below of integrations in the partner ecosystem of IGEL OS, and the newly released IGEL Ready program allowing even more vendors to align and certify their solutions with IGEL OS:

IGEL Ready integration matrix

IGEL UMS and ICG – remote management at a glance

The IGEL Universal Management Suite (UMS) combined with the IGEL Cloud Gateway (ICG) is the perfect choice for maintaining endpoint security while keeping you in control of your WFH users. Let's break it down so that you can follow the components.

UMS – This is the self-playing piano: this is where you create the rules for how your devices act and behave, and where you determine the user interface of your users' work environment and their access to their desktops.

With the UMS you are in control! You build configurations using profiles, assign those to endpoints or containers of endpoints, and the UMS forces your endpoints to adopt the configuration. The control points are practically endless: about 7000 control points plus scripting support for IGEL OS, so you should certainly find a way to suit the needs of your users. However, don't be afraid of those 7000 settings! A lockdown profile consists of about 10 checkboxes checked. That's it!
A general Citrix/WVD/Horizon or other session configuration is only a few parameters.

The UMS server's main task is to make sure that all your devices comply with the rules you set up. The UMS server can be hosted on-prem or in any cloud. Pay attention though: the UMS server is not hardened for Internet exposure, so it should not be publicly reachable. For scenarios where you need to control endpoints over the Internet, add the IGEL Cloud Gateway (ICG). The ICG is a reverse proxy that lets IGEL OS endpoints on ANY network reach your UMS server without exposing the UMS itself to the Internet. You can set the ICG up to talk to endpoints on common ports (like 443/TLS), which allows real-time endpoint management whether they sit in a WFH scenario or connect through a locked-down network like a hotel or an Internet café. You do not need control of the endpoints' local network. Do verify the result from the outside, though: from an untrusted network only the ICG's published port should answer, and the UMS ports themselves should be filtered.
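To verify that placement from the outside, here is a small reachability check, added here as an example and not part of IGEL's tooling. Run from an untrusted network (a phone hotspot will do), it asserts that the ICG's published port answers and that the UMS ports do not, and reports every deviation. The hostnames and the UMS port in the target list are assumptions to be replaced with your own; demo() starts a local listener to stand in for the ICG and uses loopback port 1 as the "filtered" UMS, so the check runs offline.

```python
import socket
from contextlib import contextmanager
from typing import Iterator, List, NamedTuple


class Target(NamedTuple):
    name: str
    host: str
    port: int
    expect_reachable: bool  # True for the ICG, False for anything UMS-side


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake completes; refused and timed-out both count as
    not reachable, which is exactly what we want for a filtered UMS port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(targets: List[Target], timeout: float = 3.0) -> List[str]:
    """Compare observed reachability with expectations; return the violations."""
    findings = []
    for t in targets:
        got = tcp_reachable(t.host, t.port, timeout)
        if got != t.expect_reachable:
            seen = "reachable" if got else "NOT reachable"
            wanted = "reachable" if t.expect_reachable else "filtered"
            findings.append(f"{t.name}: {t.host}:{t.port} is {seen}, expected {wanted}")
    return findings


# Assumed names and ports for a real run; replace with your own deployment.
PRODUCTION_TARGETS = [
    Target("ICG published port", "icg.example.com", 443, True),
    Target("UMS device port (assumed 30001)", "ums.example.com", 30001, False),
    Target("UMS console (assumed 8443)", "ums.example.com", 8443, False),
]


@contextmanager
def demo_listener(host: str = "127.0.0.1") -> Iterator[int]:
    """Demo only: a local TCP listener on an ephemeral port, playing the ICG."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


def demo() -> List[str]:
    """Offline run: the fake ICG must answer, loopback port 1 must not."""
    with demo_listener() as icg_port:
        targets = [
            Target("ICG (demo listener)", "127.0.0.1", icg_port, True),
            Target("UMS device port (demo, closed)", "127.0.0.1", 1, False),
        ]
        return check_exposure(targets, timeout=1.0)


if __name__ == "__main__":
    problems = demo()
    print("OK: exposure matches expectations" if not problems else "\n".join(problems))
```

Swap PRODUCTION_TARGETS in for the demo list when you run it for real, and run it from outside your network; a UMS port that answers there is the finding this whole section is about.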

The UMS has "Default Directory Rules" and "Structure Tag" support that will help you organize endpoints in your preferred administrative manner. "Default Directory Rules" categorize and automatically configure users' endpoints when they appear in the UMS, based on a number of different criteria, while the "Structure Tag" can be used in the same way. Generally I use "Structure Tag" for my demo setup of UMS/ICG and IGEL OS: depending on the "Structure Tag" I use when registering my IGEL OS-powered endpoint through the ICG, the endpoint adopts a configuration matching the current use case. It is easy to instruct users to provide a "Structure Tag" when connecting to the ICG. The structure tag is not a requirement, but rather a benefit for me, since I have multiple demo setups.

By the way, the UMS and the ICG can be installed on-prem or in any cloud. Or you can mix, with the UMS on-prem and your ICGs in the cloud.
The UMS and ICG also have quite a handy feature: you can remote-control the WFH users' endpoints using SecureVNC for support assistance, read more @ https://virtualbrat.wordpress.com/2019/10/07/help-secure-shadow-of-remote-endpoints-real-life-experience/

Secure – getting the ultimate solution

Now is the time to invest in real, secure WFH: get your stationary users IGEL endpoints or UD Pockets, or reinstall corporate machines with IGEL OS, to quickly get in control of your WFH users' endpoints!

This is a strategic decision, and a very important one. Whether your users are in a WFH scenario or have now started to come back to the office, your first endpoint priority needs to be security. It is extremely important to provide endpoints that enable your workforce to continue operations in a secure manner no matter where they are.

IGEL has a few options for you, let’s have a look!

  • IGEL hardware endpoints with IGEL OS – Allows for rapid, trouble-free deployment of devices. Just connect keyboard, mouse, monitor, power and network. Anyone can do this!
  • IGEL OS Creator – Reinstalls PCs/laptops/thin clients. It overwrites the current operating system and installs IGEL OS on the machine. It's the ideal solution for non-IGEL hardware. It can be installed virtually on your users' home PCs too!
  • IGEL UD Pocket – Turns any 64-bit x86 PC/laptop/thin client into an IGEL OS-powered endpoint at runtime. Insert the USB stick, boot the device from USB first and enjoy an easily controllable and up-to-date endpoint. The IGEL UD Pocket is a bootable USB stick that is isolated from the machine's internal storage, so even if the installed operating system is infected, the UD Pocket will not be affected (the host's firmware is still in the boot path, which is where the Secure Boot discussion above comes in).

I would argue that the easiest solution is to send your users an IGEL hardware endpoint, monitor, keyboard, mouse and a network cable. Write an instruction (with pictures) on how to connect the required cables and how to walk through the first boot wizard to get the endpoint registered with your UMS and ICG. As you see in the chapter "Enrolling a brand new IGEL OS endpoint" video below, it is a very easy task. I would say the user will be up and running 10 minutes after unboxing. Looking at list prices of a "Task worker" IGEL UD2 endpoint and the "Swiss army knife" IGEL UD3 with built-in WiFi, the total sum of IGEL endpoint, 1 year of Maintenance and Enterprise Management Pack (EMP), a standard 24" FullHD monitor and a set of wireless keyboard and mouse would be about 670 € for the UD3 and 465 € for the UD2.
The IGEL UD3 is strong enough to handle graphics-intensive loads, but if you feel that isn't enough, IGEL has the even stronger UD7, or you just buy whatever hardware you want and install IGEL OS.

If you already bought PCs/laptops with a pre-installed operating system, you are the lucky one. You can put your investment to use with IGEL OS and have your users reinstall those endpoints. It is easy to create a USB stick for reinstalling those laptops with IGEL OS. You would end up at a cost of about 169 € for the IGEL OS license, 1 year of maintenance and EMP. Reinstall and register IGEL OS with your UMS!

If a reinstall isn't an option (users' private computers etc.), go for the UD Pocket! It adds 25 € and you get a preinstalled, bootable IGEL OS USB stick. Users plug it in, tell their machine to boot from USB and they are good to go, ready to register the UD Pocket with your UMS.

Compare those investments with what it would cost your company if ransomware hits, or if you fail GDPR compliance due to unprotected PCs.
I would say, easy buy-in!

When investing in the above, you have:

  1. Secured your users' WFH workplaces with a secure-booted, read-only endpoint
  2. Taken control of the WFH environment
  3. Drastically reduced the management effort needed to maintain WFH endpoints
  4. Taken precautions to avoid malware and ransomware at the edge
  5. Eliminated conflicts with "other software"
  6. Assigned an easy-to-install, single-purpose endpoint to your WFH user, enhancing simplicity for your users
  7. Set the future strategy for your in-house and WFH workers

WFH Enrolling a brand new IGEL OS endpoint

The video below takes you through the user experience from enrolling the endpoint to user log-in, in this case to a remote Citrix environment. The recording was made with a virtual IGEL endpoint created with IGEL OS Creator. The experience is exactly the same if you use an IGEL hardware endpoint or a UD Pocket instead. The UMS and ICG in this case both reside in Microsoft Azure. The firmware is updated from a Microsoft Azure storage blob.
Here are the steps taken:

  • IGEL First Boot Wizard opens
  • User selects the language for the user interface
  • User selects the language for the keyboard layout
  • User selects the Time zone and Location
  • User applies Time settings
  • User selects managed License Deployment, as the company's UMS will provide a license for the endpoint.
  • User enters his/her email address, which is resolved via a DNS TXT record to the company's ICG; then a structure tag and password are entered.
  • IGEL OS endpoint registers with the IGEL UMS through the IGEL ICG.
  • The UMS detects that the IGEL OS endpoint isn't on the required firmware level, so it applies a lockdown profile to prevent user intervention and starts a firmware update to the company's baseline firmware (the update is fast-forwarded in the video so you don't get bored), and then the endpoint reboots.
  • When the endpoint boots and registers with the UMS, now fulfilling the company's requirements, the UMS provides the user with a Citrix login.
  • User logs in and can continue working, now with a secure work environment from anywhere in the world!

From first power-on until the endpoint reached a fully operational state took 5 minutes and 20 seconds. Have you ever enrolled an endpoint in an uncontrolled environment and had the user ready to connect to work in that short a time before? And the company is now in control of the WFH endpoints and can easily manage them and support users remotely.

Enjoy, make wise decisions and #staysafe

/Fred