Security Past the VPN

“Our remote workers use a VPN, so we’re secure.”

This is a statement we hear often when discussing remote worker and BYOD programs. If this is your approach, you might be leaving a giant vulnerability wide open. VPNs secure the connection between the corporate network and the users’ device, but where’s the security once the data hits the endpoint?

This is a particular concern if contractors or remote workers are using personally owned endpoints or the organization allows BYOD (bring your own device). While a company-issued laptop might have specific security controls instituted by IT, companies have little to no control over the security measures set up on personal devices.

What Can Go Wrong?

Without the ability to implement security controls on the endpoint (because it’s a personal computer), users can manipulate, capture and save your sensitive data in a number of ways:

• Print screen
• Snippet tools
• Keystroke logger
• Screen recording
• Printing

Any of these methods puts your data at risk of mishandling and out of your control. This is the “final frontier” that VPN security does not touch. It’s also an extremely easy way for end users to unintentionally mishandle data or maliciously steal sensitive information.

You also have no control over how personal endpoints are maintained and if up-to-date antivirus and OS updates are implemented in a timely manner. Written policies may outline expectations around these basic security practices, but a policy is not the same as someone actually implementing the updates (like IT can on in-house computers).

If the data being handled is protected information under a compliance standard like PCI or HIPAA the situation is even more pressing. In some cases this lack of control can itself constitute a compliance violation. In other cases, such as HIPAA, you may have signed a Business Associate Agreement that leaves you liable for proper security, control and compliance.

Locking Down Data Past the VPN

Virtual desktops give you control over the desktop environment no matter where it’s accessed from or which device end users are on. Security controls are implemented at the golden image level and this consistent environment is delivered to users on company-issued devices or personal devices. This provides IT with an easy way to ensure all users (regardless of endpoint) have the privilege-appropriate controls in place, protecting data at the endpoint. Within the virtual desktop environment, IT can restrict users from high-risk functions like screen capture, printing and external saving (to both USB drives and cloud storage solutions like Dropbox).

In addition to controls, virtual desktops offer another level of security in that the environment is isolated from the endpoint. No data is ever stored on the device, allowing you to rely on the security of a protected cloud environment rather than personal security practices. Any malicious software installed on the endpoint (such as a keylogger) will not “cross the barrier” into the virtual environment.

User error remains one of the biggest sources of data breaches. With so many people thinking a secure network connection equals security, it’s no wonder user error still poses such a big problem. If you have remote employees, contractors or allow BYOD, it’s imperative that you think beyond the data center and network all the way down through individual endpoints. They pose a large risk but an easy one to control with the proper solutions in place.

You may also like:

• 6 Questions CIOs Should Ask About Patching
• Top 5 Reasons to Evolve Your Desktops 
• 2017: The State of Cybersecurity