30 Mar 2023
by Jonathan Culver

Performance and Security Considerations when deploying Endpoint Devices in a Work From Anywhere situation (Guest blog by IGEL)

Guest blog by Jonathan Culver, Senior Presales Engineer (UK&I) at IGEL

When organisations are considering the type of endpoint device to evaluate and deploy to Users working in a hybrid situation, accessing their virtual desktops or Desktop as a Service (DaaS) from the office, from home, from anywhere, two of the primary considerations will be performance and security. These considerations can conflict: the performance of an endpoint is reduced by the security applications and processes required for compliance, which in turn drives the need for higher specification endpoint devices at a greater cost to the organisation.

Endpoint devices used in EUC virtual desktop and DaaS scenarios are no longer limited to traditional "thin clients", and now include desktop PCs, laptops and "mobile thin clients" (laptops optimised specifically for virtual desktop / DaaS use).

Performance Requirements of the Endpoint

Endpoint hardware performance must satisfy the needs of Users performing their daily tasks at work, now more commonly referred to as the "Digital Employee Experience" (DEX). As many more Users now work from outside the office, their workflows have changed from the traditional office applications (word processor, spreadsheet, database, presentations and web browsing) and now rely heavily on Unified Communications (UC) technologies for holding internal and external meetings, sharing data and collaborating with colleagues. UC options include instant messaging, audio calls, video calls, audio/video conferencing, file sharing and application/screen sharing, all of which add to the performance challenge on the endpoint. Typically a UC application with client-side optimisation/offloading has a recommended specification of a 2.0 GHz CPU with 2 cores. Users' expectations will not have changed from when they worked in the office: they continue to demand good performance from audio and video calls, but now work in a more challenging environment, where the network is a Wi-Fi connection at home, on a train or in a café, possibly in a different city, country or even continent, and with the added complication of having to manage their headsets and webcams whilst connecting to their virtual desktop / DaaS session.

All these challenges can easily bring IT departments to the conclusion that a high specification, high performance, expensive endpoint device is required for the Users. But as cost is currently a big challenge, there may be alternative and better options available.

How to secure the Endpoint without compromising performance

Now that Users are more often working from outside the office, the normal security practices and methods no longer apply. The inherent security afforded by locating endpoint devices, systems and data in a physical office is largely lost when Users work from anywhere. The risks of data leakage and theft, data loss, and equipment loss and theft all increase when Users carry their endpoint devices around and connect to systems and data from public spaces over public networks. Add the possibility of malicious software attacks, including ransomware and viruses, and this can appear a daunting prospect for IT staff.

However, there are systems and technologies available to mitigate these risks. Technologies commonly used to secure endpoint devices used by remote workers include antivirus (AV), Virtual Private Networks (VPN), Data Loss Prevention (DLP), Intrusion Detection (IDS), Multi-factor Authentication (MFA) and Zero Trust network access. Most of these technologies require an endpoint software agent to be installed in order to provide the protection offered. This has the knock-on effect of increasing the system requirements of any endpoint device being considered: the device is no longer specified to fit a particular virtual desktop client and/or UC requirement, but carries an additional hardware overhead for each and every security software agent (AV, VPN, DLP, IDS, MFA).

Some organisations have chosen to take this path and provide Users with high specification, high performance and expensive endpoint devices running a typical PC / laptop operating system. This poses multiple problems: costly asset management, asset loss and recovery, and the deployment and maintenance of multiple endpoint security systems, servers and agents. As with the performance requirements of the endpoint device, there may be alternative options available.

Suitability of the Endpoint OS to balance Performance and Security Requirements

Choosing an endpoint device operating system can be a simple task, but you need to consider the alternatives in order to balance the performance and security requirements of the endpoint.

The Windows desktop operating system is used in most organisations on their PCs and laptops, and is also deployed and used within their virtual desktop infrastructure and DaaS environments.

Thin clients are typically supplied with an optimised operating system, specifically designed to connect to a virtual desktop or DaaS session. This operating system is usually based on Linux, so has the advantage of security built in by design, over and above a general-purpose desktop PC/laptop operating system. Some examples: stricter separation of privileges, where the superuser (root) holds all privileges and ordinary users are granted only the privileges they absolutely need; UEFI Secure Boot, in which the firmware verifies the signature of the bootloader and kernel before executing them; and the Linux kernel lockdown feature, which prevents even root from modifying the running kernel (for example by loading unsigned modules or writing to kernel memory) once the system has booted. Secure Boot and lockdown protect the integrity of the endpoint's own boot chain and kernel; they are not substitutes for network or identity controls such as a VPN or MFA, but a locked-down, purpose-built OS has far less attack surface for a separate agent to protect. Therefore these operating systems may not require a host of additional security software agents (AV, VPN, DLP, IDS, MFA), which facilitates a broader choice of hardware and reduced cost for the endpoint device.
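As an added example (not code from the original post, nor from IGEL's own software), the following POSIX shell script checks whether the two kernel-level controls just described are actually active on a Linux endpoint, which is the first thing to verify before relying on them in place of an agent. It assumes a kernel built with the lockdown LSM (which exposes /sys/kernel/security/lockdown via securityfs) and a UEFI system with efivarfs mounted; the function names and the script file name are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Reports UEFI Secure Boot state and the
# kernel lockdown mode on a Linux endpoint and turns them into a pass/fail verdict.
# Assumes securityfs and efivarfs are mounted (the default on most distributions).

LOCKDOWN_FILE=/sys/kernel/security/lockdown
# "SecureBoot" variable under the EFI_GLOBAL_VARIABLE GUID.
SECUREBOOT_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# The lockdown file lists the available modes with the active one in brackets,
# e.g. "none [integrity] confidentiality". Takes the file contents as $1 so the
# parsing can be exercised on a machine without a lockdown kernel.
lockdown_mode() {
  printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# An efivarfs file is 4 bytes of variable attributes followed by the variable data;
# for SecureBoot the data is a single byte, 1 = enabled, 0 = disabled. Takes the path as $1.
secure_boot_state() {
  [ -r "$1" ] || { echo unknown; return 1; }
  byte=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')
  case "$byte" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown; return 1 ;;
  esac
}

# Verdict: pass only when Secure Boot is enabled AND lockdown is in integrity or
# confidentiality mode. Arguments: secure boot state, lockdown mode.
boot_posture_ok() {
  [ "$1" = enabled ] || return 1
  case "$2" in
    integrity|confidentiality) return 0 ;;
    *) return 1 ;;
  esac
}

# Read the live values, print a one-line summary and return the verdict as exit status.
check_endpoint() {
  sb=$(secure_boot_state "$SECUREBOOT_VAR")
  if [ -r "$LOCKDOWN_FILE" ]; then
    ld=$(lockdown_mode "$(cat "$LOCKDOWN_FILE")")
  else
    ld=unavailable   # lockdown LSM not built in, or securityfs not mounted
  fi
  printf 'secure_boot=%s lockdown=%s\n' "$sb" "$ld"
  boot_posture_ok "$sb" "$ld"
}

# Run the live check only when asked, so the file can also be sourced for its functions.
case "${1:-}" in
  check) check_endpoint ;;
esac
```

Run it as `sh endpoint-posture.sh check`; an exit status of 0 means Secure Boot is on and lockdown is active. Several distribution kernels switch lockdown to integrity mode automatically when Secure Boot is enabled, whereas an upstream kernel needs `lockdown=integrity` (or `confidentiality`) on the kernel command line, so a device reporting `secure_boot=enabled lockdown=none` is worth investigating rather than assuming the control is in place.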

Now that employees are using a variety of endpoint devices, including desktop PCs, laptops, thin clients and mobile thin clients, to access their virtual desktops and DaaS sessions from many locations, choosing the optimal endpoint operating system for both performance and security needs does not have to mean the default option. It is now possible to have the best of both worlds: low cost devices with excellent usability and performance. Importantly, this can also be the very secure option to protect the business's key assets of data and intellectual property. Investigate and evaluate the alternatives to suit your current and future requirements.

