As the IT manager at Digital Intelligence Systems LLC, a global IT staffing and consulting firm, I recently initiated the build out of a virtual desktop infrastructure to support our large mobile workforce. Along the way, I learned some important lessons about securing our network, and data, in the bring-your-own-device age.
Before launching our VDI deployment and overall BYOD initiative, our major concerns were securing the devices on our network, and only allowing devices that were sanctioned by IT. However, as the VDI and BYOD initiatives evolved, we became more focused on securing applications, data, and the access to them. Our users are free to use their preferred devices from an iPad to a Windows PC. By focusing more on securing applications and data, while also improving ease of access, IT no longer has to worry about the constant hardware debate they face with users concerning which devices are allowed and why. This article shares some specific tools we are using to enable secure mobile network access. In addition it provides policies, that require the agreement of both employees and network users, which have helped us successfully deploy VDI and aid in the management of BYOD use in our network.
Fundamental Planning Considerations
Before an enterprise can move forward with a VDI implementation, with or without BYOD access, there are several fundamental planning considerations that must be addressed.
First and foremost, it is important to outline what your particular reasons and business goals are for VDI implementation; in our case, it was a combination of cost savings and a reduction in IT support time. For our users it was important to have a system that could be accessed from anywhere on any device.
Second, you have to know your technology environment and make sure you have the correct infrastructure in place. In our case, we were already running a highly virtualized data center, so implementing VDI would not require additional infrastructure. But can your infrastructure support VDI now and into the future? To answer this question, you have to clearly understand your intended use cases: What are your current storage and processing needs? To how many users do you intend to deploy VDI? How much storage space do your users require? What will your deployment look like in six months or a year?
Third, it is essential to study the end users at your company. Look at the employees in each department. Make your decision based on usage of different devices and applications, and whether employees in given departments are mobile or rarely travel. This will help you determine ahead of time whether or not a group of employees is a good test case for a VDI pilot program.
Fourth, if the technology environment and the end users are right, execute a pilot VDI program. A pilot will allow you to see what works and what doesn’t, and will help with mitigating risk when a full deployment occurs. In the long run, a pilot will allow you to deploy a VDI infrastructure that is more cost-effective and more on-target with the needs of employees.
Dealing with Key BYOD Concerns
Once DISYS was ready to move forward with VDI, our biggest concern, and main focus, was securing our data against the threats posed by a BYOD environment. In DISYS’s VDI infrastructure, the internal storage system hosts the data, and we have control over managing who has access to what data within that system.
Before employees can access data through their mobile devices, an employee profile is created and hosted on the network that stores information identifying each device.
We control overall access to our applications through the deployment of OneLogin, a cloud-based identity management tool. It integrates directly with Active Directory and provides single sign-on and user provisioning for our applications, whether they are in-house or cloud-based. IT only has to manage user access in one tool, AD, and users only have to use one portal for access to all their apps.
To enable information sharing on our network, DISYS is using Oxygen Cloud. This app brings the same functionality as Dropbox or Box, but the data resides within our internal storage systems. Users are able to access their files from anywhere on any device, without the use of a virtual private network. Through AD we are able to designate who has access to the system, and when that user leaves, the account's access is immediately disabled and the files are retained within our system.
DISYS uses a VPN from Cisco to enable secure access to the network from remote locations. However, unlike other networks, one of the benefits of DISYS's VDI implementation and BYOD strategy is that users do not have to open a separate VPN connection. Our VDI session connections are secure and can be accessed by any device with a VMware View client, or any device with a web browser and an Internet connection. As a result, employees have secure, anytime, anywhere access to their data and desktop.
When it came to developing company policies governing BYOD usage on the DISYS network, DISYS took a user-friendly approach so employees wouldn’t feel like their devices were at risk, or that restrictions were being placed on their personal productivity. To ensure compliance with these policies, obtaining employee buy-in was essential. The policy creation process was very transparent and users were clearly notified before they connected their devices to our network.
Based on our experience at DISYS in rolling out a VDI that effectively integrated mobile devices, we can offer a number of specific implementation suggestions to deal successfully with BYOD-related challenges:
- The focus is on securing the data, applications, and access to them. With this addressed, users are free to use any device they prefer – a win-win for both the users and IT.
- Use authentication tools; this reduces the time and management associated with user provisioning and control.
- Implement solutions that are easy to use and functional. The more usable the tools, the less likely users will be to try to circumvent IT and security controls. Users turn to third-party apps when they feel the offerings from internal IT are not functionally equivalent to their consumer counterparts.
- To allow for scalability, look at cloud-based solutions. DISYS, for example, implemented Oxygen Cloud and OneLogin. In addition, we are going to further leverage Amazon Web Services to reduce costs related to the never-ending storage problem. The future of IT is going to be based in the cloud. The process to scale up or down takes considerably less time and money than trying to build and maintain everything in house.
- Find an enterprise-grade mobile device management solution that simplifies mobility for employees while ensuring secure access. In our case, we deployed AirWatch to manage the mobile devices, including the apps and content on those devices. With AirWatch, we can manage any device anywhere in the world, throughout the full lifecycle of that device, using a single console.
- If you don't have internal IT resources, leverage your partners and vendors to help solidify a strategy and implement the technology needed for BYOD.
- Look at the different functions of the team – where they are accessing network data, how they are connecting (via a 3G or 4G network) and what applications they are using.
The bottom line on VDI deployment at DISYS is that it has allowed our company to better secure and manage data – our most vital and strategic asset – while maximizing the advantages associated with BYOD.
Collin Hachwi is the IT manager with Digital Intelligence Systems LLC (www.disys.com).
Edited by Stefania Viscusi