Case study: VDI as a security measure
An employee was provided a company laptop with a VPN etc. to securely log in to the company’s network. However, a big gap in the security measures was that he was never told to use the network drive, so all data was stored on his local machine. This created two threats:
- The laptop disk crashing: all data would be lost, as it was not on the network drive and was never backed up. The solution would have been as simple as giving an initial instruction during the induction to save files on the network drive. Since a user can forget these instructions, an audit could be done (e.g., monthly) to see whether the user has any activity on the network drive. In this case, it went undetected for about 6 months.
- The laptop being stolen: the thief could have access to all the data on the laptop disk. In this case, external drives (USB) were not disabled, but data transferred to a USB drive would be encrypted. Is the decryption key also stored on the USB drive itself? Also, the data on the laptop disk was not encrypted; would this be considered a breach or a lack of control? Given the cost of disk encryption, did the company think that keeping data on a network drive would be enough of a control?
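The monthly audit suggested above, as an added example that is not part of the original case study: it walks each user's home folder on the network share and flags users with no file saved inside the audit window. The share layout (`<share_root>/<username>/...`) and the sample tree, built in a temporary directory, are assumptions.

```python
# Added example (not from the case study): flag users with no recent file
# activity in their home folder on the network drive. The share layout
# (<share_root>/<username>/...) and the sample tree are assumptions.
import os
import tempfile
import time

DAY = 86400


def last_activity(folder):
    """Newest modification time (epoch seconds) of any file under folder, or None if it holds no files."""
    newest = None
    for root, _dirs, files in os.walk(folder):
        for name in files:
            mtime = os.stat(os.path.join(root, name)).st_mtime
            if newest is None or mtime > newest:
                newest = mtime
    return newest


def audit_inactive_users(share_root, window_days=30, now=None):
    """Usernames whose network home shows nothing saved in the window; an empty home counts as inactive."""
    now = time.time() if now is None else now
    cutoff = now - window_days * DAY
    inactive = []
    for user in sorted(os.listdir(share_root)):
        home = os.path.join(share_root, user)
        if os.path.isdir(home):
            newest = last_activity(home)
            if newest is None or newest < cutoff:
                inactive.append(user)  # likely keeping work on the local disk only
    return inactive


def build_sample_share():
    """Constructed sample: alee saved yesterday, bsmith's newest file is ~180 days old, cjones never saved anything."""
    root = tempfile.mkdtemp(prefix="home_share_")
    for user, age_days in {"alee": 1, "bsmith": 180}.items():
        os.makedirs(os.path.join(root, user))
        path = os.path.join(root, user, "report.docx")
        with open(path, "w") as f:
            f.write("constructed sample file\n")
        stamp = time.time() - age_days * DAY
        os.utime(path, (stamp, stamp))  # backdate the file to simulate old activity
    os.makedirs(os.path.join(root, "cjones"))  # account exists, nothing ever saved
    return root


if __name__ == "__main__":
    for user in audit_inactive_users(build_sample_share(), window_days=30):
        print(f"{user}: no network-drive activity in the last 30 days")
```

Running it against the sample tree reports bsmith and cjones; a real deployment would point `share_root` at the home share and raise the result with the users' managers rather than only printing it.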
This employee was then deployed on a client assignment, where he needed access to client systems. As a security measure, the client enabled his access through a virtual desktop infrastructure (VDI) environment on his laptop, which required multiple authentication steps, etc. Within that environment, the user did not store any files on the client’s network drive for about five months, so a similar risk to the above case existed. Sure, a broken or stolen laptop wouldn’t pose any threat to the client’s data, but the data was never backed up. Is there any threat of losing this data?
Later, it was identified that many employees of the client were storing data on their desktops (which perhaps was never backed up) for one simple reason: storing data on the network drive was very slow and therefore reduced productivity.
Learnings from the case:
- Training and awareness are important. ‘No one told me, I didn’t ask anyone’ is a threat to security. While the user is supposed to know or ask, the IT team is supposed to tell them (on day one) to use the network drive.
- If the network drive solution makes responses slow and brings down productivity, users will tend to bypass this control and start storing data on local drives.
For this client’s own employees, there was no VDI environment, so files stored on local drives would be lost (in the event of a crash) or would be available to thieves in case of theft. Whether the client had applied encryption on local drives is not known, but most likely not.
So, we are far from a secure world, it seems! Basic principles are important, as is doing what one is supposed to do!
Daman Dev Sood, FBCI, International Resilience Trainer & Consultant
About the author
International Resilience Trainer & Consultant
As BCI’s Continuity & Resilience Contributor (Global, India & South Asia) Winner 2021, Continuity & Resilience Contributor (Middle East) Winner 2020 and Global Finalist, Merit Award (Global) Winner 2012, Business Continuity Manager of the Year (India) Winner 2009; ILAs’ Global Outstanding Leadership Award Winner 2021; DRII’s Lifetime Achievement Award 2021 Finalist; Finalist in Parivartan Sustainability Leadership Awards 2014, and with over 35 years’ experience in the industry, I am an Independent Trainer & Consultant. Earlier I worked with Continuity & Resilience (VP, Practice Head, CIO, COO, Advisor); Steria (Head Business Continuity Management – UK, India & Head Green Activities – India); and TCS for over 20 years in various roles and positions. I have rich experience in Organisational Resilience, Environmental Sustainability, Business Continuity Management, Risk Management, Crisis Management, Business Excellence and Consulting (BCM, Green IT, Quality/ Process/ Malcolm Baldrige) and Training. I am a Technical Expert & Lead Auditor for ISO 22301 (Business Continuity Management System). I am also an Energy Management Expert (ISO 50001). I am an Accredited Tutor for the BCS “Foundation Certificate in Green IT” course. I have been a BCI Approved Instructor (2012 – 2021) and a member of the BCI’s Speakers Bureau. I am an IEEE Ambassador, Fellow of the BCS (British Computer Society), Fellow of the BCI, and Senior Member of IEEE. I am also a member of AIMA (All India Management Association) and a Member of DMA (Delhi Management Association). I am a Life Member of the CSI (Computer Society of India). I have served clients in various industries and sectors like IT/ IT-eS, Banking, Finance, Insurance, Retail, Manufacturing, Automobile, Pharma, Real Estate, Marine, Trading, Government, PSU, Telecom, Aviation, Energy/ Oil & Gas, Media, Power etc. I have delivered over 500 talks/ workshops in national and international events.
I am an expert in Disaster/ Crisis Simulation Exercises including for the top management of organisations in different countries and industry sectors. With over 9500 hours of training+teaching experience, I am a Certified International Trainer and Certified Corporate Trainer. I am also a Qualified Independent Director. My services cover standards like ISO 22316, ISO 22301, NCEMA 7000, BS 11200, ISO 31000 etc.