At the beginning of 2020, companies faced a drastic and sudden shift in their business continuity planning, where work at home quickly became the only viable solution. This resulted in companies, en-masse, moving devices from location to their employees' homes to continue operation.
This "Lift and shift" method companies were using prioritized speed and accessibility above all else. The most important thing was getting people working, accessing business-essential applications from home. This mostly took the form of a standard windows machine and a VPN to provide a secure connection. However, this method left much to be desired. In this post, we'll be going through some of the challenges companies faced when employing this strategy of work at home enablement, what we can learn from these challenges, and how ThinKiosk provides an endpoint solution that improves companies' business resilience.
What were the challenges?
Security & Control
First and foremost, this method was inherently insecure. The goal was to recreate the on-premises workplace's security standard at home, but this is not what happened. Despite the devices being the same, the employee was no longer under the direct control of IT. Employers had very little visibility on what employees were doing on these machines and no way of actively stopping them from accessing unsafe websites or non-work-related resources. This, of course, is a nightmare for any infosec team, and a breach of compliance standards for most regulatory bodies (see our blog on PCI DSS, HIPAA, and GDPR on the endpoint). Even outside of security, employers had no way of ensuring employee productivity, as there was no way of monitoring or controlling their experience. No more supervisors or co-workers to make up for gaps in productivity management.
Management & Support
Sending employees home with their office machines also caused issues for the day-to-day management & support of devices. As the machines were no longer on the corporate network or any on-premises domain, IT had only two options for the management & support of these devices.
1.) Sending the devices back to the head office to be updated and troubleshot by IT, causing days of downtime for employees.
2.) If possible, using tools like SCCM to re-image the device remotely, this process can take hours and really can throw the baby out with the bathwater (why reinstall windows to solve an application failing to launch?).
Neither of these solutions is ideal ways of managing employee devices. Centralized management of endpoints is even more vital in WaH scenarios than on-premises due to the lack of on-site assistance.
For many companies, device loss is a fear, not only in terms of cost but primarily security. If laptops were sent home with employees, what is stopping an employee from working in a coffee shop for a change of scenery and leaving their device full of access to corporate information behind? Further, there is the risk of employees attempting to swap or sell their devices. Device loss's effect on cost varies based on industry, but it is universal in terms of a security risk.
Devices sent home with just a VPN perhaps were accepted at an early stage, but now that security audits are again becoming a priority, the companies sticking to this model will have to do a lot of work to meet the standards of QSAs.
So is this "lift & shift" idea of providing WaH devices wrong? No, not inherently, but the important thing to take from this is that sending devices alone home is not enough. They need to be sent in conjunction with other solutions to solve those challenges resulting from moving devices home.
When companies return to the office, they need to remember the issues they faced and plan for the quick return of their on-premises employees to home working should there be subsequent waves or even unrelated pandemics in the future.
Companies are strategizing now how they can ensure their future on-premises environments can be easily transitioned to WaH. This planning is the very core of business resilience post-2020.
What can companies do? They should be looking for a solution that will allow them to:
- Easily transition on-premises devices to a WaH environment
- Provide security at the endpoint
- Provide centralized management to all systems
- Prevent device theft and prevent data loss
ThinKiosk: providing true business resilience
ThinKiosk converts existing Windows devices into software-defined thin clients to securely access corporate resources from any location.
Security & Control
ThinKiosk provides companies with a persistent workspace for employees to work within, blocking them from the underlying Windows operating system while maintaining functionality and compatibility. Employees can only access resources that have been defined for them by IT and have no way of getting around the ThinKiosk shell. This means that employees are not only secure with ThinKiosk; they are in a controlled environment when it comes to access and productivity! Non-work-related websites and applications are inaccessible to employees.
Management & Support
ThinKiosk allows IT to manage, update, and audit all employee devices centrally, regardless of the device location. The employee only needs to be connected to the ThinScale Management Platform via the internet, and all aspects of the ThinKiosk End-user experience can be managed by IT. From 3rd party software updates to policy & security profile revisions, IT can edit and deploy en-masse to all employee ThinKiosk machines.
ThinKiosk is a semi-permanent change to the corporate device, it can only be removed by an administrator. These machines are only accessible with employee login credentials, without which the machine is functionally a brick. This makes the device much less desirable to sell. Further, if a device loss is reported, the IT team can remotely remove ThinKiosk and any corporate applications from the endpoint, meaning even if someone outside the company were to get their hands on the machine, all corporate data would be removed.
The "lift and shift" of on-premises machines did serve their initial short term purpose for some companies, enabling access to corporate resources from home, but for many, the lowered security, lack of manageability, and potential for device loss was too much to maintain any sustainable WaH scheme. With things like security audits returning, and no real foresight into what the future will bring, it is imperative for companies to take measures now to not only ensure device security but to provide employees devices that align with modern BCP.
ThinKiosk provides a modern solution to modern challenges. It allows companies to fortify their business resilience in terms of employee devices.