Tuesday, 25 October 2011

DaaS and local admin rights

Desktop as a Service (DaaS) offers an organisation many benefits, not simply security, provided of course that it is managed well. Like anything, a system that is ignored will quickly decay.

Today I will note a major security benefit that DaaS offers.

This is the ability to remove local Administrator rights.

Laptops and tablets can be locked down. The issue is that any system the user can physically access is difficult to maintain in a secured state. Physical access allows a local user to do many things that they should not be allowed to do. There are always means to bypass even the best physical controls when you own or physically control a host.

DaaS of course removes the ability to access the device physically. Moreover, some providers allow you to encrypt the drives (or at least the virtualised data). At worst, there are always free solutions such as TrueCrypt, as well as a number of commercial disk encryption products, that work on cloud-based systems.

With group policy (and I will document this step by step soon) in a DaaS system, you can lock local access away from your users and they cannot use physical access tricks to bypass these controls.

The user CAN have local access and rights on a tablet or notebook system. These can be set as the user desires with any silly application they like. This can be a risk to their personal data, but the access to protected data will be held remote.

Moreover, DaaS can be coupled with NAP and NAC. When the user’s system connects, it can be validated to ensure that a firewall is enabled, that anti-malware solutions are up to date and that other controls are at least enabled when the user is working on the secured desktop.
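The kind of admission check described above, as an added example that is not from the original post: a policy function that decides whether a connecting client may reach the secured desktop. The report field names, the three-day signature limit and the sample reports are assumptions made for illustration; real NAP and NAC products define their own formats.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values for this example; the post does not specify any.
MAX_SIGNATURE_AGE = timedelta(days=3)
REQUIRED_CONTROLS = ("firewall_enabled", "antimalware_enabled")


def evaluate_posture(report, now):
    """Return (allowed, reasons). Missing or malformed fields fail closed."""
    reasons = []
    for control in REQUIRED_CONTROLS:
        # Only a literal True passes; absent, None or "yes" count as off.
        if report.get(control) is not True:
            reasons.append(f"{control} not confirmed")
    try:
        updated_at = datetime.fromisoformat(report.get("signatures_updated"))
    except (TypeError, ValueError):
        reasons.append("signature timestamp missing or unparseable")
    else:
        if updated_at.tzinfo is None:
            reasons.append("signature timestamp has no timezone")
        elif updated_at > now:
            # A client clock set forward must not make stale data look fresh.
            reasons.append("signature timestamp is in the future")
        elif now - updated_at > MAX_SIGNATURE_AGE:
            reasons.append("anti-malware signatures out of date")
    return (not reasons, reasons)


# Constructed sample reports, not real client data.
NOW = datetime(2011, 10, 25, 12, 0, tzinfo=timezone.utc)
HEALTHY = {"firewall_enabled": True, "antimalware_enabled": True,
           "signatures_updated": "2011-10-24T08:00:00+00:00"}
STALE = dict(HEALTHY, signatures_updated="2011-10-01T08:00:00+00:00")
NO_FIREWALL = {"antimalware_enabled": True,
               "signatures_updated": "2011-10-24T08:00:00+00:00"}

if __name__ == "__main__":
    for name, report in [("healthy", HEALTHY), ("stale", STALE),
                         ("no firewall field", NO_FIREWALL)]:
        allowed, reasons = evaluate_posture(report, NOW)
        print(name, "ALLOW" if allowed else "QUARANTINE", reasons)
```

A client that omits a field is quarantined rather than admitted, so an outdated or tampered agent cannot pass simply by staying silent.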

Some of the biggest security issues we see come from the way we treat a business system as a personal system. In restricting business use to the DaaS platform, the user can have a personal system while still maintaining separate access to a secured system.

In adding applications, the user does this removed from the organisation's data. There are still ways to attack any system, but the controls are simpler to maintain in a DaaS-based solution than they are in a series of snowflakes (that is, the range of disparate systems that make up the average IT operation).

Once I am past the current conference schedule and training program, I will document a detailed how-to guide that will help you to enable Group Policy to manage such a system.

1 comment:

Anonymous said...

Awaiting more info on this