The Task at Hand
Alscient are working closely with an insurance organisation to deliver several services, including a secure end user compute solution. Key to this was the security of the desktop estate, which had to meet the following security requirements:
Ensure data is contained – User data must not be held on local devices; all data should be contained within a centralised infrastructure.
Reduction of attack surface area – The possibility of external access should be minimised, with locked-down, restricted access to the desktop estate.
Segregation of users – A breach of an individual user account or desktop must not affect other users.
Prevent inappropriate user actions – What users are able to do within the desktop estate must be managed and maintained so that malicious activity is prevented.
The Solution – Amazon WorkSpaces
Amazon WorkSpaces was chosen as the solution for the customer in question, in no small part because it could immediately help to address the above requirements. User data remains contained and centralised within the managed AWS VPN infrastructure, and user segregation is ensured by means of an individual desktop instance (WorkSpace) per user. The attack surface area is reduced because of the centralised nature of the solution. Users are able to access the service from any device, from anywhere in the world, but additional security functionality can be provided via Multi-Factor Authentication (MFA), IP Access Controls and Active Directory integration. The latter, in conjunction with Group Policy Objects (GPO), can ultimately lock down the end user desktop experience by preventing the user from taking any action beyond their working needs.
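The IP Access Controls mentioned above are applied as an allow-list of CIDR ranges attached to the WorkSpaces directory. The script below is an added illustration of that setup, not Alscient's or AWS's own code: the directory id, group name and CIDR ranges are constructed placeholders, and the function that calls the AWS CLI is only defined, not run.

```shell
#!/bin/sh
# Added example: building and applying a WorkSpaces IP Access Control Group.
# All ids, names and ranges below are placeholders, not values from the page.

# Return 0 if the argument looks like an IPv4 CIDR (a.b.c.d/n, n in 0..32).
is_ipv4_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  ip="${1%/*}"
  prefix="${1#*/}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  oldifs="$IFS"; IFS=.
  set -- $ip
  IFS="$oldifs"
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Build the --user-rules shorthand for `aws workspaces create-ip-group` from
# "CIDR:description" pairs (descriptions without spaces); rejects bad CIDRs
# so a typo cannot silently widen the allow-list.
build_user_rules() {
  out=""
  for pair in "$@"; do
    cidr="${pair%%:*}"
    desc="${pair#*:}"
    is_ipv4_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    out="${out:+$out }ipRule=$cidr,ruleDesc=$desc"
  done
  printf '%s\n' "$out"
}

# Create the group and attach it to the directory (needs AWS credentials;
# defined here but not invoked). $1 is the directory id, e.g. d-0123456789.
apply_ip_group() {
  directory_id="$1"; shift
  rules=$(build_user_rules "$@") || return 1
  group_id=$(aws workspaces create-ip-group \
      --group-name corporate-egress \
      --group-desc "Office and VPN egress ranges only" \
      --user-rules $rules \
      --query GroupId --output text) || return 1
  aws workspaces associate-ip-groups \
      --directory-id "$directory_id" --group-ids "$group_id"
}
```

Once a group is associated, WorkSpaces clients connecting from addresses outside the listed ranges are refused before authentication, so the ranges should cover only the office and VPN egress points the customer actually uses.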
Additional Security Tooling
WorkSpaces itself, though, provides us and the customer with only part of the security wrap needed around the desktop solution. It is important to remember that additional tools and services are needed to provide a defence-in-depth solution. With that in mind we introduced Okta for SSO and MFA services, and Trend Micro for Anti-Virus/Anti-Malware services. These services, coupled with those inherent in the AWS WorkSpaces infrastructure, Active Directory and GPO management, and Symantec.cloud for web and email filtering, allow us to provide our customer with the confidence and security they need across their desktop estate.