By Dave Waterson, CEO, SentryBay
Governments in the Middle East are tackling unprecedented political, social and technological changes that have prompted remedial actions, particularly when it comes to data sovereignty.
Throughout the Middle East, the influence of digital transformation on social infrastructure, public services and the financial sector has transformed citizens’ lives, but the flipside is an increased exposure to cyberattacks. In June of last year, the UAE’s National Computer Emergency Response Team repelled more than 100,000 cyberattacks against Federal Government entities in that month alone.
To mitigate this, several governments in the area have focused on keeping citizens’ data within their national borders and introduced data sovereignty laws authorising both national and global organisations to store data locally.
Where these laws are most zealously being enforced, challenges are arising for internationally focused organisations. Instead of being able to transfer data securely across global borders, or even to use data centres strategically positioned to serve the needs of several nations simultaneously, pressure is mounting to build facilities in each separate country and stop data from being transferred at all.
VDI delivers granular control
The pandemic has only served to exacerbate the situation, especially for executives forced to work outside the country in which their organisation is headquartered. The oil and gas industries in Middle Eastern countries have been particularly hard hit. To help manage this, many companies have turned to Virtual Desktop Infrastructure (VDI), a popular choice for delivering granular control over secure remote access to virtual desktops, applications and data when employees are outside the corporate (and in this case national) perimeter.
When it comes to data sovereignty, businesses can still support information sharing across borders using VDI primarily because users are not downloading potentially sensitive data and can only see what is displayed on their screen, which can be watermarked to prevent data theft.
VDI utilises a secure gateway (such as Citrix NetScaler, VMware UAG or F5), which provides multi-factor authentication and proxies the session traffic to the backend systems. This works well. However, to ensure companies are not at risk of attack or of breaching data sovereignty rules, they must consider the security of their employees’ devices. If these are unmanaged, not only are they at risk, but the corporate network is rendered vulnerable too.
The most significant threat to data is from screen scraping and keylogging malware, and worryingly any hacker adept at writing code can capture confidential data. Zeus variants using browser attacks can also exploit the logon process of remote access systems to gain entry. Other threats come from configuration files (such as ICA files) being intercepted, either in flight or from the endpoint device’s file system, and re-used in a timely fashion elsewhere; from RDP double-hop or VNC attacks; and even from manipulation of the Windows printing sub-system.
While VDIs do deliver a high degree of security, and remote access environments in general are not disproportionately vulnerable to risk, this depends very much on the devices that they are being connected to. Unmanaged endpoints are notoriously easy for malicious actors to attack, which is why they result in 70% of breaches according to research.
The main issues arise from the lack of control that the corporate entity has over the security posture, operating system level or application versions being used before accessing VDI platforms.
In an effort to contain risks and remain compliant with data sovereignty guidance, organisations are providing secure corporate laptops for employees to use when accessing VDI platforms, but once outside the corporate perimeter, these endpoints are still challenging to manage. Some businesses implement compliance checks which enforce the use of an agent that can be supplied and configured by the gateway connecting to the VDI client. Pre- and post-authentication access policies can also be used to check for minimum system or application levels or versions, and this gives a degree of assurance before granting access. If compliance, such as with data sovereignty, is essential to an organisation, however, these do not guarantee an endpoint is secure, which means compliance regulation audits will not be satisfied. While endpoint compliance checks generate support overhead and require additional licensing, they can add value.
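The pre-authentication check described above can be sketched as follows. This is an added example, not code from the article or from any gateway product; the policy keys, report fields, thresholds and sample reports are hypothetical and constructed for illustration.

```python
# Added illustration: a hypothetical pre-authentication posture policy.
# Field names, thresholds and sample reports are constructed for this example.
import re

POLICY = {
    "min_os_build": "10.0.19045",     # assumed minimum OS level
    "min_client_version": "22.3.0",   # assumed minimum VDI client version
    "require_agent": True,            # gateway-supplied agent must be present
}

def parse_version(text):
    """Turn '10.0.19045' into (10, 0, 19045); reject anything else."""
    if not isinstance(text, str) or not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"malformed version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def at_least(reported, minimum):
    """Compare numerically: as strings, '22.10.1' sorts below '22.3.0'."""
    a, b = parse_version(reported), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def evaluate(report, policy=POLICY):
    """Return (allowed, reasons); missing or malformed fields fail closed."""
    reasons = []
    for field, key in (("os_build", "min_os_build"),
                       ("client_version", "min_client_version")):
        try:
            if not at_least(report.get(field), policy[key]):
                reasons.append(f"{field} below {policy[key]}")
        except ValueError:
            reasons.append(f"{field} missing or malformed")
    if policy["require_agent"] and report.get("agent_present") is not True:
        reasons.append("compliance agent not present")
    # A pass only means the reported levels meet policy; it says nothing
    # about keyloggers or screen scrapers already running on the endpoint.
    return (not reasons, reasons)

REPORTS = {  # constructed sample posture reports
    "current": {"os_build": "10.0.19045", "client_version": "22.10.1", "agent_present": True},
    "old-os": {"os_build": "10.0.9200", "client_version": "22.3", "agent_present": True},
    "unmanaged": {"client_version": "latest", "agent_present": False},
}

if __name__ == "__main__":
    for name, report in REPORTS.items():
        print(name, evaluate(report))
```

The check fails closed on missing or malformed fields and compares versions numerically, but it still rests on what the endpoint reports about itself.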
Additionally, companies can use bootable USB devices with ‘thin’ operating systems that can provide a secure environment to access the VDI. To be effective, a physical device must be issued to each employee, and they must boot the operating system from the USB on their own PC or laptop, but there is no control over how the BIOS is configured. Challenges can arise logistically because the employee must remain connected to the VDI platform and cannot use their own device for any other activity unless they disconnect.
Securing the VDI, meeting data sovereignty laws
Organisations working in Middle Eastern countries can successfully reinforce their VDI platforms if they use solutions designed precisely to protect endpoint devices. These build a shield around the VDI client, defending it from malware such as keylogging and screen scraping, and at the same time protect the browser and the logon process.
They should research the leading, ideally patented, technology that secures endpoints, regardless of their security status when a VDI session is running. This ensures uncompromising confidentiality, allows the user to have full access to their normal desktop by easily switching, without having to close the VDI session, and gives the organisation a high level of control.
With the right kind of security solution in place, companies will also find they benefit from constant updates, which means that browser and VDI client compatibility issues are addressed.
The cybersecurity threat in the Middle East is growing, and with it the increased focus on enforcing data sovereignty regulations. Protecting VDI deployment with solutions that are fit-for-purpose creates armour that is difficult to penetrate and puts companies on the right side of the law.