Third-Party Risks: Containment StrategyKimber Spradlin of Moka5 on Securing Contractors
Mobility has driven the rise of containerization as a security strategy for employee-owned devices. But what about for contractors? Kimber Spradlin of Moka 5 discusses how to mitigate third-party risks.
Particularly at a time when regulatory agencies are sensitive to security threats introduced via third parties, the extended containerization discussion is welcome, Spradlin says.
"When you're managing just inside that container, you have a lot more freedom to lock down that container," says Spradlin, Moka 5's senior director of product strategy. "You can lock [contractors] out of admin privileges, prevent them from installing any software - even prevent them from doing much in the way of customizing the environment ..."
In an interview about containerization, Spradlin discusses:
- How to secure a contractor's desktop;
- Real-world containerization examples;
- How containerization fits in with overall organizational mobility and end user computing strategies.
Spradlin recently joined Moka5, bringing with her more than 15 years' experience in the Information Security industry. She began her career at Ernst & Young specialising in IT compliance; assisting Fortune 500 organisations to meet both regulatory and internal information security requirements. This included developing risk assessment, compliance, policy management, and software security architecture evaluation programs. Additional assignments in the systems management and security industry include IT consulting and software evangelism positions at Embarcadero Technologies, NetIQ, BigFix and IBM.
Third-Party Risks: Containment Strategy
TOM FIELD: How would you say you see this area evolving in the future, this whole concept of containerization?
KIMBER SPRADLIN: Every month I hesitate now to pull up data or statistics that's even three or six months old, because every month it just seems to be accelerating. The acceptance within the community, both on the IT side and the employee and the individual side, just keeps growing. This idea of bring your own device, merging work and personal lives, I don't see that stopping really any time soon. The question of personal laptops accessing work resources, we saw that come up ten to twelve years ago, long before all of the smart phones and everything on the market. A few folks might have had company-owned blackberries, but we just laughed it off, we said, "No, that's never going to happen." Why would you buy your own computer and bring it to work when the company is supplying you with one? Mobile devices have really driven that idea of containerization though; they started coming in to the corporate environment. Organizations said, "Okay fine, you can use your phone for email and other applications, but we want to put some sort of security on it." At which point employees went, "What? You [could] wipe my entire device, brick my phone, [and] see where I've been. I don't think so; I'm not that comfortable with it."
We were in a little bit of limbo between productivity and balancing employee privacy, and the rights they had to their personal device with the needs of the organization for security reasons. That is when we started seeing containers become even more popular in the mobile world. You had the company with their corporate container on the mobile device. They managed just the container. Everything inside of the container, if anything happened to that device, [it would] lock down or could be deleted and wiped out. At Moka5 what we've done is take that same concept and start applying it to PCs and laptops. In the intervening years, employees have become much more accepting of that idea. They've got a really nice MacBook Air at home, or they are a Mac user and the company only offers Windows, or they really just like their tiny, super-lightweight Asus Ultrabook, right? So that idea is becoming much more popular, and now we've got to find ways to enable it from a security perspective.
Securing a Contractor's Desktop
FIELD: What can you tell us about some of the ways that Moka5 secures a contractor's desktop?
SPRADLIN: We talk a lot about employees and BYO, and yet there is this whole world of contractors and even within that term, contractors that are pretty much employees except for the financial legal tax relationship, but they've been there three to five years. That is the only place they work. Then there is your more federated kind of arms-length type contractors, outsourced or off-shoring, maybe that have multiple accounts. They have multiple customers; independent agents, you see that a lot in the insurance industry. That population is even more likely to have their own machines, their own computers supplied either by [themselves or] their contracting firm. It's a great place to get the company out of the hardware business. It really is BYO; it's just with these independent contractors. I think containerization is even more important with this group because you have a little bit more of a distance in the relationship between the organization and the contractor. Managing the corporate desktop, when you're managing just inside that container, you have a lot more freedom to lock [it] down. You can lock them out of admin privileges, prevent them from installing any software, [and] even prevent them from doing much in the way of customizing the environment. That's much more acceptable because they can always hop out of the container into their custom environment.
In the security world, it's not always been about what was possible, but what could actually get done. We've been able to do a lot of these security things for a very long time, but socially and culturally, have been prevented from implementing that because it was just not the environment employees wanted to work in. The container kind of flips that on its head, as well as revoking access remotely. You can even kill or wipe the container remotely. With Moka5, you can put in a time bomb so if the system doesn't log in after thirty, sixty, ninety days, it's revoked or killed. That gives you quite a bit of flexibility. You can set all sorts of security policies centrally, such as no copying and pasting between the container and the host machine. Of course, [if] there is a very determined user, [they] will find ways to get information out of that container, but make it clear that [you] don't want them to do that. Make it fairly difficult, to where it's obvious that they are having to work around the system, and that will shut down a lot of that kind of activity.
As you have contractors, there can often be a higher turnover rate. In the case of provisioning a container, you're not shipping them a machine, having to set that up. You simply point them at a webpage, they download the container. If they are in your active directory system, you utilize existing security capabilities for access control, you existing VPM for connectivity back into corporate applications. Relying on a lot of existing security, and then layering on top of that, as well as the ability to easily update them as security patches come out. I think there are a lot of really great things about this containerization approach that apply to [the] contractor population.
Containerization and Third-Parties
FIELD: Can you offer some real-world examples of what you're seeing out there with containerization and third-party service providers?
SPRADLIN: We've got a great example in the financial services area. [One] organization had offshore software development, third-party non-employees of the company, and it was BYO within that organization. It wasn't even that the contracting firm was supplying those laptops. It was very difficult to secure those laptops, and here you're talking about source code. Something that is very sensitive, very valuable from an intellectual property perspective, and they were losing a lot of intellectual property as these contractors would move over to competitors and take that source code with them. So, they implemented Moka5; that saved them from having to purchase thousands of laptops and ship them overseas, worry about having to get those back and de-provision [them] when somebody left the organization. They went to the container model and now, as soon as someone leaves, they issue that kill command which wipes out all the data that was kept inside the container. All that source code, while it's lost, you certainly hope it's been stored within a source code repository, but at least you're preventing it from moving on to a competitor or being found in the event of a lost laptop. That was their primary concern.
In a different sector of global energy, they have a lot [of] percentage of contractors as their workforce and are operating all over the globe, all the way in to deep-sea drilling platforms, so their connectivity is not as strong. That kind of prevents them from using any sort of VDI type solution to tackle this problem, because from an offshore drilling platform, you're bandwidth is not high and the connection can have a lot of problems with it. A locally run container, again, all those same benefits encrypting the container, being able to revoke it, being able to get it loaded on to those systems has saved them quite a bit of money. In the case of one customer, they had a contractor population of about 60,000, and had been previously purchasing laptops for all, and in many cases their contractors were carrying two laptops. The contractors also appreciated this container approach getting the weight down on their travel bag.
FIELD: What is one of the hidden benefits we don't think of?
SPRADLIN: Any time you can sell the benefits to the end-user as to how this might benefit them [it], just makes it that much easier to get something implemented. The acceptance of the end-user is a big component, and that doesn't have anything to do with the technology, although certainly a great user experience like Moka5 where it's three clicks [to] install and you're ready to go helps. But, there is the positioning of it with the end-user as well.
End-User Computing Strategies
FIELD: How do you see this entire strategy fitting in with the overall organizational mobility and end-user computing strategies?
SPRADLIN: I think this contact, or population, is a great place to start. BYO on the mobile device, nearly every organization has that addressed. I know there are lots of security concerns and we continue to evolve that in that area, but on the PC/laptop, we're not nearly so far along. [The] contractor population is going to be very accepting of this idea. It's not going to be a major burden to them, they already have additional hardware that they are using. [It is a] great place to learn where the problems are and roll out implementation from your processes' perspective, any kind of corporate cultural-type issues, policies. Are there any policies in the organization that might need to change? From there you can take those lessons learned, have all of your infrastructure in place, and begin to offer this as an optional benefit to your full employee base and kind of just work and see who takes you up on it. There are those that are predicting that in another five to eight years the company laptop will go the way of the company car. That it just won't even occur to us that [it would] be supplied by the organization. That seems pretty strange, and like I'm taking on a financial burden, but I know I personally prefer it that way. If I were to move to another company, I wipe off the company data, the container is gone, but I still have the same computer that I've been using, that I'm comfortable with, that has my personal data on it, and I appreciate being able to take that with me from job to job.