Over the last few years, I’ve seen how organizations can rationalize almost any high-friction, mundane, resource-draining, performance-degrading user experience, simply by invoking the mandate of “security.”
Ever since we began work on Microsoft Managed Desktop, our team has been studying why workplace computing can be so painful compared to the experiences modern personal devices like smartphones and tablets provide.
Working directly with customers and partners in their environments, we identified several outdated security practices that not only degrade the workplace device experience but also drain precious resources like device budgets and IT management time. Even worse, they don’t always secure the environment as well as intended.
We’ve applied these learnings to the Microsoft Managed Desktop service and have begun empowering customers with devices that deliver on security – without compromising the end-user experience.
Authenticating what you know vs. who you are
Take a moment to think about all your personal accounts that require passwords for online access: your subscriptions, social media, vendors, bank accounts, and even your Wi-Fi router.
That’s likely a sizable list, and it is one reason password-based access control is a poor way to protect workplace tools and data, such as your VPN connection, in-house apps and tools, third-party expense reporting or sales data apps, and so forth.
Passwords can be stolen as they’re transmitted across the network. Simple passwords can be cracked in seconds with commonly available tools. Stronger passwords are difficult to remember, so many people reuse a strong but memorable password across multiple accounts. When a large consumer service suffers a breach that exposes passwords and identities, your systems are vulnerable if an employee has reused that password for a workplace login, because attackers replay leaked credentials against other services.
The Microsoft Managed Desktop service takes a different approach. Instead of only verifying what the user knows, it also confirms who the user is, and what the user has, via several modern technologies incorporated into Microsoft 365 that Microsoft Managed Desktop is optimized to support. When it runs your PC environment, Microsoft Managed Desktop allows you to deploy these technologies consistently across user devices:
- Biometrics like facial recognition and fingerprint scans, which are far harder to steal or replay than a password.
- Device PINs, which safeguard a specific device with a specific PIN. The PIN is verified locally by the Trusted Platform Module rather than sent over the network, so it is harder to steal. Repeated wrong guesses lock the device until the user authenticates another way, and knowing the PIN is useless without the specific device.
- Phone-factor authentication adds another layer of protection by asking users to confirm an access request via a quick interaction with their smartphone authentication app.
Not all devices include all the features and functionality required to support these modern security approaches. Environments that include some legacy devices and outdated software will not be able to deploy modern security across the entire organization, which leaves those devices vulnerable. That’s like going on vacation with all your doors locked but leaving your windows wide open.
As part of the Microsoft Managed Desktop service, our team curates a catalog of devices that can fully support the security features of our offering, enabling Microsoft Managed Desktop customers to standardize on more modern authentication techniques.
Hybrid management complexity
Backup and restoration. Data management. Data loss prevention. Remote support. VPN. Antivirus software. To provide these and other crucial functions, it used to be necessary to pay for and deploy a variety of solutions on top of the operating system – because no single vendor covered all the necessary functions.
Each specialized app caters to a specific security function in the environment and triggers a specific response. For example, an antivirus app monitors for files with specific virus signatures and moves infected files to quarantine.
Each app therefore requires its own always-running agent that consumes memory, processing power, battery life, and other system resources. What’s more, security agents often perform redundant tasks, consuming two or three times the resources the function requires. In a sense, you’re permanently giving away part of your company’s hardware capacity – and budget – just to run all these agents.
Deploying many agents can degrade the user experience so severely that we’ve seen many large organizations budget several hundred dollars per device on memory upgrades, just to deliver minimally acceptable performance and usability.
Not only does a hybrid approach to security suites deteriorate the user experience, but the IT management burden is substantial.
- Siloed functions. Agents from different software vendors don't share data with one another. Each has its own specific management console, which increases the manual effort required to manage across all functions. Manual efforts are costly and prone to human error in configuration or updates - which is precisely the sort of thing hackers look to exploit.
- Delayed updates. Integrating, testing, and deploying updates across an entire fleet of devices can be extremely time-consuming for IT admins - and often prompts multiple system restarts that disrupt user productivity. Many organizations deploy updates when the user is on site or connected to the corporate network via VPN. Any delays between update availability and deployment give hackers extra time to discover and exploit known vulnerabilities that the deferred updates are designed to resolve.
- Compatibility issues. Agents from different publishers can experience compatibility issues that disable functions of other apps or the operating system. They can even block system updates, leaving the device exposed until the publisher resolves the compatibility issue.
- Expertise. It takes specialized knowledge - if not expertise - to manage each different publisher's agent effectively. Specialized security experience increases the talent cost, and ongoing training to stay current with major app updates can further increase management overhead.
A modern alternative is to choose a tightly integrated suite of tools instead of a complex, hybrid mix. The Microsoft Managed Desktop service uses the built-in security capabilities of Windows and Microsoft 365 along with our managed monitoring services to provide value and savings to our customers for a more streamlined experience. With Microsoft Managed Desktop, any Internet connection enables an update to user policies, a check for device compliance, and deployment of any required updates.
By simplifying the environment, we transform the challenge of managing outdated devices into an intelligent, data-driven, and highly automated service that makes updating safe. This is part of our responsibility in Microsoft Managed Desktop.
"Castle first" or "cloud first"?
If you typically work on site, you may access data seamlessly inside your organization’s firewall – which protects your systems like a moat around a castle. But what happens when you travel, or when you need to work on a report from home?
Maybe you connect to your corporate systems via a password-protected VPN, which secures the Internet connection and encrypts the data in transit. Or maybe you try to avoid using the VPN because it’s unstable, or because it makes all your applications run slower due to additional routing and high-latency networks. Or maybe your company uses software to disable certain ports once your device leaves the corporate environment, potentially hindering functionality and productivity.
In the face of such limitations, have your people ever:
- Saved necessary files to a thumb drive or to their laptops before they left the office?
- Emailed themselves a working draft via an unsecured personal account?
- Created version control issues because teammates edited the centrally stored file while a remote user was working on a local copy?
Whenever security measures add friction to the user experience, you can count on users to develop creative workarounds – and that can undermine productivity, collaboration, and security, while presenting new operational risk to an organization.
Moving your data to an appropriate cloud storage provider enables a “cloud first” approach to security. Once you supply your PIN or biometric login, your device uses the Internet to authenticate your corporate credentials securely via cloud directory and verify your current access privileges, without further password prompts.
Is a user signing in from an anonymous IP address, an unfamiliar device, or a device that's infected with malware? Is a user attempting to log in from Brussels ten minutes after connecting from Vancouver?
Centralizing every user’s sign-in and permissions in the cloud directory means each access request, anytime and anywhere, can be evaluated against signals like these before access is granted. That’s why our team has designed Microsoft Managed Desktop to leverage our cloud directory, management, and cloud storage to accelerate our customers’ transformation to this new “normal.” But first, organizations must recognize that legacy security tactics are holding them back.
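The Brussels-after-Vancouver question above is an impossible-travel check. The following is an added example, not code from Microsoft Managed Desktop or Microsoft 365: it parses a constructed JSON-lines sign-in log, resolves each sign-in's city through a hypothetical geo-IP table, computes the great-circle distance between a user's consecutive sign-ins, and flags any pair that would require faster-than-airliner travel (the 900 km/h threshold is an assumption). It also flags sign-ins from devices absent from a constructed per-user device inventory, which stands in for the directory's device registration data.

```python
"""Impossible-travel and unfamiliar-device checks over sign-in events.
Added example; not Microsoft Managed Desktop code."""
import json
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed geo-IP lookup table (assumption: a real system resolves the
# source IP to coordinates with a geo-IP database).
CITY_COORDS = {
    "Vancouver": (49.2827, -123.1207),
    "Seattle": (47.6062, -122.3321),
    "Brussels": (50.8503, 4.3517),
}

# Assumption: nothing legitimate moves a user faster than an airliner.
MAX_PLAUSIBLE_KMH = 900.0

# Constructed sample sign-in log, one JSON record per line (not real data).
SAMPLE_LOG = """\
{"user": "alice", "ts": "2019-03-04T08:00:00Z", "city": "Vancouver", "device": "LAPTOP-A1"}
{"user": "alice", "ts": "2019-03-04T08:10:00Z", "city": "Brussels", "device": "UNKNOWN-7F"}
{"user": "bob", "ts": "2019-03-04T09:00:00Z", "city": "Seattle", "device": "LAPTOP-B2"}
{"user": "bob", "ts": "2019-03-04T12:00:00Z", "city": "Vancouver", "device": "LAPTOP-B2"}
"""

# Constructed device inventory: devices each user has registered (assumption
# standing in for the cloud directory's device registration data).
KNOWN_DEVICES = {"alice": {"LAPTOP-A1"}, "bob": {"LAPTOP-B2"}}


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    city: str
    device: str


def parse_log(text: str) -> list:
    """Parse JSON-lines sign-in records and return them oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # fromisoformat() before Python 3.11 does not accept a trailing "Z".
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(SignIn(rec["user"], ts, rec["city"], rec["device"]))
    return sorted(events, key=lambda e: e.ts)


def haversine_km(a, b) -> float:
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect(events, known_devices, max_kmh=MAX_PLAUSIBLE_KMH) -> list:
    """Return findings: impossible travel between a user's consecutive
    sign-ins, and sign-ins from devices the user has not registered."""
    findings = []
    last_seen = {}
    for e in events:
        if e.device not in known_devices.get(e.user, set()):
            findings.append({"user": e.user, "reason": "unfamiliar_device",
                             "device": e.device})
        prev = last_seen.get(e.user)
        if prev is not None and prev.city != e.city:
            dist = haversine_km(CITY_COORDS[prev.city], CITY_COORDS[e.city])
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            # Two places at the same instant: treat the implied speed as
            # unbounded instead of dividing by zero.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append({"user": e.user, "reason": "impossible_travel",
                                 "from": prev.city, "to": e.city,
                                 "km": round(dist), "kmh": round(speed)})
        last_seen[e.user] = e
    return findings


def run_sample() -> list:
    """Run both checks over the constructed log."""
    return detect(parse_log(SAMPLE_LOG), KNOWN_DEVICES)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed log, alice's Brussels sign-in ten minutes after Vancouver implies a speed in the tens of thousands of km/h and comes from an unregistered device, so it produces two findings; bob's Seattle-to-Vancouver move over three hours is ordinary commuting speed and produces none. A production check would also look at the source IP's reputation (anonymizing proxies) and the device's health signals, which the questions above mention and this example does not model.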
Is security your core business?
Despite the tolls on user experience and security, many organizations continue to use outdated security tactics. Why?
Many organizations treat IT as a maintenance function rather than a driver of business innovation and collaboration, so IT leadership lacks the resources to research, test, transform, and deploy new solutions. Some organizations outsource the work, and transformation is difficult to drive from the outside in. And some organizations just find it easier to rubber-stamp last year’s budget than to advocate a major change. The result is an antiquated computing environment and user experience that may also be less secure than intended.
When security is not your core business, other priorities get in the way. But you owe it to your company’s employees, customers, and shareholders to work on a modernization strategy, because your data might be more vulnerable than you realize.
Microsoft invests more than one billion dollars each year in security R&D and operational functions that many organizations don’t even know they should be pursuing, including security monitoring, threat detection, threat intelligence, penetration testing, data loss prevention, automation, and machine learning. We continue to evolve our security platform and services because doing so is core to our business.
If you don’t spend a billion dollars per year on security – let’s face it, few companies could – I have good news for you. By extending our core business investments to protect your organization, the Microsoft Managed Desktop service enables these security investments for you and thereby empowers you to invest more in your core business.
If you’re interested in learning more, please subscribe to the Microsoft Managed Desktop blog. Over the coming weeks, my team and I will be sharing more details about the complex challenges organizations face on the path to modernization. We’ll also share more on how we’ve accelerated that path by delivering more holistic security as part of the service than many organizations or vendors could afford to achieve on their own.
Learn more about Bill Karagounis