Improving Security for Remote Workers with Amazon WorkSpaces

Cybersecurity matters. We know this, but the uptick in high-profile ransomware attacks like the SolarWinds and Colonial Pipeline hacks of this year is a stark reminder of why. These attacks are standouts, but they are part of a growing trend. Cyberattacks have jumped in the last year, with reports showing that ransomware attacks are up 400%, and the cost of a ransom has increased 171% since before the pandemic. With attacks on the rise and showing no signs of slowing down, now is a great time to check in on your security.

The rise in cyberattacks can be attributed to the COVID-19 pandemic and our collective shift to remote working. You likely remember organizations scrambling to set up remote work models last March. Cybercriminals took advantage of the fast turnover, security vulnerabilities, and our increased digital reliance. 

Many organizations turned to traditional virtual desktop infrastructures (VDI) last year, and they may have missed emerging Desktop-as-a-Service solutions like Amazon WorkSpaces. Amazon WorkSpaces is completely hosted on the AWS Cloud, which removes upfront investments in hardware and continual infrastructure maintenance. WorkSpaces is built for growth: you can scale from a handful of users to thousands in minutes. AWS also uses a pay-as-you-go model, which bills on an hourly or weekly basis, removing excess costs on unused resources. Bundles are available, which package different levels of CPU power, GBs of RAM, GPUs, video memory, SSD root and user storage, and software. In addition to these benefits, Amazon WorkSpaces’ security makes it stand out on the market. Here is a breakdown of all it has to offer security-wise:

Infrastructure

AWS divides security into two main areas: security of the cloud and security in the cloud. AWS is responsible for maintaining the security of the cloud, or the infrastructure that runs AWS services in the AWS Cloud. They have third-party auditors regularly test and verify their security protocols, so you can be sure that your data is safe.

Your team is solely responsible for security in the cloud, which is determined by the AWS service that you use. You handle data sensitivity, your company’s requirements, and applicable laws and regulations. Not only does this model simplify security for your team, but it’s also more cost-effective. Your team doesn’t have to make an upfront investment in server farms that are expensive to run and difficult to manage.

Manage Access 

A key element of a sound cybersecurity strategy is managing data access. Controlling who has access to what data, particularly sensitive data, reduces the risk of something going awry. On Amazon WorkSpaces, you can control what data each user can see or edit with AWS Identity and Access Management (IAM). 

With AWS IAM, you can seamlessly and quickly change data access according to a user’s IP address, device type, or digital certificate.

Encryption

Encryption is the method by which information is converted into secret code that hides the information’s true meaning, and it’s the bread and butter of cybersecurity. A key issue with traditional VDIs is the security of end-user devices. Is an employee’s phone as secure as an on-site company computer? Is the information encrypted? Behind a firewall? With WorkSpaces, you don’t need to worry about that. Data is never stored on the device itself, only on the AWS Cloud. 

AWS customers using WorkSpaces can encrypt data in two different places: in transit and in storage. Data in transit is encrypted using TLS 1.2 encryption and SigV4 request signing. AWS’s PC-over-IP protocol ensures that no sensitive data is stored or sent to end-user devices. You can also encrypt the storage volumes for your WorkSpaces using customer master keys (CMK) from AWS Key Management Service. 
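As a check on the storage-volume encryption described above, the following added example (not from the original post or from AWS) audits the JSON that `aws workspaces describe-workspaces` returns and flags WorkSpaces whose root or user volume is unencrypted, or whose KMS key is not on an approved list. The sample data, WorkSpace IDs, key ARNs and the `audit_workspaces` helper are constructed for illustration.

```python
import json

# Constructed sample in the shape of `aws workspaces describe-workspaces` output.
# WorkSpace IDs, user names and key ARNs are placeholders, not real resources.
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE = json.dumps({"Workspaces": [
    {"WorkspaceId": "ws-example001", "UserName": "alice", "State": "AVAILABLE",
     "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": True,
     "VolumeEncryptionKey": KEY},
    {"WorkspaceId": "ws-example002", "UserName": "bob", "State": "AVAILABLE",
     "RootVolumeEncryptionEnabled": False, "UserVolumeEncryptionEnabled": True,
     "VolumeEncryptionKey": KEY},
    {"WorkspaceId": "ws-example003", "UserName": "carol", "State": "STOPPED"},
    {"WorkspaceId": "ws-example004", "UserName": "dave", "State": "AVAILABLE",
     "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": True,
     "VolumeEncryptionKey": "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"},
]})

def audit_workspaces(describe_output, approved_keys):
    """Return [(workspace_id, [issues])] for WorkSpaces that fail the policy."""
    findings = []
    for ws in json.loads(describe_output).get("Workspaces", []):
        issues = []
        # Assumption: a missing flag is treated like False, so the audit fails closed.
        if not ws.get("RootVolumeEncryptionEnabled", False):
            issues.append("root volume unencrypted")
        if not ws.get("UserVolumeEncryptionEnabled", False):
            issues.append("user volume unencrypted")
        # Encrypted, but with a key the organization has not approved.
        key = ws.get("VolumeEncryptionKey")
        if key and key not in approved_keys:
            issues.append("key not on approved list")
        if issues:
            findings.append((ws["WorkspaceId"], issues))
    return findings

if __name__ == "__main__":
    for workspace_id, issues in audit_workspaces(SAMPLE, {KEY}):
        print(workspace_id, "; ".join(issues))
```

Volume encryption is selected when a WorkSpace is launched, so a flagged WorkSpace has to be replaced with an encrypted one rather than switched in place.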

AWS’ encryption is strong enough to meet these compliance standards:

  • HIPAA BAA
  • SOC 1, 2, and 3
  • PCI DSS
  • ISO/IEC 27001:2013, 27018:2019, and 9001:2015
  • FedRAMP Moderate and High
  • DoD CC SRG IL2, IL4, and IL5 
  • IRAP 
  • MTCS 
  • C5 
  • ENS 
  • OSPAR 
  • HITRUST CSF
  • GDPR

Resiliency and Reliability 

Isolation is another key part of cybersecurity because it ensures that the problem is contained if one part of your infrastructure is compromised. AWS has worked isolation into both their global infrastructure network and their recommended method for deploying WorkSpaces.

On a global level, AWS Regions provide multiple physically separated and isolated Availability Zones which are connected through low-latency, high-throughput, and highly redundant networking. This model allows you to architect your environment so that it automatically fails over between zones without interruption, reducing downtime and revenue loss.

We recommend that individual organizations deploy WorkSpaces in a virtual private cloud. This ensures that WorkSpaces on the same physical host are isolated from each other through the hypervisor, as though they were on separate physical hosts. This isolation can make a huge difference should an issue arise.

How are customers using Amazon WorkSpaces?

Amazon WorkSpaces is designed to be flexible and customizable for all different types of customers. There are many scenarios where WorkSpaces could be a great fit, including:

  • Provisioning desktops for remote, mobile, and contract employees
  • Ensuring that an organization’s Bring Your Own Device (BYOD) model is secure
  • Scaling new WorkSpaces to accommodate changes in organizational structure, like mergers or acquisitions

The cost-effectiveness and security of Amazon WorkSpaces make it a standout solution on the DaaS market. It’s flexible and reliable, creating a consistent desktop experience for employees while ensuring top-to-bottom security.

How can I get started?

Our team often helps customers get started on Amazon WorkSpaces, and from now until July 31, 2021, AWS is offering 50 free WorkSpaces to new customers. Contact our team to start exploring your options!
