Protecting BYOPC corporate access using conditional access

Yan Aksenfeld
February 11, 2021

The advent of the Bring your own PC (BYOPC) era

This has got to be the most popular phrase in IT blogs in the past year, but yeah, we noticed – 2020 wasn’t a normal year, especially for the workplace. As we all know, we moved the workplace home and started connecting to our corporate assets from home. And yes, organizations have taken the cue: in a few short weeks or months they accelerated and enabled remote work projects that would otherwise have taken years.

As a result, one important trend has emerged – organizations are increasingly allowing and encouraging employees and contractors to work remotely from personal computers (BYOD or BYOPC). Some people buy a computer out of a company budget; others use a computer they already have at home rather than a classic corporate PC.

This reduces the operational expense (OPEX) of maintaining and operating a fleet of corporate computers, and their associated software. It also eases remote onboarding of employees and allows employees the flexibility to choose their favorite hardware. All of this improves overall employee satisfaction levels.

On the other hand, securing access to the organization and managing devices in a world of non-standardized, unmanaged machines that do not necessarily meet corporate standards has become a major pain point and even a nightmare for CISOs.

Registering BYOPC computers with Azure Active Directory (AAD)

One of the solutions to the pain is registering the BYOPC machines with AAD. This is less intrusive than a fully managed, AAD-joined machine, which is not realistic in BYOPC scenarios such as home machines and contractor devices.

This approach gives the organization visibility into the devices accessing the network. That in turn allows it to apply conditional access policies, enables single sign-on to cloud resources, and offers an easy way to implement a zero trust architecture, all without fully managing the device or applying intrusive corporate configurations.

What is Conditional Access with Device Compliance?

One of the main security features enabled by registering machines with AAD is conditional access. Conditional access is an AAD feature that allows admins to limit access to managed applications according to rules about the user and about the device used to access the organization.

It gives admins the peace of mind that the machines accessing corporate assets comply with basic cyber hygiene standards. This feature is especially useful with cloud-first applications, as it is very easy to implement.

An example configuration is to allow access to Salesforce only to users in the marketing department who have a device with the latest version of Windows, an antivirus, and a complex password setup. This allows organizations to establish a concrete security baseline for the devices that have access to sensitive company resources.

To validate the device, the Microsoft Endpoint Manager (AKA Intune) device compliance feature is used. (Note that the device needs to be enrolled into Microsoft Endpoint Manager for this to work.) It makes sure that a device is compliant, so that applications are only accessed from a compliant environment.

Drawbacks of Conditional Access

Unfortunately, organizations are encountering pushback from users and contractors/vendors:

  1. They are not eager to register their machines, due to legitimate or preconceived privacy and security concerns (e.g. “will you be monitoring my computer?!”).
  2. Due to the varied and non-standardized makeup of BYOPC machines, and the fact that users may not always be very technical, OPEX increases significantly. IT teams need to spend vast amounts of time remediating issues on remote machines and getting users to the correct security baseline, which increases user frustration.
  3. The set of checks provided by conditional access and device compliance may not provide the security peace of mind that CISOs get from a fully managed corporate machine.
    1. A user with elevated credentials (and who doesn’t have those on their own PC?) will be able to bypass those checks and “fool” the system.
    2. Some checks are conducted at a rudimentary, surface level. An antivirus may be installed, but is it functioning properly?

Despite these drawbacks, the feature has become a must in any BYOPC deployment: an organization cannot simply allow free access to its crown jewels from any unprotected device.
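To make the conditional access and device compliance mechanics concrete, here is a small model of the Salesforce policy described above (marketing users, latest Windows, antivirus, complex password) evaluated against a few constructed sign-in attempts. This is an added illustration, not Hysolate's or Microsoft's code: the policy dictionaries are shaped after the Microsoft Graph `conditionalAccessPolicy` and `windows10CompliancePolicy` resources as I understand them (assumed), the group and application IDs are placeholders, and the device states are constructed. It also shows two points from the drawbacks list: a device that is not registered yields an unknown compliance state and is treated as non-compliant (fail closed), and an antivirus that is merely installed but not running fails the `rtpEnabled` setting, so the check goes past "is it installed?".

```python
"""Model of an Azure AD conditional access policy backed by an Intune device
compliance policy, evaluated against constructed sign-ins.

Added illustration, not Hysolate's or Microsoft's code. Dictionary shapes
follow the Graph conditionalAccessPolicy / windows10CompliancePolicy
resources as assumed by the author; IDs are placeholders; samples are
constructed.
"""
from dataclasses import dataclass

MARKETING_GROUP_ID = "PLACEHOLDER-MARKETING-GROUP-ID"   # placeholder object id
SALESFORCE_APP_ID = "PLACEHOLDER-SALESFORCE-APP-ID"     # placeholder app id

# Conditional access policy: marketing users -> Salesforce requires a compliant device.
CONDITIONAL_ACCESS_POLICY = {
    "displayName": "Salesforce: marketing on compliant devices only",
    "state": "enabled",  # or "enabledForReportingButNotEnforced" while piloting
    "conditions": {
        "users": {"includeGroups": [MARKETING_GROUP_ID]},
        "applications": {"includeApplications": [SALESFORCE_APP_ID]},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]},
}

# Intune Windows 10 compliance policy: current build, real password, working AV.
COMPLIANCE_POLICY = {
    "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
    "osMinimumVersion": "10.0.19042",    # constructed "latest" build number
    "passwordRequired": True,
    "passwordRequiredType": "alphanumeric",
    "passwordMinimumLength": 12,
    "antivirusRequired": True,
    "rtpEnabled": True,                  # real-time protection must be on
    "signatureOutOfDate": False,         # signatures must be current
}


@dataclass
class DeviceState:
    """Constructed device telemetry as the compliance engine would see it."""
    registered: bool
    os_version: str = ""
    password_type: str = "none"          # none | numeric | alphanumeric
    password_length: int = 0
    av_installed: bool = False
    av_realtime_on: bool = False
    av_signatures_current: bool = False


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def is_compliant(dev, policy=COMPLIANCE_POLICY):
    """Return (compliant, failed_setting_names).

    An unregistered device has no compliance record at all; it is reported
    as non-compliant rather than silently passing."""
    if not dev.registered:
        return False, ["deviceNotRegistered"]
    failures = []
    if version_tuple(dev.os_version or "0") < version_tuple(policy["osMinimumVersion"]):
        failures.append("osMinimumVersion")
    if dev.password_type == "none":
        if policy["passwordRequired"]:
            failures.append("passwordRequired")
    else:
        if policy["passwordRequiredType"] == "alphanumeric" and dev.password_type != "alphanumeric":
            failures.append("passwordRequiredType")
        if dev.password_length < policy["passwordMinimumLength"]:
            failures.append("passwordMinimumLength")
    if policy["antivirusRequired"] and not dev.av_installed:
        failures.append("antivirusRequired")
    if policy["rtpEnabled"] and not dev.av_realtime_on:      # installed != running
        failures.append("rtpEnabled")
    if not policy["signatureOutOfDate"] and not dev.av_signatures_current:
        failures.append("signatureOutOfDate")
    return not failures, failures


def evaluate_sign_in(user_groups, app_id, device,
                     ca=CONDITIONAL_ACCESS_POLICY, compliance=COMPLIANCE_POLICY):
    """Return (decision, failed_settings) for one sign-in attempt.

    Conditional access is allow-by-default: when no policy is in scope the
    result is 'not_applicable' and nothing blocks the sign-in."""
    cond = ca["conditions"]
    in_scope = (bool(set(user_groups) & set(cond["users"]["includeGroups"]))
                and app_id in cond["applications"]["includeApplications"])
    if not in_scope:
        return "not_applicable", []
    compliant, failures = is_compliant(device, compliance)
    if compliant or "compliantDevice" not in ca["grantControls"]["builtInControls"]:
        return "grant", failures
    if ca["state"] == "enabledForReportingButNotEnforced":
        return "grant_report_only", failures   # logged, not enforced
    return "block", failures


def demo():
    """Constructed sign-ins: a clean workspace, an AV-installed-but-idle host,
    an unregistered host, and an app the policy does not cover."""
    marketing = [MARKETING_GROUP_ID]
    good = DeviceState(True, "10.0.19042", "alphanumeric", 14, True, True, True)
    av_idle = DeviceState(True, "10.0.19042", "alphanumeric", 14, True, False, True)
    return {
        "compliant": evaluate_sign_in(marketing, SALESFORCE_APP_ID, good),
        "av_installed_not_running": evaluate_sign_in(marketing, SALESFORCE_APP_ID, av_idle),
        "unregistered": evaluate_sign_in(marketing, SALESFORCE_APP_ID, DeviceState(False)),
        "other_app": evaluate_sign_in(marketing, "PLACEHOLDER-OTHER-APP-ID", good),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `state` field is worth piloting in report-only mode first: the same evaluation then returns `grant_report_only` with the list of failed settings, which is the data an IT team needs to see how many BYOPC machines would be locked out before enforcement is switched on.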

Solving the conundrum with Hysolate Workspace

Hysolate Workspace provides an elegant solution to these drawbacks.

With the approach of “isolated workspace-as-a-service (IWaaS)”, users get a local, light, and isolated operating system running on their computers. This isolated operating system is deployed within minutes and managed from the cloud.

This light OS is perfect for accessing corporate applications from a BYOPC:

  • The workspace deploys in minutes and does not require an image to be delivered, managed, or patched, as the OS is “forked” from the underlying host.
  • The workspace is a clean, non-persistent OS enclave isolated from any threats residing on the unmanaged host.
  • The workspace is available offline and provides a superior user experience to remote desktop solutions such as VDI or DaaS.
  • Users and contractors have fewer objections, as the Workspace is a separate OS and the host itself is not registered with or managed by the target organization.

The Workspace OS can be joined to AAD and enrolled into Microsoft Endpoint Manager. Strict device compliance checks can be applied to make sure the Workspace meets the security standards needed to access the corporate applications.

Moreover, an array of measures is applied to the Workspace to improve the security posture even further:

  • It is fully isolated from the host OS using cutting-edge Microsoft virtualization technology.
  • It prevents keyloggers and screen scrapers on the host from monitoring the activity within.
  • It can be restricted to a limited set of trusted network locations.
  • It adheres to a strict transfer policy dictating what can get in or out of the Workspace.
  • It returns to a trusted and pristine state with every restart, as it is non-persistent.
  • It can be remotely wiped with the click of a button.

To summarize, it’s critical to register the BYOPC OS with Azure Active Directory and apply strict conditional access and device compliance controls to make sure access to organization resources and applications is conducted in a secure manner.

But, make sure to register the correct OS, as registering a wide variety of home or contractor computers will undoubtedly lead to a lot of friction and increase operational costs.

Hysolate Workspace can easily provide a light, non-persistent, and fully isolated OS for accessing corporate assets securely from a BYOPC, one that will pass the strictest conditional access policies. To find out more, you can request a demo here.

Yan Aksenfeld

Yan is a Product Manager at Hysolate bringing more than a decade of experience in the software, IT and cyber security industries in both software and customer facing roles. He joined Hysolate in its first year as the first customer facing role as a senior sales engineer. Previously acting as a software engineer and customer success lead in the VMware end user computing business unit, Yan actually began his career in an IDF military intelligence unit where he was an architect and tech lead on large-scale virtualization and IT projects. He holds a BSc degree in Computer Science and an MBA.