Ensuring employee privacy with BYOD Ensuring our employees’ privacy with BYOD
You’ve probably heard of the Log4j exploit that can give malicious actors control of your systems, or even desktops. Our head of IT shares how ExpressVPN’s IT team keeps our employees' devices protected, so they can keep users safe and secure online.
Meet our head of IT
I’ve been in this role since September 2020, and previously worked in the IT field for around 20 years in various industries including pharmaceutical, manufacturing, paper, and tech.
All of these roles have had similar challenges, with the key differentiator being how we approach those challenges and the senior leadership’s appetite for risk and their security stance. I remember a colleague once telling me about a biscuit factory where they managed the IT infrastructure–when trying to obtain a budget for a security tool, the response from the owner was, “Why do we need that - we just make biscuits?!”
Of course, IT and cyber security are much higher on senior executives’ agendas these days. High-profile security breaches like the Facebook/Cambridge Analytica data scandal, the Capital One hack, and the Experian data breach have all made major headlines.
But one of the key differences, from an IT perspective working here at ExpressVPN, compared to other organizations I’ve experienced, is the full commitment by the business to employee privacy. As a business we pride ourselves on the privacy we offer to our end-users, of course, but this also applies to our internal team. However, from an IT perspective, this commitment to employee privacy does present some unique challenges. One specific challenge comes from our internal privacy policy to not push any self-signed root certificates to our employees’ devices.
Join me on our journey of selecting and deploying a Mobile Device Management (MDM) platform to enable Bring Your Own Device (BYOD) for the ExpressVPN team.
Online protection is our priority
For an organization, incidents like the Log4j exploit can create huge challenges in the response effort. They can also cause massive headaches for the IT teams managing these devices to plug the hole before it causes a leak. Fortunately, at ExpressVPN our desktops are covered with WorkspaceONE MDM and the investigation and closure of this exploit were relatively painless because of it.
Why an MDM solution? It’s best for the cloud
We run a predominantly cloud-based application stack, and with that, we carry the inherent additional risks of SaaS/cloud services. The services no longer reside in our own data centers—by their very definition, cloud services are wholly available from the public internet (with some exceptions).
Thus IT admins no longer have the ability to secure the perimeter and allow only trusted users/services to access these services. This means we need to rely on alternative mechanisms to secure our services. One part of this is using a cloud-based Identity Provider (IDP) to securely authenticate users and assign roles.
So you’ve authenticated against your cloud IDP using your secure token, and you have access to the application—all good right? Well, to some extent, yes, but what if your laptop or mobile device is compromised, or you’re just connecting from an insecure endpoint?
All of the data you have access to is potentially compromised as well. We have a greater dependency on the security of the endpoint—and to ensure the endpoints meet certain compliance policies (password complexity, patches, firmware versions, etc.), we either need to hope 100% of users will be able to personally enforce these rules, or we need a tool to help us enforce them. Enter an MDM solution.
Why WorkspaceONE? It hit all our hot buttons
During our evaluation we had some basic requirements that the solution MUST meet:
Support for Mac and Windows (Linux is a nice-to-have)
No self-signed root certificates needed to be installed on endpoints to enable key functionality
Control of what data is and is not collected (and can demonstrate such)
Push compliance policies
(Near) Zero-touch deployment of endpoints
Remote locking and wiping of compromised and/or lost/stolen endpoints
Software management: the ability to automatically install and update client applications, and block unwanted applications
The key to our success: Deploying in stages
Stage 1
First, we took a staged approach to deploy. We started with a very basic policy that enforced some essential compliance controls such as password complexity, drive encryption, and anti-virus installed. Initially, we also wanted no enforcement from Okta (our IDP) to check that WorkspaceONE is installed, so as to reduce the initial impact of deployment.
We deployed to just our corporate laptops initially. This gave us a low-risk platform to be able to test our applications and hardware without risking restricting users’ access to key systems. We also had several iterations of demos and privacy audits (which re-occurs each year) to ensure we were—and could remain—compliant with our privacy policy.
In tandem with this, we also allowed employees to enroll their own personal devices into the system, once again with no enforcements in place so people could still easily access everything they needed to.
There are many ways in which you could, intentionally or otherwise, encroach on a user’s privacy. We are lucky in that we can be open with our employees and they challenge us to ensure we meet their expectations.
On several occasions, we altered policies or configurations based on end-user concerns. This makes our platform better and massively increases the company’s trust in the team managing it—and the solution itself.
Stage 2
The second stage applied the enforcement layer on corporate laptops. This took several months of publicity and policy tweaking, but the end result was very effective. Using WorkspaceONE and Okta, we leveraged a feature called “device trust,” which enables Okta to validate with the endpoint that WorkspaceONE is installed and compliant.
Only once this check is complete is the staff member allowed access to the application. This is a recent feature in Okta, and it took some level of effort to get it to a point where it was stable, but it’s now a really slick process and working well.
Final stage
Our final step was to apply these changes to our employees’ personal mobile devices. Again due to privacy concerns, we also offered people the option of corporate devices if they were not comfortable having corporate software installed on their own phones after our demonstrations of privacy expectations.
What benefits do we get?
So we have deployed an MDM, what do we get for our troubles? If we look back at the requirements, we've accomplished all but Linux management.
So now can deploy MacBooks and Dell XPS laptops Zero-touch (Dell is the only vendor who can support this by the way); we can manage apps and operating system updates to each centrally; and we can remotely wipe any compromised devices. We do all this without compromising our employees’ privacy. Mission success!
But wait, there’s more: this most recently discovered exploit of Log4j brought about mass panic in the industry. We, however, were able to respond within hours to evaluate our endpoint traffic and deploy a policy to block the suspect ports. Without a secure MDM in place, our task as administrators of many endpoints, networks, and systems would have been a mammoth undertaking, and the response would have been measured in days or weeks rather than mere hours.
In short: I encourage anyone considering an MDM solution to jump in and try it sooner rather than later.
What's next?
What’s coming in the future? There are many more things we can do. As cloud products evolve at such a fast pace, we must adapt our implementation to adopt these updates and improvements. In the near future, we will be able to deploy device trust to laptops in addition to the mobile devices already protected by this technology. Continual review and improvement are key to the ongoing success of any MDM solution.
If you are someone who finds challenges like these exciting and impactful, our IT team is hiring across the globe. We would love to hear from you. Check out our current job openings for all the latest info.