The (Virtual) Secure Developer Laptop

Laurent Balmelli
Published in strong-network · 12 min read · Oct 7, 2022


How the Last 10 Years in ICT Evolution Has Led Us to the Ideal Corporate Platform for Secure Application Development

The need to secure corporate laptops spans all functions of the organization, and software application development is one of them. In this brief article, I retrace the origins of the secure laptop and explain how recent advances in virtualization and security mechanisms have enabled an entirely online delivery of secure environments for application development, literally putting an end to the necessity for physical incarnations of the secure developer laptop.

Why Do We Need Secure Development Laptops?

At its core, the need for securing laptops in organizations arises from the digital corporate assets that they carry. It’s often data attached to privacy concerns, typically under regulations such as GDPR or HIPAA, or application source code, credentials, and most recently operational data that can have strategic significance.

Threat scenarios attached to corporate data are not limited to data leaking to outsiders; they also include insiders with nefarious intent exfiltrating data. Hence the security problem is multifaceted: it spans from careless asset handling to willful mishandling.

In the case of laptops for software application development, the complexity of the security problem lies in addressing the diversity of the developer’s environment settings. They range from data access needs and environment configuration to the developer’s corporate status, e.g. whether she is considered an internal or an external employee (e.g. consultant, temporary, etc.).

Security left aside, development laptops have notoriously complex setups, and often require significant maintenance because many applications and data are locally present on the laptop’s internal storage. Take for example the development environment (IDE) and the source code replica (from the online code management repository). This requires these devices to be taken care of independently.

Hence data protection against leaks and exfiltration will target the locally stored assets, i.e. source code, credentials, and potentially sensitive data.

The Billion Dollar Lost Laptop Problem

Let’s first take a quick step back in ICT history and look at the secure laptop problem: an oft-cited 2010 benchmark study is named The Billion Dollar Lost Laptop Problem. It looks at 329 organizations over 12 months and reports that over 86,000 laptops were stolen or lost resulting in a loss of 2.1 billion USD, an average of 6.4 million per organization.

86,000 laptops stolen in 2010 resulted in a loss of 2.1 billion USD using metrics at that time.

At that time, the use of the cloud as a medium for corporate data storage was sparse, hence the metrics to determine the cost and impact of the loss of a corporate laptop would likely need to be revisited in today’s economy.

For example, for many of the business functions that were likely to be impacted at that time, the Cloud has now brought a solution by removing sensitive data from employees’ laptops through the use of web applications. This has mostly shifted the discussion on laptop security to protecting the credentials required to access cloud (or self-hosted) business resources, rather than protecting locally stored data. Therefore, I reckon that rewriting the above benchmark study today would entail the use of wildly different cost metrics.

Most of the business productivity data has already moved to the cloud.

There is though a notable exception to the above shift in technology: the laptops used for code development. As I mentioned before, many laptops today have a replica of projects’ source code, corporate secrets such as credentials, web tokens, cryptographic keys and perhaps strategic data to train machine learning models or to test algorithms. In other words, there is still plenty of interesting data stored locally on laptops used by developers. Therefore, the interest in providing secured corporate laptops to developers has not waned.

Malicious actors have a variety of reasons to go after the corporate assets typically stored on these laptops, such as gaining access to intellectual property (see the hack of Grand Theft Auto 6 in September) or compromising an application in operation (i.e. customer-facing, accessible online, etc.). Once compromised, such an application might provide access to sensitive data such as users’ personal information, including credit card numbers. In particular, access to source code gives hackers a way to find code vulnerabilities so that the application can later be exploited. See for example the angst among smartphone customers following the source code hack at Samsung back in March. The intent here is again to leak potentially sensitive or personal data. A recent and notorious hack of this kind was suffered by password manager company LastPass in August of this year. You can check the introduction of another of my articles to understand the importance of protecting source code and read about other hacking stories.

Recent and notorious hacks impacting intellectual property such as source code and data.

Despite all these potential downfalls resulting from the hacking of a single developer’s laptop, few companies today can accurately determine where the replicas of their source code, secrets and data are (hint: likely all over the laptops of their distributed workforce), and most are poorly shielded against the loss of a laptop or a looming insider threat. Recall that using an online or self-hosted source code repository such as GitHub does not get rid of any of the replicas on the developer laptops.

Removing the Data from Laptops (Again)

If history provides us with any lesson, then we can expect the next evolution in protecting developer laptops to be the removal of locally stored data.

This began around 10 years ago with the use of development machines accessed remotely. Citrix and VMware have been key actors in this market by enabling developers to remotely access virtual machines hosted by the organization.

Figure. Left: developers remotely access virtual machines hosted by the organization. Right: virtualization has evolved from emulating machines to emulating processes, which is used as a staple for DevOps.

Such a (heavy) mechanism is needed because of the complexity of a development environment. It has been, until recently, very difficult to provide online access to a development environment outside the scope of an entire machine. This is in contrast to more pedestrian data processing applications, such as Customer Relationship Management (CRM) software and other business productivity apps that can easily be implemented as a web application running in a browser.

In this context, the developer works on the remote machine via the streamed images of a remotely executing desktop. More recently, the ubiquitous use of the cloud has provided an alternative in the form of a streaming desktop-as-a-service (in short, a DaaS) based on a virtual machine executing at the cloud service provider. In both cases though, running and accessing a virtual machine remotely has many drawbacks, in particular for the developer’s productivity. This is because the streaming nature of the environment results in irritating lags when typing code. It also requires significant bandwidth to be truly usable. Finally, it is complex to set up and costly to maintain and operate.

Only recently have advances in virtualization technology allowed organizations to replace the use of virtual machines in specific contexts such as code development. Virtualization has evolved from emulating entire machines to the granularity of single processes with the technology of software containers. Containers bring a mechanism to quickly start a virtual process such as a running operating system. This operating system can be pre-configured such that it includes all the software dependencies that are needed for the development of an application.

The Use of Containers as Lightweight Virtual Machines

At first, containers are a tool for developers to isolate all dependencies related to a specific project in a way that the source code can be compiled and executed without interference with potentially unwanted settings on the developer’s laptop. Using a container, the source code can be sent to a co-worker with a complete specification of all the dependencies needed to run it, in the form of a container definition. Containers can be used on any development laptop locally and a popular implementation of such a mechanism is Docker.

The great thing about containers is that they don’t have to remain a locally used development tool. They can be run online and become an alternative to a virtual machine. In this context, developers connect to the container via network and work “inside of it”. This basically provides them with a lightweight, pre-configured environment that is ready for development and code execution. In contrast to virtual machines, containers start much faster and will have far lower maintenance needs. The counterpart is that they do not provide a desktop from which a development environment can be provided. Hence the remaining piece of the puzzle is to enable access to online containers in a convenient manner. One way to do this is to access them via a cloud IDE, i.e. a development environment that executes in the web browser.

Containers can be run online and become a lightweight alternative to a virtual machine.

Running containers online has been one of the most exciting recent trends in virtualization aligned with DevOps practices where containers are staples to enable efficient testing and deployments.

In addition to the platform that we have developed at my company Strong Network, multiple vendors such as GitHub (Microsoft) Codespaces, Gitpod and Coder have been developing online container management platforms that can be accessed using a cloud IDE, i.e. a code development environment running in a web browser. A cloud IDE allows a developer to access a remote container with a locally executing code editor (in the browser used for the access). This has the benefit that no environment needs to be installed on the local development laptop and the access to the remote container is done transparently. In addition, discomfort due to a streaming environment does not apply here since the IDE is executing locally. Hence the developer will not suffer display lags in particular in low bandwidth environments as is the case with VDI and DaaS.

In addition, developing on remote containers is now also possible from many popular IDEs even when installed locally. Look at Microsoft Visual Studio Code and the JetBrains Gateway product for that.

Security Models: VDI vs DaaS vs Cloud IDEs

What kind of security model is necessary for the secure developer laptop?

So far I only discussed protecting data by removing it from the developer’s laptop. This is necessary but not sufficient, since this does not guarantee any protection against potential leaks and exfiltration. Let’s briefly review the security models provided by the different options to realize a secure developer laptop that I discussed so far.

In the case of VDI, as provided by Citrix and VMware, data loss prevention is baked into the solution by monitoring the developer’s actions such as the data copied into the clipboard.

However, any developer routinely consumes resources such as source code from code repositories, data from online folders and other services such as REST APIs, databases and others. Access to and monitoring of these resources must be set up separately, since VDI security focuses only on protecting the client side of the application. All backend traffic control is a concern for the remote virtual machine.

In the case of DaaS, as provided by Amazon Web Services and Microsoft Azure, the remote desktop also provides clipboard monitoring and network policies to filter network access.

Yet logging the activities of the developer such as access to code repositories and other resources has to be configured with separate services unless a specific mechanism is provided by the cloud provider.

In the case of cloud IDEs and container-as-a-service providers, such as GitHub Codespaces, Gitpod and Coder, the focus of these vendors is on providing infrastructure and not security.

Hence, their Cloud IDEs do not provide any protection against data leaks or exfiltration of code. The use of network policies to control traffic, or any mechanism to monitor access to development resources, is not in their scope either.

This is where the container management and Cloud IDE platform of Strong Network fills a market gap: we see an opportunity to provide full data protection and control in a lightweight virtual infrastructure setting such as the one provided by containers. This is how we can deliver a virtual and secure developer laptop that protects organizations, in particular across modern workforce settings, i.e. where developers can be working from home or anywhere.

We see a market gap opportunity for full data protection in a lightweight virtual infrastructure setting.

Virtually Provisioning the Secure Laptop

Here is a simple recipe to reconstruct the secure laptop such that it can be provisioned virtually using an online container and delivered to any developer in a comfortable and flexible environment, either via a cloud IDE or through a remote connection initiated from a locally installed IDE. The Strong Network platform implements all the elements of this recipe.

Remove data from the local storage with Online Containers

The evolution of virtualization that I reviewed in this article has shown that it is possible to remove data from laptops using containers as the first step toward data protection. But it does not and should not stop here.

Prevent data exfiltration with Data Loss Prevention

Then, protecting against exfiltration requires a security mechanism such as clipboard monitoring as available with VDIs and DaaS. You also need a granular way to filter network traffic, possibly a way to decrypt some of the traffic for inspection. None of the VDI or DaaS solutions were fully satisfying for that purpose. Ask me if you need more details on that.

Monitor and secure resource access via a Security Proxy

This one is a bit trickier, since it entails the ability to broker access to a diverse set of data resources and also to manage all the credentials. Credential management has two goals: it provides single-sign-on functionality to users, and it prevents credentials from being explicitly known by users, so that they cannot be used outside the scope of the container. This is realized with the security proxy, which transparently manages all connections from a container to any of the resources needed by the developer.
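A minimal sketch of the brokering idea described above, combined with the network filtering from the data loss prevention step (an added example, not Strong Network's code): the container sends requests without usable secrets, and a proxy checks a per-workspace allowlist, attaches the credential itself and records the access. The workspace names, hosts, tokens, `SecurityProxy` and `broker` are all constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed policy: workspace -> {allowed host: name of the secret to attach}.
POLICY = {
    "ws-employee": {"git.example.internal": "git-rw", "db-api.example.internal": "db-ro"},
    "ws-contractor": {"git.example.internal": "git-ro"},
}
# Constructed secrets; they exist only on the proxy side, never in the container.
VAULT = {"git-rw": "tok-AAA", "git-ro": "tok-BBB", "db-ro": "tok-CCC"}
CLIENT_CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}


@dataclass
class SecurityProxy:
    policy: dict
    vault: dict
    audit: list = field(default_factory=list)

    def broker(self, workspace, method, url, headers=None):
        """Return the upstream request to send, or None if the policy denies it."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()  # ignores any user:pass@ prefix
        secret_name = self.policy.get(workspace, {}).get(host)
        if parts.scheme != "https" or secret_name is None:
            self._log(workspace, method, host, "deny", None)
            return None
        # Discard credentials supplied from inside the container, then attach
        # the brokered one so the developer never handles the real secret.
        clean = {k: v for k, v in (headers or {}).items()
                 if k.lower() not in CLIENT_CREDENTIAL_HEADERS}
        clean["Authorization"] = "Bearer " + self.vault[secret_name]
        self._log(workspace, method, host, "allow", secret_name)
        return {"method": method, "url": url, "headers": clean}

    def _log(self, workspace, method, host, decision, secret_name):
        # The audit record names the secret used but never contains its value.
        self.audit.append({"workspace": workspace, "method": method, "host": host,
                           "decision": decision, "secret": secret_name})


def demo():
    proxy = SecurityProxy(POLICY, VAULT)
    ok = proxy.broker("ws-contractor", "GET", "https://git.example.internal/repo.git",
                      {"Authorization": "Bearer guessed", "Accept": "*/*"})
    off_policy = proxy.broker("ws-contractor", "GET", "https://db-api.example.internal/rows")
    # Host confusion: the real host here is paste.example.org, not the git server.
    lookalike = proxy.broker("ws-employee", "POST",
                             "https://git.example.internal@paste.example.org/upload")
    return proxy, ok, off_policy, lookalike


if __name__ == "__main__":
    for entry in demo()[0].audit:
        print(entry)
```

The audit list doubles as the access log that the VDI and DaaS models need a separate service for: every allow and deny decision is recorded per workspace and host.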

Protecting data beyond the IDE

This is essential because, besides the IDE, many tools are used along the DevOps process, such as when performing code reviews and collaborating with other users. Data protection in these environments will be partially covered when using a VDI or DaaS. However, to be truly effective, access to these applications should be restricted to the environment only, i.e. applications should not be accessible from outside the VDI or DaaS. In contrast, none of the Cloud IDE providers is equipped to handle data outside the scope of the IDE, since this is outside the scope of simply providing a container management platform.

Generally, data protection in web applications is referred to as Remote Browser Isolation (RBI). RBI provides SSO authentication to the web application in addition to monitoring the user operations in the application. Vendors in this space include Island, Talon, Surf Security and others. Very much like a VDI, RBI protects client-side operations but does not provide containers for development. Hence RBI is only a piece of the puzzle when building a secure developer laptop.

Retracing the secure laptop evolution across the last 10+ years

As a conclusion to this discussion, I briefly retrace the different steps that have led us to build a solution at Strong Network that combines efficient infrastructure and end-to-end data protection that includes:

  • Online Containers,
  • Data Loss Prevention,
  • a Security Proxy and
  • Remote Browser Isolation.

The only solution today covering all these needs is Strong Network’s Virtual Workspace Infrastructure, represented by the rightmost figure.

This is illustrated in the figure, from left to right.

Initially, secure laptops were used to directly access corporate resources sometimes using a VPN when outside the IT perimeter. According to the benchmark study that I mentioned at the beginning of this article, 41% of laptops routinely contained sensitive data.

Then, the use of virtual machines and early access to web applications has allowed organizations to remove data from local laptop storage. But code development on remote virtual machines was and remains strenuous.

Recently, the use of lightweight virtualization based on containers has allowed quicker access to online development environments, but all current vendors in this space such as Gitpod, Coder and GitHub Codespaces lack data security.

Finally, our platform as shown in the rightmost figure illustrates the closest incarnation of the secure development laptop and the solution provided by the Strong Network platform, dubbed the Virtual Workspace Infrastructure (VWI). It combines all the ingredients that we discussed.

There’s still a lot to discuss about the implementation of the virtual and secure development laptop such as the impact of moving the development workload to the Cloud, allowing the use of thin devices such as Chromebooks to replace heavy duty laptops, the resulting impact on sustainability, the total return on investment across a large development workforce, in particular around compliance, productivity and process governance, and many other exciting topics.

I’m planning on discussing all these subjects in an upcoming series of articles on this topic, in particular based on the experience that Strong Network is building with large customer deployments. But this is it for this article.

Drop me an email at laurent@strong.network to chat about the platform around a demo, or if you are interested in joining us.


Professional in cyber-security, innovation, life-long learner; startup with successful exit; Guest professor at Keio University Grad. School, Tokyo Japan