Reducing the Cost of Providing Secure Developer Laptops

In this article, I delve into the evolution of securing corporate laptops, specifically for software application development, and discuss how modern virtualization and security advancements have led to technology that enables the online delivery of secure development environments, eliminating the need for physical secure developer laptops.

Published: February 18, 2024

Author: Laurent Balmelli


Why Do Organizations Need Secure Laptops for Development?

The need to secure corporate laptops is common to all functions of organizations, and software application development is one of them.
At its core, the need for securing laptops in organizations arises from the digital corporate assets that they carry. It’s often data attached to privacy concerns, typically under regulations such as GDPR or HIPAA, or application source code, credentials, and most recently operational data that can have strategic significance.
Threat scenarios attached to corporate data are not limited to data leaking to outsiders; they also include insiders with nefarious intent exfiltrating data. Hence the security problem is multifaceted: it spans from careless asset handling to willful mishandling.
In the case of laptops for software application development, aka development laptops, the complexity of the security problem lies in addressing the diversity of the developer’s environment settings. They range from data access needs and environment configuration to the developer’s corporate status, e.g. whether she is considered as an internal or an external employee (e.g. consultant, temporary, etc.).
Security left aside, development laptops have notoriously complex setups and often require significant maintenance because many applications and data are locally present on the laptop’s internal storage, for example the development environment (IDE) and the source code.
Hence, data protection against leaks targets locally stored assets, i.e. source code, credentials, and potentially sensitive data.

Local Data on Laptops Is a Billion-Dollar Problem for Companies

Let’s first take a quick step back in ICT history and look at an oft-cited 2010 benchmark study named The Billion Dollar Lost Laptop Problem. The study looks at 329 organizations over 12 months and reports that over 86,000 laptops were stolen or lost, resulting in a loss of 2.1 billion USD, an average of 6.4 million per organization.
Figure: 86,000 laptops stolen in 2010 resulted in a loss of 2.1 billion USD using metrics at that time.
In 2010, the use of the Cloud as a storage medium for corporate data was nascent, hence today, the metrics to determine the cost and impact of the loss of a corporate laptop would likely look very different.
For example, for many of the business functions that were likely to be impacted at that time, Cloud applications have since brought a solution by removing sensitive data from employees’ laptops. This has mostly shifted the discussion on laptop security to protecting the credentials required to access Cloud (or self-hosted) business resources, rather than protecting locally stored data itself.
Figure: Most of the business productivity data has already moved to the cloud.
There is, though, a notable exception to the above shift in technology: the laptops used for code development. For practical reasons, these laptops today have a replica of projects’ source code, in addition to corporate secrets such as credentials, web tokens, cryptographic keys and perhaps strategic data to train machine learning models or to test algorithms. In other words, there is still plenty of interesting data stored locally on laptops used by developers that warrants protection against loss or theft. Therefore, the interest in providing secured corporate laptops to developers has not waned.
There are a variety of reasons for malicious actors to go after assets on these laptops, from accessing intellectual property (see the hack of Grand Theft Auto 6), to compromising an application in operation (i.e. customer-facing, accessible online, etc.).
Once compromised, the application might provide access to sensitive data such as personal information of users, including credit card numbers.
In particular, access to source code provides hackers with a way to determine code vulnerabilities such that the application can later be exploited. See for example, the source code hack at Samsung. The final intent here is again to leak potentially sensitive or personal data. A recent and notorious hack of this kind was suffered by password manager company LastPass.
Figure: Recent and notorious hacks impacting intellectual property as source code and data.
Despite all these potential downfalls resulting from the hacking of a single developer’s laptop, few companies today can accurately determine where the replicas of their source code, secrets and data are (hint: likely all over the laptops of their distributed workforce), and most are poorly shielded against the loss of a laptop or a looming insider threat. Recall that using an online or self-hosted source code repository such as GitHub does not get rid of any of the replicas on the developer laptops. This is because local replicas are needed for developers to update the code before sending it back to the online Git repository.
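One way an IT team could start answering the "where are the replicas" question on a single machine, as an added example that is not part of the original article or of any vendor's product. The filename patterns, the constructed directory tree and the git.example.com remote are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumed filename patterns for locally stored secrets (illustrative, not exhaustive).
SECRET_NAMES = {".env", ".netrc", ".npmrc", "credentials", "id_rsa", "id_ed25519"}
SECRET_SUFFIXES = {".pem", ".key", ".p12", ".pfx"}

def origin_url(git_dir):
    """Return the URL of the 'origin' remote recorded in .git/config, or None."""
    section = None
    try:
        text = (Path(git_dir) / "config").read_text(errors="replace")
    except OSError:
        return None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line
            continue
        key, _, value = line.partition("=")
        if section == '[remote "origin"]' and key.strip() == "url":
            return value.strip()
    return None

def inventory(root):
    """Walk root; return (clones with their origin, secret-like file paths)."""
    repos, secrets = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            repos.append((dirpath, origin_url(Path(dirpath) / ".git")))
            dirnames.remove(".git")  # skip git internals
        for name in filenames:
            if name in SECRET_NAMES or Path(name).suffix in SECRET_SUFFIXES:
                secrets.append(os.path.join(dirpath, name))
    return sorted(repos), sorted(secrets)

def build_constructed_home(root):
    """Create a small constructed directory tree standing in for a laptop home."""
    git = Path(root) / "src" / "payments" / ".git"
    git.mkdir(parents=True)
    (git / "config").write_text(
        '[core]\n\tbare = false\n[remote "origin"]\n'
        "\turl = git@git.example.com:acme/payments.git\n")
    (git.parent / ".env").write_text("API_TOKEN=constructed-placeholder\n")
    (Path(root) / "notes.txt").write_text("nothing sensitive\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_constructed_home(home)
        for item in sum(inventory(home), []):
            print(item)
```

Run against a real home directory, `inventory()` yields one row per local clone with the remote it replicates, which is the per-laptop data an asset register would aggregate.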

How Did Organizations Remove the Data From Laptops?

If history provides us with any lesson, then we can expect the next evolution in protecting developer laptops to be the removal of locally stored data.
This trend already began over 10 years ago with the use of development machines accessed remotely.
Citrix and VMware have been key actors in this market by enabling developers to remotely access virtual machines hosted by the organization.
Figure: Left: developers remotely access virtual machines hosted by the organization. Right: virtualization has evolved from emulating machines to processes, which is used as a staple for DevOps.
Such a (heavy) mechanism is needed because of the complexity of a development environment. It has been, until recently, very difficult to provide online access to a development environment outside the scope of an entire machine.
In this context, the developer works on the remote machine via the streaming images of a remotely executing desktop. More recently, the ubiquitous use of the Cloud has now provided an alternative in the form of a streaming desktop-as-a-service (in short, a DaaS) based on a virtual machine executing at a Cloud service provider.
In both cases, though, running and accessing a virtual machine remotely has many drawbacks, in particular for the developer’s productivity. This is because the streaming nature of the environment results in irritating lags when typing code. It also requires significant bandwidth to be truly usable. Finally, it is complex to set up and costly to maintain and operate.
Only recently, advances in virtualization technology have allowed organizations to replace the use of virtual machines in specific contexts such as code development. Virtualization has evolved from emulating entire machines to the granularity of single processes with the technology of software containers.
Containers bring a mechanism to quickly start a virtual process such as a running operating system. This operating system can be pre-configured such that it includes all necessary software dependencies that are needed for the development of an application.

How to Reduce the Cost of Secure Developer Laptops

At first, containers are tools for developers to isolate software dependencies related to a specific project in a way that the source code can be compiled and executed without interference with potentially unwanted settings on the developer’s laptop.
The great thing about containers is that they don’t have to remain a locally used development tool. They can be run online and become an alternative to a virtual machine.
In this context, developers connect to the container via network and work “inside of it”. This basically provides them with a lightweight, pre-configured environment that is ready for development and code execution.
In contrast to virtual machines, containers start much faster and will have far lower maintenance needs. The counterpart is that they do not provide a desktop from which a development environment can be provided. Hence the remaining piece of the puzzle is to enable access to online containers in a convenient manner. One way to do this is to access them via a Cloud Development Environment (CDE), i.e. a development environment that executes in the web browser.
Figure: Containers can be run online and become a lightweight alternative to a virtual machine.
Running containers online has been one of the most exciting recent trends in virtualization aligned with DevOps practices where containers are critical to enable efficient testing and deployments.
In addition to our company, other vendors such as GitHub (Microsoft) Codespaces have been developing online container management platforms that can be accessed using a cloud IDE.
A Cloud IDE allows a developer to access a remote container with a locally executing code editor (in the browser used for the access). This has the benefit that no environment needs to be installed on the local development laptop and the access to the remote container is done transparently. In addition, discomfort due to a streaming environment does not apply here since the IDE is executing locally in the browser. Hence the developer will not suffer display lags in particular in low bandwidth environments as is the case with VDI and DaaS.
Compared to other vendors, we decided to add data security against leaks to online containers with the goal to deliver a combination of efficiency, productivity, and cost-saving advantages of CDEs, with innovative data security mechanisms essential for deployments at global organizations.
The resulting platform is a secure Cloud Development platform. Using such a platform, organizations can start to significantly reduce the cost of provisioning secure laptops for their developers. In this additional article, I explain how such a platform is implemented.
Figure: A secure Cloud development platform allows organizations to provision a secure laptop replacement and reduce IT costs.

Evolving Corporate Laptops Towards Secure Cloud Development

As a conclusion to this discussion, below I briefly retrace the different steps that have led us to build a secure Cloud development platform that combines the efficient infrastructure of CDE with end-to-end data protection against data exfiltration.
Figure: ICT evolution for securing laptops for application development
Initially, secure developer laptops were used to directly access corporate resources, sometimes using a VPN when outside the IT perimeter. According to the benchmark study that I mentioned at the beginning of this article, 41% of laptops routinely contained sensitive data.
Then, the use of virtual machines and early access to web applications has allowed organizations to remove data from local laptop storage. But code development on remote virtual machines was and remains strenuous.
Recently, the use of lightweight virtualization based on containers has allowed quicker access to online development environments, but none of the current vendors in this space provide data security since the primary use case is productivity.
Finally, a secure Cloud Development Environment platform, shown rightmost in the figure, is the closest incarnation of the secure development laptop.
In summary, I think that Cloud Development Environments (CDEs) in businesses need security that can handle the complexity of today's worldwide development teams. Their need for minimal infrastructure opens up opportunities for new ways of collaborating and innovative security solutions through the Cloud.
Secure CDEs benefit from the experiences of pioneering companies like Citrix, seizing the chance to separate development environments from traditional hardware. This separation allows for a blend of infrastructure efficiency and security without compromising developers' experience.
---
All material in this text can be shared and cited with appropriate credits. For more information about our platform, please contact us at hello@strong.network
Copyright © 2020-2024 Strong Network All rights reserved.
