The (Virtual) Secure Developer Laptop: how the last 10 years in ICT evolution led us to the ideal corporate platform for secure application development
The need to secure corporate laptops is common to all functions of organizations, and software application development is one of them.
In this article, we retrace the origins of the secure laptop and explain how recent advances in virtualization and security mechanisms have enabled an entirely online delivery of secure development environments, literally putting an end to the necessity for physical incarnations of the secure developer laptop.
Why do we need Secure Development Laptops?
At its core, the need for securing laptops in organizations arises from the digital corporate assets that they carry. It’s often data attached to privacy concerns, typically under regulations such as GDPR or HIPAA, or application source code, credentials, and most recently operational data that can have strategic significance.
Threat scenarios attached to corporate data are not limited to data leaking to outsiders; they also include insiders with nefarious intent exfiltrating data. Hence the security problem is multifaceted: it spans from careless asset handling to willful mishandling.
In the case of laptops for software application development, the complexity of the security problem lies in addressing the diversity of the developer’s environment settings. They range from data access needs and environment configuration to the developer’s corporate status, e.g. whether they are considered as an internal or an external employee (e.g. consultant, temporary, etc.).
Security left aside, development laptops have notoriously complex setups and often require significant maintenance because many applications and data are locally present on the laptop’s internal storage. Take, for example, the development environment (IDE) and the source code replica (from the online code management repository).
Hence, data protection against leaks and exfiltration will target the locally stored assets, i.e. source code, credentials, and potentially sensitive data.
The billion-dollar lost laptop problem
Let’s first take a quick step back in ICT history and look at the secure laptop problem: an oft-cited 2010 benchmark study is named The Billion Dollar Lost Laptop Problem. It looks at 329 organizations over 12 months and reports that over 86,000 laptops were stolen or lost, resulting in a loss of 2.1 billion USD, an average of 6.4 million per organization.
86,000 laptops stolen in 2010 resulted in a loss of 2.1 billion USD using metrics at that time.
At that time, the use of the cloud as a medium for corporate data storage was sparse, hence the metrics to determine the cost and impact of the loss of a corporate laptop would likely need to be revisited in today’s economy.
For example, for many of the business functions that were likely to be impacted at that time, the Cloud has now brought a solution by removing sensitive data from employees’ laptops through the use of web applications. This has mostly shifted the discussion on laptop security to protecting the credentials required to access cloud (or self-hosted) business resources, rather than protecting locally stored data.
Most of the business productivity data has already moved to the cloud
There is, though, a notable exception to the above shift in technology: the laptops used for code development. As we mentioned before, many laptops today have a replica of projects’ source code, corporate secrets such as credentials, web tokens, cryptographic keys and perhaps strategic data to train machine learning models or to test algorithms. In other words, there is still plenty of interesting data stored locally on laptops used by developers. Therefore, the interest in providing secured corporate laptops to developers has not waned.
Malicious actors have a variety of reasons to go after the corporate assets typically stored on these laptops, such as gaining access to intellectual property (see the hack of Grand Theft Auto 6) or compromising an application in operation (i.e. customer-facing, accessible online, etc.). Once compromised, the latter might provide access to sensitive data such as personal information of users, including credit card numbers. In particular, access to source code provides hackers with a way to determine code vulnerabilities such that the application can later be exploited. See, for example, the angst among smartphone customers following the source code hack at Samsung. The intent here is again to leak potentially sensitive or personal data. A recent and notorious hack of this kind was suffered by password manager company LastPass.
Recent and notorious hacks impacting intellectual property such as source code and data.
Despite all these potential downfalls resulting from the hacking of a single developer’s laptop, few companies today can accurately determine where the replicas of their source code, secrets and data are (hint: likely all over the laptops of their distributed workforce), and organizations remain poorly shielded against the loss of a laptop or a looming insider threat. Recall that using an online or self-hosted source code repository such as GitHub does not get rid of any of the replicas on developer laptops.
Removing the data from laptops
If history provides us with any lesson, then we can expect the next evolution in protecting developer laptops to be the removal of locally stored data.
This began around 10 years ago with the use of development machines accessed remotely. Citrix and VMware have been key actors in this market by enabling developers to remotely access virtual machines hosted by the organization.
Left: developers remotely access virtual machines hosted by the organization. Right: virtualization has evolved from emulating machines to processes, which are used as a staple for DevOps.
Such a (heavy) mechanism is needed because of the complexity of a development environment. It has been, until recently, very difficult to provide online access to a development environment outside the scope of an entire machine. This is in contrast to more pedestrian data processing applications, such as Customer Relationship Management (CRM) software and other business productivity apps that can easily be implemented as a web application running in a browser.
In this context, the developer works on the remote machine via the streaming images of a remotely executing desktop. More recently, the ubiquitous use of the cloud has provided an alternative in the form of a streaming desktop-as-a-service (in short, a DaaS) based on a virtual machine executing at the cloud service provider. In both cases, though, running and accessing a virtual machine remotely has many drawbacks, in particular for the developer’s productivity. This is because the streaming nature of the environment results in irritating lags when typing code. It also requires significant bandwidth to be truly usable. Finally, it is complex to set up and costly to maintain and operate.
Only recently, advances in virtualization technology have allowed organizations to replace the use of virtual machines in specific contexts such as code development. Virtualization has evolved from emulating entire machines to the granularity of single processes with the technology of software containers. Containers bring a mechanism to quickly start a virtual process such as a running operating system. This operating system can be pre-configured such that it includes all necessary software dependencies that are needed for the development of an application.
The use of containers as lightweight virtual machines
Containers are a tool for developers to isolate all dependencies related to a specific project in a way that the source code can be compiled and executed without interference with potentially unwanted settings on the developer’s laptop. Using a container, the source code can be sent to a co-worker with a complete specification of all the dependencies needed to run it, in the form of a container definition. Containers can be used locally on any development laptop; a popular implementation of such a mechanism is Docker.
The great thing about containers is that they don’t have to remain a locally used development tool. They can be run online and become an alternative to a virtual machine. In this context, developers connect to the container over the network and work “inside of it”. This basically provides them with a lightweight, pre-configured environment that is ready for development and code execution. In contrast to virtual machines, containers start much faster and have far lower maintenance needs. The downside is that they do not provide a desktop from which a development environment can be provided. Hence the remaining piece of the puzzle is to enable access to online containers in a convenient manner. One way to do this is to access them via a Cloud Development Environment (CDE), i.e. a development environment that executes in the web browser.
Containers can be run online and become a lightweight alternative to a virtual machine.
Running containers online has been one of the most exciting recent trends in virtualization, aligned with DevOps practices where containers are staples that enable efficient testing and deployments.
Multiple vendors such as GitHub (Microsoft) Codespaces, Gitpod and Coder have been developing online container management platforms that can be accessed using a cloud IDE. A cloud IDE allows a developer to access a remote container with a locally executing code editor (in the browser used for the access). This has the benefit that no environment needs to be installed on the local development laptop and that access to the remote container is transparent. In addition, the discomfort due to a streaming environment does not apply here since the IDE is executing locally. Hence the developer will not suffer display lags, in particular in low-bandwidth environments, as is the case with VDI and DaaS.
Compared to other vendors, Strong Network delivers the first platform that combines the efficiency, productivity, and cost-saving advantages of CDEs, with innovative data security mechanisms essential for deployments at global organizations. That's why we define our product as a Secure Cloud Development Environment.
Security models: VDI vs DaaS vs CDEs
What kind of security model is necessary for the secure developer laptop?
So far we have only discussed protecting data by removing it from the developer’s laptop. This is necessary but not sufficient, since it does not guarantee any protection against potential leaks and exfiltration. Let’s briefly review the security models provided by the different options to realize a secure developer laptop that I have discussed so far.
In the case of VDI, as provided by Citrix and VMware, data loss prevention is baked into the solution by monitoring the developer’s actions such as the data copied into the clipboard.
However, any developer routinely consumes resources such as source code from code repositories, data from online folders and other services such as REST APIs, databases and others. Access to and monitoring of these resources must be set up separately, since VDI security focuses only on protecting the client side of the application. All backend traffic control is a concern for the remote virtual machine.
In the case of DaaS, as provided by Amazon Web Services and Microsoft Azure, the remote desktop also provides clipboard monitoring and network policies to filter network access.
Yet logging the developer's activities such as access to code repositories and other resources has to be configured with separate services unless a specific mechanism is provided by the cloud provider.
In the case of the CDEs provided by GitHub Codespaces, Gitpod and Coder, the focus is on providing infrastructure and not security. Hence, their development environments do not provide any protection against data leaks or exfiltration of code. Neither the use of network policies to control traffic nor any mechanism to monitor access to development resources is in their scope.
This is where the Secure Cloud Development Environment platform of Strong Network fills a market gap: we see an opportunity to provide full data protection and control in a lightweight virtual infrastructure setting such as the one provided by containers. This is how we can deliver a virtual and secure developer laptop that protects organizations, in particular across modern workforce settings, i.e. where developers can be working from home or anywhere (inshore, nearshore, offshore).
We see a market gap opportunity for full data protection in a lightweight virtual infrastructure setting
Virtually provisioning the secure laptop
Strong Network's platform allows you to reconstruct a secure laptop that can be provisioned virtually using an online container and delivered to any developer in a comfortable and flexible environment, either via a cloud IDE or through a remote connection initiated from a locally installed IDE.
Indeed, the Strong Network platform:
1. Removes data from the local storage with Online Containers
The evolution of virtualization that we reviewed in this article has shown that it is possible to remove data from laptops using containers as the first step toward data protection. But it does not and should not stop here.
2. Prevents data exfiltration with Data Loss Prevention
Protecting against exfiltration requires a security mechanism such as clipboard monitoring as available with VDIs and DaaS. You also need a granular way to filter network traffic, possibly a way to decrypt some of the traffic for inspection. None of the VDI or DaaS solutions were fully satisfying for that purpose.
3. Monitors and secures the access to resources via a Security Proxy
Our security proxy transparently manages all connections from a container to any of the resources the developer needs.
4. Protects data beyond the IDE with Remote Browser Isolation (RBI)
This is essential because, besides the IDE, many tools are used in the DevOps process, such as when performing code reviews and collaborating with other users. Data protection in these environments will be partially covered when using a VDI or DaaS. However, to be truly effective, access to these applications should be restricted to the environment only, i.e. applications should not be accessible from outside the VDI or DaaS. In contrast, none of the CDE providers is equipped to handle data outside the scope of the IDE, since this is outside the scope of simply providing a container management platform.
Generally, data protection in web applications is referred to as Remote Browser Isolation (RBI). RBI provides SSO authentication to the web application in addition to monitoring the user operations in the application. Vendors in this space include Island, Talon, Surf Security and others. Very much like a VDI, RBI protects client-side operations but does not provide containers for development. Hence it is only a piece of the puzzle when building a secure developer laptop.
Retracing the secure laptop evolution across the last 10+ years
As a conclusion to this discussion, below we briefly retrace the different steps that have led us to build Strong Network's solution that combines the efficient infrastructure of CDE with end-to-end data protection.
ICT evolution for secure application development
Initially, secure laptops were used to directly access corporate resources sometimes using a VPN when outside the IT perimeter. According to the benchmark study that I mentioned at the beginning of this article, 41% of laptops routinely contained sensitive data.
Then, the use of virtual machines and early access to web applications allowed organizations to remove data from local laptop storage. But code development on remote virtual machines was and remains strenuous.
Recently, the use of lightweight virtualization based on containers has allowed quicker access to online development environments, but all current vendors in this space such as Gitpod, Coder and GitHub Codespaces lack data security.
Finally, our Secure Cloud Development Environment platform, shown in the rightmost figure, is the closest incarnation of the secure development laptop and is the only solution today covering all the DevSecOps needs.