WEBINAR

Replacing the Use of Secure Laptops for Developers

Learn how to deliver the functional equivalent of a secure laptop for your developers without the technical and logistical complexity of shipping laptops or building a VDI infrastructure.


Learn From an Industry Expert

Learn how to deliver a secure laptop equivalent accessible from any device, in a session covering secure developer onboarding, accelerated environment provisioning, and real-time workforce metrics.

Dr. Laurent Balmelli is co-founder and CEO of Strong Network. He sold his last cybersecurity start-up, Strong Codes, to the US company Snapchat in 2016 and led cybersecurity efforts at Snap during a three-year earn-out period from 2016 to 2020.

After earning his PhD from ETH in Switzerland in 2000, Laurent also worked 12 years at IBM Research Division and CTO office in New York and Tokyo before moving back to Switzerland.

Why Does It Matter?

When dealing with external developers, organizations often resort to shipping laptops for security reasons, which not only costs the organization but is also ineffective and burdens the IT team.

In this session, you will learn how organizations are now able to deliver the functional equivalent of a secure laptop accessible from any device connected to the internet, accelerate the provisioning of remote developers, and eliminate the technical and logistical complexity of shipping laptops or building VDI infrastructure.

What This Webinar Covers

How to onboard developers securely without the need to send them a secure laptop.

How to effectively accelerate the provisioning of development environments.

How to obtain real-time productivity and governance metrics across your workforce.

Watch how secure Cloud Development Environments replace laptop security for developers

Watch the webinar on YouTube to learn how to replace the use of secure laptops for developers.

Webinar Transcript:

Introduction

[Leo]:
OK, I think we can start. Alright, so welcome everyone. I'm Leo. I'm a security researcher here at Strong Network. And I'm here to present this first webinar of a series of four webinars that Laurent will present for us. So, Laurent is a co-founder and CEO of Strong Network, which is a platform that helps distributed teams work from anywhere while keeping the organization's source code, data, and credentials secure. So Laurent has over 20 years of experience in the cybersecurity field. He received his engineering degree and PhD from EPFL in Lausanne, Switzerland. Then he worked at IBM's research division in New York and Tokyo. And he also founded a previous cybersecurity startup, Strong Codes, which was acquired by Snapchat in 2016. And so now I'll let Laurent continue.
[Laurent]:
Thanks, Leo. Thanks a lot. And thanks a lot for joining us on this first webinar. As Leo said, there's a series that will go through in the coming month. But first I want to mention that you can scan this QR code and get access to the entire narrative of this webinar. You'll see that I mentioned in the bio that I enjoy writing. This is something I love doing, especially on the topics of cybersecurity, digital identity, and related topics.
This webinar is based on an article that I wrote some time ago and it explains basically how we, as a company, came to think about secure developer laptops, in particular, as something that should be virtualized and distributed more efficiently compared to the usual way of sending laptops over. I think this technology here today has reached a certain maturity that makes this not impossible.
And I also explain the history of why this is something that comes to fruition now. Because of the conjunction of a series of technologies that became mature very recently. So, if you want to read that article, you can scan this QR code. This article is available on our website. This is the article itself. And then you'll see that what I'm going to talk about today is explained here. So that’s pretty much the story.

We Have a New Series of Webinars

[Laurent]:
But don't leave the presentation just yet, because I have a bit more anecdotes and so on, especially little updates about some of the facts that I'm giving in these presentations. One thing also is that, as Leo mentioned initially, this is the first of a series of webinars that we're providing to the community about what we do. This is the first one here, replacing the use of secure laptops for developers. And I think we're going to dig into the subject.
These are the complement to the first webinar when we give more details about what can be achieved with this technology. Once we have the infrastructure that I described here, you can think that it is very efficient in a way that, for instance, you can be more compliant with the development process, and it becomes easier to achieve compliance and regulatory requirements.
Also, we compare this to replacement solutions that have been on the market for some time, like VDIs, desktops as a service, and so on. Because I think it's... I'll talk about this today because this is really how we position our product. But this is something that I think I'll spend a whole webinar talking about the evolution of the solutions. Last but not least, there are a lot of things you can do about DevOps automation for multiple reasons that I will also explain here today. And the cool thing is that once you have an infrastructure like the one I explain here today, you can automate a lot of things that used to be manual or complex to set up, and you can accelerate your code development process. So that's the general idea.
I'm not going to try to go too long today. I think I'll speak for about 30 minutes or 40 minutes and I want to leave time for questions. The questions can be sent through the chat. And I think either Johann or Audrey, who's helping on hosting this call today, will get the questions and then send the questions to me. So that's how we will do that today.

Why Do We Need Secure Development Laptops?

[Laurent]:
So, let's start. First of all, why do we need secure development laptops? Because typically organizations have some intellectual property to protect. I think the premise of this discussion is that source code, data, credentials that have access to the infrastructure that is used for code development, and everything related to it is important, and these things have to be protected.
And also there are multiple use cases. It can come from working with internal developers obviously, but we also employ remote developers, contractors, consultants, and freelancers. There are multiple use cases and situations where it's important to have some type of guarantee that your assets are protected. You don't want this to be the wild west. You won't have any kind of security guarantees. You keep governance of your development process. And this problem is multifaceted.
It's quite a complex problem because there are so many different use cases and you want to put the appropriate level of security for each of the use cases, because usually this is why we're discussing this today. Very often, security gets in the way of developers’ productivity. If security was transparent and there was no issue with deploying this type of thing, there was a problem. I just have one laptop that embeds all the security artifacts or a mechanism that I want this device to enforce and I send this over.
If this is not the case, security is always something that's not usually improving the work but more getting into productivity, but also because this has a cost. This is not always possible to do and it is also unsustainable. Even for large organizations, it has a cost to send physical devices around or to provision physical devices for internal developers.
There are many situations where it has a cost and this needs to be considered. This is the reason why I think it's an interesting problem to solve to see how we can address this and set up some kind of efficient policies and things that could be implemented in an economically efficient way.
The interesting thing, this spans from small organizations to large organizations. It's not because you're a small organization that you don't want to protect your intellectual property, and very often small organizations will cut corners just because of economic issues and they can't put all their money into coming up with a solution that will be satisfying. Say, okay well we take the risk or we don't have the means and the work to equip our laptops with all the security measures and send this over things so we allow everybody to use their own device and let's see what happens.
Obviously, when you work in a large organization you have more means so you will put some kind of policy in place and so on. And also it varies by industry. It's not a single one-size-fits-all solution like some industries especially when they're regulated they will need to guarantee security on the laptops and their assets so we're thinking of an industry like banking, insurance, and this industry is basically where there's a need for security in a more marked way but we'll see that it's not limited to these industries.
So, I just want to take a step back and explain some kind of history. When I started working on that topic and I wrote that article that I mentioned before I was thinking… Okay, I have to understand where we are coming from, right? And I've lived through 2010. I remember this widely because obviously, I was traveling the world. I was working in New York. I was working in Tokyo. I remember that, most of the data that was used, not just talking about development data that was used for any type of task, any type of function in the enterprise was mostly on the laptop, even customer data.
So, one of the big issues is that if you have customer data you lose this laptop... This is not only a loss for the organization, but it can result in a big fine for the organization because this is personal data. You have to be very careful about that.

The Billion-Dollar Lost Laptop Problem

[Laurent]:
And there was this study that was called The Billion Dollar Lost Laptop Problem. This is something that was written early, it was a benchmark study written in 2010. I have a link here you see, The Billion Dollar Lost Laptop Problem. It (the study) was talking about the cost of when organizations lose a laptop that contains customer data. And I think this is something that was extremely serious at the time.
But look at the timeline here, it's 2010, right. So, what happened between 2008 and 2012? If you read some books about how the cloud came about and how data migrated from devices to the cloud this is exactly these years, right? Actually there's a great book from Thomas Friedman called Thank You for Being Late that explains this change.
Data moved from user devices to the cloud, and one of the pioneers in this transition, particularly concerning the customer data side, was Salesforce as a CRM. And what happened is that, well, now data actually from Salesforce sharing data moved to the cloud. It was not more concerning to lose a laptop because if you lose a laptop, then none of the data is on the laptop except for the credentials that will let you access your Salesforce online.
Still, the credentials are something that you have to pay attention to, but at least the data is not on the laptop. Credentials will eventually expire quite quickly because if you have a token that is on your laptop and you try to reuse it, then unless it's not expired, you won't be able to access the machine.
Also, the machine is encrypted, but, if people let the machine on and then somebody was able to get all of the machine without going to pause or like the login screen, then you have all this information that is accessible in case it is on your device. So, it was a real problem. What happened is that all the data moved to the cloud, including data from CRM and so on. Eventually, what happened is that there was still some data that is still on the development laptops, and this is the development data, one of the last battlegrounds in the industries.
Every piece of data, from customer data to some other design data, most of them moved to the cloud because applications became online applications. They don't have the application installed locally; applications become web applications. Think Google Doc, like in Microsoft 365, and everything moved to the cloud. So, your data and your documents do not live on your laptop anymore; they live somewhere in the cloud. It's a good thing that, if you lose your laptop, you don't have to care about that. But the exception is the development data very often, data is the development that is actually on the laptop.

Reasons for Malicious Actors to Go After Developer Laptops

[Laurent]:
However, this is changing. Industries that want to protect the data were completely aware of that, and they had ways to mitigate that effect. What happens and why is very important because today there is still a lot of data, I'm talking about credentials, left on the developers' laptops.
And this is not all; this is like a few months ago, companies like Okta, Slack, and CircleCI got hacked. Developers are still very sensitive to attacks on the source code they have online and the credentials they have on their desktops and laptops. These credentials are exfiltrated and used to access the organization's repositories online.

Thwarting the theft of OAuth Session Tokens Using Secure Containerized Development Environments (CDEs)

[Laurent]:
If you understand how that happens, then you can scan here; this is your code. Then you can get access to another article that I wrote more recently here in collaboration with my security researchers. We looked at how developers' laptops were hacked and how credentials were exploited. In this case, its affected clients were clients and phishing attacks. This is really how things happen, and you can understand here basically what happened to these things.

Removing the Data from Laptops (Again)

[Laurent]:
So, how do companies that would prevent data from being either lost or stolen, especially from development and from other functions, try to mitigate that issue? One way to do this is basically to use a virtual machine. Instead of accessing your data locally here, you will use your device as a simple terminal, and you will access a virtual machine that could be either hosted on-premises at your company or it could be cloud-delivered. That's something that could be delivered online.
The goal here is to do exactly what we explain here with a web application, remove data locally from the developers' laptops. In this case, talking about developers, this is another way we can cope with the issue of having data on developers' laptops.
But you know, we will see this is coming with many issues, and the most obvious one is usability. Because in this case, imagine you're not working directly with the machine with your local machine; you're working with a remote machine. The way you get to work with this remote machine is that you're getting connected here, and you have a video stream coming to your machine, and you work on that view. As I was saying, it's quite demanding, and it will hinder your productivity, or it's not something you could easily use when you might be remote or in motion like in public transport and so on, something that is not ideal.
So, the first place where we can mitigate that effect is to use remote access. There are multiple solutions to this. I think one popular one is to use Citrix, and it's called VDI for virtual desktop infrastructure. This solution lets you connect your remote machine, and you can work. Windows has a directly embedded solution for this. They have the Windows Remote Desktop, and this is something you can use to access a remote machine at work. I'm going to develop myself.
I mean, everyone who's been developing on this before, knows it's not the panacea, right? Something that is quite clumsy, I would say; it's not very pleasant to use. If this can be avoided, it is avoided. This is because it is avoided many times; this is why many companies get hacked because they don't use VDIs or similar technology.
In the banking world, they often use VDI, but it will be with proximity. They will use it only for external developers or people who need to keep some type of regulatory boundary between the organization and these developers, for multiple reasons. But it definitely won't be used for the entire company. In some cases, if you have a very secretive or critical project, it could be used. But because of the complexity, because of the issue of deploying the infrastructure it’s also costly in terms of resources, and so on, it's not what they use for that reason. But it's something that is used because it's just a way to deal with constraints you have in some industries.
But one thing that could be easily noticed is that very few, if any, technology companies are using this kind of infrastructure because it's heavy, something that you don't really want to deal with. And many companies, when talking to them, just say, 'We just take the chance. We have what is called or referred to as managed devices. We need some kind of health check on the devices, and we try to limit the permissions of developers on them. We try to make sure that the data is not exfiltrated, like for instance, blocking USB ports. But it is still sensitive to phishing, malware, and all things. I mean, especially for a laptop that is lost, there's always data on the laptop.'
And one thing that is interesting to see here is that there's now a trend to move from virtual machines to virtual processors. This is something I think that was the most insightful, at least for Strong Network, that we noticed that the trend is going like, 'No, we do not use virtual machines anymore.' I'm talking about the use of virtual machines for testing or for accessing applications. But also, there's a lighter way to do this as a virtual process.
One of the mechanisms for this is Docker. This is why I have this icon here. Docker is a lightweight virtual machine. Developers also, don't use only virtual machines to prevent exfiltration, but they also very much use virtual machines for testing, for deploying. It's not only a means for security, but also a means for productivity in terms of, 'I need to do my co-development; I need to do testing; I need to isolate dependencies.' It's been a replacement for something that is much more efficient, the virtual process. It is something that's represented here.
The advantage here is that since it's much more lightweight, it can be started easier. Starting a virtual machine will take minutes, as opposed to seconds for a virtual process. It's lightweight; it can be easily defined as code. You can define a virtual process as a Docker, as a Dockerfile. You can define what it's going to contain in terms of application software, and it will be much easier.

Inspiration: The Use of Containers As Lightweight Virtual Machines

[Laurent]:
So, this is the inspiration actually that we thought, 'Hey, perhaps we can do something better for the protection of data on developers' laptops'. So, what we looked at is, we looked at, hey, there's use of containers as a virtual machine. Containers, at some point, have been a trend for a few years now to put containers online. All the containers I was mentioning here were living on the developer's laptop and used for the development process and doing the development activities.
But here, there's been this trend to put containers online. One of the observations that the team here, where the founder team of Strong Network, includes myself and my partner, would say, 'Wow, this is interesting because we're putting these containers online. And that reminds me of when virtual machines were used to protect against that exfiltration because you don't want to have any data locally on your device.' Many providers came up.
I mean, like very early, something called AWS Cloud9. It's basically running, and I don't even need to continue, I think it's just a virtual machine. In this case, I don't think it was container-based, but it lets you access data directly online. You don't have to have any SCP code development. I don't know if they support all types of development, but because it's quite a new solution, I think it was from an acquisition called MV, and that happened if I'm not mistaken in 2015. And some other solutions like Gitpod, Coder, there's something called here, where that's dev, dev, dev, spaces. Now we have GitHub Codespaces, so they're very, very similar solutions, right? Google Workstations.
The idea here is to put containers online, and you can access them. You can access containers with different means, likely what is referred to as a cloud IDE, which is your development environment but running in the browser. And you will get transparency; you will get connected to this remote container, and you will get this as an environment for your development process. This is an easy way to define what you will need for development and define what you will need for implementing your application and so on.
It's very attractive as an idea; it's very complex to implement. All the solutions, they're quite complex. It's interesting in terms of which features these solutions are providing. The user experience is paramount here; it's very important to provide a valuable experience, but this is an initial inspiration to Strong Network. Is that, hey, perhaps we can look at this thing here and say, 'But why don't we use this kind of technology to protect code development?' As, you know, just to provide some online containers because here the initial inspiration for this solution is really to provide a productive way to create environments, right? To provision environments for development and so on, to work with them. There was no intent of protecting against data exfiltration or the same way, you know, the VDI was used or still used, and some other solutions are used.
So there was the inspiration to be productive, right?

Security Comparison: VDI vs DaaS vs Cloud IDE vs Secure Cloud IDE

[Laurent]:
So if you compare quickly, and the evolution here is the pure, you know, virtual machine and VDI is online and the desktop as a service, here, those are all streaming desktops. So this is machine-based; this is a virtual machine, a virtual machine. And these solutions here are used; they have very often data loss prevention mechanisms because you want to provide access to some remote data set to some user, circuit development data set, and you want to have some guarantee on the security of this data. This is the inspiration for this solution. Now comes this solution based on processes here like containers, Docker containers, and so on, and here this is not a security play; it's a productivity play.
So if you look at the GitHub Codespaces, they let you very quickly access a branch on GitHub and edit the code on this branch without having to set up an entire IDE on your laptop. And you can quickly make changes, so it's linked to code. It's a productive player, right? This is to the bulk here; Google Workstation is a bit similar. It's been used like Google for a while. I know someone who is quite paranoid about their assets, so they had this idea also to remove assets from the bulk of a laptop, but it didn't go to the length of implementing data loss prevention. But it's also about because there's productivity here that is, again, productivity that is important when we get into this type of solution. So we aspire from this thing and we say, 'Well, why don't we do this, and then we add all the things that you see here on the top, we add them here plus other things not gonna go later.'

Secure Developer Laptops Need a New Kind of Containers

[Laurent]:
So if you position the protected developer laptop, the protected container you need for implementing this virtual developer laptop is the thing in the middle here. So what we do is that we decided to do a blend of this online container solution here and data protection provided by Citrix VDI, the best workspaces, VMware Horizon, and so on. And we blend these things and we go into one solution here. That's the inspiration for things, and this is all about providing infrastructure security at the same time as you provide a productive development environment. So, this is the recipe for your virtual provision, the secure laptop for a developer, and this one is implemented. I mean, value any feedback you would have. But this is the thing.

The 4-Ingredient Recipe to Virtually Provision the Secure Laptop

[Laurent]:
So, I mean, there are four steps I think that we need to see here, and then I'm gonna also demo something that we do. But I also want to explain this four-step.
So, the first thing you need to do is remove data from the local storage with online containers. This is something that is naturally achieved by the solution that is the initial intent when you use a virtual, a virtual machine that is remotely accessed. The goal is to remove data from the local storage, right? You also have some guarantee of the device that accesses, that provides access to this, that provides access to this thing because, you know, if they have any type of permission on this machine, you might be able to access the data, even if it's accessed remotely because there might be some trace of this data on some cache and something like that. But if you have some kind of guarantee of, you know, permission of the users on the local device, you can, you know, have a strong security model. But, you know, this has to be considered. But let's take this from, you know, from the big points, and we can discuss more about the details.
Second, you have to prevent data exfiltration with data prevention. This also has multiple facets, right? It's not only, you know, monitoring what the user is doing because that's kind of also aggressive. This is what Citrix is doing. Citrix is like they monitor clipboards; they look at what people put on. They want to prevent them from copying the content of the clipboard outside the scope of the virtual machine. We do this as well, but I think this is, uh, it's quite, you know, if you're very suspicious of your developers, yeah, perhaps this is something you can do. But I don't think it's a good policy to be suspicious of developers. You want, I think, is actually what, why the opposite, right? You want to protect them from attacks that will come from outside, come from outside, for instance, like the phishing attack that we've seen at Slack and Okta. You want to prevent malware, you know, an exfiltration of things against their knowledge, right? I think so. This is more; you want to put some type of data prevention that is benefiting the developers as opposed to, you know, being suspicious of their activity. So I think we're stronger than that.
And, by the way, you know, we're all developers at Strong Network, and that is, you know, something that we were from the beginning. We're looking at having security that benefits the developer and doesn't get in the way of developers. It's very important because, um, you know, if you want to, you don't want to hinder your work. You want to improve the experience.
Third, if you want to monitor and secure resources, we add a security proxy. So, this is something also that developers can benefit a lot from. You want, you'll provide them very, uh, easy access to resources without them to be, you know, overwhelmed with credentials and so on. So, you think of this technology as single sign-on. You want to improve their life with this by, you know, having a single way to authenticate and access the data they need, and especially to, you know, make sure that they have access to resources. They can also template the resources. They can clone their machines. They can, they can, they can, you know, use directly this for testing. I mean, there's much the system needs to be there to improve the life of the developer, not to, you know, not to monitor.
And, as the fourth point, you have to protect the data beyond the IDE that's paramount and explain here that the workflow of the developer is not only typing in the IDE it's beyond that, right? Most of the work is done typing code in the development environment but also, you know, there will be other activities, right? For instance, pushing this code to a Git repository, doing a pull request which is, you know, one of the key activities in DevOps is the principle of feedback. You want to ask your colleagues to comment on your code; you want to merge your code with the master, the main branch of the code.
And, you know, you also want to report your work in an application like JIRA and so on. So, it plays beyond the IDE and it will also need to protect data beyond the IDE because otherwise, you know, what's the point, right? If basically, data can be, you know, fully accessed outside the IDE, then there's no point ever. And this is what the security that is remote, the virtual machine, remote access to the virtual machine provides to you right? It's not providing only security in one environment. It's a desktop, right? So, you basically need to reproduce that principle. You need to recreate the fact that it's not only about the IDE but it's all the applications that are used for the workflow.

Adopting the Virtual Workspace Infrastructure Across Organization Sizes

[Laurent]:
So, this is where we are. This is why the solution is that if you want to solve that problem and this is where, you know, you will go beyond this existing online container solution like GitHub Codespaces, Google Station, you know, whatever name it, right? The OpenShift, Red Hat, Dev Spaces. It's not only about the IDE, and then and all the solutions there, they focused on online containers and the IDE.
What you need is obviously to have this container-based solution for access but also need to have what is called remote browser isolation. So, you also need to combine this with access to in-theory applications here that will be necessary for the developer. And once we have this basically, you have a whole of the entire workflow of the developer.
So, I don't want this thing to become too complex. So, I think showing how it looks is perhaps the best thing to see. And this is how I would deliver a developer laptop. So, let me do this from scratch; I'm going to create a virtual laptop for my developer, and I will deliver that laptop to that person.
Right, so this is the environment, right; this is the environment that we have. What you can see here is a virtual laptop that belongs to me, but if I look at my entire team I can see all the workspaces here. This is an entire team working, so we have many people in the company and people working for us, and this is all like, you can see, this is all like the laptop, right, and you can see here that, you know, and all this stuff I can see, just they're running, they have the owner you can see here.
This one has a little arrow, and that means that it's shared with me. I'm the project owner in terms of permission, so Bjorn here is a person I collaborate with, and he shared his laptop with me. His laptop is, in this case, an IDE because there's no real need, in this case, to share other applications. So basically, I could go here and simply open the application.
Now, we have to authenticate, so let me just go back and authenticate. I should have authenticated before, but sorry about that. There you go. I'm going to authenticate to the platform because basically, my session was there. Alright, and you can see the current sprint and so on.
So if I go back to the workspaces here, I will see Bjorn, and I can open that. You can see I'm connected here. This is for privacy; you can see I'm connected. I can go and see this, really similar to what a Google Doc would be. You can go and work with him on that thing. This would enable direct collaboration. But let's say now when I onboard a new developer, right? So I would say I would do this. I'm going to create a new workspace here.
So what I'm going to do is create a workspace, which is, you know, the name we give to this virtual laptop. I just put myself as an owner, so it would appear here. I don't want to create that laptop to code data science. I want to do some kind of data science analysis and coding. I'm going to choose an image here; the city is a Docker container, and this is something that I'm going to use for defining the properties and the software that is embedded in my workspace. I can add some repositories here; I can connect this to a special project, and I'm not going to go further than that.
I'm going to review and launch, and then this machine here is going to be created in a few seconds. I can have my whole team here; I can see this. I was mentioning God; he is one of the... I'm the security officer for this platform, and they can see that we have a whole team here on this thing.
I was mentioning here that this is for remote developers, like for any developer. Once you log into the platform, you will see this appear here as one of your... you can see it's not the only thing that we have here, the workspace. We have the browser apps here. So if you need to access other applications that you use in this case, GitHub and an application that you might run on your workspace, they will come here. So if you run any application when you develop, it runs here on your workspace.
Here, I can use GitHub. This is GitHub open, but this is open GitHub to a remote browser isolation. So in this case, I have total control of what's happening here on the application. I have control over what people are allowed to do. This is the only thing that the developer needs to access this environment. So you can code; you can do pull requests. It will be just a web browser; this is already in the web browser. And by the way, this is a Chromebook; nothing will be installed locally.
Now, if I go online to that essential workspace here, what happens is that it's fully already configured. Also, what happened is that here you can see already the project has been completely cloned. So when I accessed it, I asked this workspace to be equipped not only with the software but with the project. So I did not have to copy the project because everything was done for me. The benefit here is that there's no necessary authentication to the project; everything was done by developers. The developer doesn't have to deal with authentication.
This defines the properties and the software embedded in my workspace. I can add a repository, connect it to a special project, and not go further than that.
If I look at my project, what I'm going to do to complete this demo is start an application based on the content of this project. This application is going to run on my workspace. I'll give it a name, 'science,' and make it public. This application is running on my workspace, and the way I can open it is simply to go here. I see it's going to appear here. Now I have a running application. This is an application running on my workspace, and I can open it. This is an application I just started on my workspace.
To show you that we can collaborate easily with this, I made this application public. I'm going to create a QR code. If you scan this QR code with your phone, you'll be able to open the application I'm running right now. So, if I wanted to send this application to somebody, here you go. I have the application running on my phone. It's very easy now to collaborate.
Things are much simpler; you can collaborate more easily, and it's faster to code because everything is set up for you initially. You don't have to spend time installing your laptop. To give an example, there's a bulk load of software that needs to be installed. You need to install TensorFlow, Python libraries, and so on. This was completed for me automatically, and you can see that the application is running here. People connecting can see it.

The Secure Laptop Evolution in the last 10+ Years

[Laurent]:
To conclude, this presentation is the story we went through. In 2010, everything was local; you needed to access data from your company. You connect your VPN to the corporate, copy all data locally, which is a nightmare for compliance and CIOs. If you lose this laptop, if something happens, then you expose the company to financial risks.
One way to mitigate the effects is to focus on critical applications. For these applications, it's suggested to utilize remote machines that enable access to data stored in the cloud. Additionally, there is still the option to access data via VPN.
A significant shift towards cloud computing has been observed between 2010 and 2015, and as of 2020, efforts have been directed towards achieving efficiency without relying solely on virtual machines. Instead, there is a growing emphasis on using containers online for work purposes.
Upon implementing Strong Network, it became apparent that online containers serve not only efficiency and productivity but also play a crucial role in enhancing security. The realization emerged that these containers allow for the integration of multiple resources, facilitating the reproduction of an entire developer's secure laptop environment. Through a combination of these technologies, the goal is achieved to replace a secure developer laptop with a virtual solution.
So, I hope this makes sense, and we have more information about this in the upcoming seminars, especially as we can achieve now that we have everything online. We have a cool developer setup that happens fully online. We can achieve a boatload of new benefits, and I'll mention this in the upcoming presentation. So, we have about 10 minutes, and if there are questions, I'll be very happy to answer them.

Q&A

[Leo]:
Yeah, so thank you, Laurent. I'll take the questions in the Q&A. If you have questions, you guys can put them in there, and I'll read them out. All right, so the first question that we have is how can the solution be used for compliance with security risk controls. Oh, okay, so that's jumping into your details. We have a full webinar about the implementation of security controls. For people who do not know about the lingo, security controls are something that you need to enforce in your process for the sake of fulfilling some security constraints that can be mandated by a standard like ISO 27001 or SOC or things that you implement in your company.
[Laurent]:
So, one of the advantages here is that since we have full visibility of the workflow of the developer, it's easy to plug security controls in different parts of this workflow because we have possession and control of the entire workflow. This is a big difference with a solution like a remote desktop or VDI, which is agnostic to the underlying business process. VDI doesn't know that you use it for development; it's just there to protect what's happening over the desktop, and it could be used for Excel, CAD modeling, or development.
There's no assumption on what's the underlying business process. So that's why it's not possible to implement risk controls based on a solution like that. You would have to implement them on top of what you have, and it could be any type of software that you need to install in addition to what you have.
The advantage here is that you have control of the workflow, and it becomes very easy to implement security controls if they fit into this workflow. We're talking about a security control that would impact DevOps, development in general. From the seminar, I want to give, in a few weeks from now, about this; we identified ISO 27001, with FI 61 controls that can fit into the workflow that we control. I think this is a great way basically to increase the ROI of a platform like that. Thanks for the question.
[Leo]:
Okay, thank you for the response. We have another question not related to technology, but will the webinar be sent by email or the replay to...
[Laurent]:
Yeah, absolutely. I think if we have your email the team is there for you to serve you. Definitely, I will send the entire webinar. I think you can see that you can watch this recording again.
[Leo]:
Perfect. And here I have another question. So, we saw how developers can work on the platform, but how can externals collaborate?
[Laurent]:
Oh, okay, that's a very good question. So actually, one thing is that there's no big difference in how an external person or an internal person will access the platform because it's always happening through the interface here. What would differentiate an external person, a developer, from internal developers will be the permission model.
So basically, if you take this from the beginning, if you're an internal or external developer, you will log in the same way to the platform. If this is happening outside, then you might have to go through some VPN or some protection, and it depends on the organization, and you access this, and that's it, right? But what differentiates these options is the permission model. You can have different types of developers here. We have like three standard roles. You can create your roles, but based on this role, there will be different permissions.
For instance, for a collaborative external developer, you want to give access to the workspace, but you don't want them to be able to create their workspaces. The developer, when they go to the platform, can create their workspaces. They can create multiple if you need them for multiple projects. You can switch from one project to the other.
For an external developer, you might say, 'Well, that person might not be able to create their workspaces because it's our resources. We want to mitigate the cost.' This is one of the things. Also, you don't want this external person to access any type of resources inside the company. You can limit to a single project repository or single application, and you don't want this person to access any service you have internally.
So, this is all done when you configure the workspace, as I mentioned before. You can have templates for workspaces, create a workspace from a template, and give permissions for access to only certain types of resources. That person cannot have unrestricted access. In terms of experience, it starts with the same experience, but the permissions will be completely different. You can ensure that an external person does not have access to unrestricted resources of the company, which is common sense.
[Leo]:
Okay, thank you. We have a last question: How does the performance of the online IDE compare to a local one?
[Laurent]:
That is a great question because the thing is, if we open the VS Code here, and in the cloud, it's 100% the same code base that you will have locally. VS Code was implemented in TypeScript, so it's 100% the same version with the same marketplace. When it runs locally, it runs Atom, which is based on Chromium. So basically, the version you have when you run locally VS Code is 100% the same. There's no difference in performance. It is not streaming here because it is run locally, and rendered in the browser, but you can install this as a local app, and this becomes a local app. There's no way to distinguish between the local VS Code from this one because it's the same. That's one of the first considerations.
The second consideration is if you want to use your local version of VS Code because you have an install, you have a specific index, you like it, or for any other reasons. Also, if you want to use IntelliJ, you want to use the local version of IntelliJ, there's a way to do remote development. Your local VS Code or local IntelliJ will connect remotely to the container online, and basically, the data will be remote, but the IDE will be local. There's an extension for VS Code called Remote Development, and there's a similar capability for IntelliJ. You can use both.
One of the advantages of using the online IDE is that it's instantaneous. It's fast. You don't have to install anything, and you can use this over your Chromebook or when you go home. You don't have to reproduce the installation of that. It's one of the big advantages, but fortunately, there's no difference in performance between this one. Also, you can see we build our extensions here in VS Code. You can run applications. We also built a bunch of extensions from Strong Network to support some additional features in VS Code, which actually will work on the local VS Code.
[Leo]:
Okay, great. We covered all the questions now.
[Laurent]:
So great, fantastic. For the next webinar, you can find the link online, and we'll make some posts on LinkedIn. It's about achieving regulatory and security compliance. This is about security controls. You can plan this efficiently, improve the ROI, and be very efficient, especially transparent. I think that's one of the key aspects of this. You want security to be transparent. Thank you very much. Thanks a lot, everybody, and I hope it was instructive.
---
All material in this text can be shared and cited with appropriate credits. For more information about our platform, please contact us at hello@strong.network
Copyright © 2020-2024 Strong Network All rights reserved.