End user computing is a popular target for malware attacks. Virtual desktops are no exception. As noted in previous posts, Spot PC emphasizes a “security in layers” approach to securing virtual desktop sessions. This includes using Windows 365 and Azure Virtual Desktop (AVD) and their built-in user identity and security management offered by Microsoft Azure Active Directory. Spot PC also enables Defender for Cloud for every managed virtual machine. This ensures that misconfigurations and suspicious activity patterns are identified and remediated.
While we believe Microsoft has enabled very strong security layers for end users, we think that administrative functions and process automation should also be protected by security layers. To that end, the Spot PC components created by NetApp are managed using security best practices. Part of that approach is having external auditors evaluate the processes and configurations, providing customers and prospects with validation for our approach.
Spot PC is now certified as compliant with SOC2 Type 1, ISO 27001-2013, and the Privacy and Security rule components of the Health Insurance Portability and Accountability Act (HIPAA). The audits for this cycle were completed by Schellman & Company LLC. The audit reports are available by request from the Spot PC team and online from the NetApp Compliance Center.
What do these certifications mean for businesses? The standards consist of a framework of security controls that are intended to minimize the risk of attacks. Examples include using documented change control processes, segregating staff that develop code from those that promote changes to production, and enabling continuous scanning of code, public endpoints, and third-party components to identify potential attack vectors. The standards also encompass data security – backups of key data, restore tests that simulate recovery scenarios, and encryption for data at rest and when in motion across public networks. Compliance audits test that organizations like NetApp both comply with these security controls and provide evidence of operating practices that show continued compliance.
Why compliance matters
Using a controls plus audit approach standardizes evaluation of products and the companies that publish them. Instead of surveys and requests for information, companies can read and evaluate the compliance audit reports for a deeper understanding of the product and how it implements common security practices. Compliance audit reports also typically satisfy legal and financial requirements, including providing proof to insurance companies and external auditors that your company is using technology products that have been audited.
Insist on compliance
Malware attacks and defenses have evolved to a point where verified security control compliance is essential. Responses like “we use internal assessment,” “our product runs on Azure so it’s secure by default,” or “our product is only a tool set so security assessment is your responsibility” are no longer sufficient. Security in layers means all layers – not just the physical environment. High-profile software supply chain attacks and control plane targeting illustrate how quickly hackers find and exploit these partial security configurations. Make no mistake, compliance certification is a detailed and time-consuming process, but we encourage you to challenge your vendors to show external proof.
To learn more about Spot PC, please visit https://spot.io/products/spotpc/.