cweatherford
Newcomer I

RDP Risks

Maybe I am wrong, but I just don't see how allowing a non-company device connectivity to RDP in an environment where clients' confidential data is being reviewed can be deemed safe.

 

Can anyone help me out here? Understand one way or the other?

 

My thought, keyloggers and even video (screen capture) could be used to capture everything seen. Yes, we do use 2fa, but I still have no control of what is happening on the host machine.

5 Replies
Early_Adopter
Community Champion

This all depends on verticals, regulation, risk appetite, impact of incidents and threat associated with your business.

If your assets are not worth much then maybe you can't afford many controls and you're bravely deperimeterised, beyond-corping on your way to a zero trust future, and in any case you demand agents, MDM, MAM and all sorts of things of your employees.

Personally I’d go for everyone gets a corporate device, as it’s easier to be consistent - of course a lot depends on what the virtual desktop infra has access to as well.

Makes everything so much cleaner if it’s your assets used all the way.
ericgeater
Community Champion

I'm sorry, but I felt an arrhythmia just by reading "RDP".  Is the VPN broken?  Is there any MDM onboarding or similar for the personal device?  Can RDP be improved by an issued computer and some MFA?

 

I need my smelling salts.  I feel faint.

-----------
A claim is as good as its veracity.
denbesten
Community Champion

Data loss can be just as big a deal as data exposure. In addition to video/keystroke capture, you might also consider laptops being left on a plane, missing backups when laptops are powered down at night, and getting ransomwared if the user has access to the data files themselves.

 

Keep in mind that "Safe" is a continuum, not a binary (true/false) value. Risk acceptance is a game of balancing user-experience, cost, and data protection, typically based on your management's tolerance for whiney users vs whiney cyber-sec staff.

 

To "make the sale", it is often necessary to compromise a bit in the name of user experience.  RDP is often the "lesser harm" vs the data being on the laptop itself.  With RDP, company data remains safely stashed in the data center. And when the session is disconnected you know the data is protected from prying eyes.

 

The trick is understanding where we can afford to let go and what mitigations we can squeeze in, such as:

 

  1. A secure communications channel, such as a network VPN or SSL VPN/proxy.
  2. Multi-factor authentication.
  3. Reasonable session and inactivity timeouts on the VPN.
  4. Posture checking of the laptop (A/V, patch level, blacklisted software, etc).
  5. While logged into the VPN, route Internet-access through the VPN and the company firewall.
  6. Publish the app via Citrix/Horizon/etc instead of publishing a complete desktop.

Many of these add value even if the company owns the laptop.
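The host-side half of that list (items 1, 3 and 6 touch the RDP listener; the VPN, MFA and posture checks live on the gateway) can be enforced and audited on the Windows host itself. The script below is an added example, not code from the thread or from any of the posters: it writes the registry values that the corresponding Group Policy settings write, so the RDP listener only speaks TLS with Network Level Authentication, nothing can be redirected out of the session to the personal laptop (drives, clipboard, printers, ports, plug-and-play devices), idle and disconnected sessions are torn down on a timer, and the host firewall only admits RDP from the VPN client pool. The `$VpnSubnet` value is an assumption to be replaced with your own pool; it also assumes RDP is reached through the VPN rather than through an RD Gateway, which would need its own address in that rule.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): harden and audit a Windows host's RDP listener.
# The values below are the registry-backed Group Policy settings for Remote Desktop
# Session Host; writing them here is equivalent to setting the policies locally.

$VpnSubnet = '10.50.0.0/16'   # ASSUMED VPN client pool; change to match your environment

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Desired state. All values are DWORDs; the time limits are in milliseconds.
$Desired = [ordered]@{
    # Secure channel on the listener itself (the VPN still sits in front of it)
    SecurityLayer        = 2                  # TLS only, no legacy RDP security layer
    UserAuthentication   = 1                  # require Network Level Authentication
    MinEncryptionLevel   = 3                  # "High" encryption level
    # Data-loss controls: nothing leaves the session to the personal device
    fDisableCdm          = 1                  # no drive redirection
    fDisableClip         = 1                  # no clipboard redirection
    fDisableCpm          = 1                  # no printer redirection
    fDisableLPT          = 1                  # no LPT port redirection
    fDisableCcm          = 1                  # no COM port redirection
    fDisablePNPRedir     = 1                  # no plug-and-play device redirection
    # Session and inactivity limits; end the session rather than leave it parked
    MaxIdleTime          = 15 * 60 * 1000     # 15 min idle -> disconnect
    MaxDisconnectionTime = 60 * 60 * 1000     # 60 min disconnected -> log off
    fResetBroken         = 1                  # terminate (not just disconnect) at a limit
    DeleteTempDirsOnExit = 1                  # clear per-session temp folders at logoff
}

function Set-RdpHardening {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $Desired[$name] `
            -PropertyType DWord -Force | Out-Null
    }
    # Only the VPN pool may reach the RDP listener; the host firewall drops the rest.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $VpnSubnet
}

function Test-RdpHardening {
    # One row per setting, so the output can go straight into a compliance report.
    $current = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $Desired.Keys) {
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Desired[$name]
            Actual    = $current.$name
            Compliant = ($current.$name -eq $Desired[$name])
        }
    }
    # Effective listener state as the Terminal Services WMI provider reports it,
    # which is what a connecting client actually gets.
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
            -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    [pscustomobject]@{
        Setting   = 'RDP-Tcp effective NLA'
        Expected  = 1
        Actual    = [int]$ts.UserAuthenticationRequired
        Compliant = ([int]$ts.UserAuthenticationRequired -eq 1)
    }
    [pscustomobject]@{
        Setting   = 'RDP-Tcp effective SecurityLayer'
        Expected  = 2
        Actual    = [int]$ts.SecurityLayer
        Compliant = ([int]$ts.SecurityLayer -eq 2)
    }
}

Set-RdpHardening
Test-RdpHardening | Format-Table -AutoSize
```

Run it elevated on the session host; `Test-RdpHardening` can be run on its own from a scheduled task to catch drift. The redirection settings are the part that addresses the data-loss angle above: with clipboard and drive redirection off, the personal laptop can still capture the screen, but it cannot copy files or text out of the session, which is the control a BYOD policy can actually enforce from the server side.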

 

Early_Adopter
Community Champion

To Denbesten's point, if you own the endpoint being used to connect then using VDI provides you with another (fairly decent) layer of security, rather than not owning the endpoint and trying to mitigate all the things that can go wrong…

Cameras are still an issue… 😉
JoePete
Advocate I

@cweatherford wrote:

Maybe I am wrong, but I just don't see how allowing a non-company device connectivity to RDP in an environment where clients' confidential data is being reviewed can be deemed safe.

We tend to turn on RDP and the like as a catch-all solution for incomplete engineering. We don't know what kind of remote access we want, so we just turn this thing on as though we are sitting at the keyboard with an interactive login. That's a "most privilege" solution. The least privilege would be looking at something like a database-client relationship where you can have more granular control over the data and the access to it, layering on top of that (or under it, if you're thinking in terms of OSI or TCP/IP) good host security and network controls, etc.

 

Broadly, whenever I see RDP, I think "corner cutting," bearing in mind that sometimes it is necessary to cut corners. It's done to save on personnel, hardware, or engineering. That's fine for testing or lab work, but in a production environment, like you, I am pressed to come up with a good justification.