For years, corporate IT departments have wrestled with a persistent security headache: how to grant network access to contractors, temporary workers, and guests without exposing sensitive systems to unmanaged devices. Sophos, the British cybersecurity firm, is now offering its answer with a new capability called Workspace Protection, designed to create a controlled computing environment on devices the organization doesn’t own or manage.
The announcement, detailed on the Sophos corporate blog, represents the company’s latest effort to address a growing gap in enterprise security. As organizations increasingly rely on external labor—freelancers, consultants, seasonal staff, and third-party vendors—the attack surface expands well beyond the perimeter of company-issued hardware. Workspace Protection aims to close that gap by enabling secure access from personal or unmanaged devices without requiring full endpoint management.
The Contractor Problem: Unmanaged Devices, Uncontrolled Risk
The challenge Sophos is targeting is neither new nor trivial. According to the company, organizations face a fundamental tension when onboarding external workers. Issuing corporate laptops to short-term contractors is expensive and logistically cumbersome. Yet allowing those workers to connect from their own devices—often running outdated software, lacking endpoint protection, or harboring unknown vulnerabilities—introduces risk that traditional security models were never designed to handle.
This problem has intensified in recent years. The shift toward hybrid and remote work, accelerated by the pandemic, made it common for workers of all types to access corporate resources from locations and devices outside IT’s direct control. But while full-time employees typically receive managed devices with endpoint detection and response (EDR) tools, VPN clients, and mobile device management (MDM) profiles, contractors and guests frequently fall through the cracks. They represent what security professionals often call a “blind spot”—visible enough to be granted access, but invisible enough to evade standard monitoring.
How Workspace Protection Works
Sophos describes Workspace Protection as a solution that creates a secure, isolated workspace on an unmanaged device. Rather than attempting to manage the entire device—an approach that raises both technical and privacy concerns—the technology establishes a controlled environment through which the external user accesses corporate applications and data. The workspace is governed by organizational security policies, even though the underlying device remains outside the company’s management domain.
According to the Sophos blog post, the solution integrates with the company’s broader security platform, including Sophos Central, the cloud-based management console that administrators already use to oversee endpoint protection, firewall policies, and threat response across their organizations. This integration means that IT teams can apply consistent security policies to contractor workspaces alongside their managed endpoints, reducing the administrative overhead of maintaining separate security frameworks for different classes of users.
A Market Responding to Real-World Breaches
Sophos’s move comes at a time when third-party access has been implicated in some of the most consequential security incidents in recent memory. The 2020 SolarWinds attack, the 2013 Target breach (which was traced back to an HVAC contractor’s compromised credentials), and numerous ransomware incidents have all underscored the risk posed by external parties with network access. Security analysts have long warned that the supply chain—including the human supply chain of contractors and temporary workers—represents one of the most underprotected vectors in enterprise security.
The broader industry has taken notice. Companies like Citrix, VMware (now part of Broadcom), and various zero-trust network access (ZTNA) vendors have all developed solutions aimed at securing access from unmanaged devices. Microsoft’s Windows 365 Cloud PC and Azure Virtual Desktop also address parts of this problem by streaming a managed desktop environment to any device with a browser. Sophos’s entry into this space signals that the company sees an opportunity to differentiate by tying workspace isolation directly into its existing security management and threat detection infrastructure.
Zero Trust as the Underlying Philosophy
The architectural philosophy behind Workspace Protection aligns closely with zero-trust principles, which have become the dominant framework for enterprise security strategy. Zero trust holds that no user, device, or network connection should be inherently trusted, regardless of whether it originates inside or outside the corporate perimeter. Every access request must be verified, and permissions should be granted on a least-privilege basis.
For contractors and guests, zero trust is particularly relevant. These users typically need access to a narrow set of applications or data repositories, and their access should be time-limited and closely monitored. Sophos’s approach appears to operationalize these principles by confining external users to a workspace that enforces organizational policies without requiring the user to surrender control of their personal device. This distinction matters: privacy regulations in many jurisdictions restrict what employers and clients can install or monitor on a worker’s personal hardware, making full device management legally and ethically fraught.
The Economics of Contractor Security
Beyond the technical considerations, there is a compelling financial argument for solutions like Workspace Protection. Provisioning, shipping, and recovering corporate hardware for short-term workers is a significant cost center. IT asset management firms estimate that the total cost of ownership for a corporate laptop—including procurement, configuration, support, and eventual decommissioning—can run between $3,000 and $5,000 over a three-year lifecycle. For a contractor engaged for a six-month project, much of that investment is wasted.
Software-based workspace solutions shift the cost model. Instead of a capital expenditure on hardware, organizations pay a per-user subscription or license fee for the secure workspace. The contractor uses their own device, the organization controls the workspace, and when the engagement ends, access is revoked without the need to retrieve physical equipment. For enterprises managing hundreds or thousands of external workers at any given time, the savings can be substantial. Sophos, by embedding this capability within its existing platform, may also reduce the need for organizations to purchase and manage a separate product from another vendor.
Integration With Threat Detection and Response
One of the more notable aspects of the Sophos announcement is the emphasis on integrating Workspace Protection with the company’s threat detection and managed detection and response (MDR) services. According to the Sophos blog, the workspace environments can be monitored through the same Sophos Central console used for managed endpoints, giving security operations teams visibility into contractor activity alongside employee activity.
This integration addresses a common complaint among security operations center (SOC) analysts: that contractor and guest access often generates blind spots in security telemetry. When external users connect through consumer-grade VPNs, personal email accounts, or unmonitored devices, their activity may not appear in the organization’s security information and event management (SIEM) system. By routing contractor access through a monitored workspace, Sophos aims to close this visibility gap and ensure that anomalous behavior—whether from a compromised contractor credential or a malicious insider—triggers the same detection and response workflows as threats originating from managed devices.
What This Means for Enterprise Security Teams
For chief information security officers (CISOs) and their teams, the arrival of Workspace Protection adds another option to an increasingly crowded market for secure access solutions. The key differentiator Sophos is promoting is the tight coupling between workspace isolation and its broader security platform. Organizations already invested in Sophos endpoint protection, firewalls, and MDR services may find it attractive to extend those capabilities to cover unmanaged devices without introducing a new vendor relationship.
However, the solution’s effectiveness will ultimately depend on execution details that the initial announcement leaves partly unaddressed. Questions about supported operating systems, performance overhead on lower-specification contractor devices, offline access capabilities, and the granularity of policy controls will all factor into enterprise purchasing decisions. Competitors in the virtual desktop infrastructure (VDI) and ZTNA markets have had years to refine their offerings, and Sophos will need to demonstrate that Workspace Protection can match or exceed the maturity of those established products.
The Broader Trend Toward Securing the Extended Workforce
Sophos’s announcement is best understood as part of a broader industry movement toward securing what some analysts call the “extended workforce”—the growing population of non-employee workers who access corporate systems. Research from staffing industry groups suggests that contingent workers now represent between 30% and 40% of the total workforce at many large enterprises, a figure that has been climbing steadily for over a decade.
As that proportion grows, the security implications become harder to ignore. Regulatory frameworks like the European Union’s NIS2 Directive and the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) zero-trust maturity model both emphasize the need to secure third-party access. Organizations that fail to do so face not only the risk of a breach but also potential regulatory penalties and reputational damage. Sophos, by explicitly targeting the contractor and guest use case, is positioning itself to help enterprises address a compliance requirement that is becoming as pressing as the underlying security concern.
Whether Workspace Protection gains significant market traction will depend on how well it performs in production environments and how aggressively Sophos prices and markets the offering against entrenched competitors. But the problem it addresses is real, growing, and increasingly difficult for enterprises to ignore.