Non-VPN Remote Access Options

January 12, 2021 | By IANS Faculty

With the onset of Covid-19, newer, cloud-based desktops, application delivery services and software-defined perimeter (SDP)-like services were adopted to help simplify remote access on a broad scale. However, doing so can bring its own risks and costs. In this piece we examine the options for, and considerations of, non-VPN remote access controls.

Non-VPN Remote Access Category Options

VDI: These virtual desktops are accessed through a VDI gateway and load balancing technology. This is not a low-cost or simple option to implement in the short term, and as a result, it can be a more attractive option if a VDI infrastructure is already up and running.

VMware Workspace ONE or Citrix Workspace: These options are cloud-hosted virtual applications that also provide endpoint monitoring and management. These could be options for organizations that want to offer application provisioning and workforce management, but don’t want to install and manage in-house VDI platforms. With VMware Workspace ONE, applications are delivered to any device through the VMware online cloud. Once authenticated through the VMware Workspace ONE Intelligent Hub app, remote users can access their personalized enterprise app catalog and subscribe to any mobile, Windows and Mac apps you provision. Workspace ONE helps simplify application and access management by offering single sign-on (SSO) capabilities and support for multifactor authentication (MFA). This is a way to provision business apps to existing remote desktops and mobile devices.

Windows Virtual Desktop: Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in Microsoft’s Azure cloud. It’s essentially a VDI platform that delivers simplified and streamlined management, multi-session Windows 10 access, optimizations for and native integration with Office 365, and support for Remote Desktop Services (RDS) environments for server and admin scenarios.

SDP tools: These can actually take the place of a traditional VPN, with brokered access to on-premises apps or cloud software-as-a-service (SaaS) apps managed by a deployed endpoint client and the service provider infrastructure as a new “hub.” These can help organizations start down the road of creating a flexible, highly available software-defined perimeter (SDP) that moves away from traditional hub-and-spoke VPN architecture. However, it is important to note that this market is somewhat new and changing rapidly, and that should be taken into account.

In-Depth Look at SDP Tools

The first three non-VPN options (VDI, VMware/Citrix and Windows Virtual Desktop) require some up-front considerations in terms of specific applications supported, etc. The fourth, SDP tools, offers a newer remote access model that can replace a traditional VPN. With SDP tools and services, the “VPN” is actually a cloud service provider environment that brokers connectivity, whereas the virtual desktop options are full desktops hosted on-premises or in the cloud.

With SDP services, an SDP client is deployed on the endpoint and end users manually or automatically connect to an SDP service provider’s point of presence (PoP) in the cloud. From there, users can connect back to on-premises resources, cloud services or both, and all users, endpoints and policies are managed from a single console.

Additional SDP Considerations

There are additional considerations with these newer solutions, including, but not limited to the following:

  • Number of global PoPs available, which impacts end-user latency and connectivity.
  • Potential ease-of-use challenges.
  • Different security controls in various areas.
  • Varied app support. Not all cloud applications are natively supported for easy integration, and some may require additional configuration and tuning.
  • Most implementations entail testing with preconfigured clients that are set to connect to local provider PoPs based on current location. Once the system and user are identified, a set of security and connectivity policies are then applied and enforced to allow/prohibit access to certain cloud or on-prem applications and services. Depending on the type of access provisioned, some tuning of controls and bandwidth usage may need to be done to improve end user experience. Also, if you have a large variety of end user devices, apps and use cases, you should plan on much longer implementation cycles (potentially 12-18 months).

It is also important to note the potential for local client conflicts with other installed software, so be sure to test carefully.
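The SDP flow described above (client picks a PoP by current location, then identity and device posture drive allow/prohibit decisions per app) is easy to reason about as a small policy model. This is an added example, not code from the original post or from any SDP vendor; the PoP names, groups, apps and posture fields are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Literal

# Constructed PoP table (hypothetical names): the preconfigured client
# connects to the provider PoP closest to the user's current location.
POPS = {"us": "pop-us-east-1", "eu": "pop-eu-west-1", "apac": "pop-ap-south-1"}
DEFAULT_POP = POPS["us"]

@dataclass(frozen=True)
class Endpoint:
    user: str
    groups: frozenset
    region: str
    managed: bool   # enrolled in the organization's endpoint management
    patched: bool   # OS patch level meets the organization's baseline

@dataclass(frozen=True)
class App:
    name: str
    location: Literal["cloud", "on-prem"]
    allowed_groups: frozenset
    require_managed: bool

def select_pop(endpoint: Endpoint) -> str:
    """Step 1: pick the PoP for the endpoint's region, falling back to a default."""
    return POPS.get(endpoint.region, DEFAULT_POP)

def decide(endpoint: Endpoint, app: App) -> tuple[bool, str]:
    """Step 2: once system and user are identified, policy allows or prohibits access."""
    if not (endpoint.groups & app.allowed_groups):
        return False, f"{endpoint.user} is not entitled to {app.name}"
    if app.require_managed and not endpoint.managed:
        return False, f"{app.name} requires a managed device"
    if app.location == "on-prem" and not endpoint.patched:
        return False, f"device posture below baseline for on-prem app {app.name}"
    return True, f"{endpoint.user} -> {app.name} brokered via {select_pop(endpoint)}"

# Constructed sample catalogue: one SaaS app and one on-prem app.
APPS = {
    "crm-saas": App("crm-saas", "cloud", frozenset({"sales"}), require_managed=False),
    "erp-onprem": App("erp-onprem", "on-prem", frozenset({"finance"}), require_managed=True),
}

def access_report(endpoint: Endpoint) -> dict:
    """Evaluate every catalogue app for one endpoint (the per-user console view)."""
    return {name: decide(endpoint, app) for name, app in APPS.items()}

if __name__ == "__main__":
    alice = Endpoint("alice", frozenset({"finance"}), "eu", managed=True, patched=False)
    for app_name, (allowed, reason) in access_report(alice).items():
        print(f"{app_name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Tuning for a real deployment happens in exactly these two places: the PoP table (latency, availability) and the policy checks (which posture signals each app class demands).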

SDP Decision Factors

Organizations evaluating SDP providers on their networking and network security capabilities should take two areas into account:

  • Performance: Be sure to heavily scrutinize uptime and availability service-level agreements (SLAs), along with the breadth in PoPs for connectivity.
  • Security: Carefully assess network and network security capabilities. Not all providers have the same level of maturity in each area. However, these services are being updated regularly, too, so make sure to find out what the latest features and improvements are.

Non-VPN Cost and Operational Investments

All four non-VPN solutions come with costs. For on-premises VDI, the capital costs could potentially be high, including storage infrastructure, high-powered servers for clustering, software, gateway platforms and bandwidth/networking controls.

For cloud-based scenarios, the cost is more operational in nature, with new configuration and policy definitions needed (but there is also a licensing cost for any users/desktops). Plus, it's important to be comfortable with cloud service provider security controls and audit reports.

Remote Access Options

Organizations have begun to use different solutions for remote access than traditional VPNs. For those with an existing next-generation firewall (NGFW) platform, some traditional VPN access is commonly still employed. However, with many remote users simultaneously needing access following the onset of Covid-19, cloud-based services are gaining traction. To that end, it's important for organizations to consider:

  • Researching viable cloud service alternatives to traditional on-premises VPNs.
  • Investigating providers’ security and compliance controls, and ensuring they meet your requirements.
  • Evaluating providers’ overall transparency regarding risk mitigation, via reports like SOC 1 and 2, ISO 27001, etc.

It is important to remember that all remote access solutions require some degree of investment, both financial and operational. Several new options are simpler to set up and manage than traditional VPNs. However, each may bring additional risks, because they require organizations to use third-party brokers and service environments for hosting and/or facilitating access.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
