With the onset of Covid-19, newer cloud-based desktops, application delivery services and software-defined perimeter (SDP)-like services were adopted to simplify remote access on a broad scale. However, doing so brings its own risks and costs.
In this piece we examine the options for, and considerations of, non-VPN remote access controls.
VDI: These virtual desktops are accessed through a VDI gateway and load-balancing technology. This is not a low-cost or simple option to implement in the short term; as a result, it is most attractive where a VDI infrastructure is already up and running.
VMware Workspace ONE or Citrix Workspace: These options are cloud-hosted virtual applications that also provide endpoint monitoring and management. They could be options for organizations that want to offer application provisioning and workforce management, but don’t want to install and manage in-house VDI platforms. With VMware Workspace ONE, applications are delivered to any device through the VMware online cloud. Once authenticated through the VMware Workspace ONE Intelligent Hub app, remote users can access their personalized enterprise app catalog and subscribe to any mobile, Windows and Mac apps you provision. Workspace ONE helps simplify application and access management by offering single sign-on (SSO) capabilities and support for multifactor authentication (MFA). This is a way to provision business apps to existing remote desktops and mobile devices.
Windows Virtual Desktop: Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in Microsoft’s Azure cloud. It’s essentially a VDI platform that delivers simplified and streamlined management, multi-session Windows 10 access, optimizations for and native integration with Office 365, and support for Remote Desktop Services (RDS) environments for server and admin scenarios.
SDP tools: These can actually take the place of a traditional VPN, with brokered access to on-premises apps or cloud software-as-a-service (SaaS) apps managed by a deployed endpoint client, and with the service provider infrastructure acting as a new “hub.” They can help organizations start down the road of creating a flexible, highly available software-defined perimeter (SDP) that moves away from the traditional hub-and-spoke VPN architecture. However, it is important to note that this market is somewhat new and changing rapidly, and that should be taken into account.
The first three non-VPN options (VDI, VMware/Citrix and Windows Virtual Desktop) require some up-front consideration of which specific applications are supported, among other factors. The fourth, SDP tools, offers a newer remote access model that can replace a traditional VPN. With SDP tools and services, the “VPN” is actually a cloud service provider environment that brokers connectivity, whereas the virtual desktop options are full desktops hosted on-premises or in the cloud.
With SDP services, an SDP client is deployed on the endpoint, and end users manually or automatically connect to an SDP service provider’s point of presence (PoP) in the cloud. From there, users can connect back to on-premises resources, cloud services or both, and all users, endpoints and policies are managed from a single console.
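As an added illustration (not the article's own code, nor any SDP vendor's API) of the brokered model just described: a toy Python policy evaluated at the provider's PoP, which connects a user only to the apps a centrally managed policy grants, compared with the network-level reach a hub-and-spoke VPN gives once the tunnel is up. The policy shape, app names and client-version rule are assumptions.

```python
# Added illustration (not IANS or vendor code) of SDP-style brokered access
# versus network-level VPN reach. Policy shape, app inventory and the
# client-version check are assumptions made for the example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    user: str
    client_installed: bool  # SDP client deployed on the device?
    client_version: str     # e.g. "3.2.1"

@dataclass(frozen=True)
class App:
    name: str
    location: str  # "on-prem" or "saas"

def _ver(v: str) -> tuple:
    # "3.2.1" -> (3, 2, 1) so versions compare numerically, not as strings
    return tuple(int(p) for p in v.split("."))

class SdpBroker:
    """Policy enforced at the provider PoP; users, endpoints and grants in one place."""
    def __init__(self, grants: dict, min_client: str):
        self.grants = grants          # user -> set of app names the broker may connect
        self.min_client = min_client  # reject outdated clients (posture check)

    def decide(self, ep: Endpoint, app: App) -> tuple:
        if not ep.client_installed:
            return False, "no SDP client on endpoint"
        if _ver(ep.client_version) < _ver(self.min_client):
            return False, f"client {ep.client_version} below {self.min_client}"
        if app.name not in self.grants.get(ep.user, set()):
            return False, f"{ep.user} not granted {app.name}"
        return True, f"brokered via PoP to {app.name} ({app.location})"

    def reachable(self, ep: Endpoint, apps: list) -> set:
        # Only explicitly granted apps are ever connected, on-prem or SaaS
        return {a.name for a in apps if self.decide(ep, a)[0]}

def vpn_reachable(authenticated: bool, apps: list) -> set:
    """Hub-and-spoke VPN: tunnel up means IP reach to every on-prem app."""
    if not authenticated:
        return set()
    return {a.name for a in apps if a.location == "on-prem"}

# Constructed sample inventory, policy and endpoint
APPS = [App("erp", "on-prem"), App("fileshare", "on-prem"),
        App("hr-portal", "on-prem"), App("crm", "saas")]
BROKER = SdpBroker({"alice": {"erp", "crm"}}, min_client="3.0.0")
ALICE = Endpoint("alice", True, "3.2.1")
```

With the sample data, the VPN model exposes all three on-prem apps to alice once she authenticates, while the broker connects her only to erp and crm and refuses an endpoint without a current client.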
There are additional considerations with these newer solutions, including, but not limited to, the following:
Important to note is the potential for local client conflicts with other installed software, so be sure to test carefully.
Organizations considering SDP providers based on networking and networking security capabilities should consider taking two areas into account:
All four non-VPN solutions come with costs. For on-premises VDI, the capital costs could potentially be high, including storage infrastructure, high-powered servers for clustering, software, gateway platforms and bandwidth/networking controls. For cloud-based scenarios, the cost is more operational in nature, with new configuration and policy definitions needed (but there is also a licensing cost for any users/desktops). Plus, it's important to be comfortable with the cloud service provider's security controls and audit reports.
Organizations have begun to use different solutions for remote access than traditional VPNs. For those with an existing next-generation firewall (NGFW) platform, some traditional VPN access is commonly still employed. However, with many remote users simultaneously needing access following the onset of Covid-19, cloud-based services are gaining traction. To that end, it's important for organizations to consider:
It is important to remember that all remote access solutions require some degree of investment, both financial and operational. Several new options are simpler to set up and manage than traditional VPNs. However, each may bring additional risks, because they require organizations to use third-party brokers and service environments for hosting and/or facilitating access.
October 19, 2021
By IANS Faculty