With the onset of Covid-19, newer cloud-based desktops, application delivery services and software-defined perimeter (SDP)-like services were adopted to help simplify remote access on a broad scale. However, doing so can bring its own risks and costs.
In this piece we examine the options for, and considerations of, non-VPN remote access controls.
VDI: These virtual desktops are accessed through a VDI gateway and load balancing technology. This is not a low-cost or simple option to implement in the short term, and as a result it is a more attractive option if a VDI infrastructure is already up and running.
VMware Workspace ONE or Citrix Workspace: These options are cloud-hosted virtual applications that also provide endpoint monitoring and management. These could be options for organizations that want to offer application provisioning and
workforce management, but don’t want to install and manage in-house VDI platforms. With VMware Workspace ONE, applications are delivered to any device through the VMware online cloud. Once authenticated through the VMware Workspace ONE Intelligent
Hub app, remote users can access their personalized enterprise app catalog and subscribe to any mobile, Windows and Mac apps you provision. Workspace ONE helps simplify application and access management by offering single sign-on (SSO) capabilities
and support for multifactor authentication (MFA). This is a way to provision business apps to existing remote desktops and mobile devices.
Windows Virtual Desktop: Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in Microsoft’s Azure cloud. It’s essentially a VDI platform that delivers simplified and streamlined management,
multi-session Windows 10 access, optimizations for and native integration with Office 365, and support for Remote Desktop Services (RDS) environments for server and admin scenarios.
SDP tools: These can actually take the place of a traditional VPN, with brokered access to on-premises apps or cloud software-as-a-service (SaaS) apps managed by a deployed endpoint client and the service provider infrastructure acting as a new “hub.” These can help organizations start down the road of creating a flexible, highly available software-defined perimeter (SDP) that moves away from the traditional hub-and-spoke VPN architecture. However, it is important to note that this market is somewhat new and changing rapidly, and that should be taken into account.
The first three non-VPN options (VDI, VMware/Citrix and Windows Virtual Desktop) require some up-front consideration of which specific applications are supported, among other factors. The fourth, SDP tools, offers a newer remote access model that can replace a traditional VPN. With SDP tools and services, the “VPN” is actually a cloud service provider environment that brokers connectivity, whereas the virtual desktop options are full desktops hosted on-premises or in the cloud.
With SDP services, an SDP client is deployed on the endpoint and end users manually or automatically connect to an SDP service provider’s point of presence (PoP) in the cloud. From there, users can connect back to on-premises resources, cloud services
or both, and all users, endpoints and policies are managed from a single console.
There are additional considerations with these newer solutions, including, but not limited to, the following:
It is important to note the potential for local client conflicts with other installed software, so be sure to test carefully.
Organizations evaluating SDP providers based on networking and network security capabilities should take two areas into account:
All four non-VPN solutions come with costs. For on-premises VDI, the capital costs could potentially be high, including storage infrastructure, high-powered servers for clustering, software, gateway platforms and bandwidth/networking controls.
For cloud-based scenarios, the cost is more operational in nature, with new configuration and policy definitions needed (but there is also a licensing cost for any users/desktops). Plus, it's important to be comfortable with cloud service provider security
controls and audit reports.
Organizations have begun to use different solutions for remote access than traditional VPNs. For those with an existing next-generation firewall (NGFW) platform, some traditional VPN access is commonly still employed. However, with many remote users simultaneously
needing access following the onset of Covid-19, cloud-based services are gaining traction. To that end, it's important for organizations to consider:
It is important to remember that all remote access solutions require some degree of investment, both financial and operational. Several new options are simpler to set up and manage than traditional VPNs. However, each may bring additional risks, because they require organizations to use third-party brokers and service environments for hosting and/or facilitating access.