Internet users can go just about anywhere on the internet, which can be concerning when you consider that many enterprise employees continue to work from home and require access to sensitive web-connected corporate resources. To prevent security concerns, experts recommend allocating a portion of the internet towards Zero Trust or, more accurately, â€œnever trust, always verify.â€ Zero Trust is especially critical for VDI and DaaS solutions, where the corporate network denies first, always authenticates, restricts, and audits access. Karen Gondoly, CEO of Leostream, says a well architected hosted desktops solution can provide that level of secure access.
The internet is inherently trusting, which is ironic if you think about it. No matter who you are or your intent, you can go anywhere on the internet. That’s frightening when you consider that a good deal of the enterprise workforce continues to work from home and needs access from the internet to sensitive corporate resources.
To belay that fear, you must steer your portion of the internet towards Zero Trust or, more accurately, â€œnever trust, always verify,â€ a definition for zero-trust concepts long touted by vendors in the space. The evolution to Zero Trust is a many-step journey, but where do you start?
GartnerOpens a new window carved out a segment of the Zero Trust landscape and coined the term Zero Trust Network Access (ZTNA) for technologies that create â€œan identity- and context-based, logical-access boundary around an application or set of applications.â€Â Â Â
To a tee, that describes a robust hosted desktop deployment: a data center of racked workstations, a Virtual Desktop Infrastructure (VDI), or Desktops-as-a-Service (DaaS). At the heart of each of those architectures is a connection broker that implements identity- and context-based access control rules and a security gateway bound to those rules to enforce the logical-access boundary.
Why then start your journey to ZTNA with VDI? Because when done right, you can overcome the common obstacles faced when implementing ZTNA and gain experience and confidence for taking the next step.Â
Here are five common obstacles to implementing ZTNA.
In many cases, organizations compare the cost of ZTNA to that of their VPN, but that cost comparison considers only the access control portion of an enterprise infrastructure. However, the total cost of a VDI or DaaS deployment goes beyond the per-user, device, or workstation model for the access control plane.
VDI or DaaS, particularly an architecture that leverages a public cloud, enables organizations to manage costs across the stack. For example, the management plane of the environment can automate capacity in a public cloud to help organizations minimize cloud costs. It can also maximize resource usage by intelligently managing access to shared pools of resources, which may allow an organization to purchase less hardware.
While the VDI platform’s cost may not be competitive against ZTNA or VPN devices, they can help manage and mitigate costs in ways that ZTNA and VPNs cannot.
Limited Support [for different display protocols]
Outside of VDI, ZTNA devices tend to support a limited number of protocols for connecting end users to their permitted resources, for example, Microsoft RDP. However, display protocols are not a â€œone size fits allâ€ technology.
RDP may be sufficient for task workers accessing productivity applications. Still, knowledge or power workers who perform more complex, graphics-intensive tasks on large datasets need a high-performance display protocol.Â
Also, some users may access applications running on Microsoft Windows while others run on Linux or macOS. Those users may log in from different device types, from corporate laptops to BYOD devices. Different display protocols support different combinations of operating systems on the two ends of the connection.
A robust and flexible VDI deployment supports various display protocols and devices, enabling delegated access to all applications and users.
Weak Identity Management
One key aspect of ZTNA is securely authenticating and identifying users so that access control rules can be assigned appropriately to guarantee access. VDI management platforms allow organizations to leverage different authentication servers and services.
Enterprises with standardized identity providers in the cloud or on-premises can continue leveraging those services with their VDI management platform. This compatibility simplifies IT and improves the end-user experience, as users are already familiar with the login process.Â
No On-premises Trust Broker
Trusting another vendor to host the control plane that secures access to your corporate resources may seem unintuitive. So don’t do it! VDI management platforms can be hosted and managed entirely by an organization on its infrastructure.
These access control plans can then be used to manage hybrid resources. Organizations can build VDI or DaaS solutions that leverage a mixture of on-premises and cloud-based desktops and applications.
Building access control rules to manage ZTNA can be a full-time job. VDI management platforms simplify that job by allowing rules to be configured in ways that automate as many tasks as possible.
For example, IT can create standardized policies for different groups of users, so onboarding a new employee is as simple as adding them to the appropriate group. Or, IT can automate capacity in the public cloud for third-party contractors to ensure they have access to the applications they need but do not have access to the organization’s corporate network.Â Â
The journey to Zero Trust has no real end, but you can simplify the beginning by looking at VDI and DaaS solutions. At their core, these are remote access and connection management platforms, which is essentially what ZTNA is all about. Deny first; always authenticate, restrict and audit access. A well-architected hosted desktops solution does all of that and more.Â