With the onset of Covid-19, newer cloud-based desktops, application delivery services and software-defined perimeter (SDP)-like services were adopted to help simplify remote access on a broad scale. However, doing so brings its own risks and costs.
In this piece we examine the options for, and considerations of, non-VPN remote access controls.
Non-VPN Remote Access Category Options
VDI: These virtual desktops are accessed through a VDI gateway and load-balancing technology. This is not a low-cost or simple option to implement in the short term, so it is more attractive when a VDI infrastructure is already up and running.
VMware Workspace ONE or Citrix Workspace: These options are cloud-hosted virtual applications that also provide endpoint monitoring and management. They could be options for organizations that want to offer application provisioning and workforce management, but don’t want to install and manage in-house VDI platforms. With VMware Workspace ONE, applications are delivered to any device through the VMware online cloud. Once authenticated through the VMware Workspace ONE Intelligent Hub app, remote users can access their personalized enterprise app catalog and subscribe to any mobile, Windows and Mac apps you provision. Workspace ONE helps simplify application and access management by offering single sign-on (SSO) capabilities and support for multifactor authentication (MFA). This is a way to provision business apps to existing remote desktops and mobile devices.
Windows Virtual Desktop: Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in Microsoft’s Azure cloud. It’s essentially a VDI platform that delivers simplified and streamlined management, multi-session Windows 10 access, optimizations for and native integration with Office 365, and support for Remote Desktop Services (RDS) environments for server and admin scenarios.
SDP tools: These can actually take the place of a traditional VPN, with brokered access to on-premises apps or cloud software-as-a-service (SaaS) apps managed by a deployed endpoint client and the service provider infrastructure acting as a new “hub.” They can help organizations start down the road of creating a flexible, highly available software-defined perimeter (SDP) that moves away from the traditional hub-and-spoke VPN architecture. However, it is important to note that this market is still new and changing rapidly, and that should be factored into any decision.
In-Depth Look at SDP Tools
The first three non-VPN options (VDI, VMware/Citrix and Windows Virtual Desktop) require some up-front consideration of which specific applications are supported, among other things. The fourth, SDP tools, offers a newer remote access model that can replace a traditional VPN. With SDP tools and services, the “VPN” is actually a cloud service provider environment that brokers connectivity, whereas the virtual desktop options are full desktops hosted on-premises or in the cloud.
With SDP services, an SDP client is deployed on the endpoint and end users manually or automatically connect to an SDP service provider’s point of presence (PoP) in the cloud. From there, users can connect back to on-premises resources, cloud services or both, and all users, endpoints and policies are managed from a single console.
Additional SDP Considerations
There are additional considerations with these newer solutions, including, but not limited to, the following:
- Number of global PoPs available, which impacts end-user latency and connectivity.
- Potential ease-of-use challenges.
- Different security controls in various areas.
- Varied app support. Not all cloud applications are natively supported for easy integration, and some may require additional configuration and tuning.
- Most implementations entail testing with preconfigured clients that are set to connect to local provider PoPs based on the user’s current location. Once the system and user are identified, a set of security and connectivity policies is applied and enforced to allow or prohibit access to certain cloud or on-prem applications and services. Depending on the type of access provisioned, some tuning of controls and bandwidth usage may be needed to improve the end-user experience. Also, if you have a large variety of end-user devices, apps and use cases, you should plan on much longer implementation cycles (potentially 12-18 months).
It is also important to note the potential for local client conflicts with other installed software, so be sure to test carefully.
SDP Decision Factors
Organizations evaluating SDP providers on their networking and network security capabilities should take two areas into account:
- Performance: Be sure to heavily scrutinize uptime and availability service-level agreements (SLAs), along with the breadth in PoPs for connectivity.
- Security: Carefully assess network and network security capabilities. Not all providers have the same level of maturity in each area. However, these services are updated regularly, so make sure to find out what the latest features and improvements are.
Non-VPN Cost and Operational Investments
All four non-VPN solutions come with costs. For on-premises VDI, the capital costs could potentially be high, including storage infrastructure, high-powered servers for clustering, software, gateway platforms and bandwidth/networking controls.
For cloud-based scenarios, the cost is more operational in nature, with new configuration and policy definitions needed (but there is also a licensing cost for any users/desktops). Plus, it's important to be comfortable with the cloud service provider’s security controls and audit reports.
Remote Access Options
Organizations have begun to use different solutions for remote access than traditional VPNs. For those with an existing next-generation firewall (NGFW) platform, some traditional VPN access is commonly still employed. However, with many remote users simultaneously needing access following the onset of Covid-19, cloud-based services are gaining traction. To that end, it's important for organizations to consider:
- Researching viable cloud service alternatives to traditional on-premises VPNs.
- Investigating providers’ security and compliance controls, and ensuring they meet your requirements.
- Evaluating providers’ overall transparency regarding risk mitigation, via reports like SOC 1 and 2, ISO 27001, etc.
It is important to remember that all remote access solutions require some degree of investment, both financial and operational. Several new options are simpler to set up and manage than traditional VPNs. However, each may bring additional risks, because they require organizations to rely on third-party brokers and service environments for hosting and/or facilitating access.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.