Software Defined Secure Digital Workplace

    A big part of the challenge for Enterprise IT is delivering some form of End User Computing (EUC) to users, whether that is simply providing each user with an endpoint such as a laptop, a traditional Citrix session-based solution or a virtualised desktop infrastructure (VDI) solution such as VMware Horizon.

    Each of these solutions provides its own challenges, one of which is security. For instance, with many physical endpoints it is difficult to keep each one up to date, manage the applications on each endpoint and ensure each endpoint is secure.

    Recent Ransomware attacks have highlighted some of these issues.

    Session-based solutions such as Citrix or Microsoft Remote Desktop Services (RDS) overcome some of the manageability challenges by providing fewer endpoints to manage and secure, but they introduce further challenges such as managing user profiles and scaling the solution.

    A VDI solution provides the advantages of virtualisation whilst still giving users a full desktop experience. Challenges such as managing user profiles and applications still exist, but a VDI solution can be scaled easily when planned and designed correctly.

    Security is still a major concern. A VDI solution can be configured so that each underlying desktop is stateless, meaning it is a clone of an offline image that is deleted and re-provisioned as soon as the user logs off. This helps combat the spread of things like malware, but it does not prevent infection in the first place.

    NSX and VDI – Better Together

    By combining VMware NSX with VMware Horizon, the same advantages NSX delivers for the datacentre can be delivered for each virtual desktop. NSX can secure not only external access to the desktops but also “East-West” traffic – desktop to desktop – through the use of micro-segmentation.

    Micro-segmentation provides granular firewall protection at the VM level. Rules are applied simply using policies, which ensures the correct level of protection is applied no matter which endpoint the user chooses to log in from and no matter their location.

    For attacks such as the recent ransomware attacks, this can, when applied properly, prevent any further malware infection if one of the desktops is compromised.

    Further protection can be added by integrating third-party security solutions that partner with VMware NSX, such as Trend Micro. These solutions can scan VMs without an agent in the guest OS and automatically apply a security tag to any infected VM. Using this security tag, NSX can then block all traffic to that VM, effectively quarantining it from the network. Once the threat has been dealt with, the VM can be reintroduced to the network or, in a VDI solution, a new virtual desktop is simply cloned from the offline image.
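    To show how tag-driven micro-segmentation and quarantine fit together, here is an added example written for this article: a simplified Python model of a distributed firewall whose groups are defined by pool membership or security tag, not NSX or Trend Micro code. The tag name, pool labels, ports and rule names are constructed for illustration.

```python
"""Constructed model of tag-driven micro-segmentation (not NSX or Trend Micro code).
Groups are defined by membership criteria (desktop pool or security tag), so a VM
changes groups the moment its tags change, with no rule edits. Rules are evaluated
top down, first match wins, and anything unmatched hits the default block."""
from dataclasses import dataclass, field

QUARANTINE_TAG = "AV.VirusFound"  # constructed name for the tag a scanner applies

@dataclass
class VM:
    name: str
    pool: str                      # "vdi" for desktops, "dc" for datacentre servers
    tags: set = field(default_factory=set)

# Group membership criteria: each is a predicate over a VM.
def in_pool(pool):
    return lambda vm: vm.pool == pool

def has_tag(tag):
    return lambda vm: tag in vm.tags

def any_vm(vm):
    return True

# (rule name, source group, destination group, allowed ports or None for any, action)
RULES = [
    ("quarantine-in",  any_vm,                  has_tag(QUARANTINE_TAG), None,       "BLOCK"),
    ("quarantine-out", has_tag(QUARANTINE_TAG), any_vm,                  None,       "BLOCK"),
    ("desktop-to-dc",  in_pool("vdi"),          in_pool("dc"),           {443, 445}, "ALLOW"),
    ("no-east-west",   in_pool("vdi"),          in_pool("vdi"),          None,       "BLOCK"),
]

def evaluate(src, dst, port, rules=RULES):
    """Return the action of the first rule matching this flow; default is BLOCK."""
    for _name, src_grp, dst_grp, ports, action in rules:
        if src_grp(src) and dst_grp(dst) and (ports is None or port in ports):
            return action
    return "BLOCK"

def quarantine(vm):
    """Simulate the agentless scanner tagging an infected VM; the two quarantine
    rules now match it without any firewall change."""
    vm.tags.add(QUARANTINE_TAG)

def release(vm):
    """Remediated VM returns to normal policy (in VDI it would simply be re-cloned)."""
    vm.tags.discard(QUARANTINE_TAG)
```

    Because the quarantine rules sit above the allow rules, tagging a desktop cuts it off from the file server and from every other desktop at once, while an untagged desktop keeps its normal, deliberately narrow access.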

    NSX can further complement Horizon by automating virtual networks and providing virtual load balancers, but for this piece the focus will be on security.

    Access to applications can be controlled and delivered using one of the products within the Horizon suite, App Volumes. This provides read-only access to virtualised applications: as a user requests an application, it is delivered instantly to the virtual desktop. Each application can be managed and updated individually without affecting all users or making changes to the offline VDI gold image.

    Workspace ONE

    Workspace ONE is VMware’s digital workspace platform. It integrates with the Horizon VDI infrastructure as well as with VMware AirWatch and SaaS applications, all of which can be delivered securely to any device.

    Users access Workspace ONE via a portal and can simply choose the applications they want to run or, if required, pick a full desktop session that will be delivered securely to their device.

    Access to applications can be controlled by different user identification methods: on-premises LDAP access, SAML-based access and federated Single Sign-On (SSO).

    SaaS applications can be delivered to users using SAML-based SSO from the same portal, along with public mobile apps if required. On-premises applications can be delivered in real time using App Volumes with granularly controlled access, and internal web apps can also be delivered through a secured browser and seamless VPN tunnel by combining NSX with AirWatch Tunnel.

    Multi-factor authentication can be added if required using third-party authentication brokerage services such as RSA SecurID and Imprivata Touch and Go, among others. Endpoint devices can even leverage biometric services as a form of authentication.

    Further conditional access can be added, for instance based on the strength of authentication, the user’s location, network access and device compliance (protection from rooted or jailbroken devices).


    A digital workplace improves IT manageability, agility and scale whilst providing end users with an excellent experience from anywhere they choose and from any device. Combining Workspace ONE with a Horizon VDI solution protected by NSX provides a single access point and a secure digital workplace for end users on any device.

    To explore a secure digital workplace further, please get in touch via your Insight account manager to speak to a solutions specialist.