Adaptive Segmentationmicro-segmentation March 13, 2020

Virtual Desktop Infrastructure (VDI)

Dan Gould,

Remote productivity, when employees can't be in the office, has never been more important.

Technologies like video conferencing or employer-issued laptops are helpful, but many companies don't find it necessary to issue laptops. Even when they do, employees working remotely have to connect to the corporate network with a remote access VPN. The challenge is that when more employees begin to work remotely, it is a time-consuming and expensive process to upgrade the VPN infrastructure to support them all. Most VPN infrastructures are meant to support only a fraction of the employees and contractors connecting into it, not a good chunk of the workforce.

However, what has been even more helpful in allowing us to be productive when remote? Virtual desktops.

What is VDI

Virtual Desktop Infrastructure (VDI) lets employees or contractors log in and work from any personal device through a client application delivering a desktop-as-a-service. Given its usefulness⁠—and the fact that many employers do not issue personal laptops⁠—VDI is as important as ever, with cloud companies like AWS offering WorkSpaces or Microsoft offering Windows Virtual Desktop.

Benefits of VDI
Virtual desktop infrastructure enables workforce mobility and makes it possible for employees to access their files and work from any location. Beyond remote access, VDI has several additional benefits for your business.

  • Increased Security. In virtualized desktop environments, all data lives on the server instead of on the end client. This means that if a device is ever stolen or compromised, data isn’t put at risk.

  • Centralized Management. In the VDI environment, data is centralized and controlled from a data center. This allows software patches and updates to be applied for all virtual desktops. Additionally, configurations can be changed and policies can be enforced across desktops in the deployment. With data stored in a central server, control and security becomes much more convenient.

  • Cost Efficient. When using VDI, your company can save money on endpoint hardware. Since the majority of processing is done on the server, virtual desktops can be accessed from older and less expensive devices.

Risks of VDI
The productivity this affords is powerful. However, security is a natural concern in a world where you theoretically have lots of employees sharing the same space in the cloud. This means we must engage in a Zero Trust mindset: facilitate remote productivity while properly securing and segmenting environments so workers can only access the right resources – nothing more.

In this particular instance, the VDI desktops may be managed by the cloud provider, but they are connected to an organization's other cloud environments/VPCs and on-prem environments. You can see that preventing inappropriate access or lateral movement with network segmentation is vital. 

Persistent vs. Non-Persistent VDI Deployments

In a VDI environment, administrators can deploy either non-persistent or persistent desktops. The main difference between these two desktop types is the ability to save changes or permanently install desktop apps.

In a persistent VDI, a user’s changes to applications and data are saved, allowing for full personalization. Users can customize their virtual desktop with screensavers and shortcuts. This also provides increased usability as users are able to save personalized data and rely on saved shortcuts. However, persistent VDI is run with a 1:1 ratio of virtual desktops to images and profiles, meaning there is a lot for IT admins to manage. This type of deployment also requires more storage which can increase the overall cost.

Non-persistent VDIs don’t save any changes to a virtual desktop and create a new image with each login. Since nothing is saved after the connection is terminated, the reduced number of images makes it easier for IT admins to manage and secure profiles. Non-persistent VDIs also require less storage because the OS is separate from the user data. However, limited personalization is a drawback to this type of deployment.

How Illumio helps with VDI

Our Adaptive User Segmentation capability lets organizations using VDI call on least privilege access to control precisely what applications workers are allowed to access. We can also ensure that all data in motion between cloud workloads is encrypted.

With hooks into Active Directory (AD), Illumio regulates access policies to applications in VDI based on user identities and group memberships.

Let's look at an example:

  1. An administrator creates a security policy in the Illumio PCE using AD group names. In this example, the policy allows all users belonging to the Sales AD group to access the CRM application.
  2. Kate, Mike and Ken, who are all contractors, log into their virtual desktops.
  3. The Illumio VEN, installed on the workload hosting the virtual desktop, retrieves the security policy for them from the PCE based on membership in the AD group.
  4. They are allowed access to the CRM but can't reach or see any other applications such as ERP or the HR management app. Naturally, they cannot access any other cloud or on-prem resources either.

6-1

What's more, we do all of this without touching the network, and we encrypt all data in motion between cloud workloads. This approach also limits the headaches and costs tied to remote access VPN infrastructure upgrades.

Read more on how our strong protections of VDI with Adaptive User Segmentation is another benefit of the Adaptive Security Platform. This is more relevant than ever to allow businesses to thread the needle on security and remote user productivity. 

Better yet, we encourage you to try Illumio for free to see how your organization can implement VDI.

My colleague Neil and I sat down (from a good 50 miles apart) to discuss a world of remote work, moving to VDI, and how micro-segmentation helps you stay secure and productive. We'd love for you to join the conversation or ask questions. 

 

 

Adaptive Segmentationmicro-segmentation
Share this post: