Adaptive Segmentation, micro-segmentation | March 13, 2020

Virtual Desktop Infrastructure (VDI), Real Productivity

Dan Gould, Sr. Product Marketing Manager

Remote productivity, when employees can't be in the office, has never been more important.

Technologies like video conferencing or employer-issued laptops are helpful, but many companies don't find it necessary to issue laptops. Even when they do, employees working remotely have to connect to the corporate network with a remote access VPN. The challenge is that when more employees begin to work remotely, it is a time-consuming and expensive process to upgrade the VPN infrastructure to support them all. Most VPN infrastructures are meant to support only a fraction of the employees and contractors connecting into it, not a good chunk of the workforce.

However, what else has been equally helpful in allowing us to be productive when remote? Virtual desktops. Virtual Desktop Infrastructure (VDI) lets employees or contractors log in and work from any personal device through a client application delivering a desktop-as-a-service. Given its usefulness – and the fact that many employers do not issue personal laptops – VDI is as important as ever, with cloud companies like AWS offering WorkSpaces or Microsoft offering Windows Virtual Desktop.

The productivity this affords is powerful. However, security is a natural concern in a world where you theoretically have lots of employees sharing the same space in the cloud. This means we must adopt a Zero Trust mindset: facilitate remote productivity while properly securing and segmenting environments so workers can access only the right resources and nothing more.

In this particular instance, the VDI desktops may be managed by the cloud provider, but they are connected to an organization's other cloud environments/VPCs and on-prem environments. You can see that preventing inappropriate access or lateral movement is vital. 

How Illumio helps

Our Adaptive User Segmentation capability lets organizations using VDI apply least-privilege access to control precisely which applications workers are allowed to access. We can also ensure that all data in motion between cloud workloads is encrypted.

With hooks into Active Directory (AD), Illumio regulates access policies to applications in VDI based on user identities and group memberships.

Let's look at an example:

  1. An administrator creates a security policy in the Illumio PCE using AD group names. In this example, the policy allows all users belonging to the Sales AD group to access the CRM application.
  2. Kate, Mike and Ken, who are all contractors, log into their virtual desktops.
  3. The Illumio VEN, installed on the workload hosting the virtual desktop, retrieves the security policy for them from the PCE based on membership in the AD group.
  4. They are allowed access to the CRM but can't reach or see any other applications such as ERP or the HR management app. Naturally, they cannot access any other cloud or on-prem resources either.


What's more, we do all of this without touching the network, and we encrypt all data in motion between cloud workloads. This approach also limits the headaches and costs tied to remote access VPN infrastructure upgrades.

Read more on how our strong protection of VDI with Adaptive User Segmentation is another benefit of the Adaptive Security Platform. This is more relevant than ever to allow businesses to thread the needle on security and remote user productivity.

Better yet, we encourage you to try Illumio for free.

TL;DR: My colleague Neil and I sat down (from a good 50 miles apart) to discuss a world of remote work, moving to VDI, and how segmentation helps you stay secure and productive. We'd love for you to join the conversation, or if you have questions, ask away.


