What to Consider Before Using VDIs for Secure Access
A Virtual Desktop Infrastructure looks like a great match on paper. What’s not to like?
You know where it is on Friday night, with your apps and data on your servers, not cruising the internet or making out on someone’s BYOD. It seems safe since it forces web access through the ‘house’ security stack and requires an ID check at the front door. It can be restricted to users on your network via VPN, SD-WAN, or local network connection.
A VDI is nice to the old folks – offering legacy app support for older operating systems that you keep getting told “can’t upgrade – it’s too expensive” (but you still have to secure it). VDI looks like a cheaper “per date” expense for those looking to spend less on laptops. VDI also looks like a convenient way to date partners and contractors with laptops you don’t manage. But in the big picture, it is not cheap.
Comparing VDIs with Zero Trust Network Access solutions
So let’s compare typical remote access scenarios (including VDI) with Zero Trust Network Access (such as with Axis Security), when you’re looking for a fulfilling secure access relationship that doesn’t empty your wallet.
- Using a VDI solution for remote application access can cost $1,200 per person per year. This cost varies depending on whether you use a VPN, whether you still need that WAN, or whether you offer web access with a gateway. And remember, if you use a portal to the web, you need your full perimeter security stack to protect your organization.
- Using company-owned laptops with agents, VPN, and a WAN for remote access can cost $1k per laptop. This option offers the least visibility and control, and certainly isn’t zero trust.
- If you skip VDI and go for something like AWS AppStream to remotely access applications, you might spend $500 per user/year. This assumes AppStream even covers your use cases.
- Alternatively, Zero Trust Network Access (ZTNA) such as the Axis Security Application Access Cloud costs under $150/user/year. Plus you get better visibility, granular control, and end-to-end zero trust connectivity with security for your apps. That’s a much more affordable and secure long-term relationship.
VDI can be “high maintenance”, requiring a lot of setup and accessories when, in the end, all most IT architects want it for is secure access. Also, VDI doesn’t give you zero trust. There’s a lot more to a Zero Trust architecture model than what you get from standard VDI access, which answers no more than one of the use cases covered by a good Secure Access Service Edge (SASE) solution.
The best secure access solution for remote access
Axis Security App Access Cloud is a comforting voice of reason all the time, providing continuous authorization and monitoring of any user accessing any app in any location. Beyond that initial knock on the door and the obligatory authentication before letting the kids out on their date, Axis Security monitors and governs the entire access session like a high-class chaperon. The App Access Cloud looks out for the youngsters by tracking activity and providing application behavior during each session to make sure that no one is behaving oddly or aggressively in a way that’s out of character. And if they do, it cuts them off.
And lest we drift into creepy Big Brother territory, that just means Axis monitors each user session in context, based on adaptive policies that can change as the risk changes. This includes the ability to revoke or change access permissions if the session runs past the end of business hours. It also includes context-based limitations on copy and paste, print, or downloads based on attributes such as the user device (checking device security posture and hygiene). That’s a touch of data loss/leak prevention.
VDI doesn’t walk you home: although it may integrate with your directory or IdP, there’s no end-to-end zero trust connectivity. VDIs rely on public internet-facing portals or VPNs for connectivity, with weak encryption and IP or DNS leaks. These have been specifically targeted during a year-plus of remote work. (Ponder the NordVPN hack, the Cisco VPN zero-day, Pulse Connect Secure, and all those RCE attacks on web-facing applications.)
And if things ever go really wrong, the Axis Security App Access Cloud is there for you when your security team needs a step-by-step log of activity for incident investigations – or hey, for future capacity planning in the event that the relationship brings more kids into the picture later on.