When to replace, or complement, a VDI Environment with a Security Service Edge (SSE) platform
The majority of organizations use some kind of VDI environment for remote access today. Whether it’s for their employees looking to access private resources for day to day life, a recent merger or acquisition, or third-party user access. Popular VDI technologies include on-premises VDI solutions like Vmware Horizon, Citrix XenDesktop, or Desktop-as-a-Service options like Amazon Workspaces, and Windows Virtual Desktop.
With 65% of organizations looking to adopt Security Service Edge (SSE) services in the next two years, one of the most common questions we get asked is can SSE replace VDI? Can SSE complement VDI?
The most important thing to consider before answering either of these questions is understanding the different ways VDI is used today. Below are seven common use cases for VDI technologies that we’ve seen.
- Granular access – Minimizing over privileged access to key business resources
- Visibility into traffic – VDI can be used to route traffic through on-premises security appliances
- Data loss prevention – ensuring sensitive data is not stored or placed on the end users smartphone or desktop, while also ensuring data remains within the corporate environment
- Desktop environment management – Frictionless desktop experience and allowing connectivity from a variety of end user devices via browser
- License optimization – Instead of have a license every user, VDI allows for hosted pools, which are a collection of one or more identical virtual machines
- Data optimization – Reducing latency or lag due to client-server connections
- Traditional application support – Support for legacy protocols (i.e. Windows 2003)
One of the most exciting benefits of SSE is their ability to ensure secure access to specific business resources, without requiring network access. The policies that are created within, and enforced by the service, allow for advanced access control via policies that determine the context in which data can be accessed. Another key capability is the visibility into all session traffic that is made available to security and network admins. User logs can be used to determine which users access what resources, commands used, content that was downloaded etc. Role based access controls even help to ensure privilege account management to control visibility levels of sensitive data for compliance needs. These SSE capabilities can either replace VDI, or be coupled with the remote access solutions for a potent combination – depending on the use case.
SSE services can be used to replace VDI in the above use cases 1, 2 and 3. So, if these are the main reasons for using VDI, IT leaders can feel confident that an SSE service can be used to help remove the need for VDI. That means granular security, and a seamless experience – without springing for expensive VDI licenses.
For use cases 4,5,6 and 7 SSE is best used as a complement to the VDI technology to introduce more security and control over the environment.
See the image below for an example of accessing SharePoint with our Atmos ZTNA solution, part of our Atmos platform, or a combination of Atmos ZTNA and VDI, together.
One easy way to reduce the exorbitant costs of VDI, and adopt zero trust security, is to think about potential use cases where using SSE would be best within your business. The low-hanging fruit.
- Insurance brokers or healthcare professionals – For example, if you are an Insurance company, you most likely employ insurance brokers that are technically third-party users. These brokers need access to web-based applications running in your application portal. Granting these brokers secure access to your portal becomes a breeze with SSE. This is the same for healthcare institutions that employ healthcare professionals who technically do not work for the hospitals they work in
- B2B customers or supplier access – if you are currently using VDI to connect B2B customers ro resellers to web portal resources to learn about your products, or suppliers to web-apps to create or cancel orders, using SSE could be a better option than VDI.
- M&A – Perhaps you’re an organization who often grows through mergers and acquisition. Standing up an expensive VDI stack becomes unnecessary if your goal is simply to allow newly acquired employees to access birth-right applications like HR and benefits. SSE not only saves money, but is much easier to manage, and more secure in this case
- Financial advisors or auditor access – Or perhaps you’re an organization that has auditors (E&Y, KPMG, etc.) who need access to your books, SSE can be a great, cost-effective alternative to VDI if these apps.
Ultimately, determining whether to replace VDI with SSE, or complement, is really up to the customer. They must take the time to first understand how they are using VDI today, then look for ways to reduce VDI use where possible by using SSE. After-all, placing users on a /22 network, and poking holes in firewalls, just to allow access to VDI environments is not ideal when it comes to protecting the network from threat actors and malware. And, neither is spending on pricey VDI licenses. The good news is that in many cases there’s a new alternative for IT to leverage.
Cheers to SSE.