ZTNA Is The Foundation Of Great VDI Deployments

Companies that were already using a hosted desktop solution, be that rack workstations, Virtual Desktop Infrastructure (VDI) or Desktops-as-a-Service (DaaS), probably found it a lot less onerous to shift their team members to remote and hybrid work during the pandemic. Others were eager to implement a solution, resulting in a major uptake in hosted desktop environments to enable a more modern, work-from-anywhere system that ensured employees stayed both safe and productive. 

Ensuring the safety and utility of enterprise data and applications becomes the next priority. Despite our best intentions, ensuring security in hosted desktop architectures can be a challenge.

Even though some parts of these environments are typically managed on-premises, organizations invariably use some combination of cloud/hosted and centralized resources. This is why I always advise applying the principles of Zero-Trust Network Access (ZTNA) in any hosted desktop deployment. 

Gartner came up with the term in a 2019 report on endpoint security, defining ZTNA as “an identity- and context-based, logical-access boundary around an application or set of applications.” It’s important to point out that ZTNA is not a product or technology. Instead, it’s a governing set of principles or goals around identity management, access control, and transparency.

To break that down further: 

ZTNA is “identity-based”:   Establish the user’s identity before they are granted access to corporate resources.

ZTNA is “context-based”:   Build access control rules according to the role, workload, hours of operation, and other contextual criteria. 

ZTNA employs a “logical-access boundary”:   A control plane consisting of secure gateways and a connection broker manages access, regardless of locations and devices from which users log on.

And there you have it! Well, perhaps not yet. Within each of these frameworks are some important processes for zero-trust security in hosted desktop implementations.

Identity

Multifactor authentication (MFA) should be required to verify each user. Fortunately, hosted destkop management platforms generally allow ample flexibility in the types of authentication servers and providers organizations can use, including standardized identity management services. This helps simplify integration. 

A strong MFA and identity management system should give you many choices of factors, because these may differ depending on the kind of organization you run, the tasks your users perform, and your security culture. You may want stricter MFA standards for executives who have access to intellectual property, or sales reps who can view customer financial information. 

It is not unusual for government agencies to require that one factor be a secure token generated only on a government-issued device. For a call center, on the other hand, a more lenient sign-in process would suffice. In settings where outside contractors or project-based workers only need access to a machine while doing that specific job, time-based/one-time passwords are likely to be fine. 

Context

Context is how—and why—specific access policies are applied to those identities. A user’s role in the organization is probably the main factor for determining what resources they are entitled to access, but other common contextual signals are device, device health, geographic location, and time window. 

As you can imagine, policies can become complex, and setting up ZTNA-based access control rules is time-consuming for large user pools, large data sets, and/or hybrid environments with both cloud and on-premise resources. Hosted desktop management platforms go a long way towards simplifying this chore by automating as many configuration tasks as possible. 

I recommend setting up standard policies for different groups of users and roles, so you can onboard a new employee by simply adding their identity to the appropriate group. For example, third-party contractors could have access to the applications they need via public cloud without gaining access to the corporate network. 

Logical-access Boundary

In a zero-trust environment, a logical-access boundary replaces the physical boundary or perimeter security model of the past that sealed off networks to outside access. Instead, a security gateway with a connection management platform can control access and execute policies even for remote workers. The connection/trust broker manages remote access more or less to the letter of ZTNA principles: authenticate first, control access, and audit the trail. 

VDI is typically hosted and managed on an organization’s own infrastructure, but in a hybrid environment with a combination of cloud and on-premises applications and desktops, there may be fewer choices in connection broker platforms. Organizations often use the same access policies for on-premises workers, so a purely cloud-based trust broker may not be appropriate. Some providers offer both cloud-based and on-premises solutions that work in hybrid scenarios. 

ZTNA-based practices are ideal for hosted desktop deployments enabling remote work: you achieve identity- and context-based access, with a logical-access boundary that enforces security. 

Karen Gondoly is CEO of Leostream                                       Image: Arthur_Bowers

You Might Also Read: 

Mapping Out The Journey To Zero Trust:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Cyberwar In Israel & Gaza
Cyber Security In Space Communications »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ForgeRock

ForgeRock

ForgeRock, the leader in digital identity, delivers comprehensive Identity and Access Management solutions for consumers, employees and things to simply and safely access the connected world.

Athena Forensics

Athena Forensics

Athena Forensics is one of the UK's leading providers of Computer Forensics, Mobile Phone Forensics, Cell Site Analysis and Expert Witness Services.

Apcon

Apcon

Apcon's mission is to provide valuable network insights that enable security and network professionals to monitor, secure and protect their data in both physical and virtual environments.

Cyberbit

Cyberbit

Cyberbit empowers cybersecurity teams to be fully prepared with a product portfolio ready to detect and respond effectively across both IT and OT networks.

WizNucleus

WizNucleus

WizNucleus develops, markets and supports a software platform (Cyberwiz-Pro) that enables Critical Infrastructure enterprises to ensure the future state of their cybersecurity and remain compliant.

Edvance

Edvance

Edvance operates a range of cybersecurity businesses including value added cybersecurity solutions distribution, security technology innovation and development, and SaS solution offerings.

Ashley Page

Ashley Page

Ashley Page offer a unique cyber insurance and risk management solution - Cyber+Insure.

Careerjet

Careerjet

Careerjet is a leading online job search engine with a large presence worldwide, sourcing millions of job ads from thousands of websites from all over the world in areas including Cybersecurity.

Ten Eleven Ventures

Ten Eleven Ventures

Ten Eleven is a specialized venture capital firm exclusively dedicated to helping cybersecurity companies thrive.

Grayshift

Grayshift

Grayshift is the leading provider of mobile device digital forensics, specializing in lawful access and extraction.

ATHENE National Research Center For Applied Cybersecurity

ATHENE National Research Center For Applied Cybersecurity

ATHENE is the largest research center for cybersecurity and privacy in Europe, conducting application-oriented top-level research for the benefit of the economy, society and the state.

Port443

Port443

Port443 specialises in providing Security Orchestration, Automation and Remediation (SOAR) "as a service".

Evo Security

Evo Security

Evo Security is an Identity and Access Management company focused exclusively on serving MSPs, MSSPs and their SMB and Mid-Market customers.

NewEvol

NewEvol

Don’t React, Evolve! Outsmart threats with real-time AI-powered dynamic defense capability of NewEvol all-in-one cybersecurity platform.

Getvisibility

Getvisibility

Getvisibility enables customers to detect, classify and protect sensitive information increasing data security, governance, compliance and lowering the risk of losing valuable data.

WIIT Group

WIIT Group

WIIT Group are focused on a single goal: securing our clients’ critical processes and enabling them for digital transformation.