Companies these days are very security conscious, and large data breaches seem to be a daily occurrence: Verizon, Equifax, Deloitte and Whole Foods, just to name a few. Meanwhile, research firms are reporting a significant upward trend in both work-from-home and BYOD initiatives, either demanded by employees or adopted by companies looking to reduce real estate and corporate assets and gain broader access to talent. So a big question is: how do you secure this type of employee and increase your odds of not being the next name in the news for a data breach?
A Virtual Private Network (VPN) is a popular option, the most common type being an endpoint or client VPN. An endpoint or client VPN allows a laptop or desktop to establish a secure connection, or tunnel, to your corporate organization, most commonly terminating on a firewall that acts as the VPN terminator or concentrator. Once the endpoint establishes the VPN tunnel, the user is allowed to access only those corporate resources that are specifically configured in the VPN access policy.
VPNs have been around for years and have been a very popular solution for extending corporate networks to remote user populations. If you are a skilled network engineer, they are easy to set up initially. The firewall vendors also make clients compatible with a wide range of devices. Organizations that don’t want to expose some of their internal resources, like SharePoint and other intranets, to the Internet can also benefit from this technology.
As with anything, times are changing. More and more workloads are moving to the Cloud, and the VPN solution is becoming outdated because your services are no longer located only in your office or datacenter; they are a combination of on-prem services and Cloud-based ones (SalesForce, Office365, Five9, Workday, Concur, ZenDesk, etc…). How does your company centrally control access to these systems while keeping a security-focused posture?
The Security Issues with VPN
While VPN solutions offer some security benefits, they also leave a lot of issues unaddressed.
There are both pros and cons to endpoint/client VPN tunnels. The number one pro is the ability to download data to your endpoint (desktop, laptop, tablet, etc…) and work on the document offline, or more simply put, without an Internet connection. This pro brings many associated cons with it: how are you preventing data leakage, how do you ensure the data is encrypted at rest on the endpoint, and what data protection are you using to back that data up? Companies that use an offshore workforce can really benefit from cheaper labor, but using a VPN solution that allows your sensitive data to leave US soil can be problematic and may cause you to fall out of security compliance, or even worse, your intellectual property may be stolen.
Client VPN tunnels also don’t address the risk of a ransomware attack infecting your entire network. When an endpoint that is infected with ransomware makes a connection to your corporate network, it can spread the threat throughout your organization. This can result in a very costly and sometimes unrecoverable loss.
Clearly, that pro of being able to work offline has a bag of cons tightly attached.
Because VPN solutions only create a tunnel between the corporate network and the desktop, they also don’t do much to help keep the physical endpoints updated, patched and secure. This still requires per-device attention from IT, or you’re left relying on end users to keep their machines updated and secure. There are organizations that still operate in this model, but they need to invest in a lot of additional technologies to help manage and operate this environment securely. The chances of a breach are higher in this model.
Another common issue when relying on VPN is the difficulty of troubleshooting for remote employees. Software like “GoToAssist”, or many others that use a client installed on the local endpoint, is one option, or you can opt for a screen-sharing solution. While these are possibilities, they involve considerable setup, as you have to install the software manually on each desktop – including employees’ personal devices in BYOD situations. Maintaining it while the device is outside your network isn’t easy either.
VDI and Virtual Desktops
Now that we have a better understanding of what a VPN connection is, let’s talk about virtual desktops, cloud desktop workspaces, DaaS or VDI, whichever nickname you are more comfortable with. When you look at preventing data breaches and really focus on centralized management of that data, virtual desktops are a shining star. Your organization can confidently enable work-from-home and BYOD programs, as your data always stays safe in the data center. Employees with any device and an Internet connection can log in to their corporate-issued virtual desktop, where they can access all of their work files, intranets and applications securely, over the latest encryption protocols. In addition, they no longer require high-bandwidth connections, as the data does not actually download to their endpoint: the virtualization software only sends screen pixels one way and mouse movements and keystrokes the other. This eliminates the need to worry about encrypting the hard drive of the endpoint in the event the device is lost or stolen (something that is still required for a secure VPN).
Other advantages of using virtual desktops over a VPN solution include less time spent troubleshooting. When you centralize your desktops in the datacenter, IT staff has a wide array of toolsets to support end users. If an employee is having problems with an application, a tier-1 support tech can open a portal and view all the statistics of the end user in question. They can see how much RAM, CPU and disk the end user is using. They are able to send a request to the end user to gain access to view their screen, which really helps expedite the troubleshooting. Another advantage of virtual desktops is the use of a golden image. You can install applications on a single desktop, and all changes are replicated to all other virtual desktops in that pool. This ensures all users are always running the same exact version of the software, which really optimizes your support posture. If the latest zero-day threat is released, you are able to update all of your machines at the same time, or in phases, without having to touch each one individually.
When considering PCI or HIPAA compliance workloads, the advantages of the desktop staying in the data center are almost endless. How many times have you heard of companies having to pay for identity theft protection because an employee lost a laptop that had regulated data on it? As time goes on, more and more guidelines are being enforced to ensure companies are keeping their customers safe. When a desktop leaves your premises with data on it, you are setting yourself up for more risk. VPN does not help in this situation, since data is still ultimately downloaded and potentially stored on the endpoint.
Both VPN and virtual desktops can be secured, but virtual desktops present the least risk to data, as they keep data protected all the way through to the endpoint and offer IT teams a faster, easier way to patch known vulnerabilities.