By Mark Casey, CEO of Apcela

Millions of people worldwide have moved out of their offices to work from home. As a result, enterprises are looking for easily deployed technologies that let workers reach their business applications from home or wherever they happen to be. Virtual Desktop Infrastructure (VDI) fills that need nicely.

VDI virtualizes a number of Windows desktops on centralized servers in a data center and makes them accessible through a remote client or a web browser. Relative to a fleet of standalone PCs, VDI offers much better manageability because the virtual desktops can be built, patched and maintained from a single master image. VDI improves data security because data stays centralized on the server rather than residing on each user’s local device. The caveat is that the VDI hosts themselves become a concentrated, high-value target, so they need the same hardening, patching and monitoring as any other server, and client-side redirection channels (clipboard, local drives, printers) should be restricted, or the data will leave the data center anyway. VDI also promotes mobility and remote access. It’s like having an office on demand from anywhere, and for some enterprises it’s an intelligent replacement for VPNs.

As with everything else, VDI hosting is shifting to the cloud. This allows enterprises to rapidly expand their VDI farm without having to invest in more infrastructure in their on-premises data center. The cloud’s scalability can easily accommodate hundreds or thousands of new users when people need to work remotely. 

As VDI Goes to the Cloud, So Should Security

Regardless of where the VDI is hosted, enterprises still need a security stack around it to protect both the data and the desktop systems. VDI users will likely be accessing SaaS and IaaS applications and browsing the public Internet, and those activities need safeguards around them, including Data Loss Prevention (DLP), Secure Web Gateways (SWG), Next Generation Firewalls (NGFW), and Anti-Virus/Anti-Malware.

It’s really about applying security policy to everything that workers do, and that takes security infrastructure. The challenge is how to deploy that infrastructure so that it enforces the policies the organization needs efficiently, without adding cost or latency to every user session.

If the VDI is in an on-premises data center, there’s already a security stack there that the VDI can use. When the VDI is hosted on a cloud platform such as AWS, Azure, or GCP, the enterprise needs security in place to protect that backend. It doesn’t make sense to route traffic from a user’s local client to the hosted VDI in the cloud and then back to an on-premises data center to apply security controls; every such hairpin adds latency. Rather, hosting a security stack close to the VDI location, but not necessarily in the same cloud, is the optimal option.

Why not host the security in the same cloud as the VDI? Putting all the security in, say, AWS means it will work well with AWS, but it won’t serve workloads in GCP or Azure, or SaaS applications. Many security components still don’t integrate and run well in public IaaS. Also, the cloud-native security services such as DLP or AV from Microsoft, Amazon, and Google tend to be less mature than their established counterparts. For instance, many enterprises prefer their Blue Coat DLP over the Azure-native DLP because it is more capable.

This raises the question: where can the enterprise run its security stack so that it’s close enough to the VDI not to add latency, yet not locked into a single IaaS cloud?

AppHubs Host Security in Neutral Data Centers

The simple solution is for the enterprise to deploy its security stack in one or more application hubs (AppHubs). AppHubs are virtual data centers, with switching and routing equipment, deployed in carrier-neutral colocation facilities. The AppHubs are interconnected with high-capacity, low-latency circuits that form a high-performance core network.

At the edge of this network, an enterprise can directly connect its on-premises data centers, branch offices, and remote and mobile users to the core network. This model essentially brings the enterprise into the cloud with virtual data centers that create a distributed infrastructure. AppHubs are an ideal neutral location to host a security stack to protect cloud-based data and applications, including VDI. 

Having a network presence in a series of AppHubs allows the enterprise to peer directly with various cloud platforms and SaaS providers. In most instances, AppHubs are one hop or one cross-connect away from SaaS and IaaS providers. Peering means that traffic travels very short distances, keeping latency low and maintaining the performance of cloud-based applications.

Security Hosted in AppHubs Reduces Latency

How this works with VDI is best illustrated with an example. Consider the case of an enterprise organization using VDI hosted in the Azure cloud. The VDI users work in branch offices or their own homes. The company has an on-premises data center where it hosts a traditional security stack. It replicates that security stack in AppHubs in regions where its branch offices are located. Also, the enterprise uses various SaaS applications, including Office 365, and has applications hosted on AWS. 

Now, an end user fires up a VDI instance and wants to retrieve a document from OneDrive, which is part of Office 365. The VDI and Office 365 are both hosted by Microsoft, so they are close to each other on the network. The company wants to apply its Blue Coat DLP policy to the OneDrive document before the user can work with it. The document leaves OneDrive, routes to the AppHub data center via an ExpressRoute connection, gets the DLP treatment, and continues on to the VDI instance in Azure, all within one hop. The same path applies in reverse when the user saves the document back to OneDrive, which is where DLP on uploads matters most. Latency is minimized and performance is optimized, giving the user a satisfying experience.

Contrast that with a scenario without AppHubs. The document would leave OneDrive, route to the enterprise’s on-premises data center for security inspection, and then travel back to the cloud-hosted VDI for use. This long round trip adds considerable latency to the process and leads to a poor user experience.

In summary, cloud-hosted VDI needs a cloud-hosted security stack. Hosting that stack in an AppHub minimizes latency and makes the security services available to traffic heading to SaaS, IaaS, and even the public Internet. 

[Figure: VDI Diagram]
