Zero trust network access for Desktop as a Service
When you support a remote workforce, you risk opening your data, applications, and organization to the world. How can you sleep soundly at night while enabling a modern “work from anywhere” workforce?
Acknowledging the inherited security challenges in remote access is a good place to start. From there, design your Desktop as a Service (DaaS) offering using concepts and solutions that implement zero trust network access.
Zero trust network access (ZTNA) includes technologies that provide secure remote access to applications, desktops, and data based on access control rules. In the context of DaaS, implementing ZTNA essentially requires a secure gateway managed by a flexible connection broker.
Step 1: Authenticate users accessing your environment
Zero trust begins with user authentication, and multi-factor authentication is a must. ZTNA for DaaS must implement MFA but also allow for MFA methods to be chosen and changed based on the user’s location.
For users returning to the office, you may be able to consider the keycard the used to access the building as one of the authentication factors, then authenticate them into your DaaS environment with a single username/password factor. However, if that same user is working from home, perhaps you should require that they enter a username/password and a one-time password token (OTPT).
You can balance end-user experience with security by taking the user’s physical location into consideration.
Step 2: Identify what they are allowed to access
The key to ZTNA is the access control rules that indicate what assets an authorized user may access. Just as with authentication, access control rules should take the user’s physical location into consideration, changing what the user may access based on whether they are in the office, at home, or on the road.
In the case of ZTNA for DaaS, the access control rules have the added benefit of allowing you to pool and share resources, leverage hybrid hosting platforms, and manage peripherals (e.g., printers and USB devices).
Step 3: Connect users from anywhere
All ZTNA solutions have one thing in common: they require you to ditch your VPN. That’s a good thing because VPNs are less secure if they open up your entire network to authenticated users, and they have negative scaling and performance consequences.
For ZTNA with DaaS, replace your VPN with a secure gateway that is intelligently controlled by the connection broker that implements your access control rules. Ensure that you architect a solution that includes gateways for all the possible combinations of where users may log in from and what they need to connect to.
Step 4: Provide adequate performance for their connection
Another aspect to keep in mind when selecting a gateway is how it handles the user’s connection traffic. You want to improve the user’s connection performance, not replace the performance bottleneck associated with your VPN with a new type of bottleneck.
Also, consider what type of display protocol your chosen gateway supports. Task, knowledge, and power workers all access different types of applications and data, and the display protocol used to connect to those resources needs to be functioning well enough to provide an at-desk experience for each type of user.
Step 5: Maintain visibility into what users are accessing
No matter how carefully you implement ZDNA in your DaaS environment, if you really do want to sleep at night, you need to always monitor user access. Knowing who is logging in, from where, what they are connecting to, and how long they are using it allows you to track trends, look for outliers in user behaviors, and even plan for the future.
Remote work is here to stay, whether that means working from home, from a job site, or from the office and connecting to the cloud. Make your CISO proud while keeping employees productive by blending zero-trust concepts with seamless end-user experience, and make your modern workplace a reality.