Virtualization Technology News and Information
A Better Alternative to the 5 Most Common (but Inadequate) Approaches to Secure Remote Workspaces

By Tal Zamir, Founder, CTO, Hysolate

One year after the COVID-19 outbreak, more and more organizations around the world are acknowledging that the "short-term" changes they instituted to address social distancing and business continuity are most likely here to stay. Chief among them is the idea that many workers will be returning to the office only on a part-time basis, if at all.

To stay in business, organizations must enable their workforce to function remotely in a secure and productive manner. They must also take into account the cost, scalability and manageability of the various remote workspace options.

How are organizations tackling the remote-work challenge today? We can run through the five most common approaches, but what you need to keep in mind is that none of the big five is truly viable for the long haul.

Option 1: Just Say "No" to Remote Work

Some organizations on the extreme end of the spectrum do not allow employees to access corporate apps or data from home. This applies to some government/military organizations, but it's also the favored approach taken by some of the more conservative, data-sensitive industries, including financial services and healthcare, among others. One need look no further than the experiences of the past year to see why allowing no remote workspaces is completely untenable.


Option 2: Lock 'Em Down

Some organizations choose to provide employees with corporate locked-down endpoints. These are managed laptops with many restrictions, like being limited to connecting to the corporate network only via an "always-on" VPN solution. Further, users may not have local admin rights (which prevents installing many productivity applications), they may not be able to plug in thumb drives, and they likely are prohibited from browsing the full web, etc.

Employees are typically frustrated by these locked-down laptops because they are less useful or more burdensome in a remote setting. For example:

  • Workers might not be able to use that laptop to simultaneously work with corporate-related apps and productivity/collaboration apps, which forces them to constantly switch between multiple devices -- a factor that degrades productivity and annoys users.
  • Users typically don't have two sets of peripherals (multiple monitors, keyboard, mouse, power supply, etc.) at home. This means that switching between their personal laptop and their corporate laptop requires them to disconnect their peripherals and then reconnect them to the other device.
  • When users travel (which will happen again some day), they might need to carry an additional laptop with an additional power supply just to be able to work with corporate apps.
  • Users won't be able to print with their home printers when the VPN solution doesn't allow connectivity to their home network and when USB policies prevent the connection of USB printers.
  • Always-on VPN solutions might introduce friction between various WiFi networks that require authentication or present a "captive portal" before the user can access WiFi.
  • Troubleshooting issues with malfunctioning corporate laptops is trickier when performed remotely. A corporate laptop that fails to connect to a VPN or receives a faulty Windows Update and therefore doesn't boot requires re-imaging or re-provisioning of the laptop/OS remotely, which is a time-consuming and complex operation.

Option 3: Bring Your Own and Hope for the Best

Some companies let workers use their personal laptops/desktops to directly connect to corporate apps and data. Organizations using this approach might require users to connect through a cloud-based access broker (AKA "zero trust") or simply allow direct connectivity to cloud-based apps like Office365, G-Suite or Salesforce. This approach is typically convenient for users. They might need to provide additional authentication (2FA) to connect, but they can still use their existing personal devices.

This approach, however, is riskier compared with the alternative of corporate endpoints:

  • Personal devices can easily become infected in a variety of ways -- via web browsing, email, infected external devices, malicious user-installed apps, pirated software, malicious networks, etc.
  • Once user devices are compromised, attackers can fully impersonate the users and take over their accounts, steal corporate data, or do other harm to corporate systems.
  • OS health checks performed by some zero trust solutions wouldn't protect against persistent attackers, because those checks run inside, and trust the reports of, the very OS that may already be infected.
  • This architecture makes it easier for insiders to leak data at scale.


Option 4: Your Endpoint, Our Tunnel

Some organizations let users connect from their personal devices, but via a VPN client. This popular traditional route forces users to connect through a VPN to access corporate apps and data. On top of the issues mentioned in Option 3, this introduces additional challenges:

  • The user's experience might be degraded if home network connectivity (bandwidth and latency) is not robust enough. Some applications (particularly data-intensive communication apps) suffer when the network conditions are not ideal.
  • If the connection to enterprise cloud-based resources is achieved via the VPN as well, the user has to suffer an unnecessary hop in the network through the corporate network before reaching the final destination in the cloud, further increasing latency and bandwidth issues.
  • If the enterprise doesn't allow "split tunneling" (allowing the user to simultaneously connect to the corporate network via VPN and to the user's home/external network), the user cannot enjoy direct access to cloud resources such as YouTube or other sites for training videos, or to non-sanctioned open-source code repositories like GitHub while accessing corporate resources over VPN. On the other hand, if the enterprise does allow split tunneling, it gives more flexibility to malware that can communicate with a C&C/exfiltration server on the internet (via the home network) while it is also actively connected to the corporate network -- practically connecting the corporate network to the wild internet.


Option 5: BYOPC + VDI

Like Option 4, this alternative lets users connect from their personal devices, but via VDI. Workers will use their personal laptops for their personal apps and a remote VDI desktop for corporate apps. On top of the issues above, this option introduces additional challenges:

  • The user experience of VDI over a bad network connection is challenging. Every action the user performs is subject to additional latency, which leads to significant frustration for users.
  • Some applications, such as VoIP, video and 3D, don't work properly in a VDI environment.
  • The organization's VDI infrastructure (either on-prem or in the cloud) might not be ready for a massive number of users connecting simultaneously. This means that the user's experience would be further degraded: applications would not respond; the network would be choked; and the data center's underlying storage devices would not be able to serve data for VDI fast enough.
  • Users cannot continue working on corporate apps/documents offline.
  • The solution is expensive, especially if it has to support a massive number of users.
  • With VDI, malware that controls the user's physical device can still take over the VDI desktop accessed from that device.


OS-Based Isolation: The Better Alternative

There's an alternative to these traditional approaches to remote workspaces that doesn't limit the user's freedom and doesn't compromise corporate security. It capitalizes on virtualization, but in a novel way. With OS-based workspace isolation, IT can split a user's device (either corporate-owned or personal) into higher-risk and lower-risk isolated environments so users can work freely without compromising security.

Workspace isolation allows IT to manage the behavior of the workspace from the cloud, while the VM workload is running locally on the user's machine. For the IT administrator, remote management allows for instant provisioning of the additional hypervisor-isolated operating system, splitting the physical device into two environments. For the worker, the user experience is native, free of the lag and bandwidth issues that can bog down legacy VDI and VPN approaches, and free of restrictions on activities they need to engage in to do their jobs.

This approach provides several distinct advantages:

  • There's no need to manage another OS image for the virtual machine. The VM is instantly provisioned based on the corporate OS already running in the machine and is always up to date. Further, the VM looks and feels to the end user like just another space on the laptop screen.
  • Organizations can limit what users can do in the corporate environment while still providing them with the latitude to take any action on the isolated OS running on their device, including visiting any website, installing any app, getting local admin rights, and using modern cloud collaboration tools.
  • If a user clicks a link or installs an app that turns out to contain malware, there will be no impact on the corporate OS and no corporate data will be stolen/encrypted. The malware will be confined to the isolated OS running on that designated VM workload. Because the VM is tunneled out of the corporate network, the malware (ransomware included) won't be able to move into that network. In a single click, IT can revert that OS back to a clean snapshot and users can go back to business as usual.
  • This isolated workspace can be provisioned to new users in minutes, is fully scalable, and can be wiped instantly after a task is finished or when employment ends.

OS isolation is the next phase of workspace evolution -- one that offers elegant, unencumbered protection against cyberthreats. As organizations move toward near-permanent reliance on remote workers, this methodology provides employees the IT freedom they seek while keeping corporate assets safe and secure.

Tal Zamir

Tal is the Co-Founder & Chief Technology Officer of Hysolate. A passionate entrepreneur and veteran R&D leader with 15 years of experience in the cyber and IT domains, Tal has been building and hacking software for decades.
Published Friday, March 26, 2021 8:42 AM by David Marshall