The Role of Virtual Application Delivery in Secure Digital Workspaces

Security is a fundamental part of IT infrastructure today.  It can no longer be relegated to an afterthought or be considered a bolt-on solution. Instead, intrinsic security as part of any IT infrastructure solution is needed to defend business-critical data from modern cybersecurity threats successfully.  As businesses are finding new ways to empower remote workers since the onset of the global pandemic in early 2020, the struggle to secure remote connectivity has been a real challenge for many.  

Traditional remote desktop and remote connectivity solutions are plagued with a large attack surface that cybercriminals know very well.  The pandemic has demonstrated the importance of a secure digital workspace providing remote employees the ability to remain productive and at the same time carry out job duties in a secure way.  A modern approach that organizations are using to provide secure digital workspaces is Virtual Application Delivery.  What is the role of virtual application delivery in secure digital workspaces?  How does it shine from a security perspective when compared to traditional technologies?

What is Virtual Application Delivery?

Virtual application delivery provides solutions focused on delivering applications – not full desktops – to end-users through any HTML5 browser.  This approach drastically cuts down on the resources required to allow remote end-users to run business-critical applications.  Since the remote user is not consuming an entire desktop session but only running an application, it requires a fraction of the resources needed for full desktop sessions. 

When fewer resources are needed, this also decreases the cybersecurity attack surface.  Full VDI and Remote Desktop Session environments require many “moving parts” to deliver a full desktop session to an end-user.  The more infrastructure needed for the solution, the more vulnerabilities, and potential for attack from cybercriminals.  For most companies, it comes down to the majority of employees only needing access to applications.

Security and complexity issues with traditional virtual desktops

Organizations generally provide full desktop sessions using Microsoft Remote Desktop Services (RDS) or Virtual Desktop Infrastructure (VDI) environments made possible by VMware Horizon or Citrix Virtual Desktops. Let’s take a look at a few of the complexity and security concerns that have plagued these traditional technologies. 

Microsoft Remote Deskop Services (RDS)

Historically, Remote Desktop Services (RDS) has been fraught with security issues with the Remote Desktop Protocol (RDP).  Remote Desktops Services is notoriously known for misconfiguration.  Microsoft does not recommend Remote Desktop Protocol servers be placed on the perimeter.  Rather, looking at the reference architecture for RDS from Microsoft, it is easy to see the amount of infrastructure required to create a secure, performant RDS configuration.  It includes load balancers, Remote Desktop Gateways, RD Web servers, RD Connection brokers, and the Remote Desktop Session Host servers, to name a few.

Image for Cameyo blog post on virtual apps
RDS Deployment Architecture from Microsoft

Many businesses may forgo the recommended infrastructure and simply place the RDSH server directly on the perimeter for accessibility directly on TCP port 3389.  When you consider the myriad of vulnerabilities, including brute-force attacks and BlueKeep exploits that can lead to ransomware attacks and other cybersecurity threats, placing RDSH servers directly on the Internet is extremely dangerous. 

Even when organizations attempt to configure their RDSH architecture per Microsoft specifications, there is still significant room for configuration errors and misconfigurations resulting in vulnerabilities in the environment.  Also, network firewalls and load balancers must be configured appropriately for the right types of traffic and ports allowed, adding complexity.  Connectivity to Microsoft Remote Desktop Services allows all connections by default, meaning there must be other means in place to help protect against brute force attacks and different types of credential-based attacks.

Virtual Desktop Infrastructure (VDI)

Virtual Desktop Infrastructure is known for the amount of complexity involved with the solution.  Delivering full VDI desktops to remote end-users often requires complex clusters of compute, storage, and networking resources to ensure end-users are serviced appropriately with their desktop needs.  Most organizations build dedicated hypervisor clusters to service their VDI environments for performance and other reasons.  

In addition to the already complex nature of VDI, like Remote Desktop Services, it can be prone to security issues due to misconfiguration of the environment or improper design of the infrastructure and network connectivity.  Like Remote Desktop Services, in the case of VMware Horizon, you can expose the Horizon Connection Server directly to the Internet to service end-users connecting to pools of remote desktops.  It is not the recommended design.  VMware has a special-purpose Linux appliance called the Unified Access Gateway that serves as the edge connection point for connecting to the internal VMware Horizon environment and subsequent virtual desktops.  

Image for a Cameyo blog post about virtual desktops

 VMware Horizon VDI architecture

When designed and implemented correctly, both Microsoft Remote Desktop Services (RDS) and Virtual Desktop Infrastructure (VDI) solutions like VMware Horizon or Citrix certainly have their place in satisfying several use cases where full desktop sessions are required.  However, for many organizations that only need to serve out business-critical applications, they are complex and can introduce security risks when not implemented correctly.  Virtual application delivery allows businesses to deliver robust digital workspaces simply and securely.  

Cameyo – Simple and Secure Digital Workspaces

As organizations discover the power and simplicity of application virtualization and the modern implementation of virtual application delivery, desktop virtualization is not needed in many cases.  Cameyo provides a robust virtual application delivery solution that allows companies to have a seamless and straightforward way to deliver business-critical applications without compromising security.

Cameyo’s implementation of virtual application delivery allows businesses to deliver their applications, including legacy apps, with only the requirement of a modern browser.  Not only does Cameyo’s solution deliver a simple solution for virtual application delivery, but security is also at its core.  Cameyo provides intrinsic security built-in to secure both inbound connections and user data in each session.  

Cameyo security features:

  • Cameyo NoVPNCameyo provides a NoVPN solution, meaning there is no requirement for VPN connectivity for remote workers to access business-critical applications
  • Cameyo Port ShieldCameyo requires very few ports to interact with the solution.  These include ports for RDP and web connectivity.  
  • RDP port 3389 – Used for administrative tasks and installing applications on the Cameyo server
  • HTTPS 443 (this is configurable) – Used for end user connectivity to published applications
    • Port Shield closes external access to the specified ports at all times.  However, when an end user or administrator connects to the Cameyo portal and is authenticated, Port Shield orchestrates firewall rules on the Cameyo server to allow the specific IP address for an end user or administrator who has been granted access
  • Cameyo Layered RevertWith Layered Revert, Cameyo employs a volatile layer on which users work that is not attached to any specific user profile.  Session data is redirected to on-premises or cloud storage through a patent-pending I/O virtualization technology.  While the volatile layer with other changes are discarded, application data does persist.  When a new session is started, an empty layer is provided for the user session to take place. 
  • Cameyo Session Sync – Cameyo’s Session Sync technology allows end users to have access to specific configuration settings and user files that will follow them between settings.  Session Sync works in harmony with Layered Revert to ensure user data is persistent, while ensuring the session layer is pristine and secure upon each new connection

Wrapping Up

Providing secure digital workspaces for remote employees has become more important than ever before.  While delivering full desktops to a subset of users is still needed in certain use cases, virtual application delivery provides an extremely efficient, simple, and secure way to deliver applications to end-users.  

Cameyo provides secure application delivery for ANY Digital Workspace, allowing businesses to implement virtual application delivery in a seamless and secure way with intrinsic security built-in.  The security features it provides allow securing network connectivity for connections to application sessions and the user data itself.  This modern approach to delivering applications allows businesses to provide secure flexibility and mobility in a world going through a paradigm shift in the way work gets done.