Why you need ZTNA with Desktops-as-a-Service

By Karen Gondoly

By Karen Gondoly, CEO of Leostream

As the world increasingly works remotely, Desktops as a Service (DaaS) are becoming ubiquitous in many industries. Remote workers need access to cloud and on-premise data and applications, and delivering that access in a way that maintains productivity and security is one of IT’s most important tasks today.

Few vendors will acknowledge it, but organizations incur some level of risk whenever they implement DaaS. This is why I urge heightened security, and recommend Zero-Trust Network Access (ZTNA) in any DaaS deployment.

ZTNA is not a product or service per se; rather, it’s a set of concepts and practices that prioritize identity, authorization, good governance, and visibility. Applying the ZTNA model in remote access is the ideal way to protect data, applications, and the organization itself in the modern work-from-anywhere world.

Here is a basic action plan for using ZTNA principles to enhance DaaS security:

Trust no one

As the term implies, zero trust means zero. To establish trust, end users must first be authorized to even enter your environment. Currently the best system is multi-factor authentication (MFA). MFA is a foundation of the ZTNA playbook, because it’s a secure way to establish the end user’s identity, before they are granted access to the organization’s resources.

MFA should be required with any DaaS environment, but the factors can differ for various access locations. In your physical office, you can allow employees to sign-in with only a username and password, since they probably used a key or key card to get in. That’s still two-factor authentication: their sign-in credentials plus their physical key. When that same user is working from home, you will need different factors, for example, username and password and then a one-time password token or dynamic password.

Access control rules

Access control rules dictate the information and applications each end user or group of users is permitted to, well, access. Grant and restrict access based on the user’s identity, not the asset itself. Then fine-tune that privilege depending on locations, devices, and workloads for even finer-grained control if needed.

DaaS environments offer a great deal of flexibility to pool and share resources, use hybrid platforms, assign peripherals like printers, and other nice features; they also offer flexibility in creating access control rules. This is especially welcome when applying ZTNA practices to large user pools, large data sets, and environments combining cloud and on-premise resources.

Ditch the VPN

Also fundamental to ZTNA is eliminating virtual private networks (VPNs), which ironically introduce weaknesses. Using VPNs essentially opens the entire network to end users, when zero-trust dictates otherwise.

Secure DaaS requires replacing VPNs with a gateway managed by one or more connection brokers that carry out access control rules and other governance policies. With secure gateways and a connection broker, you account for the many different locations and devices from which users log in, and the various resources they need to connect to.

Secure it, but faster

DaaS will probably never be as fast for the end user as working on local machines, but properly configured, they should offer more than adequate performance for the workload. However, introducing multiple security checkpoints tends to slow connection traffic.

VPNs are notorious for choking performance, so replacing a VPN with a secure gateway goes a long way towards addressing the performance overhead of new security practices. Still, it’s important to maintain performance without introducing new bottlenecks, and deliver the expected end-user experience. If necessary, multiple connection brokers can be clustered to distribute the login and processing load.

Trust, but verify

No security, business continuity, or data protection system can be relied on if it’s untested and unaudited. Monitor for unusual activity and track user logins, login locations, resource connections and usage, length of sessions, and other details to ensure that nothing strange is going on. In other words, don’t even trust your zero-trust systems.

Along with troubleshooting, identifying potential breaches and vulnerabilities, this will help you spot trends in workloads to help prepare for the future.

My intention certainly is not to scare anyone away from DaaS. Quite the opposite: DaaS enables a level of remote and hybrid work that is necessary today as people work from home, from the office, from the road, and in the field, using data and applications that can also be anywhere. In fact, supporting a remote and hybrid workforce is likely the most relevant and in-demand IT skill today. Using the ZTNA model in a DaaS environment is the ideal way to keep your organization secure and your end users productive.


Karen Gondoly is CEO of Leostream, a remote desktop access platform that works across on-premise and cloud, physical or virtual environments.


No posts to display