work from home | Accops

What does your remote workforce need – VPN or VDI?

6 min read

As work from home is becoming the new normal, more and more organizations are looking to go remote on large scale for sustained periods. While evaluating various remote work solutions, organizations often find themselves choosing one between Virtual Desktop Infrastructure (VDI) and Virtual Private Networks (VPN). Although both options are capable of enabling remote working, they are based on two completely different mechanisms. VPN is a ubiquitously available tool which comes in-built with all firewalls. Although easy to deploy, it poses some serious security and management issues. VDI is a more secure solution where all business applications and the corporate environment are hosted within data centres or cloud, and delivered to end-users in the form of virtual applications or virtual desktops.

Although both VDI and VPN provide secure encrypted connectivity to corporate networks over internet to all users, irrespective of their physical location, which is the very basic need from a work-from-anywhere solution, VDI scores over VPN by satisfying a lot of other business needs.

VDI benefits organizations by offering better security, more flexibility and strong control over data, as compared to VPN.

Security while providing remote access

1. Preventing cyberattacks on corporate networks

When a user gets connected to the corporate network through an L3/L4 VPN, his/her device is bridged to the network. This, in essence means, that as long as the user remains connected, the end-device remains a part of the network. It gets a virtual IP address which is routable within the corporate network. So everything, including malware, keyloggers that is present in the end-device, will now have the same access as the user would have when working from office network directly. So, any malware attack at the endpoint is capable of spreading and infecting the entire network and all the other devices connected with the network. The exposure of the corporate network also allows malware to discover the internal network topology for planning the attack later. Thus, despite providing seamless connectivity, VPN increases the possibilities of malwares entering the corporate network. It is to be noted that an application gateway (L7 only VPN) will not have such issues.

With VDI, there exists only a secure https-based connection between the user and the corporate network. The end-device never really gets connects to the corporate network directly, and sends traffic only to the VDI application and nothing else. The IP address assigned to the end devices cannot be used to route traffic internally in the corporate network. So, there is no possibility of a malware residing in the end-device to gain access to any business application in the corporate network.

2. Mitigation of risks arising from unpatched, out-of-date devices

In a generic L3/L4 VPN solution, when a user is working with corporate applications, the original corporate data gets to stored in his/her device. Stealthy malicious forces residing in the endpoints, of which the users are unaware of, shall get access to those files, resulting in losses of valuable data. So, if an access is made from a device that does not have the best possible security posture, the risk of a malware attack looms large.

In case of VDI, data never enters the endpoints, and always resides in the controlled cloud or data center environment, which mitigates the data security risks posed by malicious forces potentially sitting in a user’s device.

3. Preventing data leakage from distributed endpoints

VPN does not provide any feature to prevent data sharing between the user end-device and the corporate network. Remote users can do anything from their devices that they could do while working from the office premises. End-users can copy-paste data, take screenshots, do screen recording and IT teams will not have any control over this, which opens up the possibility of intentional and unintentional data leakage.

With VDI, it is possible to run all applications from a secure container, which does not permit any kind of copy-paste or download operation. VDI architecture can be designed to provide DLP features and prevent the users from screen-recording, taking screenshots, printing screen, copy-pasting data.

Better Flexibility

1. On-demand application delivery

With VPN solutions, it is IT teams’ responsibility to provision all business applications on the end-devices and preconfigure them appropriately. Getting a new device provisioned might take a significant amount of time – generally in the order of few days. The severity of this limitation has evidently increased now, compared to the pre-Covid era, as all users are working from home. Delivering application installations, management and upgradation of applications are next to impossible.

In VDI, applications are running within the data center, and what users need is just a browser to get instant access to all applications. IT teams can provision new applications to any user within a matter of minutes, thus enabling a near instant roll out to end users.

2. Providing access over low bandwidth of user

Most of the legacy business applications were built to work in the high bandwidth network provided in the corporate environment. These applications will have the same high bandwidth requirements when the users connect remotely from their lower bandwidth connections at home, which will result in significantly poorer performance. The application traffic will have to travel over the internet, secured by encryption. The fact that VPN adds up to the default application traffic by way of encryption further deteriorates the app performance.

In case of VDI, the application traffic does not travel over the internet at all. No matter how heavy or light an application is, the bandwidth requirement for the VDI connection will always remain the same. VDI provides the same seamless user experience for all remote workers, irrespective of their internet speed.

3. Application delivery to non-Windows devices

Application delivery to devices operating on Mac OS or Linux OS may not be always possible with VPN. VPNs are known to have very low compatibility with non-Windows devices.

In VDI, as all applications are run on a browser or a display protocol, compatibility with non-Windows devices is better.

4. Emergency access from alternate devices when user PC fails

In case of a user device failure  or need for an emergency access from an unauthorized device, VPN solutions do not enable users to just switch over to another device and log in. The end-device needs to be provisioned with a VPN client and all the needed business applications. Making another new device secure enough for emergency access would require IT team’s intervention which may not be possible in many remote work situations.

VDI enables users to switch over to any device and log in, without exposing corporate data or applications to any outside risk. This can be done instantly by end-users and requires little to no intervention from IT teams.

Strong control over data, users and devices

1. Restrict users from copying any data or printing anything

In a VPN, organizations do not have complete control over their data as users can copy-paste data, take screenshots, do screen recording. The users can also tamper with the corporate data easily, as data exchange between the end-device and the enterprise network is always possible.

VDI architecture can be designed to features to prevent the users from screen-recording, taking screenshots, printing screen, copy-pasting data. VDI design can also ensure there is no data exchange between the end-device and the corporate network. Data exchange between the user-device and the enterprise network can only be enabled on need basis or policy basis.

2. Detailed auditing, recording, and monitoring

VPN struggles with providing detailed auditing, monitoring and recording of the user activities as they work on L2 or L3 based connectivity. VPNs’ visibility of who accessing which applications is very low, and so a detailed application access log cannot be generated. VPN also falls short in effective productivity monitoring, which is a major concern for organizations adopting remote working.

VDI systems are aware of which application is being run, by which user, for how long, and granular auditing in terms of the IP addresses and URLs accessed through business applications can be generated. Enterprises can make use of automated tools to implement productivity monitoring, as well.

3. Data back-up and availability

In a VPN setup, as data resides in the end-device, backing up data will consume more bandwidth. Work from home situation increases the magnitude of this problem.

In VDI, as data always remain within the data center, it is always backed up. No extra bandwidth, or end-user time is needed.

Thus, considering all the above points, VDI scores better than VPN and tends to meet almost all business requirements. Virtual Desktop Infrastructure offers better security, flexibility and control, which makes it more desirable for enterprises looking for a sustained remote work solution.