WVD Workspaces managed by IGEL UMS and CloudJumper CWMS
This is Part 1 of a 2 part blog on creating a secure cloud workspace.
Securing end user computing environments is an evolving challenge in today’s world of constant ransomware and malware attacks. Attacks affect all businesses, but small businesses are victimized nearly 3 times as often as healthcare and public sector entities and more than 4 times as often as the financial industry. (*1)
Some small businesses completely close shop; others grind to a halt. Remote work solutions can mitigate security challenges like these and be a godsend to your business continuity planning.
Providing a secure workspace to company employees while simultaneously ensuring easy access to applications and data requires a well thought out workspace architecture.
Security must be a first-class citizen at the table during the initial design of your digital workspace strategy and not the result of one-off remediation attempts and an ever-growing collection of bolt-on security software tools. Yet, according to a 2018 Verizon report, 62% of those surveyed believe that their company lacks the in-house skills to deal with security issues. This is where Windows Virtual Desktop (WVD), IGEL and CloudJumper can come together to extend the reach of your security teams by offering a modern cloud solution.
A secure architecture begins with the client endpoint. The IGEL OS is a secure Linux distribution that runs in memory. The small footprint of the OS allows you to load it from a simple USB device, called the UD Pocket, that can attach to the USB port of any computer with minimum hardware requirements – 2 GB of RAM and a 64-bit processor. Utilizing the UD Pocket extends the life of older PCs and laptops, and the locked-down operating system minimizes the attack surface.
With the IGEL USB device, you can repurpose older nodes as your endpoints knowing that the IGEL secure OS is used as a launching point into your secure WVD desktop in Azure. The endpoint becomes passive – which is good. As one administrator put it – “switching to the IGEL OS creates a target poor environment for hackers, and the fact that it runs from the UD Pocket means we don’t even need hard drives in the endpoints. In fact, we prefer that the drives are removed or disconnected so they can’t be used to circumvent the endpoint security.”
IGEL’s Universal Management Suite (UMS) is the software used to manage the IGEL endpoints. The individual IGEL OS endpoints can be managed from the IGEL UMS control plane – restricting users from seeing setup or configuration options, enabling local applications like the WVD client or a SIP compatible soft phone, and even activating the WVD client at user login are all configurable options via UMS.
The next component is WVD. WVD represents a new frontier for secure computing. WVD takes the infrastructure component out of VDI. Since the desktops are running in Azure, the physical, compute, networking and storage layers are abstracted away from local (on-premises) hardware and run in a secure Azure datacenter. This means that many, if not most, of the 90+ compliance offerings in Azure are inherited by WVD.
Your WVD workspace looks and feels like a full Windows OS, but it’s really running as a collection of secure Azure PaaS services, served through a virtual machine (VM). Abstracting these infrastructure components from on-premises to Azure addresses many key issues facing business such as security management, regulatory compliance, and privacy assurance. Certainly, WVD environments are prone to security risks, but the Azure cloud provides more defenses to minimize damage and disruption through better response and recovery.
WVD starts with a clean slate deployment – no inherited security issues, APTs, etc. Further, other native Azure PaaS services, like Azure NetApp Files (ANF), can flow directly to your Azure tenant to scale storage and better separate WVD user profiles with FSLogix.
The other piece of the secure digital workspace centers around the control plane of WVD – orchestration, management and maintenance of the WVD digital workspace. WVD, however, is a complex collection of Azure services and requires, arguably, an intermediate level of PowerShell expertise. CloudJumper removes the barrier of PowerShell expertise by providing a simple graphical UI to deploy, manage and maintain your WVD environment(s). CloudJumper simply funnels the hundreds of WVD setup options into a few key questions and then builds out your custom environment.
CloudJumper’s Cloud Workspace Management Suite (CWMS) creates and orchestrates all the required components – host pools, session servers for multi-user Windows 10, and app groups that define user access to desktops and applications. With CloudJumper, you are just minutes away from deploying hundreds or thousands of new WVD VMs for a variety of end user use cases.
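To make concrete what the paragraphs above describe (a host pool, an app group that defines user access, and the PowerShell expertise WVD otherwise requires), here is an added PowerShell example. It is not CloudJumper's or Microsoft's code; it uses the Az.DesktopVirtualization cmdlets and stops before the session host VMs are created, which is the part CWMS automates at scale. The resource group, region, names and user principal are placeholders.

```powershell
# Added example (not CloudJumper's or Microsoft's code): the core WVD control-plane
# objects built by hand. Requires the Az.Accounts, Az.Resources and
# Az.DesktopVirtualization modules. All names below are placeholders.
$rg       = 'rg-wvd-example'          # placeholder resource group
$location = 'eastus'                  # placeholder region
$user     = 'alice@contoso.example'   # placeholder user principal name

Connect-AzAccount | Out-Null
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# 1. Host pool: pooled (multi-session) with breadth-first load balancing and a
#    per-host session cap, so one busy host cannot degrade every user.
$hp = New-AzWvdHostPool -ResourceGroupName $rg -Name 'hp-example' -Location $location `
        -HostPoolType Pooled -LoadBalancerType BreadthFirst `
        -PreferredAppGroupType Desktop -MaxSessionLimit 10

# 2. Registration token: session hosts present this when they join the pool.
#    Keep its lifetime short; a long-lived token is a credential worth stealing.
$reg = New-AzWvdRegistrationInfo -ResourceGroupName $rg -HostPoolName $hp.Name `
        -ExpirationTime (Get-Date).AddHours(2)

# 3. Desktop app group bound to the host pool. Access is granted here, not on hosts.
$ag = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name 'ag-desktop-example' `
        -Location $location -HostPoolArmPath $hp.Id -ApplicationGroupType Desktop

# 4. Workspace that publishes the app group to the users' WVD client feed.
New-AzWvdWorkspace -ResourceGroupName $rg -Name 'ws-example' -Location $location `
        -ApplicationGroupReference $ag.Id | Out-Null

# 5. User access is an Azure RBAC assignment on the app group (least privilege:
#    the built-in "Desktop Virtualization User" role, scoped to this group only).
New-AzRoleAssignment -SignInName $user -RoleDefinitionName 'Desktop Virtualization User' `
        -ResourceName $ag.Name -ResourceGroupName $rg `
        -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' | Out-Null

# Sanity check: confirm the pool type and balancing mode that were requested.
Get-AzWvdHostPool -ResourceGroupName $rg -Name $hp.Name |
    Select-Object Name, HostPoolType, LoadBalancerType, MaxSessionLimit
```

Session hosts would next be deployed as VMs that join the pool using `$reg.Token`, and Conditional Access and MFA (mentioned later on this page) are applied to the sign-in, not to any of the objects created here.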
CloudJumper’s CWMS operates on the control plane for VDI and RDS. The management plane is left untouched; therefore, native PaaS services, like Azure security services, are directly available to the tenant. CloudJumper’s native Azure integration ensures that you can get the most out of your Microsoft licensing position. Leverage your existing Azure management and security services in your WVD tenant — like Azure Backup, Azure Automation, Azure Sentinel, and Azure AD Premium services such as Azure MFA and Conditional Access. These services will deliver immediate value to your security posture.
WVD offers the assurance of Microsoft trusted datacenters to run your remote desktops and applications on the back end. Securing the endpoint with the IGEL OS and leveraging CloudJumper’s Cloud Workspace Management Suite (CWMS) to deploy and manage the backend WVD Azure workspaces gives administrators modern, efficient tools to ensure secure end user access and empower administrators with Azure Security PaaS services.
WVD + CLOUDJUMPER + IGEL
CloudJumper’s CWMS and IGEL’s Universal Management Suite (UMS) are complementary control planes. CWMS handles the provisioning and management of WVD, while UMS handles the provisioning and management of IGEL endpoints.
At CloudJumper, we believe WVD is the natural evolution of EUC. The new and upcoming industry trends — 5G bandwidth, new remote work scenarios, proliferation of ransomware, new privacy laws, changes in Microsoft licensing — are coming together to make WVD the remote desktop of choice.
Part 2 of this blog will go into more detail and discuss WVD’s reverse connect technology as a mitigation to the recent Citrix NetScaler vulnerability, which has left up to 80,000 of their business customers at risk.
CloudJumper is an automation, orchestration and workflow solution used to deploy and manage VDI and RDS workspaces. Consider us the industry’s best alternative to the big guys. CWMS is a native web service running a graphical UI for the deployment, orchestration and management of WVD, VDI and RDS workspaces – no PowerShell needed. CloudJumper is a recognized Microsoft Preferred Solution Provider for WVD. Our product team worked alongside Microsoft for two years developing a native Azure solution.
Customers and MSP Partners have been trusting CloudJumper for nearly 20 years in the managed workspace industry. We have thousands of customers running tens of thousands of applications and desktops.
(*1) Underserved and Unprepared: The State of SMB Cyber Security in 2019, Vanson Bourne for Continuum