By Bryan Zanoli, Principal Architect, Entisys360
Most digital workspace solutions will not, and probably should not, be built from a single product. But that does not mean we should not attempt to consolidate as much as possible of the solution stack that builds out our digital workspace. Citrix Workspace and VMware Workspace ONE are the common go-to solutions, which tie in most, if not all (depending on organization requirements and use cases, of course!), of the components required to build a secure, high-performing and comprehensive digital workspace platform.
Let’s now review the design, construction and focus of a successful digital workspace platform: the sort of platform we need to address the drivers and challenges presented in my previous blog post, Delivering a True Digital Workspace Experience.
Users and Endpoints
A modern digital workspace solution has endpoint management built in. With the introduction of Windows 10, nearly all “mobile” management platforms can support the delivery of applications and updates, as well as other device management capabilities on PCs, phones, tablets and much more, under what is commonly termed Unified Endpoint Management.
This new type of unified control allows businesses to manage Bring Your Own Device (BYOD), Corporate Owned Personally Enabled (COPE), and standard corporate-managed endpoint devices, all from a consolidated digital workspace management platform. No longer do mobile devices need to be handled separately from standard desktop management systems. Newer IoT devices, such as Alexa for Business, are also being brought into the fold.
Access and Identity Management
We started where it counts, with the users and the devices they work from – which is where we need to deliver or integrate this digital workspace. Now we need a way of granting users access to the wide range of applications and data sources in a manner that is contextual, secure and easy on the user. Enter the concept of a Gateway with Multifactor Authentication and Single Sign On (SSO).
How does this work? All application, desktop and data resources are presented by an intuitive and easy-to-navigate store or portal. From any device, users use a browser to navigate to the Gateway URL or launch a Workspace-specific client application, which prompts them for the necessary number of authentication mechanisms, such as Active Directory and Token (I recommend at least two forms!). This login process may even examine the endpoint location and type to determine even more granular access control. Once authenticated, the digital workspace leverages the user’s logged-on security context to provide and control access to any combination of SaaS applications, datacenter applications, virtual desktops, as well as on-prem (network shares) or cloud-based (Box, OneDrive) data.
Control and Management Layer
The control plane is what ties together applications and services with endpoint access. It stores information about which applications and data are available to which users, and how those resources are allowed to be accessed, leveraging contextual security policies.
Endpoint management administration and policies are handled at this layer, defining which applications, updates and device policies are delivered to your devices. Any automation leveraged, image management methods, and even user profile management would be incorporated into the control or management plane.
To make the most of your digital workspace, advanced monitoring systems should be implemented to provide real-time, and even predictive, metrics around user performance and security. Being able to dive into logon times, application launch errors, and metrics such as round-trip time will ensure IT is offering the best user experience possible and reacting quickly whenever users are impacted.
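To make the monitoring point concrete, here is an added example (not code from the original post, and not tied to any vendor's monitoring product) that parses a constructed sample of workspace telemetry and flags the three conditions the paragraph calls out: slow logons, repeated application launch errors, and high round-trip time. The log format, field names and thresholds are assumptions chosen for this example.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample telemetry. The key=value schema and the values are
# assumptions for this example, not a real product's log format.
SAMPLE_LOG = """\
2024-03-04T08:00:12Z event=logon user=alice site=chicago duration_ms=14200
2024-03-04T08:00:40Z event=logon user=bob site=chicago duration_ms=61300
2024-03-04T08:01:05Z event=logon user=carol site=london duration_ms=22800
2024-03-04T08:02:10Z event=app_launch user=alice app=erp result=ok
2024-03-04T08:02:31Z event=app_launch user=bob app=erp result=error code=1603
2024-03-04T08:03:02Z event=app_launch user=carol app=erp result=error code=1603
2024-03-04T08:03:50Z event=session user=alice site=chicago rtt_ms=38
2024-03-04T08:04:01Z event=session user=bob site=chicago rtt_ms=41
2024-03-04T08:04:15Z event=session user=carol site=london rtt_ms=312
2024-03-04T08:05:00Z event=logon user=dave site=london duration_ms=58900
"""

KV = re.compile(r"(\w+)=(\S+)")
LOGON_SLOW_MS = 45000   # assumed SLA: a logon over 45 s is worth an alert
RTT_HIGH_MS = 250       # assumed threshold for a noticeably laggy session
ERROR_REPEAT = 2        # same app failing for this many users -> image/delivery problem


def parse(log: str):
    """Yield one dict per line: the timestamp plus every key=value field."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        rec = {"ts": ts}
        rec.update(KV.findall(rest))
        yield rec


def summarize(log: str) -> dict:
    """Aggregate logon, launch-error and RTT metrics per site/app and list alerts."""
    logons = defaultdict(list)
    rtts = defaultdict(list)
    errors = defaultdict(int)
    alerts = []
    for rec in parse(log):
        event = rec.get("event")
        if event == "logon":
            ms = int(rec["duration_ms"])
            logons[rec["site"]].append(ms)
            if ms > LOGON_SLOW_MS:
                alerts.append(f"slow logon: user={rec['user']} site={rec['site']} duration_ms={ms}")
        elif event == "app_launch" and rec.get("result") == "error":
            errors[rec["app"]] += 1
        elif event == "session":
            ms = int(rec["rtt_ms"])
            rtts[rec["site"]].append(ms)
            if ms > RTT_HIGH_MS:
                alerts.append(f"high rtt: user={rec['user']} site={rec['site']} rtt_ms={ms}")
    # One user failing to launch an app is an endpoint problem; several users
    # failing on the same app points at the image or the delivery group.
    for app, count in errors.items():
        if count >= ERROR_REPEAT:
            alerts.append(f"launch errors: app={app} count={count}")
    return {
        "median_logon_ms": {site: statistics.median(v) for site, v in logons.items()},
        "median_rtt_ms": {site: statistics.median(v) for site, v in rtts.items()},
        "launch_errors": dict(errors),
        "alerts": alerts,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Per-site medians keep a single slow user from distorting the picture, while the per-user alerts are what an operations team would route into a ticket or a SIEM; in a real deployment the thresholds would come from the SLAs discussed under High Availability rather than being hard-coded.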
Most digital workspace solutions offer the control plane as a cloud-based subscription service, giving you an evergreen deployment with access to all the latest features and current security updates. This is not a requirement, though, as on-prem and even hybrid cloud options are available. Breaking it down, the first option is a cloud-hosted service, next we have a cloud-hosted standard deployment (AWS or Azure), and finally we have our on-prem hosted standard deployment. Select the option, or combination of options, which best meets requirements and business objectives.
The digital workspace should be able to accommodate any common infrastructure platform for deployment, whether it’s a standard 3-tier storage/compute/network infrastructure, a fully developed on-prem private cloud, or a public cloud IaaS deployment. Consider deploying the control plane in the cloud and publishing access to VDI, application, or data resources on-prem, or expanding your on-prem control plane to connect to resources in the cloud. If leveraging VDI or Remote Desktop Services (terminal services), Hyper-Converged Infrastructure is an excellent option for simple-to-deploy and easy-to-manage hardware infrastructure. Both access and control components can be deployed to cloud or on-prem based on the specific requirements of the business and its workforce.
The adoption of the cloud, and continued expansion of IoT means further adding onto the number of locations, data centers, cloud providers, and devices. SD-WAN provides a simple way to create a single Software-Defined WAN, which not only can provide resilience and availability, but can also speed up access to key applications! SD-WAN can also enable the use of common public internet circuits to supplement expensive MPLS links to remote sites.
First, security is a critical part of each layer or component within a digital workspace solution. User devices, access components, management servers, and the infrastructure must all conform to a robust security posture. The reason I include security separately is not to make it an afterthought, but to emphasize its importance in terms of how a properly architected and implemented digital workspace can enhance the security of any organization, all while minimizing its impact on the end user.
- Contextual Security – Matching access to resources with the right user, based on additional context such as device type, location, and numerous other factors
- Analytics and User Behavior Analysis – Using machine learning to flag, alert and provide corrective action on aberrant user behavior
- Micro-segmentation – Policy-driven and dynamic firewall enforcement on a per-VM and per-application basis
- Device/Application Sandboxing – Places an application in an isolated and encrypted sandbox, using policy to control access to networks, applications and data
- Secure Gateway and Data Loss Prevention – Gateways can be used to provide secure reverse proxy access to data center resources, considerably hindering malware attacks and sensitive data exfiltration
- Per-Application VPN Tunneling – Often used in conjunction with application sandboxing to ensure encrypted connectivity directly between a single application and the designated backend resources
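The gateway login flow described under Access and Identity Management and the Contextual Security item above both come down to one policy decision: given who the user is, how they authenticated, what device they are on and where it is, which resources are shown and with what session controls. The following is an added example of such a decision function, written for this post and not taken from Citrix Workspace, Workspace ONE or any other product; the resource catalogue, group names, factor names and restriction labels are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed vocabulary for this example; the values are assumptions, not
# identifiers from any product.
MANAGED, BYOD = "managed", "byod"            # corporate/COPE device vs. bring-your-own
TRUSTED, UNTRUSTED = "trusted", "untrusted"  # endpoint on the corporate network vs. elsewhere
REQUIRED_FACTORS = 2                         # the post recommends at least two factors


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str                    # "saas", "vdi" or "share"
    allowed_groups: frozenset    # directory groups entitled to the resource


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset            # the user's directory group memberships
    factors: frozenset           # factors completed at the gateway, e.g. "ad_password", "token"
    device: str                  # MANAGED or BYOD
    location: str                # TRUSTED or UNTRUSTED
    resource: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    restrictions: tuple = ()     # session controls applied when access is allowed


# Constructed catalogue of what the store/portal publishes.
RESOURCES = {
    "crm-saas": Resource("crm-saas", "saas", frozenset({"sales", "support"})),
    "finance-vdi": Resource("finance-vdi", "vdi", frozenset({"finance"})),
    "finance-share": Resource("finance-share", "share", frozenset({"finance"})),
}


def evaluate(req: Request) -> Decision:
    """Apply authentication strength, entitlement and context checks, in that order."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return Decision(False, "unknown resource")
    # 1. Authentication strength: the gateway demands MFA before anything is shown.
    if len(req.factors) < REQUIRED_FACTORS:
        return Decision(False, f"{REQUIRED_FACTORS} authentication factors required")
    # 2. Entitlement: the control plane records which groups may see which resource.
    if not (req.groups & res.allowed_groups):
        return Decision(False, "user not entitled to resource")
    # 3. Context: device type and location decide whether and how the resource is delivered.
    if res.kind == "share":
        # Direct access to on-prem data only from a managed endpoint on the corporate network;
        # everyone else reaches that data through a virtual desktop instead.
        if req.device != MANAGED or req.location != TRUSTED:
            return Decision(False, "file shares require a managed device on a trusted network")
        return Decision(True, "managed device on trusted network")
    if res.kind == "vdi":
        restrictions = []
        if req.device == BYOD:
            restrictions += ["clipboard_disabled", "client_drive_mapping_disabled"]
        if req.location == UNTRUSTED:
            restrictions += ["printing_disabled"]
        return Decision(True, "virtual desktop via gateway", tuple(restrictions))
    # SaaS is reached through SSO from the portal; an unmanaged device gets no offline copies.
    restrictions = ("download_disabled",) if req.device == BYOD else ()
    return Decision(True, "saas via sso", restrictions)


def audit_line(req: Request, dec: Decision) -> str:
    """One-line record of the decision, in a form a SIEM could ingest."""
    verdict = "ALLOW" if dec.allowed else "DENY"
    return (f"user={req.user} resource={req.resource} device={req.device} "
            f"location={req.location} factors={len(req.factors)} verdict={verdict} "
            f"reason=\"{dec.reason}\" restrictions={','.join(dec.restrictions) or '-'}")


if __name__ == "__main__":
    sample = Request("alice", frozenset({"finance"}), frozenset({"ad_password", "token"}),
                     BYOD, UNTRUSTED, "finance-vdi")
    print(audit_line(sample, evaluate(sample)))
```

The ordering matters: authentication strength is checked before entitlement so that the portal never reveals which resources exist to a session that has not completed MFA, and context is applied last so that an entitled user on a less trusted device is still served, just with a more restricted session rather than an outright denial. Every decision, allowed or not, produces an audit line, which is what the analytics and user-behavior layer consumes.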
- High Availability – There are tradeoffs between cost, complexity and high availability. Be sure to design the solution with SLAs and proper expectations in mind. Accounting for individual component failures is easy and affordable. Accounting for entire data center failures with Active/Active sites will introduce complexity and cost, but may be a requirement for uptime goals.
- Consolidation and Simplicity – While some complexity will be a component of any IT solution, be sure to focus on consolidating onto the fewest number of products possible. Don’t let your digital workspace solution lose adoption due to difficult-to-manage, intricately managed systems and complex or disparate user access methods.
- Data Locality – If virtual desktops or virtual application delivery hosts (terminal services) will be part of your digital workspace, it’s important to keep such resources close to where the data resides. Most applications still require very quick response times to access files or databases. Don’t sacrifice user experience by deploying workloads and data in the cloud but leaving virtual desktops on-prem.
- Align with DevOps / IT Automation Initiatives – More and more of our customers are evaluating how the concepts and methodologies behind DevOps, IT Automation, and Self Service can benefit them. The digital workspace is a great place to start. Build automation into your virtual desktop image management process. Utilize self-service to allow users to gain access to applications, based on an easy and automatic approval workflow. Bring synergy within IT by aligning the digital workspace with any DevOps initiatives.
- Compliance and Regulation – The above considerations are all derived from their direct value to the organization and to the end user experience. Compliance and regulations add to these requirements by dictating certain constraints and obligations in terms of data storage, access limitations, and other security measures. It’s important to consider these from the initial design phase of any digital workspace environment. For example, if you have a datacenter in Europe hosting private customer data, a Virtual Desktop Infrastructure in the US would have to be disallowed from bringing data to the virtual desktop. Instead, a designated Virtual Desktop Infrastructure may have to be deployed in Europe to accommodate GDPR requirements. Digital workspaces are also a great way to streamline compliance for common regulations such as PCI and HIPAA.
Toolsets for the Digital Workspace
I wanted to finish with a list of common digital workspace components for two reasons. First, if you’re focusing on any of these individually, you may want to take a step back and consider building a true digital workspace. Second, these are the elements you may want included as part of a “shopping list” for your digital workspace. Not all of these are required, and the platform architecture should be designed according to each organization’s objectives and requirements.
- Virtual App and Desktop Infrastructure
- Workspace Portal or Application Store
- Identity and Access Management
- User Profile and Personalization Management
- IT Automation
- Enterprise Mobility Management (EMM)
- Enterprise File Sync and Sharing (EFSS)
- Collaboration and Content Delivery Platforms