
With VPNs besieged, cloud desktops get their close-up

Forrest Brazeal

Predicting the “year of Linux on the desktop” may always be a fool’s errand. But I think we can safely say that 2020 is the year of desktops in the cloud.

Amazon WorkSpaces alone is reporting tenfold usage increases over the past few weeks, and it’s not hard to see why: people need managed work environments they can access from home, and good luck procuring laptops right now. But there’s a deeper shift taking place here.

Working from home is killing the corporate network (literally and figuratively)

The traditional “castle” model of network security surrounds trusted services with the high wall of a private network, accessible only through the drawbridge of a VPN. These networks were designed for a cloudless world, with most applications and data accessed by users who were themselves directly connected to the corporate LAN.

The rise of remote work and of cloud-based tools like Slack and G Suite has been eroding the assumption that work only happens inside the corporate moat. But nobody could have predicted the sudden, worldwide shift to working from home over the past couple of months.

What happens when every employee’s house suddenly becomes its own mini-outpost around the castle? Saturated VPN concentrators and an overloaded network: the drawbridge was never sized for a thundering herd of remote users trying to reach their applications all at once.

In the short term, sysadmins report scaling up their VPNs by maxing out licenses to deal with the unprecedented traffic. But just like laptops, VPN hardware is tough to come by right now, and the procurement process can take weeks. So many people also configure “split tunneling”, pushing only traffic bound for corporate address space through the VPN and letting everything else flow over each user’s home network. This has advantages for bandwidth costs and user speed, but it also means a compromised end-user device is simultaneously on the open internet and on your private network, with nothing in between inspecting the internet side. (That’s why some regulators aren’t cool with it.)
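To make the split-tunnel trade-off concrete, here is an added example (my own illustration, not code from the original post or from any VPN vendor) that models the two routing tables a VPN client can push and applies longest-prefix matching, the same rule a kernel routing table uses. The interface names `tun0`/`wlan0`, the corporate prefix `10.0.0.0/8`, and the destination addresses are constructed assumptions; `203.0.113.10` stands in for an arbitrary internet host.

```python
import ipaddress

# Constructed routing tables for illustration only (not a real vendor's config).
# Each entry is (prefix, egress interface); the longest matching prefix wins.
FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),        # VPN pushes a default route: everything rides the tunnel
    ("192.168.1.0/24", "wlan0"),  # home LAN stays direct (needed to reach the home router)
]

SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),       # default route stays on the home network
    ("10.0.0.0/8", "tun0"),       # only corporate address space (assumed RFC1918 /8) uses the VPN
    ("192.168.1.0/24", "wlan0"),
]

# Constructed sample destinations: an internal file server, an arbitrary internet host
# (TEST-NET-3 address used as a placeholder), and the home router.
DESTINATIONS = ["10.20.30.40", "203.0.113.10", "192.168.1.1"]


def select_route(table, destination):
    """Longest-prefix match. Returns (interface, matched_prefix) for `destination`."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (best[1], str(best[0])) if best else (None, None)


def is_bridging(table, destinations):
    """True when one host has a VPN path into corporate space AND a direct default-route
    path to the internet at the same time: the exposure that split tunneling creates."""
    via_vpn = False
    direct_internet = False
    for d in destinations:
        iface, prefix = select_route(table, d)
        if iface == "tun0":
            via_vpn = True
        elif prefix == "0.0.0.0/0":   # left the box on the default route, outside the VPN
            direct_internet = True
    return via_vpn and direct_internet


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        routes = {d: select_route(table, d)[0] for d in DESTINATIONS}
        print(f"{name}: {routes} bridging={is_bridging(table, DESTINATIONS)}")
```

With the full-tunnel table every non-local packet leaves on `tun0`, so the corporate edge sees (and can filter) the device's internet traffic. With the split-tunnel table the same device talks to `10.20.30.40` through the VPN and to `203.0.113.10` directly, which is exactly the dual-homed condition the paragraph above warns about.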

The future: Identity

Just as gunpowder made castles obsolete, the real solution to our suffering networks won’t come from building a better VPN, but from reimagining the way we access and secure data itself.

Corey Quinn, the well-known cloud economist and AWS pundit, calls trusted corporate networks accessible only through VPN an outdated design. “Identity has to be the new frontier,” he says. 

Identity-based networking means short-lived credentials bound to a specific user or workload and a specific service, rather than long-lived “service accounts” whose passwords outlive everyone who knew them. It means every connection is TLS-encrypted and authenticated end to end, instead of trusting a “private network” that might well already be compromised. Google’s BeyondCorp model is the canonical example of this “zero-trust” approach: a VPN-less world where work lives on cloud services that employees reach from anywhere, and each request is authorized on its own merits regardless of where it came from. When your network infrastructure is the internet itself, a VPN concentrator is no longer the bottleneck on how far you can scale.
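The credential model described above, as an added example that is not part of the original post and not Google's or any provider's code: an issuer mints a token tied to one subject and one service (`aud`) that expires in minutes, and the service verifies signature, audience and expiry on every request, never the caller's network location. The HMAC key, the five-minute lifetime, and the `payroll`/`hr` service names are constructed assumptions; a production deployment would use asymmetric keys and a standard token format such as JWT/OIDC rather than this hand-rolled one.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed issuer secret for illustration only. Real issuers sign with a private key
# and publish the verification key; never hard-code a shared secret like this.
ISSUER_KEY = b"demo-issuer-key-do-not-use"
TOKEN_TTL_SECONDS = 300  # five minutes: a stolen token is useless shortly after theft


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, audience, now=None, ttl=TOKEN_TTL_SECONDS):
    """Mint a credential for one subject (user or workload) and one service (audience),
    valid for `ttl` seconds. This replaces a long-lived service-account password."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token, expected_audience, now=None):
    """Check authenticity, audience and expiry. Returns (claims, "ok") on success or
    (None, reason) on failure. Source IP plays no part in the decision."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None, "bad signature"
        claims = json.loads(_unb64(body))
    except ValueError:  # covers a missing ".", bad base64 and bad JSON
        return None, "malformed"
    if claims.get("aud") != expected_audience:
        return None, "wrong audience"  # a token for one service must not open another
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims, "ok"


if __name__ == "__main__":
    t0 = int(time.time())
    tok = issue_token("alice@example.com", "payroll", now=t0)
    print(verify_token(tok, "payroll", now=t0 + 60)[1])   # ok
    print(verify_token(tok, "hr", now=t0 + 60)[1])        # wrong audience
    print(verify_token(tok, "payroll", now=t0 + 400)[1])  # expired
```

The point of the audience check is the “tied to services” part of the paragraph: a credential minted for the payroll service is rejected by HR even though it is otherwise valid, so compromise of one service does not hand the attacker a key to all of them. Short expiry does the rest: there is no long-lived secret to rotate after an incident.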

But plenty of practical obstacles exist to a BeyondCorp setup. As Quinn points out, many enterprise applications are still architected under the assumption that network requests are traveling over the LAN to closely colocated systems. A world connected by cloud services requires very different assumptions to avoid drowning in latency. And we haven’t even started on the constraints from regulators who haven’t caught up with the cloud.

Desktops-as-a-Service: bridging the gap

So, okay. You can’t have everybody clobbering the VPN from home, but a massive organizational shift to cloud-native apps and perimeter-less security isn’t going to happen by the end of next sprint.

That’s where desktop-as-a-service (DaaS) providers like Amazon WorkSpaces and Azure Virtual Desktop come in. Instead of your users logging into a virtual desktop infrastructure (VDI) environment hosted in your corporate data center, you deliver a similar experience from the cloud provider’s infrastructure.

Cloud desktops let you treat end-user devices, which at this point may well be personal laptops, pretty much as unprivileged dumb terminals. IT still controls what lives on the cloud workspace, right down to the antivirus and the certs, but this time the scaling and hardware management isn’t your problem. If somebody’s BYO device dies, no worries about backups: it’s all in the cloud. One caveat worth keeping in mind: a compromised client device can still capture keystrokes and screen contents from the session, so “unprivileged” does not mean “harmless”, and strong authentication on the workspace login still matters.

Quinn endorses this as a first step toward a true cloud-native work environment, but reminds us of the importance of usability: “Even nontechnical people need to be able to set this up.” You want the DaaS experience to be as simple as logging in, no complex client configuration required. I haven’t used Windows Virtual Desktop yet, but I’ve been an Amazon WorkSpaces user off and on for about six years, and I can confirm that the PCoIP technology works about as well as Jeff Barr says it does. It’s not quite local-desktop responsive, but it’s not noticeably laggy and it gets the job done.

You’ll still want a VPN client on your cloud desktop if you need to access services back on the corporate network. (WorkSpaces runs inside a VPC that you control, though, so if the services you are reaching over the VPN already live in AWS, you may be able to skip the per-desktop client and just peer the WorkSpaces VPC with theirs.) But at this point your goal should be reducing the number of cases where you need to make that connection at all. G Suite or Office 365, Slack and Zoom: these tools scale so you don’t have to. WorkSpaces has slashed prices through June, so that helps too.

You might not feel ready to leave the walls of the corporate network castle right now. But you also might not have a choice. The year of the cloud desktop is here, and the transformation of work from on-premises networks to the cloud has only begun.
