VDI vs ZTNA for BYOD or managed devices

Hey fellow friends.

I’m currently facing a dilemma and could use some guidance from our sysadmin and fellow Redditors.

Our organization's business is healthcare. We have a diverse workforce comprising employees, contractors, and a third-party outsourced team of developers who need access to our resources hosted at on-prem data centers. Devices are a mix of BYOD and corporate-managed. Typically, contractors and third-party outsourcing companies will use their own company-provided devices. However, I'm having trouble deciding on the best solution for secure remote access.

Legacy VPN and direct access to IT resources are a definite "hell no" for me, as they seem outdated and potentially risky. I've been researching alternative solutions, namely cloud-hosted VDI and ZTNA, but I'm still confused about which option would be the right fit for our organization and when it is appropriate to use each of these solutions.

I would greatly appreciate your insights.

Some eyebrow-raising words: Healthcare, BYOD, and External Contractors. I see the challenge you have ahead of you.

As regards ZTNA or VDI: both! If it turns out to be the well-optimized, well-engineered solution your organization can afford.

FWIW, you may find yourself setting up VDIs for this solution, but know that ZTNA is still a worthwhile pursuit on top of the cloud hosting, almost because you are moving in that direction.

ZTNA is a security model for your network and infrastructure, whereas cloud-hosted VDIs are a small subset that may or may not need to exist within this ZT security model. Additionally, the technology is currently at a place where there are various stages of ZTNA and a debatable selection of vendor products that have to be purchased.

However, to move this along, I would recommend researching a user VPN client that also runs a pre-connect HIPS check on devices before allowing connections. This is configurable in the Cisco and Palo Alto VPN clients respectively.

Out of curiosity, why is a VPN a "hell no"?

It would not help your problem, though, as VPNs lack the access/accountability granularity (I think) you are aiming at. So, just curious.

If you wanted to look at a VPN there is good guidance here on how to set up remote access to an OT network properly: https://www.cyber.gov.au/sites/default/files/2023-03/PROTECT%20-%20Industrial%20Control%20Systems%20Remote%20Access%20Protocol%20(October%202021).pdf

Otherwise VDI would be my choice.

Based on what you wrote, you might want to investigate SDN (software-defined networking), SDP (software-defined perimeter) or ZTNA. Yes, the lines blur and they generally do the same tricks; ZTNA seems to be the term used most often. The goal is to define access and put rules in place to only allow access once a given standard is met, like requiring a BYOD device to have EDR, or to be up to date, before you allow it to connect to that one thing you grant access to.

I'd recommend reaching out to AppGate; what you describe is right in their wheelhouse. Perimeter 81 is another option, and I'm sure there are others. The costs are not crazy for the capabilities.

What’s your current tech stack?
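The "only allow access once a given standard is met" rule described in the comment above can be made concrete as a small policy decision point. The following is an added example, not code from anyone in the thread or from any vendor product: one function takes the user's identity claims, the device's posture and the name of a single application, and returns allow or deny with the reasons. Every application name, group name, device attribute and threshold is an assumed placeholder for illustration.

```powershell
# Added example: a toy ZTNA-style policy decision point in PowerShell.
# The device is never put "on the network"; it is only granted or refused a
# brokered connection to one named application, and that decision depends on
# identity (group + MFA) and device posture (type, MDM, EDR, patch age) together.
# All app names, groups, device fields and thresholds below are assumptions.

$Policies = @(
    @{ App = 'ehr-web';    AllowedGroups = @('clinicians');                 AllowedDeviceTypes = @('corporate');        RequireManaged = $true;  RequireEdr = $true; MaxPatchAgeDays = 14 },
    @{ App = 'dev-git';    AllowedGroups = @('contract-devs');              AllowedDeviceTypes = @('corporate','byod'); RequireManaged = $false; RequireEdr = $true; MaxPatchAgeDays = 30 },
    @{ App = 'vdi-broker'; AllowedGroups = @('clinicians','contract-devs'); AllowedDeviceTypes = @('corporate','byod'); RequireManaged = $false; RequireEdr = $true; MaxPatchAgeDays = 30 }
)

function Test-AppAccess {
    param(
        [Parameter(Mandatory)] [hashtable] $User,    # keys: Groups (string[]), MfaSatisfied (bool)
        [Parameter(Mandatory)] [hashtable] $Device,  # keys: Type, Managed, EdrRunning, PatchAgeDays
        [Parameter(Mandatory)] [string]    $App
    )

    $policy = $Policies | Where-Object { $_.App -eq $App }
    if (-not $policy) {
        # No policy means no access: default deny, never default allow.
        return [pscustomobject]@{ App = $App; Allow = $false; Reason = "no policy for '$App' (default deny)" }
    }

    # Collect every failing check so the denial reason is actionable for the helpdesk.
    $failures = @()
    if (-not $User.MfaSatisfied) { $failures += 'MFA not satisfied' }
    if (-not ($User.Groups | Where-Object { $policy.AllowedGroups -contains $_ })) { $failures += 'user not in an allowed group' }
    if ($policy.AllowedDeviceTypes -notcontains $Device.Type) { $failures += "device type '$($Device.Type)' not permitted for this app" }
    if ($policy.RequireManaged -and -not $Device.Managed) { $failures += 'device is not MDM-managed' }
    if ($policy.RequireEdr -and -not $Device.EdrRunning) { $failures += 'EDR agent not running' }
    if ($Device.PatchAgeDays -gt $policy.MaxPatchAgeDays) { $failures += "patch age $($Device.PatchAgeDays)d exceeds $($policy.MaxPatchAgeDays)d" }

    if ($failures.Count -gt 0) {
        return [pscustomobject]@{ App = $App; Allow = $false; Reason = ($failures -join '; ') }
    }
    [pscustomobject]@{ App = $App; Allow = $true; Reason = 'identity and posture checks passed' }
}

# Constructed sample input: a contractor on their own (BYOD) laptop.
$contractor = @{ Groups = @('contract-devs'); MfaSatisfied = $true }
$byodLaptop = @{ Type = 'byod'; Managed = $false; EdrRunning = $true; PatchAgeDays = 9 }

Test-AppAccess -User $contractor -Device $byodLaptop -App 'dev-git'
Test-AppAccess -User $contractor -Device $byodLaptop -App 'ehr-web'

# Same contractor after their EDR agent stops reporting.
$byodLaptop.EdrRunning = $false
Test-AppAccess -User $contractor -Device $byodLaptop -App 'vdi-broker'
```

With these assumed policies, the contractor's compliant BYOD laptop reaches only the developer application; the clinical system refuses it on both group membership and device type, and once the EDR agent stops reporting even the VDI broker refuses the same device. In a real deployment the `$Device` values come from the ZTNA agent's posture report rather than a hashtable you type in, and the decision should be re-evaluated during the session, not just at connect time.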


VPNs are still relevant. Since malware these days is network-based, I am not particularly fond of solely relying on VPNs for network access, as that grants direct access to RDP or applications.

VDI is a pretty good solution. I'm wondering whether implementing ZTNA like Prisma Access or Zscaler is necessary when utilizing Azure Virtual Desktop or an on-premises VDI solution.

We are a Windows shop, but same principle: we need our MDM, our EDR, our DLP agent on BYOD. But we aren't healthcare; I'd lean more in the VDI direction there.

That is precisely why we are interested in implementing Azure Virtual Desktop. By doing so, we can enforce security measures such as prohibiting file copying or clipboard access to prevent any potential data leaks. All data will remain within the virtual machine (VM), ensuring that there is no direct network access apart from the VDI portal. Additionally, we can implement conditional access and IP filtering, as well as utilize multi-factor authentication (MFA) and privileged access management (PAM) for any privileged access. Furthermore, session recording can be enabled. VPNs are still relevant, but I am not particularly fond of solely relying on VPNs for network access, as that grants direct access to RDP or applications.
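The clipboard and file-copy restrictions mentioned in the comment above are set on an Azure Virtual Desktop host pool through its custom RDP properties. The block below is an added example, not the poster's configuration or Microsoft sample code; it uses the `Update-AzWvdHostPool` and `Get-AzWvdHostPool` cmdlets from the Az.DesktopVirtualization module, and the resource group and host pool names are assumed placeholders.

```powershell
# Added example: lock down device redirection on an AVD host pool so that
# clipboard contents, local drives, printers, USB devices, cameras and
# microphones are not bridged between the BYOD endpoint and the session host.
# Requires the Az.DesktopVirtualization module and an authenticated Az session.
Import-Module Az.DesktopVirtualization

$rg       = 'rg-avd-prod'      # assumed resource group name
$hostPool = 'hp-contractors'   # assumed host pool name

# Each entry is a standard RDP file property: ':i:' integer, ':s:' string.
# An empty string value means "redirect nothing" for the list-valued settings.
$rdpProperties = @(
    'redirectclipboard:i:0',    # no clipboard in either direction
    'drivestoredirect:s:',      # no local drives mapped into the session
    'redirectprinters:i:0',     # no local printers (closes the print-to-PDF exfil path)
    'usbdevicestoredirect:s:',  # no USB / plug-and-play device redirection
    'camerastoredirect:s:',     # no webcam redirection
    'audiocapturemode:i:0'      # no microphone capture into the session
) -join ';'

Update-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool -CustomRdpProperty $rdpProperties

# Read back what the published RDP file will actually tell the client to do.
(Get-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool).CustomRdpProperty -split ';'
```

One caveat a practitioner will want: the host pool RDP properties are what the published connection file asks the client to do. To make the restriction authoritative on the server side as well, pair this with the session host policy under Remote Desktop Session Host > Device and Resource Redirection (for example "Do not allow Clipboard redirection" and "Do not allow drive redirection"), so a modified client cannot re-enable what the host pool setting turned off.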

That’s not BYOD, that’s “I just bought my employer a free laptop”

I mean, bring your own device? Kind of in the name?

BYOD used to refer to being able to access company resources from a personal device. But then people realised that was a stupid idea and started providing policies about all the company spyware you need to install on personal devices to access company resources. And suddenly everybody who owns a personal device hates the situation and everyone who was expecting to save money on BYOD hates the situation.

Not our experience but sure?
