The outbound VDI: Internet access while protecting enterprise systems


An outbound virtual desktop infrastructure can significantly reduce the risks of threats to internal corporate systems and data while maintaining the benefits of internet access.

The internet supports nearly every corporate environment, from research and communications to purchasing and billing. Unfortunately, it also has become the primary threat vector for bad actors conducting criminal activity, fraud and espionage. Finding the right balance between embracing internet use and protecting enterprise systems and data is an ongoing challenge for information security and technology leaders.

While web proxies can be used in a variety of ways to limit exposure to known risky internet resources -- and web proxy technologies can significantly reduce the overall attack surface for known threats -- the approach still directly exposes internal systems to both permitted internet resources and unknown threats. For government organizations with a low risk tolerance, one of the most effective approaches to defending against both known and unknown internet threats may be the use of an outbound virtual desktop infrastructure.

An outbound VDI uses an additional layer of virtual systems that have direct access to the internet and that receive mouse and keyboard commands from internal corporate systems but that restrict return inbound communications. Instead of accessing the internet directly, internal users connect to a virtual system outside of the core network and access the internet from the virtual host. The internal system will only display the screen for the end user and play audio content as appropriate. Because the virtual system has no access to corporate data and no connectivity to other internal resources, it can be exposed to otherwise risky internet content without risking internal corporate systems or data. When a given session is complete, the virtual system can be discarded to free up resources for future sessions.
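The flow restrictions described above can be written down as invariants and checked against a firewall rule set. The following is an added example, not part of the original article: the zone names, the first-match rule model, the display port (3389), port 445 and both rule sets are constructed assumptions, and only new connections are modelled (return traffic is left to a stateful firewall).

```python
# Added example: audit a zone firewall policy against the outbound-VDI model.
# Zones, ports and both rule sets are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str     # source zone, or "any"
    dst: str     # destination zone, or "any"
    port: str    # TCP port, or "any"
    action: str  # "allow" or "deny"

DISPLAY_PORT = "3389"  # assumption: the remote display protocol listens here

def decide(rules, src, dst, port):
    """First matching rule wins; no match means deny (new connections only)."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, "any"):
            return r.action
    return "deny"

def audit(rules):
    """Return every way the rule set breaks the isolation the model relies on."""
    # Probe each port a rule names, plus "other" standing for all unnamed ports.
    ports = sorted({r.port for r in rules if r.port != "any"} | {DISPLAY_PORT, "other"})
    findings = []
    for p in ports:
        if decide(rules, "internal", "internet", p) == "allow":
            findings.append(f"internal reaches internet directly on {p}")
        if decide(rules, "vdi", "internal", p) == "allow":
            findings.append(f"vdi can open connections to internal on {p}")
        if p != DISPLAY_PORT and decide(rules, "internal", "vdi", p) == "allow":
            findings.append(f"internal reaches vdi on non-display port {p}")
    if decide(rules, "internal", "vdi", DISPLAY_PORT) != "allow":
        findings.append("display channel from internal to vdi is blocked")
    if decide(rules, "vdi", "internet", "443") != "allow":
        findings.append("vdi has no internet access")
    return findings

ISOLATED = [Rule("internal", "vdi", DISPLAY_PORT, "allow"),
            Rule("vdi", "internet", "any", "allow"),
            Rule("any", "any", "any", "deny")]

LEAKY = [Rule("internal", "vdi", "any", "allow"),        # more than the display channel
         Rule("vdi", "internal", "445", "allow"),        # file return path into the core
         Rule("internal", "internet", "443", "allow"),   # direct browsing still possible
         Rule("vdi", "internet", "any", "allow"),
         Rule("any", "any", "any", "deny")]

if __name__ == "__main__":
    for name, rules in (("ISOLATED", ISOLATED), ("LEAKY", LEAKY)):
        print(name, audit(rules) or "no findings")
```

Run against an exported rule set during design review and again after each change, so that convenience exceptions such as a file return path show up as findings rather than as silent loss of isolation.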

An outbound VDI may be the ideal solution for a number of situations. First, for organizations that have strict internet policies and aggressively block risky content, users may currently be unable to take advantage of external collaboration capabilities, virtual training, social media, webmail or research sites that have been blocked to prevent exposure to potential threats. An outbound VDI can solve this problem by allowing access to these types of risky resources while preventing exposure to internal systems and data. At the other extreme, organizations that are currently very open to dangerous internet resources but that want to mitigate the risk can also benefit from an outbound VDI implementation. In this case, users can still be allowed to access the risky resources by using the isolated virtual systems outside of the core network, thereby eliminating the direct risk to internal systems and data.

If implemented correctly, an outbound VDI solution can allow full access, or any level of access desired, without exposing internal enterprise assets or data. Access can be permitted to resources otherwise determined to be too risky, such as personal email, social media or high-risk domains. This architectural solution protects internal resources from unknown threats as well. Users can even be permitted to download and install programs or other executable files because any malicious content will only impact the temporary virtual system. In the event that the external virtual system is compromised, damage is limited to that single virtual system, which can simply be blown away and reimaged at any time.

While there are many benefits, outbound VDI technologies also present a number of challenges. For starters, correct implementation is critical. In order to properly implement an outbound VDI, up-front planning is required, and associated budgets must be properly allocated. Additionally, the benefits of isolating virtual systems also present some unique challenges. For example, if only mouse and keyboard instructions are permitted from internal systems to the outbound VDI, users will be unable to copy items such as links to online meetings from their internal system to the virtual environment. Returning files or content determined to be of value or interest from the VDI to the corporate environment for printing or future use is also a challenge.

To ensure a successful implementation of an outbound VDI, identifying and documenting the architecture is essential. It is critical to remember that the purpose of an outbound VDI is to provide isolation of internal corporate resources and data from the untrusted internet and associated risks. Instead of attempting to solve every possible challenge with an initial implementation, IT managers should start small and avoid scope creep. Documented requirements are important and should be the basis for all architectural decisions. Also remember that an outbound VDI solution can protect internal system resources from internet threats, but there still may be a need to monitor or restrict usage from the VDI environment for inappropriate use or productivity loss. A VDI solution can significantly improve the security posture of an organization, but it should not be considered a replacement for most existing cybersecurity tools and capabilities.

In the scenario where an outbound VDI solution gives users access to previously restricted internet content, IT managers should be prepared for wide growth and adoption by users. For environments where previous access to risky internet content from internal systems is being mitigated by an outbound VDI, users may not understand why they are being forced to do things differently. After an outbound VDI is implemented, they may need additional training to reinforce the new way of doing business. In both scenarios, and the many in between, an outbound VDI solution can significantly reduce the risks of internet threats to internal corporate systems and data while maintaining the benefits of internet access.
