Sunday, October 10, 2021

Securing Horizon With Cloud Hosted Workspace ONE And Carbon Black

For over a decade VMware's VDI solution has served up on-premises Windows desktops to remote Windows and Mac devices.  While the original solution at its core has stayed relatively the same, the ability to secure Horizon sessions through a tightly integrated SaaS stack represents a dramatic shift.  Using cloud instances of Workspace ONE Access, UEM, Intelligence and Carbon Black customers wrap comprehensive security around an already stellar remote Horizon user experience.   The cloudiness of these offerings means this security is easily layered onto existing Horizon environments non-disruptively, with minimal on-premises footprint. 

Base Image Stolen From Andreano "The Moose With The Juice" Lanusse

This ideal remote access scenario begins with Horizon making virtual desktops and published applications available to the external world through Unified Access Gateway.  Authentication for these Horizon sessions is brokered by a cloud instance of Workspace ONE Access that enforces contextual authentication requirements through conditional access policies.  Workspace ONE UEM informs these policies with device posture insight, while also actively managing and securing these remote endpoint devices.  Additionally, Carbon Black provides Next-Gen Antivirus protection not only for Win10 or macOS endpoint devices, but also for the virtual desktops or RDS hosts remotely accessed through Horizon.   Finally, WS1 Intelligence pulls these solutions together, enhancing automation while further calibrating conditional access policies with information regarding anomalous or risky behavior. 

This post is a primer on how cloud instances of Workspace ONE and Carbon Black are layered onto Horizon deployments to beef up security for remote access.  It starts with a brief overview of Horizon remote access, then elaborates on the security enhancements provided by these cloud services.  I'll essentially break down and explain the image above with, yet, more stolen images!  Yes, for this post I've gathered some of the best images I've ever stolen, modified or otherwise used and abused in the name of love and technical clarity.  After using these images to illustrate the security enhancements enabled for Horizon from the cloud, I’ll move on to review VMware’s Secure Access, a key component of the Anywhere Workspace offering.  VMware Secure Access offers an interesting alternative to Horizon, one that extends the benefits of SD-WAN and SASE to a less centralized remote access deployment. 

Delivering Windows Desktops Or Published Applications Through Horizon

Stolen From Todd Dayton

The above graphic presents a rudimentary but conceptually useful breakdown of VMware Horizon.  To begin with, you have a desktop or RDSH image living within a VM, supported on the same vSphere technology used for traditional server workloads.  A Horizon Connection Server, very much the brains of a Horizon deployment, has full admin access to this vSphere environment, using those rights for provisioning and inventory purposes.  This Connection Server also acts as a broker for incoming connections, routing users to their assigned desktops or RDS hosts after they've been authenticated.  User's eventually view and remotely control their desktops or published applications through display protocols like Blast or PCoIP. 

So, to extend vSphere goodness to desktops we've had to bring the desktops to the vSphere infrastructure, with the desktop OS and supported apps shifting locality from the endpoint to the datacenter.  From there, the Windows desktop is essentially converted into a service that can be consumed from pretty much any device that has network connectivity to the Horizon environment.  The benefits of this model really start to pop when folks are mobile or shifting across various devices.  While your device and network location may change, your virtual desktop stays the same, maintaining the Windows desktop session state.  This leads to a consistent and reliable user experience often referred to as a "Follow-Me" desktop, a concept that's been breaking hearts and taking names in healthcare for over a decade. 

With doctors and nurses highly mobile within the walls of a hospital this "Follow-Me" desktop experience really shines, especially when combined with a badge access solution like Imprivata.  As a 13 year veteran from the mean streets of non-profit healthcare IT, I'd say this user experience is impossible to beat when supporting clinicians and is what drives a lot of VDI adoption in healthcare.  Here's a quick demo: 

High mobility, along with the need to share work areas, make clinicians uniquely suited to benefit from this model.  That said, if you're an office worker with a dedicated cubicle and a dedicated workstation tethered to it, and all your work is done within that cubicle, then the "Follow-Me" desktop lacks wow factor.  However, as soon as you throw in any kind of mobility, even if it's just between cubicles, the question of, "Why bother with Horizon?" starts to melt away.  Throw in remote access from home, possibly in a BYOD scenario, and the question is completely obliterated.  In those scenarios, a "Follow-Me" desktop, one that follows you from work to home, then back, makes for the most ideal Windows user experience imaginable. 

Original Image From: Using Horizon To Access Physical Machines

The path these remote Horizon sessions take to your trusted network from user's homes is provided and secured through Unified Access Gateway.

Providing Remote Access To Your Horizon Service

Remote Horizon access is enabled through Unified Access Gateway (UAG), a Linux virtual appliance that's typically deployed in a DMZ.  It acts as a gateway for your external Horizon users, ensuring all traffic from the remote endpoint device to the virtual desktop or RDS host is on behalf of a strongly authenticated user.  Below is a depiction of Blast, Horizon's display protocol of choice, as it traverses a UAG appliance after successful authentication.  Encryption of this traffic is handled end to end for the entire session through the Blast protocol itself. 

Now, as far as the initial authentication goes, there's various options with UAG.  The default authentication method is passthrough against Horizon's local AD environment by typing in an AD username and password.  However, when Workspace ONE mode is enabled on Horizon Connection Servers, UAG passes SAML traffic for authentication instead, ensuring all Horizon Blast traffic passing through the UAG appliance is for users that have been authenticated according to conditional access policies defined in Access.  Leveraging WS1 Access in this fashion provides admins with the most flexibility and widest range of options when it comes to securing remote access to Horizon.

Brokering Authentication For Horizon Using Workspace ONE Access

Conversations around Workspace ONE Access typically focus on the portal and SSO experience it provides for Horizon and 3rd party SaaS apps.  What's often neglected is how WS1 Access acts as broker for different authentication methods as someone initially logs into the portal or accesses a specific app.  Through conditional access policies admins enforce contextual authentication against the various security solutions WS1 Access has been integrated with.  Auth requirements for any particular app will be determined by the specifics of theses policies and a user's current context.  App access may be a simple SSO experience or as complex as MFA from a fully enrolled and compliant device.  For a deeper dive on conditional access polices and SAML check out this overview on youtube. 

Base Image Stolen From Peter Bjork

Several of the inbound authentication options detailed above are made possible through the deployment of a Workspace ONE Access connector in the customers trusted network.  This connector is key to an integration with an AD environment, syncing AD users to Workspace ONE access and providing the ability to authenticate to AD.  It also enables your tenants integration with on-premises resources such as your Horizon environments or security solutions that support RADIUS. Depending on the specifics of your deployment these WS1 Access Connectors may be the only necessary additional on-premises resources required for securing Horizon from the cloud. 

Now when it comes to integrating WS1 Access with 3rd party security solutions, SAML chaining allows for integration with popular names like Okta, Ping, Azure, as well as any other solutions that support SAML.   After configuring these 3rd party solutions as trusted IDPs for WS1 Access we can  leverage their authentication mechanisms for applications managed through Access.  Below is an example of this process for an Okta integration, something I'm seeing a lot of nowadays.  With a fully documented process for configuring Okta as an IDP, "Integrating VMware Workspace ONE With Okta,"  it's a very accessible option for Workspace ONE customers who already leverage Okta for MFA.  

WS1 Access is basically integration goo, allowing you to integrate Horizon, or any other SAML compliant apps, with whatever security solutions you already have in place.  By linking up with these 3rd party solutions we enjoy a richer set of conditional access policies, as we pick and choose amongst various auth requirements for Horizon across different use cases and scenarios.  This ability to integrate with the security solutions customers are already using to protect their environments makes WS1 Access truly compelling.  You end up with something a bit motley and Frankenstein-ish, or pickle-Rick-ish if you will,  but arguably that's sort of unavoidable when you're stitching together disparate solutions from across your enterprise.  

A WS1 Access deployment is only as interesting as the solutions it's been integrated with.  While support for SAML and RADIUS integrations with 3rd parties offer many alternatives,  where things get really exciting is with the built-in support for Workspace ONE UEM.  When looking at the Inbound/Outbound graphic above, mechanisms like, "Certificate," "Mobile SSO For Android," "Mobile SSO For iOS," and "Device Compliance," result from the integration between Workspace ONE Access and Workspace ONE UEM.

Informing Conditional Access Policies With Device Status Insight From UEM

When Workspace ONE Access and UEM are integrated Horizon access can be predicated on enrollment or even device compliance. This leads to a much more discerning, richer set of conditional access policies.  Essentially, we're taking WS1 Access conditional access policies and juicing them with UEM insight, leading to more informed polices to drive contextual authentication.

Stolen Image From Andreano Lanusse

This progression towards zero trust begins with the various certificate based authentication options supported by the integration of UEM and WS1 Access.   Going back to the Inbound/Outbound graphic of the previous section, the arrows for, "Mobile SSO for iOS," "Mobile SSO for Android," and "Certificates," for Win10 and macOS, are enabled through the integration of WS1 UEM and Access.   While these methods are enforced through Access, the certificates are delivered through UEM, effectively mandating device enrollment in UEM for access to Horizon.  Further, "Device Compliance," can only work in conjunction with one of these authentication methods.  So, in the case of modern management, we're talking about a combination of Certificate auth through WS1 Access, certs delivered through UEM, as well as UEM device compliance policies for Win10 and macOS.  

While device compliance policies wonderfully highlight the ability to interrogate devices with UEM, WS1 UEM enrollment actually MAKES devices more secure.  It's not just about interrogation, but also the ability to help the device course correct and achieve a secure posture.  The nitty gritty, under appreciated work that is, none the less, absolutely critical to security, like patching, firewall configuration,  device encryption and general configuration management falls right in the wheelhouse of WS1 UEM.  So along with vouching for the state of the device it's also literally making it more secure.  This management and control is further extended through an integrated deployment of Carbon Black, a Next-Gen Antivirus solution for Win10 and macOS.

Carbon Black

While UEM management addresses security concerns from the perspective of system configuration and maintenance, Carbon Black addresses security head on when it comes to fighting off hackers, malware and Ransomware.  Core to the suite is cloud based Next-Gen antivirus and behavioral EDR, with an option to fall back to more traditional signature protection.  Carbon Black's NGAV and EDR entail the application of machine learning and AI against data aggregated from millions of customer endpoints. We're talking over 500 TB of endpoint data, over 1 Trillion events a day, getting reported to and processed in the Carbon Black cloud.  This insight is then brought to bare when controlling behavior on endpoint devices.

While cloud is core to Carbon Black's security insight, it has the added benefit of making Carbon Black easier to deploy and manage.  For a typical customer there's zero on-premises infrastructure to be concerned with.  You have a cloud tenant to configure and an agent to deploy to your Win10 or macOS devices and that's the extent of your concern.   For Horizon VDI environments you can simply add the agent to your gold images and you're off to the races. For endpoint devices Workspace ONE UEM itself can easily distribute the agent to managed endpoints.  

Workspace ONE Intelligence and VMware Carbon Black: Automating Device Quarantine Feature Walkthrough

Even more exciting is the ability to trigger actions in Workspace ONE UEM based on threats detected by Carbon Black on managed endpoint devices.  So, for example, if a threat is detected on a device not only can Carbon Black respond, but additional measures can be automatically executed through WS1 UEM to remediate the endpoint.   This is made possible by WS1 Intelligence and the ruthless automation it can enable for  WS1 environments.  

Workspace ONE Intelligence - Gelling It Together Even Further

For this ideal remote access Horizon scenario, Workspace ONE Intelligence introduces ruthless automation while also informing conditional access policies with User Risk Scores and Login Risk Scores.  As mentioned above, we can trigger automated workflows within Intelligence based on threats detected by Carbon Black.  We can also trigger this automation based on device info gather from WS1 UEM, which includes over 200 data points.  Should you require data not collected by UEM out of the box, you can collect additional attributes using custom Sensors for your modern management scenarios.  Sensors enable this extensibility using PowerShell scripts on Win10 or bash, python and Zsh scripts on macOS.  

The data collected within the Intelligence data lake drives ruthless automation that ensures Win10 and macOS devices are properly configured.   This data is also leveraged to generate User Risk Scores and Login Risk Scores ingested by conditional access policies.  In this manner, WS1 Intelligence Risk Analytics enable WS1 Access to calibrate contextual authentication with data regarding anomalous or risky behavior.   

VMware Anywhere Workspace 

Cloud instances of WS1 and Carbon Black offer existing Horizon customers a clear path forward for enhancing security.  However, if Horizon isn't viable but you still have a remote use case you'd like to enhance with the security capabilities  discussed so far, then you probably want to check out VMware's Anywhere Workspace. Workspace ONE and Carbon Black are core to the Anywhere Workspace solution and can enhance VMware Secure Access with some of the same benefits they lend to Horizon. Secure Access marries together Workspace ONE with VMware's SASE solution based on SD-WAN by VeloCloud, offering an alternative that overlaps with remote Horizon access but, more notably, enhances connectivity and security for remote endpoints from the cloud. 

Where Secure Access first differs from Horizon is that instead of providing remote connectivity to a desktop or RDS host back in the datacenter, you're running applications locally on your modern managed Win10 or macOS devices. Workspace ONE UEM can provision these applications as well as provide them remote access back to your trusted network through Workspace ONE UEM's Per-App VPN.  With this model a TLS session is automatically established back to your trusted network for specific applications based on device compliance policies.  This is ideal for a traditional client/server application running locally on your endpoint or perhaps a browser hitting an internal site.  Per-App VPN has always distinguished itself from traditional VPN solutions by limiting VPN connectivity to specific defined apps, rather than the whole device.  Further, it simplifies access because there's no need for a user to manually launch a VPN client. Instead, a TLS session is automagically established on behalf of the users when the enabled app is launched.

Deploying VMware Workspace ONE Tunnel: Workspace ONE Operational Tutorial

Per-App VPN has been part of the AirWatch portfolio for over half a decade, supporting modern management use cases for years.  Secure Access innovates by delivering this Per-App VPN capability through VMware's SASE offering, merging WS1 with VMware's SD-WAN solution. (Velo-Cloud). With this model instead of supporting Per-App VPN through VMware Tunnel on a UAG appliance sitting in the customers DMZ, the VMware Tunnel Service is hosted on behalf of the customer within SASE PoPs.   In a nutshell, VMware Tunnel is hosted as a service, in containers, simultaneously across various SASE PoPs.  Per-App connections are routed from the Tunnel app on endpoint devices to the closest SASE PoP, with most users able to find one within 10 milliseconds of latency.  Once traffic hit's this PoP the benefits of VeloCloud SD-WAN are extended to this VPN access, with optimized connectivity to corporate data centers as well as SaaS and cloud service providers.    

Along with enhancing network connectivity we're getting security enhancement from within the SASE PoP through Cloud Web Security.  This new offering introduces features like SSL inspection, URL filtering and content filtering.  So with the VMware Secure Access model you're not only farming out management of VPN concentrators or UAG instances, you're also moving traditional security security services from on-premises to the cloud.  Running these services within the SASE PoPs circumvents the need for hair pinning internet traffic back through your on-premises network for inspection, certainly a boon for remote performance.  

Though there's overlap between Horizon and VMware Secure Access capabilities, they are very different solutions with different strengths and caveats.  If you're looking to offer a highly curated Windows experience, particularly one that supports a traditional client/server app hosted internally, Horizon is compelling.  All that nitty gritty, unsexy, and persnickety Windows management, in particular customization of Windows applications, is centrally handled and managed by Horizon in a model that's over a decade old. Further with Horizon itself supporting SAML, you're extended the full breadth of WS1 Access capabilities when protecting legacy Windows applications. That said, VMware Secure Access is certainly an intriguing proposition, offering optimized connectivity to corporate networks and the cloud while moving security services closer to remote users.  Ideally, as a customer I'd want Horizon around for the more meticulous Windows requirements, while leveraging Secure Access for everything else.  


Final Thoughts

A couple months ago I presented this best case scenario for remote Horizon access to a session full of jaded, cynical and curmudgeonly IT veterans.  As we digested the current state of the entire VMware EUC stack regarding remote access, I think our collective experience was similar to a parent who has just realized, "holly cow, my baby has grown up and baby is bad!"  While VDI over the last 5 years, at its score, has stayed largely the same, albeit with tons of polish and stability enhancements, the methods for securing its remote consumption have very much changed and evolved. A decade ago it was all about, "slap a horizon client on whatever you want, no data will be at rest on that remote device, so, don't worry, be happy." Fast forward to 2021, we can now ensure that a device remotely accessing Horizon is absolutely secure and virus free, while authenticating a user from that device according to a wide range of contextual authentication options. This is all achieved leveraging mature and proven solutions delivered from the cloud, services that not only radically improved remote Horizon security but are also the foundation of VMware's new Anywhere Workspace offering.  

VMworld 2021 Announcement

Several VMworld 2021 announcement regarding futures certainly shore up the already impressive story covered in this post.  Continuous authentication, enhanced conditional access policies and support for Horizon on SASE show a lot of promise and further reenforce overall confidence in the VMware remote access vision.  Additionally, cloud driven enhancements for simplifying on-premises Horizon management further elucidates a general trend of, "if you can't bring desktops to the cloud, bring cloud services to the desktops."  I only failed to mention these announcements till now because, as a drearily sane engineer from healthcare IT, if a technology wasn't at least 6 months old, I just couldn't take it seriously.  Along those lines,  everything covered in this post up till this section is grounded in the here and now of what is GA'd and available.  Yes, there are some shiny improvements on the way, but there's plenty to be accomplished with the stack as it stands today.