This document describes how Workspot combines battle-tested security with reliable, high-performance VDI. The platform is accepted and used by highly regulated organizations, including thousands of demanding, multi-monitor, graphics-intensive CAD design engineers globally, over the past 6+ years.
About Workspot
Workspot is the Enterprise VDI Platform engineered for simplicity, allowing users to access virtual desktops and apps from your datacenter and public clouds, and any combination thereof, to any device. The Workspot Enterprise VDI Platform is a cloud-native solution designed from the ground up to radically simplify now-outdated VDI while sharply reducing the cost of end-user computing (EUC). This modernized VDI approach, designed to take full advantage of private/public multi-cloud environments, has proven to be a high-return IT investment in multiple real-world implementations.
For operational simplicity and security without compromise, and with unmatched flexibility needed to address all your use cases, Workspot has you covered. A key tenet of Workspot’s approach is to bolster security without sacrificing performance (and thus end-user experience) and reliability. IT organizations around the globe know that unhappy users result in low adoption and worse, the introduction of shadow IT, which can create severe vulnerabilities across an organization.
The Workspot Deployment Reference Architecture
The Workspot reference deployment follows best practices for cloud deployments. Referring to the diagram below:
Workspot “two box” deployment.
Workspot deploys in a “two box” model to enable high performance, security, and reliability. A “box” can be an Azure subscription, a Google Cloud project, and/or an Amazon Web Services account. The VDI box is peered to the rest of the cloud deployment. Workspot Control is given delegated authority to create and manage virtual machines only in its own box.
Firewall protects east-west traffic between the “boxes”
The “two box” model enables IT to place a firewall between the VDI and the rest of the organization’s cloud deployment, which may include a variety of workloads like database backup, storage resiliency, cloud-native apps, and other workloads. This approach follows best practices to isolate and secure separate sections of a cloud deployment.
Workspot Managed Gateways
Workspot Managed Gateways secure remote access to the VDI box. VDI users must authenticate with the gateways using authentication methods configured by IT.
Workspot Managed Gateways are deployed from your Workspot Control account in a redundant cluster of two to five gateways per cluster. Workspot Client users are automatically connected to the desired Workspot desktop or app through an available gateway associated with that desktop/app. IT can define as many gateway clusters as desired to appropriately isolate or segment traffic. Workspot Control automatically deploys gateways with multi-layer defense in the following manner:
Gateways are “locked down” so the operating system does not expose extraneous open ports or services. The Workspot Gateway Agent constantly monitors the state of the OS for unexpected changes, and the state of each gateway is shown in the Workspot Watch Real Time Operations Dashboard.
Gateways only accept domain-based credentials specific to your organization. Credentials in any other form, typical of brute-force and scripted attacks, are rejected automatically.
Gateways are designed to work with multifactor authentication and advanced identity providers (IDP) with OIDC tokens, ensuring a higher level of security while preventing any kind of replay attack. Workspot strongly recommends using Entra (formerly known as Azure AD) or IDP and OIDC tokens as a best practice because it removes the use of domain-based credentials and is thus more secure.
Gateways are deployed with IaaS best security practices for public IPs, including the use of Azure Network Security Group, Google VPC Firewall Rules, and AWS (Amazon Web Services) Security Groups.
Gateways are deployed in an isolated subnet. The Workspot Gateway Agent monitors all activity on both the public and the secured side of the gateway and records it, including successful and failed connections. Event data can be exported to the corporate Security Information and Event Management (SIEM) system.
Gateways are deployed with security suites, installed and configured to detect anomalies and attacks, which include:
• vulnerability management
• threat detection
• patch management
• compliance monitoring
• EDR (Endpoint Detection and Response)
Workspot can share more information on gateway deployment and security suites under NDA.
Gateways log, block, and alert the 24x7 Workspot Cloud Operations Team when attacks against a gateway are detected.
Security Verified by External Penetration Testing Lab
Workspot engages an external penetration testing (“pen test”) lab used by US Federal agencies, verifying the robustness of the Workspot Managed Gateways as described above.
The testing is conducted in accordance with Information Security Best Practices / GLBA and FFIEC IT security requirements, using methodology that aligns to industry best practices and PCI SSC specific guidance, including the following:
NIST (https://www.nist.gov/) SP 800-115, Technical Guide to Information Security Testing and Assessment (https://csrc.nist.gov/publications/detail/sp/800-115/final)
OWASP (http://www.owasp.org) Top Ten – https://owasp.org/www-project-top-ten/ – https://owasp.org/www-project-api-security/ – https://owasp.org/www-project-mobilesecurity/
Penetration Testing Execution Standard (PTES) (http://www.pentest-standard.org)
Payment Card Industry Information Supplement: Requirement 11.3 Penetration Testing (https://www.pcisecuritystandards.org/document_library/?document=infosupp_11_3_penetration_testing&archived=true)
Workspot can share the penetration test lab report under NDA.
Delivering High Performance and Reliability
The Workspot gateways are designed to use a public IP address on the public cloud to ensure performance and reliability, based on Microsoft requirements and detailed below. A public IP address is of course mandatory if Workspot Client users are to connect via the public Internet.
The Workspot Client automatically selects an appropriate gateway for the user’s desktop/application session, using an algorithm that distributes sessions across the appropriate available gateways and reconnecting to an active gateway if the user’s current gateway fails.
We are often asked about deploying an L3-L7 firewall with load balancers in front of the gateways. For performance reasons, each user session uses both a TCP and a UDP connection between the user and the VM. Because L3-L7 firewalls with load balancers lack session affinity across these two connections, they cannot guarantee that both are forwarded to the same next-hop gateway, which breaks the user session. In any event, sessions are already distributed across the available gateways by the Workspot Client.
Workspot Gateway’s Operating System Is Used by Millions of Users Daily
The Workspot Gateway uses a Microsoft RD Gateway running on Microsoft Windows Server, with layers of additional monitoring, control, and reporting managed by the Workspot Gateway Agent. Millions of users globally use the Microsoft RD Gateway daily. With this proven, strong track record, RD Gateways combined with best practices result in a highly secure solution.
Workspot’s Zero-Trust Access Control Model
Workspot’s approach to multi-layer security enables zero-trust access controls for users. Workspot’s layered security model enforces device, identity, user, and location compliance before a connection succeeds. This approach links Workspot’s big data to the corporate SIEM to verify zero-trust compliance and surface anomalies.
Posture Check
The Workspot Client can perform security posture checks and refuse to allow the user to connect to their Workspot desktops/apps if any of the checks fail. Posture Check is fully supported on the Workspot Windows Client, and can check for compliance with the following requirements:
o Windows version: The minimum release number for Windows 10 and 11.
o Windows Update: How out of date the operating system is compared to the latest Microsoft Update patch.
o Antivirus Enabled: Whether an antivirus package is currently running.
o Firewall Enabled: Whether a firewall is currently enabled.
o Connected via Wi-Fi: Some organizations allow only wired network connections.
o Running in a VM: Some organizations do not allow end users to run Windows in a virtual machine.
o Connection Origin (geolocation): Whether the Client is running in an allowed (or disallowed) country. (Note: this feature is not currently available.)
o Domain Joined: Whether Windows is joined to a mandatory AD domain, for example on a corporate-managed PC.
o Processes/Services: Whether specific processes and services are running.
o Custom Script: Whether an optional custom script reported success.
In addition, Posture Check for mobile devices prevents any jailbroken device from launching Workspot.
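As an added illustration of how such a client-side posture check can be implemented (this is not Workspot’s client code), the following PowerShell function evaluates the Windows requirements listed above and returns a per-check result plus an overall verdict. The thresholds, the required-process name and the VM-detection heuristic are assumed example values; the geolocation and custom-script checks are left out.

```powershell
# Added example (not Workspot's own code): evaluate device posture on Windows.
# $MinBuild, $MaxPatchAgeDays and $RequiredProcesses are assumed example values.
function Test-DevicePosture {
    param(
        [int]      $MinBuild          = 19045,        # assumed: Windows 10 22H2 build
        [int]      $MaxPatchAgeDays   = 30,           # assumed: max age of last hotfix
        [string[]] $RequiredProcesses = @('MsMpEng'), # assumed example process name
        [bool]     $AllowWiFi         = $false,
        [bool]     $AllowVM           = $false,
        [bool]     $RequireDomain     = $true
    )
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = [System.Environment]::OSVersion.Version
    $results = [ordered]@{}

    # Windows version: the OS build number must meet the minimum release.
    $results['WindowsVersion'] = $os.Build -ge $MinBuild

    # Windows Update: age in days of the most recently installed hotfix.
    $lastFix = Get-HotFix | Where-Object InstalledOn |
               Sort-Object InstalledOn -Descending | Select-Object -First 1
    $results['WindowsUpdate'] = [bool]$lastFix -and
        ((Get-Date) - $lastFix.InstalledOn).Days -le $MaxPatchAgeDays

    # Antivirus enabled: Security Center lists AV products; bit 0x1000 of
    # productState is the commonly documented "enabled" flag.
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
          -ErrorAction SilentlyContinue
    $results['AntivirusEnabled'] = [bool]($av | Where-Object { ($_.productState -band 0x1000) -ne 0 })

    # Firewall enabled: every Windows Firewall profile must be switched on.
    $results['FirewallEnabled'] = -not (Get-NetFirewallProfile | Where-Object { -not $_.Enabled })

    # Connected via Wi-Fi: any active 802.11 adapter counts as a wireless connection.
    $wifi = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.PhysicalMediaType -like '*802.11*' }
    $results['WiFiPolicy'] = $AllowWiFi -or -not $wifi

    # Running in a VM: heuristic on hypervisor flag and model string (also true on Hyper-V hosts).
    $isVM = $cs.HypervisorPresent -or ($cs.Model -match 'Virtual|VMware|VirtualBox')
    $results['VMPolicy'] = $AllowVM -or -not $isVM

    # Domain joined: the machine must be a member of an AD domain when required.
    $results['DomainJoined'] = (-not $RequireDomain) -or $cs.PartOfDomain

    # Processes/Services: every required process must currently be running.
    $running = (Get-Process).Name
    $results['RequiredProcesses'] = -not ($RequiredProcesses | Where-Object { $_ -notin $running })

    [pscustomobject]@{ Compliant = -not ($results.Values -contains $false); Checks = $results }
}
Test-DevicePosture
```

A client that enforces posture would refuse the connection whenever Compliant is false and report the failing check names to the user and to the SIEM.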
Strong Authentication
Workspot Client leverages corporate identity and authentication mechanisms, including biometrics and YubiKey. Workspot strongly recommends using Entra or IDP and OIDC tokens as a best practice because it removes the use of domain-based credentials, and is thus more secure.
Leveraging the IDP’s conditional access for additional control prior to Workspot Client connecting to the network lends additional strength.
Workspot Lock Down Mode
Lock Down Mode allows administrators to isolate the data in Workspot desktop and app sessions to the Workspot cloud, preventing end-users from transferring information from their Workspot desktop/apps to their local device, as follows:
Saving, copying, cutting, pasting, screen capturing, and so on from the Workspot resource to the local device is blocked.
The Workspot desktop windows cannot be minimized or restored. To regain access to the local desktop, the user must close the Workspot Client session.
Granular Security Policies
IT can configure multiple security, network, and device policies based on requirements. Fine-tuned policies can be set based on user location, resource, and the resource’s location, allowing complete and granular control based on a range of factors. For example, a single user can be managed by multiple security policies:
All Admin and User Connections Logged
All sessions, including administrative access, to VMs are logged.
Leverage Workspot Data in Corporate SIEM
Sending the data Workspot collects to the SIEM helps verify that the Zero Trust model is operating correctly, and the security team can be made aware of any anomalies that surface.
Securing End-User Remote Access – From Anywhere
Workspot is the Enterprise VDI Platform engineered for simplicity, security, performance, and reliability – without compromise. Workspot’s multi-layered approach to security has been battle tested by multiple highly regulated companies with critical workflows over the past 6 years. Workspot simplifies and modernizes VDI and can help any organization extend and optimize its overall zero-trust security profile.