VMware Horizon Modernizing VDI and DaaS Workspace Security

Using the VMware Ecosystem to Extend Security for VDI and Apps

Over the last decade, many roads have led organizations to deploying virtual desktop infrastructure (VDI) and virtual apps. Specific industries, like healthcare and financial services, have gravitated towards VDI and apps due to compliance reasons. Other customers began using VDI and apps based on market trends like the rise of BYOD and GPU-based computing. And most recently, as employees were forced to work from home in 2020, many organizations turned to VDI and apps to provide employees secure access to corporate resources from anywhere.

Desktop and app virtualization have changed how IT thinks about managing and presenting apps and data to employees. Centralized management of virtual desktops and apps using VMware Horizon is similar to how traditional PCs and laptops are centrally managed via systems management tools. Unlike traditional PCs or laptops though, where the execution occurs, or where workloads actually run, is also centralized with desktop and app virtualization. Because of this centralized management and execution nature, VDI and virtual apps can secure data at rest, as IT admins can minimize data loss occurring at the endpoint accessing a virtual environment. Centralized patching can also help IT deploy patches quicker than compared to traditional PCs and laptops, and with reduced likelihood of missing or delayed patches. Furthermore, Horizon combines Instant Clone Technology with App Volumes and Dynamic Environment Manager so that IT admins can provide trusted images to end users, or can quickly spin up a new, pristine images if, for example, a piece of malware is discovered in an existing virtual desktop.

Relying on centralized management and execution is just the beginning of how desktop and app virtualization can play a huge role in securing remote access to corporate resources. With the rise of desktops and apps being delivered from the public cloud, IT must consider other opportunities to secure their environments, from infrastructure to client device. That’s where having end-to-end security coverage from a trusted vendor like VMware, with modern hybrid cloud technology like VMware Horizon, can help. Let’s show you how, by walking through the anatomy of a VDI and app deployment.

Building a Secure Foundation with SDDC Infrastructure

VMware Cloud Foundation is the underlying virtualized infrastructure that defines the VMware-powered software-defined data center (SDDC) stack, comprising various industry-leading products including vSphere, vSAN and NSX. With nearly 65% of the Worldwide Software-Defined Compute Software market share according to IDC, many customers rely on VMware for their foundation of delivering and hosting workloads, including virtual desktops and apps. In vSphere alone, security highlights span host security features such as Trusted Platform Module and Lockdown mode, to virtual machine encryption and guest OS security. Data at rest encryption is natively built into vSAN helps improve security within storage resources. And NSX for Horizon helps customers control VDI and app networking with security policies that help protect east-west traffic, or data in transit, in the datacenter and public cloud. These unique integrations between SDDC components and Horizon help strengthen security as we go up the hardware to software stack.

Endpoint Security Inside Virtual Desktops and Apps

With VMware Carbon Black Cloud, customers can identify, detect, and respond to the growing number of threats that physical endpoints face today. It only makes sense to extend these capabilities directly to virtual desktops and virtual apps, which is what we’ve uniquely done in a solution called Workspace Security VDI. This single-vendor solution combines Horizon and Carbon Black Cloud to help improve security posture and prevent attacks inside virtual desktop and app environments. And customers can avoid running multiple security point products as a result.

To learn more, read the VMware Carbon Black Cloud on Horizon VDI Installation Guide.

Security Across the Network

There are several components, including Unified Access Gateway (UAG) and NSX Advanced Load Balancer (Avi Networks) that span the network of a typical Horizon deployment and can help add layers of security to Horizon environments. UAG is usually installed in a DMZ and provides employees with secure remote access to Horizon virtual desktops and apps from an external network by directing authentication requests and controlling access accordingly. By placing an NSX Advanced Load Balancer in front of the UAG, not only can load balancing be controlled but web application firewall functionality can help centrally control security polices for firewall and DDoS protection. As with NSX, UAG and NSX Advanced Load Balancer can help secure data in transit across the network. And as customers move towards a hybrid cloud VDI and app model by leveraging the cloud-hosted Horizon Control Plane, services like Universal Broker can further help enhance brokering and user experience while maintaining security posture.

Device Security

Another part of the attack surface in a VDI and app environments is the actual device that is accessing the virtual desktop or virtual app. Some examples of these types of devices are refurbished laptops and mobile devices. Look no further than Workspace ONE UEM to help deliver security policies that harden physical endpoints. Policies such as configuring device passcodes, to factory wipe, device compliance and automated remediation, Workspace ONE UEM helps enable zero trust on any endpoint.


As you can see, VMware is in a unique position to help customers do more than just use VDI and virtual apps for security use cases, and instead can provide the complete breadth and depth in security that customers require today. As we move into a hybrid workplace the concept of the Anywhere Workspace will provide even more opportunity for greater employee productivity without sacrificing security, as we’ll be highlight in an upcoming blog.

To learn more about VMware Horizon, visit http://vmware.com/go/horizon.