Applying Windows Virtual Desktop Solution in a secure manner with Aufsite
The Challenge
As businesses, we’re facing unprecedented challenges as we deal with a pandemic. We’re scrambling to find creative ways to work remotely while also trying to plan for a long-term solution to avoid this mishap from happening again in the future. When Covid hit, most U.S. based, non-tech companies were ill-prepared for remote work or ever considered the possibility of it being a plausible solution. Particularly in the Health Sciences industry, remote work was frowned upon because of the security concerns it raised. With strict compliance and regulations, the complexity would deter most companies because the option of maintaining the data locally, as cumbersome as it was, was believed to be the safest way.
So the idea was, let’s host our clunky servers at a facility, pay for racking, stacking, power and all the maintenance fees that come along with it. Or worst yet, let’s keep the servers on premises and hire highly paid staff to maintain it for us. And when it comes to remote desktop solutions, you’ll need quite a few servers, expensive software and licensing (Citrix, terminal server, etc) and you need experts who understand it to make it a viable and stable solution for your workers. In retrospect, that idea makes little to no sense.
The idea of remote work is not something that spawned out of Covid. Quite the contrary, remote desktop solutions have been around for decades. However, under the advent and rapid progression of cloud, they have really become much more advanced. The fat has been cut and the new remote desktop solutions are streamlined, responsive, and most of all secure…if done right.
Let’s take a look at the difference in how remote desktop worked prior to the cloud solutions available now.
Until recently, a business would have to decide whether they’d like to have their infrastructure in house (in the office building) or hosted or collocated in a data center. For the sake of simplicity we’ll just call it “Hosting site” although each come with very different roles and responsibilities as we eluded to earlier.
As you can see in the diagram above, most of the responsibility falls on to the business. And by “responsibility” we mean the costs and management/maintenance which essentially add more indirect costs. What is hard to depict here are some of those indirect overhead costs of management that come along with each of those components so I’ll list some here:
- Compute
- Storage
- Networking
- Operating Systems
- Firewalls
- Routing
- Data Management and Encryption
What a lot of the above directly impacts is security. And in this model it is 100% the responsibility of the business. Furthermore, when it comes to compliance, the facility itself has to meet certain standards to be acceptable for hosting systems that contain medical records, personally identifiable information, etc. Those standards include restricted facility access, cameras, key cards, etc. The good news is that many of the software vendors are shifting their software, such as EMR, to the cloud. So what does that mean?
Essentially, that means the remote worker doesn’t have to connect to the business hosting to get to the application.
The major advantage is that the EMR is hosted and managed by someone else. The business does not have to bare the responsibility of keeping the application running, updating it, making sure it is compliant, etc. The business’ responsibility begins and ends with the remote workers laptop. As great as this seems, there is still a major concern with the remote user’s laptop. The user is remote and what that means is he or she can be in a Starbucks, an internet café or even in their own home, on an insecure network. The data they are getting from the EMR and possibly saving on to their laptop or emailing to their colleagues is now compromised. If they lose the laptop or it gets stolen, the data is compromised. The business spends a lot of money and time to manage inventory, keep those laptops up-to-date with security patches and configuring VPN clients for secure communication, and software such as Intune to remotely manage it. It’s a ton of work and as the remote workers grow, it becomes a larger overhead for the company to manage. So what is the best solution?
Enter WVD…
Windows Virtual Desktop is a Microsoft Azure product offering. It helps us to tackle exactly those challenges mentioned above in a secure and scalable way. Let’s take our Healthcare remote worker’s example in to the world of WVD…
Our Healthcare business decides they want to go down the route of shifting their users to WVD. They contact Aufsite and explain their requirements are as follows:
- The business uses a cloud based EMR which all remote workers need to be able to access from a secure system
- Some remote workers are nurses and they need access to a telehealth application currently hosted in their on-premise environment
- Not all users need a full desktop experience but some do. Some just need certain applications as mentioned above
- The data has to be fully encrypted at rest and in transit to meet compliance requirements
- The business already has Active Directory and group policies that they want to retain and integrate with the WVD solution
- Users need the ability to access the solution, from anywhere and on any device since the company is moving to a BYOD (Bring Your Own Device) model
So how is the WVD solution going to help this business get passed all the pitfalls we discussed above and meet those requirements? Let’s take a look at the solution Aufsite puts together.
The Solution
Aufsite runs a full discovery on the client’s environment and determines it is a good fit for Azure. They tested the client application in a proof-of-concept and validated its functionality in the Azure Cloud. Once that was confirmed the rest was a standard deployment.
Aufsite launched a virtual network in Azure and established connectivity with the Healthcare business’ on-premise location. Once the connection was established Aufsite extended the client’s Active Directory via AD Connect in to Azure. This would allow Aufsite to now launch virtual machines in the cloud and join them to the client’s AD domain on premise.
Aufsite then configured a Windows Virtual Desktop environment and added the required virtual machines to support the client users. The virtual machines were configured and imaged with the required applications (Telehealth and chrome browser to access the EMR). By creating Workspaces with Application Groups, Aufsite was able to create assignments for users based on their requirements. For example, the nurses who needed access to the Telehealth app were assigned to a specific application group while other users who needed access to run Chrome to access the EMR had their own application group.
All remote users were able to access the resources in one of two ways –
They could use a browser to connect to their workspaces or use the Microsoft Remote Desktop App. Via a simple setup by providing their existing AD login and password, the users would have access to their assigned resources in a secure manner. The group policies already defined in the client Active Directory were inherited to the new VMs that were added on the cloud network. And because this was a secure web based access, no VPN was required and devices such as Macbooks, linux machines, Windows machines, and Ipads all were acceptable.
Moreover, the business was able to take advantage of a Windows 10 Multi-session deployment which is only offered under Azure WVD. When comparing the option of going down the route of single session, Windows10, on-prem solution, the customer realized the tremendous savings. On average in an on-prem solution our customer would be looking at ~$40 per month per user. This does not include any of the direct/indirect costs we’ve discussed earlier. In the Azure solution, the customer was paying $7 per user. Aufsite used its host sizing recommendations to determine the requirements. By understanding the workload type, applications, and user type, Aufsite was able to confirm the maximum users per vCPU and instance types to right-size the solution.
All of the customer requirements were met and exceeded in many ways. They no longer need a team to manage their infrastructure and much of their tedious processes such as onboarding/off boarding, maintenance and patching had been reduced to simple two step tasks. Their capital expenditure dropped significantly as they move to an op-ex model.