Designing Your Enterprise’s End-User Computing Setup

Tal Zamir
March 31, 2021

In the first part of this article, I tried to portray the ideal characteristics of a trusted computing environment for users in the post-COVID world: future end-user computing should strongly isolate corporate assets, allow enterprises to adopt modern apps, with a blazing-fast user experience, on any device, anywhere, all in a scalable cost-effective way.

Most enterprises are not yet there and are struggling with one or more of these aspects. Furthermore, some enterprises are currently building or designing future IT architectures that would not meet these requirements. For example:

  1. Some enterprises are designing their end-user computing environment around Virtual Desktop Infrastructure (VDI) or Desktop-as-a-Service (DaaS) as the main desktop environment for users – both employees and external. However, this approach has severe flaws. First, it requires users to always be connected with a high-bandwidth, low-latency connection. Users who don’t have such a connection end up with a mediocre or bad experience in which every click and keystroke is agonizingly slow. Second, it requires a huge ongoing investment in high-end, expensive infrastructure, including high-end storage, networking, and compute resources – not to mention the IT staff needed to maintain this infrastructure and troubleshoot performance issues. Are there good enough reasons to pay a fortune and make users go through a remote desktop when most of their apps are cloud-based?
  2. Other enterprises let users access enterprise apps via a zero trust model in which users access web apps (and others) through a cloud-based security broker. This broker decides what type of access to grant users, per app, and based on device health, user risk, and other attributes. The main design flaw of this approach is that it doesn’t really isolate enterprise assets from endpoint threats: the same operating system mixes access to sensitive corporate apps together with personal/external/malicious apps. A single device compromise can let attackers take over enterprise data and apps. Note that device health checks do not fix this flaw as they cannot be trusted on a compromised operating system. Furthermore, for the vast majority of apps, zero trust only controls the initial access: once authenticated, attackers on the device can just ride your authenticated session to do anything they wish with that app; files saved locally by the user can be exfiltrated; human error can paste data into social networks, etc.


There’s a better future-ready design that enterprises can implement today. It is now possible to instantly provision local, lightweight, and isolated VMs on every laptop. By having such a local VM, we can have the best of all worlds. Enterprises can decide which type of isolation to apply to each type of app:

  • No isolation
  • Local isolated VM
  • Remote isolated VM

For example: users may access personal and non-sensitive apps locally with no isolation, most business apps will run in a locally isolated VM, and super-sensitive legacy apps will run on a remote desktop via DaaS. This kind of setup will actually allow users to use their own personal laptops to securely and efficiently access any enterprise app, be it next-gen video conferencing apps, cloud-based collaboration tools, or the Office app suite.

Wherever users are, they always get a local, native experience with no latency, even offline. From the cost perspective, the ability to immediately spin up local VMs in a distributed manner dramatically reduces enterprise cost and makes end-user computing scalable by design.

Hysolate allows enterprises to get their hands on such locally-isolated VMs today. There are many aspects that make Hysolate’s local VMs completely different from past attempts, including:

  1. The VMs are instantly deployed – it requires just 5 minutes on a user’s device (total time) to get started.
  2. The VMs do not require IT to manage/patch another enterprise OS image – the VM OS inherits the patching level of the host OS.
  3. From the user’s perspective, the VM looks just like another desktop / space on your laptop. Users don’t need to know anything about VMs – it just works.
  4. Hysolate automatically launches apps/documents in the right zone (either in the VM or not), so that users don’t get confused.
  5. Hysolate isolates every aspect of the VM – including the isolation of memory, CPU, disk, network, keyboard, display, USB devices, printers, etc.
  6. All of the VM’s policies, including all security policies, are cloud-managed via an easy enterprise cloud console.
  7. The VM is optimized to not take any overhead when not in use and to take just enough memory when in use, including optimizations for video conferencing, CPU scheduling, graphics acceleration, etc.

It’s time to create a win-win situation for users, security, and IT. You don’t have to choose between security and productivity, or between local and remote desktops. We believe locally isolated VMs will become a standard OS feature in our endpoints, empowering people everywhere to work in a secure and productive manner.


Tal Zamir

Tal is a 20-year software industry leader with a track record of solving urgent business challenges by reimagining how technology works. An entrepreneur at heart, he has pioneered multiple breakthrough cybersecurity and virtualization products. Before founding Hysolate, Tal incubated next-gen end-user computing products in the CTO office at VMware. Earlier, he was part of the leadership team at Wanova, a desktop virtualization startup acquired by VMware. Tal began his career in an elite IDF technology unit, leading mission-critical cybersecurity projects that won the prestigious Israeli Defense Award. He holds multiple US patents as well as an M.Sc. degree in Computer Science, and the honor of valedictorian, from the Technion.