Cloudflare menaces virtual desktops with isolated browser access to internal networks
Gives cloudy email a kicking, too – but VDI should be safe in its bastions
Cloudflare has added the ability to access private networks to its browser isolation service, and suggests the combo represents an alternative to virtual desktop infrastructure.
Browser isolation requires organizations to have a Cloudflare Zero Trust account, and to install a client on users' devices. Cloudflare runs a browser in its cloud and users browse as usual – but Cloudflare intervenes so that users don't make it to whichever web server they intend to visit.
Cloudflare browses to the server and then redraws the web page on the client browser. The user's device therefore never touches the web server, so anything nasty on a page is snuffed out by Cloudflare in its cloud instead of poisoning a local PC.
Last Friday, Cloudflare added private network access to the service, meaning browser isolation can be applied to in-house web apps as well as the wider web.
Why bother using a cloud browser to access a private network? Convoluted as it sounds, Cloudflare argues that it's less complex than the virtual desktops many use to provide a secure remote browser.
"With most Virtual Desktop Infrastructure (VDI) users connecting to a remote desktop just to open a web browser, VDI's utility for distributing applications is really no longer needed," asserts Cloudflare's product manager Tim Obezuk, adding VDI "has become a tremendously expensive way to securely host a web browser."
He's not wrong. VDI requires complex rigs to operate reliably and requires some overprovisioning to handle the "boot storms" that occur when many users log on at the start of a working day. Those rigs are cash cows for VMware, Citrix, Nutanix, Dell, HPE, Lenovo, and others.
They've become cash cows despite the fact VDI is sometimes overkill. But in many other cases virtual desktops are worth the hassle because they give users access to applications not hosted in browsers, or preserve legacy apps, or offer elastic desktops to cope with demand surges, or give highly regulated organizations the kind of control they need.
Such regulated organizations will read Cloudflare's suggestion that browser isolation means BYOD devices can replace VDI, acknowledge the possibility, and point out that user-managed anything is inconceivable in their worlds.
But Cloudflare clearly sees some upside in browser isolation, as shown by another launch from last week – of email link isolation so that clicks to links from email invoke isolated browser sessions. Again, any nasties execute within Cloudflare's infrastructure, not yours. That's a handy extra layer of email security.
Which translates into more pressure on VDI vendors, who already have Microsoft's Windows 365 Cloud PCs to worry about, not to mention AWS's ever-improving Workspaces. One thing VDI vendors don’t have to worry about, at least when using on-prem rigs, is Cloudflare isolating millions of browsers by breaking the cloud – as happened last week. ®