VDI Broker Security Analysis Q4 2022
We wanted to look at some of the top VDI Brokers out there and look at them from a security perspective only. There are so many “it depends” functional and features differences between each broker that will determine which solution may be better for your company based on the number of user requirements, datacenters and hypervisor, and cloud choice. Ruben Spruijt and Jurjen van Leeuwen did a couple of Citrix Synergy at BriForum events with these types of sessions. Their focus is on the big questions like which OS has better density, which optimizations, and which Application Virtualization and Antivirus solution impacts virtual desktop deployments. We hope this pays ohmage a bit to the greats before me on at least the security angle when comparing these solutions.
Links for the VDI Smackdown series published with PQR by Ruben Spruijt and Team back in the day. The detail Ruben and his team went through their process always amazed me, and then their presentations on the topics too. So many of the links below are still relevant today in our Windows 10 and Cloud world because every system and addon has its pros and cons for the users and administrators and, from my point of view, security.
Sample Smackdown Documents
- http://www.projectvrc.com/white-papers
- https://www.miru.ch/images/2010/07/vdi-smackdown.pdf
- https://docplayer.net/8731558-Application-virtualization-smackdown.html
- https://docplayer.net/8731846-Vdi-smackdown-version-2-1.html
- https://docplayer.net/5415975-Vdi-smackdown-author-s-ruben-spruijt-version-1-22-date-april-2011.html
- https://www.logitblog.com/project-vrc-the-impact-of-antivirus-on-vdi/
Broker Security Review Goals
Which one has the most secure default policies?
So many deployments are installed with many defaults in session policies and other settings within the product. With the applications usually in the driver’s seat, small and large deployments with their primary goals being compatibility and performance security are usually an afterthought. With so many brokers having so many settings and options, it’s straightforward for them to be overlooked too. It would be ideal if the VDI Brokers blocked all input/output session policies and allowed easy policy deviations to enable those access points.
Which one has the best accompanying security features?
Since VDI becomes a critical part of a company’s workflow typically when deployed as it’s the conduit to applications and data for users. In this area, we look at what features outside of the default session policies are available from the vendor to help secure your deployment more. Most of these security features are add-ons from many vendors and are not installed\configured by default which is why we have this section. The effectiveness of these features will vary, but they will add more security to your deployment too.
Broker Security Candidates Evaluated
Amazon Workspaces, Citrix Apps & Desktops, Microsoft Azure Virtual Desktop (AVD), Nutanix Frame, VMware Horizon, and Workspot were chosen for this first round. We have worked with all of them in a production deployment. We also worked with them in the data collection process, and we know some pleased clients with these solutions.
Virtual desktops have been growing since 2007, but since the COVID-19 pandemic, the increase in work from home has grown exponentially. This growth has expanded the VDI deployments in 2020 faster than since its desktop OS releases from Citrix and VMware 2007-2010. While this work-from-home expansion has been happening, another major threat has expanded with more remote code execution vulnerabilities and data breaches, helping attackers get in easier. Therefore, we wanted to look at the security differences between these solutions.
Default Policies
Below are some of the default policies for each solution. We have also noted the possible severity of each of these solutions. Your industry and use case will determine how accurate the categorization will be for your deployment. We looked at the policies based on the severity of data loss and file transmission within a VDI session. If every policy were scored equally in severity, then that wouldn’t be fair either. How can allowing Audio redirection to be the same severity as mapping the local drive to the endpoint, where you are just a drag-and-drop away from data leaving the system?
Clipboard Control (Severity-High)
In many cases copying from the Client to Server is only required for many to work. We would like to see a specific policy that allows it only for whom it is needed so audit reports can be created with the list of users with this ability within the VDI session.
| Amazon Workspaces -PCoIP\NiceDV | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| Allowed (Bi) | Allowed (Bi) | Allowed (Bi) | Allowed (Bi) | Allowed (Client to Agent Only) | Allowed (Bi) |
VMware is more secure by default with its restriction of allowing the directionality to the virtual desktop but not the other way to the endpoint. All the other Brokers are very similar, with bi-directional clipboard access.
Clipboard Format Control (High)
In most cases, you may only need to allow just text data.
| Amazon Workspaces -PCoIP\NiceDV | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| N/A | Blank | N/A | Text Only (Default, No Policy) | Blank | N/A |
Nutanix is more secure by only allowing text formats, but the policy cannot be customized. Then Amazon, Microsoft, and Workspot not having the ability to control clipboard formats.
Finally, Citrix and VMware are the same without any restrictions in clipboard formats.
File Drag and Drop and HTML Client Upload\Download (High)
This is an excellent feature to make the movement of files more effortless, but we don’t think this should ever be allowed by default, primarily based on other brokers and their requirements for client drive mapping.
| Amazon Workspaces -PCoIP\NiceDV | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| N/A | Allowed | N/A | Allowed | Allowed | N/A |
Amazon, Microsoft, and Workspot are more secure due to feature omission. Then Citrix, Horizon, and Nutanix are the same by default allowing these easy file transfers.
Client Fixed Drive Mapping (High)
This is a prevalent setting, but we wish it were also disabled by default to prevent a file transfer to a possibly untrusted endpoint.
| Amazon Workspaces -PCoIP\NiceDV | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| Prohibited | Allowed | Prohibited | N/A | Allowed | Prohibited |
Amazon, Microsoft, and Workspot are more secure, with this feature prohibited by default. Then Nutanix not having this feature currently also helps their security stance by feature omission. Finally, Citrix and VMware have enabled it as they have the most concurrent users and settings history.
Client Network and Removable Drive Mapping (High)
In most deployments, we don’t need to map network drives from a client system, and Removable mapping drives are even less common. We have grouped these two policies into one chart as the results for each were the same for all vendors.
| Amazon Workspaces -PCoIP\NiceDV | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| Prohibited | Allowed | N/A | N/A | N/A | N/A |
Amazon is more secure with this ability prohibited by default. Then Microsoft, VMware, Workspot, and Nutanix are more secure without this ability. Citrix is the only one with this enabled, and they have the most legacy settings baggage to be compatible with.
Clipboard Direction Control (High\Medium)
In most cases, you may only need to allow the client to talk to the agent. This is recommended in some deployments as users may be required to enter passwords into the session they maintain. We only recommend that users have two typable passwords within a corporate deployment with their corporate password and password manager password. Everything else should be in the password manager.
| Amazon Workspaces -PCoIP\NiceDV | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| N/A | Yes | N/A | Yes | Yes | N/A |
Citrix, VMware, and Nutanix are more secure since they can control the directionality of the clipboard. Then Microsoft, Amazon, and Workspot cannot control the directionality, making them less secure. This is a must-have security policy if the clipboard is allowed to ensure you, as the administrator, can control the direction of clipboard access.
Client USB Control (High\Medium)
Most deployments don’t require the users to have any USB devices mapped to their session, but if they are needed, you will want to be able to control them with policies. We also expect this to be disabled by default, as many attacks start with the insertion of a malicious USB storage device.
| Amazon Workspaces -PCoIP\NiceDV | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | N/A |
Citrix, Microsoft, VMware, Amazon, and Nutanix are more secure since their control USB mapping, and the default setting is prohibited, which should be expected currently. Workspot can’t map USB devices outside RemoteFX and not through its policy engine.
Webcam Control (High\Medium)
This is a newer control in some VDI solutions. This is most common when collaboration solutions are installed within VDI and a webcam is required. Many solutions will rely on USB mapping to allow this and may not consider the integrated nature of some webcams.
| Amazon Workspaces -PCoIP\NiceDV | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| N/A | N/A | N/A | Prohibited | N/A | N/A |
Nutanix is more secure due to Webcam mapping being prohibited by default. Then Citrix, Microsoft, VMware, Amazon, and Workspot can’t control Webcam devices individually. These solutions must control webcam mapping via USB mapping and allow device classes that are less commonly configured. This can create a less secure deployment without filtering if a webcam is needed.
Printer Mapping Control (High\Medium)
This is one of the most common requirements for virtualized applications. We always recommend ensuring that printing is restricted with policies to enable the ability to audit who can print. The severity of this setting will be determined by what type of data could be printed within a user session.
| Amazon Workspaces -PCoIP\NiceDV | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| Prohibited | Allowed | Allowed | Allowed | Allowed | Prohibited |
Amazon and Workspot are more secure, with printing being prohibited by default. While Citrix, Microsoft, VMware, and Nutanix have printing allowed by default which helps with adoption but weakens your security stance.
Client Floppy and Optical Mapping Control (Medium\Low)
This was only used for particular use cases and has been phased out in most cases by the elimination of these drive types physically.
| Amazon Workspaces -PCoIP\NiceDV | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| N/A | Allowed | N/A | N/A | N/A | N/A |
Microsoft, VMware, Amazon, Workspot, and Nutanix are more secure since they don’t have this ability by feature omission. Citrix is the only VDI vendor that can map these legacy drive types, and its policy is also controlled and enabled by default.
LPT Port Mapping Control (Medium\Low)
This typically was only used in the early years of VDI as these printers have been phased out to USB and now mostly network printers.
| Amazon Workspaces -PCoIP\NiceDV | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| N/A | Prohibited | N/A | N/A | N/A | N/A |
Microsoft, VMware, Amazon, Workspot, and Nutanix are more secure since they don’t have this ability by feature omission. Citrix is the only VDI vendor that can map these legacy printer types, and its policy is also controlled and enabled by default.
COM Port Mapping Control (Medium\Low)
This was typically only used in the early years of VDI as these devices have been phased out. We still see these devices in banking and retail for card readers and specific scanners.
| Amazon Workspaces -PCoIP\NiceDV | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| N/A | Prohibited | Allowed | N/A | Allowed | N/A |
Microsoft, VMware, Amazon, Workspot, and Nutanix are more secure since they don’t have this ability by feature omission. . Citrix and Microsoft are the only VDI vendors who can map these legacy port types. Its policy is controlled and enabled by default too.
Audio Mapping Control (Medium\Low)
This is the most common item to be mapped. We have seen audio being a higher security risk only in Legal, Healthcare, and some giant corporations, as those items can contain sensitive information that could have legal or investment impacts if leaked. The severity of this finding will be determined typically by the industry and what audio could be played and what could be within that audio. (PHI, PII, PCI, and other information categories)
| Amazon Workspaces -PCoIP\NiceDV | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| Allowed | Allowed | Allowed | Allowed – No Policy | Allowed | Allowed |
Citrix, Microsoft, VMware, Amazon, Workspot, and Nutanix all allow it by default, but Nutanix doesn’t have a policy currently to disable Audio mapping.
Microphone Mapping Control (Low)
This isn’t typically needed in most deployments other than in cases where dictation or collaboration software is required. This is one of the lowest-risk policies to be enabled, as Audio in can have less impact on a deployment than audio out.
| Amazon Workspaces -PCoIP\NiceDV | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| Allowed | Allowed | Prohibited | Prohibited | Allowed | N/A |
Microsoft and Nutanix are more secure, with it being disabled by default. Workspot doesn’t have this ability to map microphones, making it more secure by feature omission. Citrix, VMware, and Amazon all allow it by default for compatibility.
Default Policy Results Risk Summary
| Risk | Session Item |
| High | Copy\Paste |
| High | Copy\Paste Write Allowed Formats |
| High | File Drag and Drop |
| High | HTML Client File Upload |
| High | HTML Client File Download |
| High | Client Fixed Drives |
| High | Client Network Drives |
| High | Client Removable Drives |
| High\Medium | Copy\Paste Direction Control |
| High\Medium | Client USB Mapping |
| High\Medium | Printer Mapping |
| Medium\Low | Client Floppy Drives |
| Medium\Low | Client Optical Drives |
| Medium\Low | LPT Mapping |
| Medium\Low | COM Mapping |
| Medium\Low | Audio Redirection |
| Low | Microphone Mapping |
We had to categorize these policies based on the severity of data loss and file transmission. I knew if every policy was scored equally in severity, then that wouldn’t be fair too. How can allowing Audio redirection to be the same severity as mapping the local drive to the endpoint, where you are just a drag-and-drop away from data leaving the system?
Points used for each severity level
| High | 3 |
| High\Medium | 2 |
| Medium\Low | 1.5 |
| Low | 1.25 |
VDI Broker Default Policy Score Summary
These scores consider all the settings configured by default which puts Amazon Workspaces in 1st place, Workspot in 2nd Place, Microsoft AVD in 3rd Place, Nutanix Frame in 4th place, VMware Horizon in 5th place, and Citrix CVAD in last place. Citrix and VMware being the lowest at default make sense because they have more session capabilities and are trying to keep their backward capability too. This has an average score of 90.70.
VDI Broker Default Policy Weighted Score Summary
When we add the weighted scores to the same default settings, we see similar rankings but much lower scores. This puts Amazon Workspaces in 1st place, Workspot in 2nd Place, Microsoft AVD in 3rd Place, Nutanix Frame in 4th place, VMware Horizon in 5th place, and Citrix CVAD in last place. This weighted scoring lowers the average from 90.70 to just 78.77, which is almost 12 points lower than the default unweighted scores.
VDI Broker Default Policy Secured Score Summary
Then when we configured the session policies to their more secure settings, we got a much different result. This now puts Microsoft AVD in 1st place, a tie for 2nd place with Citrix CVAD and VMware Horizon, and in 3rd place is Nutanix Frame, and now Amazon Workspaces and Workspot tie for 4th place. This secure scoring now raises the average from 90.70 to 98.75, 8 points higher than the default unweighted scores. With a large amount of session policy omission from Microsoft and then between Citrix and VMware being able to control almost every policy, it gives them a very close 2nd place.
Security Features
Endpoint Security Features
This is the ability to control and protect the endpoint from illegal monitoring. The amount of data gleaned from being tapped into the endpoint is dangerous, regardless of company size.
| Amazon Workspaces | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| No | AppProtection – Keylogger and Screenshot Protection | Screenshot Protection | No | Keylogger and Screenshot Protection | No |
Citrix and VMware are more secure due to their Keylogger and Screenshot protection. Microsoft has screenshot protection, and Amazon, Workspot, and Nutanix don’t have these features.
AV Solutions
Having some form of endpoint protection is a requirement in so many industry verticals, having a way to look for suspicious activity before the endpoints connect to other things and spread those infections.
| Amazon Workspaces | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| No | No | Microsoft Defender (Windows, MacOS) | No | Carbon Black Endpoint Protection (Windows, MacOS, Linux) | No |
VMware and Microsoft both have endpoint protection clients. Carbon Black is a much more mature solution with the feature set available and has a slight advantage over Microsoft Defender. Microsoft defender has rapidly changed in the past three years and will be closer to feature parity after reviewing these systems. Amazon, Citrix, Nutanix, and Workspot don’t have these features.
Edge Protection
Having the ability to protect and have visibility to the front door of any VDI deployment. We have seen DDoS attacks and attacks from countries we don’t do business with continually rising, and not having some protections in place could lead to a security incident.
| Amazon Workspaces | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| VPC Design, Route 53, AWS Shield Advanced, Amazon Inspector, and other providers in their marketplace. | Citrix ADC – GeoIP, BadIP, Bot Protection, Bad Packets, Web Application Firewall, AppQoE (DDoS) | Azure Firewall, Network Security Groups, DDoS Protection, Azure Front Door, Web Application Firewall, and other providers in their marketplace. | Nothing Native, Controlled by your tenant Cloud and/or Firewall | None at this Time (If using F5, Citrix or another ADC you can use their Security Features or other Firewall or Cloud controls) | Nothing Native, Controlled by your tenant Cloud and/or Firewall |
Amazon, Citrix, and Microsoft are more secure with their built-in abilities to secure the edge of their deployments. Citrix could have a slight advantage with its ADC product being a crucial part of its deployment for external connections and security features. Unlike Citrix, Microsoft and Amazon have many solutions but are more modular than Cloud. Nutanix, VMware, and Workspot don’t have anything native and rely on the cloud or other providers for these protections.
Active Directory
It’s the market leader for user directories and management in many industries, but it also requires many configurations to make it secure; it isn’t secure out of the box with next-next deployments. Many of these solutions will allow you to use non-domain joined machines and other identity providers, but, in many cases, those will still come back to Active Directory.
| Amazon Workspaces | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| Required | Required | Required | Not Required | Required | Required |
Nutanix is more secure as the only vendor to allow remote access without requiring Active Directory currently. This means less configuration is needed to get their solution operational. Citrix, Microsoft, VMware, and Workspot all require AD.
Non-Domain Joined Machines
This allows the ability to publish access to systems to machines that are not joined to the domain, allowing you to use Active Directory or Other Identity Providers still, but this can provide some security benefits. Launching a machine that isn’t joined to the domain can limit the user’s access, and a potential attack would have on the system.
| Amazon Workspaces | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| Required | Required | Required | Not Required | Required | Required |
Nutanix is more secure as the only vendor to allow remote access without requiring Active Directory currently. This means less configuration is necessary to get their solution operational. Citrix, Microsoft, VMware, and Workspot all require AD.
Secure Anonymous Tokens
When you want to give remote access to someone external to the company without them having to enter any credentials, this can allow an easy contractor or third-party access method and is an exciting feature related to security.
| Amazon Workspaces | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| No | No | No | Yes | No | No |
Nutanix is the only vendor that has this capability currently.
MFA Capabilities
Any deployment, especially any exposed to the internet with just a username and password, is a breach in the waiting, especially with the massive number of stolen credentials out there to be weaponized against your company. More Options = More Secure.
| Amazon Workspaces | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| SAML 2.0 + RADIUS Solutions | OpenID Connect + SAML 2.0 + RADIUS Solutions | OpenID Connect + SAML 2.0 + RADIUS Solutions | SAML 2.0 + RADIUS Solutions | OpenID Connect (IM) + SAML 2.0 + RADIUS Solutions | SAML 2.0 + RADIUS Solutions |
Citrix, Microsoft, and VMware are more secure, with three primary options for authentication standard integrations. Amazon, Workspot, and Nutanix are missing OpenID Connect, giving fewer options even with SAML as the primary authentication integration method. Each of these authentication standards will allow multiple vendors to be integrated, and having more flexibility typically allows more deployments to have MFA configured. Each MFA solution will also add a varying amount of IT burden & risk, along with the understanding that MFA can be subverted with social engineering, phishing attacks, and other methods.
Session Input\Outputs Policies
Being able to control what can go in and out of your VDI session is critical. You need to be able to handle policies for all users and specific user groups and segments. The more accessible these are to manage, the more likely they will be edited. As we have seen in our research, the default policies from each vendor will leave a varying amount of security gaps in what can leave your VDI deployment and what can come in from your endpoint.
| Amazon Workspaces | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| Yes – GPO Bundle Required | Yes – Citrix Studio | Yes – Azure Console | Control – Frame Control Platform | Control – GPO Bundle Required | Yes – Workspot Dashboard |
Citrix, Microsoft, Workspot, and Nutanix are more secure because these policies are integrated into their management consoles. VMware and Amazon rely on GPOs to be configured to control the policies.
Clipboard Audit
This relatively new security feature is only used in secure version deployments with strict compliance requirements to see what was used in the clipboard. This clipboard audit information is only from the endpoint to the agent(VDI) and not within the session.
| Amazon Workspaces | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| No | No | No | No | Yes | No |
VMware is more secure as it’s the only vendor with this feature and multiple audit modes. Citrix, Microsoft, Amazon, Workspot, and Nutanix do not have this feature currently.
Session Recording
This is typically used in high-security deployments or with applications with strict compliance requirements. It can also be used to help diagnose user issues also by recording when certain events happen.
| Amazon Workspaces | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| No | Yes | No | No | Yes | No |
Citrix and VMware are more secure with this feature. The Citrix solution is much more advanced in its capabilities to record and correlate events than VMware but having that recording ability is vital in high-security deployments. Microsoft, Amazon, Workspot, and Nutanix do not have this ability currently.
Session Watermark
This gives administrators the ability to add a semi-transparent watermark to the display of users that can display the username, agent name, client IP, and other session details to help identify users if they take a picture and a screenshot of the screen.
| Amazon Workspaces | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| No | Yes – Policy Controlled | No | No | Yes – Policy Controlled | No |
Citrix and VMware are more secure with the ability to use session watermarking. Microsoft, Amazon, Workspot, and Nutanix do not have this ability currently.
Adaptive Access Policies
This allows the administrator to control the level of access and the resources based on their location or other parameters. A typical example is that an internal user can do this, but if they are external, they cannot.
| Amazon Workspaces | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| No | Yes – Smart Access | Partial – Conditional Access (Authentication Only) | No | Yes – Smart Policies | No |
Citrix and VMware are more secure as they can with their policy engines to change access rights based on many criteria. Microsoft, with conditional access, has some of the abilities of other vendors. Still, it has feature gaps within the AVD session policies for conditional access, as pools are configured similarly. Amazon, Workspot, and Nutanix don’t have this ability currently.
SaaS App Solution
This new feature introduced by Citrix in late 2020 allows administrators to publish SaaS websites with Copy\Paste, Printing, and other controls in place for things that generally would not be able to be controlled by traditional access.
| Amazon Workspaces | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| No | Yes – Access Control | No | No | Partial – Workspace One Access | No |
Citrix is more secure as it has more control capabilities over SaaS-based applications. VMware is a close second with some of the ability Workspace Once Access, but with the session and adaptive policy, differences keep it just behind Citrix. Microsoft, Amazon, Workspot, and Nutanix don’t have this ability currently.
Secure Browser
This allows the proxying of websites in a published browser with policy controls to ensure certain websites stay internal and which sites to use these browsers. This is also an emerging space of Enterprise Secure Browsers where you can deliver more secure website access with a policy engine beyond what we are used to with group policy on local endpoints and within VDI.
| Amazon Workspaces | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| No | Yes – Remote Browser Isolation and Secure Internet Access | No | No | No | No |
Citrix is currently more secure as they are the only vendor with a product within this space. The only vendor that has this ability. Microsoft, VMware, Amazon, Workspot, and Nutanix don’t have this feature.
Security Analytics
This proactive security alarm system looks at usage information and threat feeds and can automatically block or add other controls to high-risk users. This was just introduced in late 2018 by Citrix, and then VMware released Risk Analytics (Workspace One Intelligence) in mid-2020, and everyone else is playing catchup with this feature.
| Amazon Workspaces | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| No | Yes – Citrix Analytics | Partial – Log Analytics | No | Yes – Risk Analytics | No |
Citrix and VMware are more secure with this feature. Microsoft does have some logs, but they are still focused on diagnostics, and there isn’t an integrated security dashboard yet. Amazon, Workspot, and Frame don’t have any options currently.
Network Segmentation
This has been growing in popularity over the past eight years, especially with the Zero Trust branding. The basic concept in the VDI use case is that desktop01 shouldn’t be able to talk to desktop02 (east\west) as they should only be talking upstream to the applications and other supporting components (north\south). This feature can help stop or at least slow lateral movement if there is a compromised system. Its use outside VDI is recommended if possible, as it can provide many security benefits to any deployment.
| Amazon Workspaces | Citrix CVAD | Microsoft AVD | Nutanix Frame | VMware Horizon | Workspot |
| Yes – VPC Design (Manual) | No (Requires another solution) | Yes – Network Security Groups (Manual) | Nutanix Flow if using AHV Onsite only or by your tenant Cloud and/or Firewall | Yes – NSX (One-Click East-West and North-South more work) | No (Requires another solution) |
VMware is more secure as it’s the leader in this space with NSX, especially with their simple deployment of East-West segmentation so quickly for Horizon workloads. Microsoft and Amazon have options depending on how you do your NSGs and VPCs. Then Nutanix has Flow in the Cloud or on AHV too. Citrix and Workspot don’t have a native feature and will require another solution to have this capability.
VDI Broker Security Feature Score Summary
With all these security features and session policy differences, the race is close than we thought when we started this research. With the security features, Citrix CVAD is in 1st place, VMware Horizon is in 2nd Place, Microsoft AVD is in 3rd Place, Nutanix Frame is in 4th place, Amazon Workspaces is in 5th place, and Workspot is in last place.
Overall Score Summary
The matrices below look at all these solutions, Session Policies, and Security Features to show a complete picture of each product’s possible security stance. We also wanted to use the same scoring differences with the session policies with the default policies, weighted policies, and secured options paired with the possible security features from each vendor.
Overall Default Policy Score
With the Default Policies along with the available security features, Citrix CVAD and VMware Horizon are tied for 1st place, Microsoft AVD is in 2nd Place, Amazon Workspaces is in 3rd Place, Nutanix Frame is in 4th place, Workspot is in 5th place, and Workspot is in last place. This was expected with the previous results based on Security features alone from Citrix and VMware. This has an average score of 180.
Overall Weighted Policy Score
With the Weighted Default Policies along with the available security features, Citrix CVAD and VMware Horizon continue to be tied for 1st place, Microsoft AVD is in 2nd Place, Amazon Workspaces is in 3rd Place, Nutanix Frame is in 4th place, Workspot is in 5th place, and Workspot is in last place. This was expected with the previous results based on Security features alone from Citrix and VMware. This weighted scoring lowers the average from 180 to 167, almost 65 points lower than the default unweighted scores.
Overall Secured Policy Score
With the Secured Default Policies and the available security features, now Citrix CVAD 1st place, VMware Horizon and Workspot are tied for 2nd Place, Microsoft is in 3rd Place, Nutanix Frame is in 4th place, and VMware Horizon and Workspot are tied for last place. This was an exciting finding as it broke the tie for first but made a new tie for 2nd and last place. This is because the slight advantage Citrix has on Security features gives them the one-point advantage for first place. This secure scoring now raises the average from 180 to just 190, which is 50 points higher than the default unweighted scores.
Overall Conclusion
This was a great look at the VDI Brokers through a security lens. Those comparisons showed us many more differences than we initially thought between them in Security Features and their Session Policies. This also proves Citrix’s security features are why it could win overall by the slimmest margins. With more development, VMware, Workspot, and even Microsoft AVD could become serious contenders. We know there are other brokers and solutions out there that we will want to look at other vendors, and we will have to keep watching the releases for updated session policies and new security features. We hope this helps you and your team compare these solutions from a security perspective. Let us know if there are any other vendors we should look at or any features or policies we missed so we can update this (Reach out to our founder Patrick @VDIHacker on Twitter on LinkedIn for any follow-up communications).
