Many organizations struggle to keep an application development workflow that is secure against data leaks, while jointly preserving developers’ experience and productivity. This challenge has driven market demand for secure development environments especially due to developers being increasingly targeted by hackers. Breaches are notably around source code and credentials, some leading to personal information leaks.
In this article, I’ll start with a quick rundown of the technologies available to organizations to address this challenge. Then, I’ll compare them across three dimensions: their applicability to support an application development process, their focus on security, and their impact on developer experience. At the end of this article, I’ll give a nuanced conclusion, in the sense that choosing any of these technologies shouldn’t necessarily be clear cut. In other words, mixing them could even be beneficial in some cases.
What are virtual desktops?
The need to protect the development workflow has led to the emergence of technologies like virtual desktops. These are general-purpose desktops where developers can install applications like Integrated Development Environments (IDE) or DevOps tools (e.g. container management) and access web applications supporting their workflow. In effect, remote access to a virtual desktop removes the need to maintain sensitive data on the local device. In addition, it provides access to an alternative source of computing power to build applications. A typical access method for the remote desktop is the Remote Desktop Protocol (RDP) that streams the desktop image to the local device.
What are enterprise browsers?
More recently, enterprise browsers have appeared as web-based alternatives to virtual desktops, although the focus is securing access to web-applications—typically SaaS services—as opposed to providing access to a desktop. However, these browsers also support protocols like RDP to provide access to remote desktops (also as virtual machines). Vendors in this field often position themselves as a VDI replacement. A marked difference is that their offerings typically do not include computing resources. Hence, it is likely that organizations adopt them in the scope of a broader infrastructure set-up including Desktop-as-a-Service (DaaS) when computing resources are needed.
What are secure Cloud Development Environments?
As a means to secure an application development process, a recent technology is secure Cloud Development Environments (CDEs) and the associated platform used to manage them. The basic role of such a platform is to provide online access to development environments with security mechanisms via an IDE, in addition to providing secured access to the web applications used by developers (e.g. for code management). For the latter, a technology similar to that of enterprise browsers is used. The combination of remote access via IDE and secured web browsing aims at protecting the entire developer workflow against data leaks. (This is explained in detail in this post.) Like in the case of a virtual desktop, local development data is in effect “removed” from local devices and computing is delivered via the cloud. Hence, secure CDEs can be seen as a technology blending aspects of the previous two presented here.
The figure below depicts the three technologies compared in this article.
Comparison of the technologies
Let’s dive into key differences between these three technologies and highlight their roles and benefits. Note that, albeit virtual desktops and enterprise browsers are business process-agnostic, I only discuss here their application in securing application development.
Code development applicability
- Virtual desktops: In the context of code development, virtual desktops are used across business units but more commonly in scenarios involving the onboarding of remote developers, implementation of BYOD policies, and others requiring centralized control and security over remote desktop environments, mostly Windows-based (although Linux hosts are also used). Any code development activities are performed on a generic desktop, which typically requires installation of tools such as an IDE to start coding. As illustrated in the picture below (left), the remote desktop is used to code using the IDE and access a code management application. The remote desktop is also the primary source of compute to build applications.
- Enterprise browsers: When used in the scope of a development process, an enterprise browser acts as a web front-end to access a remote desktop set-up for development (via RDP). Because secure browsers impose fewer infrastructure constraints than virtual desktops, they can be more easily deployed across both internal and remote developers. Still, enterprise browsers do not provide any development environments by themselves, hence in this setting, they are merely the front-end to an existing park of development machines (physical or virtual), accessed via the browser client.Hence, in the scope of a development process where a source of compute is needed, the set-up is similar to a virtual desktop. A small difference is that the code management application can be accessed securely using the browser on the developer device as opposed to a browser running on the virtual desktop. Here too, the remote desktop is the primary source of compute to build applications. This is shown in the middle part of the figure below.
- Secure cloud development: A secure CDE platform is designed to onboard both internal and remote developers (incl. BYOD) on centrally-managed and standardized environments. To run environments, the platform relies on lightweight virtualization using containers (i.e. a virtual process) as opposed to a virtual machine. Hence set-up and operations are much more efficient and more scalable because containers require fewer resources. It is easy and economical to assign multiple environments to a single developer. Each container has its own source of compute and is easy to set or reconfigure without any loss of data.
The striking difference with a remote desktop is that developers do not need a desktop to develop applications. The platform is primarily suited for cloud-native, i.e. web-based (back-end/front-end) and mobile development (left part in the next figure). The cloud environment is accessed directly via the IDE and developers typically run web applications on an environment’s port. The running application is then accessed via a local web browser. Note that it is possible to run a desktop on the containers if needed. In this case it is steamed over a port and accessed via browser as well (right part of the figure below).
Security focus of the technologies
What about their security focus?
- Virtual desktops and enterprise browsers: Virtual desktops secure the end-user environment by centralizing data and desktop applications, reducing endpoint vulnerabilities. Citrix offers data leak prevention (DLP) measures that protect from data exfiltration via system hardening measures encompassing user access, data egress restrictions, etc. Enterprise browsers aim at protecting the organization from phishing, malware, and other threats when accessing web applications and from user operations that could result in data leaks, including insider threats using DLP.In the case of enterprise browsers, security measures are primarily “client-focused”, because users do not have access to the backend of the application they use. Security measures are more complex and include network policies in the case of virtual desktops. Such policies might be necessary to avoid data exfiltration using internet connectivity once on the remote application. This shows a potential limitation of enterprise browsers as a VDI replacement when accessing desktops: it is likely that no secure measures are provided to protect from operations on the desktop. However, this aspect could depend on the vendor.
- Secure cloud development: A secure CDE platform focuses on securing data in development environments and the web applications against exfiltration. This is akin to client-side DLP.The platform also provides “back-end DLP” by protecting access to the data used for development. This is achieved by controlling the network and providing authentication services to the organization’s resources.Although a CDE-based infrastructure is simpler than a virtual desktop counterpart, it is indeed this simplicity that allows it to build a more holistic approach to data loss prevention with minimal impact on the local device used to access the platform.An additional aspect is that, because a secure CDE platform is designed to support application development, security mechanisms can beneficially use the context to make security a productivity enabler as opposed to a hassle. I explain this concept in details in this post.
Impact and benefits to the developer experience
Accessibility to the platform and, more generally, the developer experience are important factors when assessing the fitness of these technologies to support development.
Virtual desktops let developers interact with a remote desktop via a locally installed client by streaming the image of the remote desktop to the client. Such access protocol can sometimes suffer from latency due to network requirements which could impact the developer experience. (Check out this real-life story.)
Enterprise browsers let developers access web applications without usability issues. However, because developers need access to a remote desktop for coding, this requires again the use of a streaming protocol such as RDP and results in display latency impacting the developer experience and productivity.
A secure CDE platform provides developers access to the online development environment via a web-based IDE and to web applications via a secure browser. The web-based IDE is a web application on its own and renders natively in the browser on the developer’s device. Therefore no streaming is required which provides optimal developer experience (see the above figure).
In contrast, the chosen implementation for the secure browser can impact the experience. However, in practice, developers spend the majority of their time in the IDE and use web applications for less frequent operations such as pull-requests.
Opportunities when combining technologies
In general, virtual desktops and enterprise browsers play an important role across enterprise business processes by providing general-purpose security for desktops and web applications, each with distinct infrastructure requirements and performance outcomes. Historically, virtual desktops have been a staple in the enterprise environment, representing the oldest technology among the ones that I discussed in this article.
In comparison, enterprise browsers are designed as a lightweight alternative to virtual desktop infrastructure. They are optimized mainly for SaaS applications delivered through the web. Their utilization for accessing developer desktops via RDP is akin to a modern reinterpretation of virtual desktops via a web browser.
To protect the application development process, a secure CDE platform centralizes all essential resources, including access clients (IDE and web applications) and development environments, in one place. The targeted usage allows the platform to offer context-specific security and preserves the developer experience when working in a secure environment.
In a larger organizational context, integrating a secure CDE platform with virtual desktops or an existing enterprise browser setup might be necessary. This provides an opportunity to balance development productivity, security and asset utilization optimally.
One key feature of a secure CDE platform is its use of a dedicated browser for safe access to web applications. This feature is particularly enhanced when integrated with an enterprise browser or application virtualization technologies. Essentially, this integration allows for replacing the CDE platform’s secure browser with a more seamless solution and incorporates secure CDE technologies into the existing infrastructure.
This way, organizations can standardize security mechanisms across the infrastructure, ensuring access to legacy applications while modernizing application development. It also offers them an opportunity to improve asset utilization by leveraging lightweight virtualization for on-demand access to cheap computing power dedicated to development workloads (see the next figure).
In the implementation of a virtual desktop infrastructure, incorporating a secure CDE platform elevates the developer experience by providing on-demand development environments (with associated computational resources) and bolstering data access security.
In conclusion, integrations between secure CDE platforms, enterprise browsers, and virtual desktops provide opportunities for enhancing both security and productivity of the development process, while jointly improving developer experience and resource utilization.
Although a secure CDE platform alone provides a contemporary approach to prevent data leaks during application development, it also delivers an opportunity to enrich the existing infrastructure ecosystem of modern organizations.