ZTNA or VDI? … Or Maybe Both!
Data leak protection is one of the major problems that a SASE architecture endeavours to solve. For this reason, ZTNA solutions should inspect for sensitive data at upload and at download.
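As an added illustration of what "inspecting for sensitive data at upload and download" means in practice, here is a small content-inspection gate of the kind a ZTNA proxy or DLP engine could apply to each transfer. This is example code written for this post, not code from the post's author or from any ZTNA vendor; the regex patterns, the Luhn confirmation step, the `Classification:` label format and the allow/block policy are all assumptions made for the example.

```python
"""Content-inspection gate for file uploads and downloads (added example).

Assumptions, not from the original post: card numbers are detected by a
regex plus Luhn checksum, confidential files carry a 'Classification:'
label, and the policy below decides what each direction may carry.
"""
import re
from dataclasses import dataclass, field

# Candidate primary account numbers: 13-19 digits, optionally separated by
# spaces or dashes.  Matches are confirmed with the Luhn checksum so that
# ordinary long numbers (order ids, timestamps) are not flagged.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Classification marker stamped into the file by a labelling tool
# (assumed label format for this example).
LABEL_PATTERN = re.compile(r"Classification:\s*(Confidential|Restricted)", re.I)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    direction: str            # "upload" or "download"
    allowed: bool
    findings: list = field(default_factory=list)


def find_sensitive(text: str) -> list:
    """Return (kind, redacted_value) tuples for each sensitive item found."""
    findings = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            # Keep only the last four digits so the finding itself is not a leak.
            findings.append(("pan", "*" * (len(digits) - 4) + digits[-4:]))
    for m in LABEL_PATTERN.finditer(text):
        findings.append(("label", m.group(1).lower()))
    return findings


def inspect_transfer(direction: str, payload: bytes) -> Verdict:
    """Inspect a transfer in either direction and decide whether to allow it.

    Policy (assumed for this example): confirmed card numbers are blocked in
    both directions; a confidential label blocks downloads to the BYOD
    endpoint but does not block uploads into the protected application.
    """
    text = payload.decode("utf-8", errors="replace")
    findings = find_sensitive(text)
    kinds = {kind for kind, _ in findings}
    blocked = "pan" in kinds or (direction == "download" and "label" in kinds)
    return Verdict(direction, not blocked, findings)


# Constructed sample payloads for a stand-alone run (not real data).
SAMPLES = {
    "clean":    b"Order 1234567890123456 shipped on 2024-03-01.",  # fails Luhn
    "card":     b"Card on file: 4111 1111 1111 1111, exp 12/26",
    "labelled": b"Classification: Confidential\nQ3 revenue forecast ...",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        for direction in ("upload", "download"):
            v = inspect_transfer(direction, payload)
            print(f"{name:9s} {direction:8s} allowed={v.allowed} {v.findings}")
```

The Luhn confirmation is the part worth copying: a bare 16-digit regex fires on order numbers and timestamps, which is the false-positive rate that makes users route around DLP. Note also what this gate cannot see, which is the point of the scenarios that follow: a screenshot or a photo of the screen never passes through the upload or download path at all.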
That said, data can be leaked in other ways too. For example, consider these scenarios:
1. A remote user with her/his BYOD can take a screenshot of sensitive data in a file that she/he cannot download but can still view.
2. A 3rd party, not authorised to view the file, can stand right behind this remote user and view the file displayed on the BYOD's screen.
3. The remote user her/himself can use her/his mobile camera to take photos of the displayed data.
For the 1st scenario, I know that Citrix Systems, with its VDI and App Protection feature, can prevent screen captures within the VDI session as well as on the host itself.
For the 2nd scenario, there should be some sort of "recognition" technology that only allows file viewing when the BYOD device camera is turned on and only the user her/himself is sitting in front of it.
For the 3rd scenario, camera pattern recognition should also recognise arm movements associated with holding a mobile phone in a position for a photo to be taken.
Personally, I am not aware of a technology that can deal with the 2nd and 3rd scenarios.
Finally, the question here is: Is it easier to implement these protective measures within VDI and to establish ZTNA from a VDI session running on the BYOD? Or can these features be implemented natively in the ZTNA solution? Bear in mind the additional cost of VDI.