Achieving 5-Figure Annual Savings and a Secure, Flexible VDI with Amazon Workspaces

Managed Services

An online leadership development program provider partnered with Caylent to migrate its virtual desktop infrastructure to Amazon WorkSpaces, enabling secure, flexible access for over 100 contractors while achieving 5-figure annual cost savings through a scalable, cloud-based VDI solution.

Client Overview

An online leadership development program provider partners with the world's top business schools to deliver high-impact, career-enhancing programs and solutions to enterprises globally. The client’s proprietary platform offers on-demand experiences designed to build leadership capabilities, supporting a broad population of leaders. In their commitment to providing equitable opportunities and driving meaningful business results, they recognized the need for a secure, reliable, and cost-effective infrastructure to support their operational staff, particularly their large contractor base.

The client required a strategic partner to transition a core operational component—Virtual Desktop Infrastructure (VDI)—to the cloud. Caylent engaged with the client to architect and implement this critical migration, ensuring the new virtual desktop environment was secure, flexible, and integrated seamlessly with their existing systems.

Challenge

The client supported VDI for more than 100 contractors using an existing infrastructure. While this VDI was functional, it presented a high-priority financial and operational challenge: optimizing costs and complexity. The client estimated an opportunity for 5-figure annual savings by migrating these contractors from the existing VDI infrastructure to Amazon WorkSpaces.

The migration was complex due to the varying technical and security requirements mandated by four distinct user groups:

  1. Business Coaches: This group needed non-persistent desktops (WorkSpaces Pools) that were domain-joined and ran a Windows OS. They also required specific features like automatic shutdown after one hour of inactivity.
  2. Salesforce Data Analysts & Non-Salesforce Data Analysts: These two groups needed persistent desktops (WorkSpaces Personal) running Windows OS and had to be domain-joined. Critically, they required persistence, and the client would manage specific application installations, such as Data Loader, Alteryx, and Tableau. The non-Salesforce analysts also needed secure access to the client’s Amazon Redshift cluster.
  3. Offshore Developers: This group presented a unique requirement, needing persistent WorkSpaces running the Ubuntu Desktop OS and the ability to run Docker. The feasibility of Amazon WorkSpaces supporting these specific specs was initially unclear.

In addition to handling these disparate needs, the client faced strict security and governance requirements. They sought specific data exfiltration protections, such as blocking screenshots, preventing file extraction, and controlling directional copy/paste. The platform needed to be "air-tight enough to pass NHS security standards" and to instill confidence in its new security posture. Furthermore, the entire solution needed to be integrated into the client’s existing identity provider.

Initial research also highlighted limitations and complexities: Terraform did not support WorkSpaces Pools; Amazon WorkSpaces did not provide screenshot blockage as a security feature, though remote clipboard management was available; and implementing customized persistence and complex backup strategies for different Amazon WorkSpaces types required tailored solutions.

Solution

Caylent worked with the client to define a detailed implementation strategy, documented in the CARDIM (Costs, Assumptions, Requirements, Deliverables, Implementation, and Monitoring) framework. Our solution focused on creating the necessary AWS environment, supporting infrastructure, and integrating the overall solution into their identity provider using Amazon WorkSpaces.

Strategic Architecture and Directory Integration

To support the varying needs of the four contractor groups, Caylent deployed a dual Amazon WorkSpaces strategy:

  1. Amazon WorkSpaces Pools (Non-Persistent): Deployed for the 110 business coaches. WorkSpaces Pools are limited to Windows Server OS and do not require Active Directory (AD).
  2. Amazon WorkSpaces Personal (Persistent): Deployed for all data analysts and offshore developers (approximately 20 users). WorkSpaces Personal requires Microsoft AD but supports both Windows Server and Linux OS.

A crucial component of the architecture was implementing the identity provider integration. For WorkSpaces Personal authentication and domain joining requirements, we implemented AWS Directory Service (AWS Managed Microsoft AD). The implementation plan mirrored best practices shared by the AWS Solutions Architect, including:

  • Creating an AWS Managed AD instance.
  • Creating a standalone Amazon EC2 helper instance, domain joining it to the Managed AD, and utilizing it to administer the Directory Service AD instance via GUI.
  • Deploying a side-car Amazon EC2 instance to support the Okta <-> AD synchronization. This side-car instance was specified to run Windows OS with 2 vCPUs, 8 GiB memory, and an 80 GB storage volume.
  • Setting up SAML authentication between Okta and Amazon WorkSpaces.

Caylent took responsibility for deploying the base infrastructure and ensuring connectivity, networking, and data access at the infrastructure level. This included deploying the Directory Service using the tf-directory-service-module and Amazon WorkSpaces Personal using the tf-workspaces-personal-module. However, the client retained key responsibilities, including building custom Amazon WorkSpaces images, integrating and configuring the Okta <-> AD sync, vetting application compatibility (e.g., CrowdStrike, Alteryx, and Tableau), and managing maintenance for Amazon WorkSpaces Pools.

Implementing Security and Persistence

Caylent addressed specific security and data needs for the different groups:

  • Data Access Segmentation: A deliverable was segmenting access to the Amazon Redshift cluster in the relevant account so that only the necessary Amazon WorkSpaces (non-Salesforce data analysts) could call out to that account.
  • Backup Configuration: Caylent configured backups for the Amazon EC2 and Amazon EBS volumes using AWS Backup, including daily snapshots retained for 30 days and monthly snapshots retained for 12 months. For Amazon WorkSpaces Pools, the client enabled Amazon S3 versioning and created cross-region Amazon S3 replication, with lifecycle policies to purge older versions. We relied on the built-in 12-hour snapshot for Amazon WorkSpaces Personal and the 5x daily snapshots for Directory Service, excluding additional manual scripting from the scope.
  • Data Exfiltration Controls: While direct screenshot blockage was ruled out as infeasible by the AWS Solutions Architect, the solution confirmed the feasibility of managing the remote clipboard for both Amazon WorkSpaces Pools and Personal, and the optional ability to enable/disable the file transfer feature on Amazon WorkSpaces Personal. Notably, Amazon WorkSpaces Pools does not have a file transfer mechanism whatsoever.
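The retention scheme described under Backup Configuration (daily snapshots kept 30 days, monthly snapshots kept 12 months for the EC2 instances and EBS volumes), expressed as an AWS Backup plan in Terraform. This is an added example, not Caylent's tf-* modules or the client's configuration; the vault name, the `Backup=vdi` selection tag and the `aws_iam_role.backup` reference are assumptions.

```hcl
# Added example: AWS Backup plan for the EC2 helper/side-car instances and
# their EBS volumes, matching the stated retention (daily kept 30 days,
# monthly kept 12 months). Names, tags and the IAM role are assumptions.

resource "aws_backup_vault" "vdi" {
  name = "vdi-backup-vault" # assumed vault name
}

resource "aws_backup_plan" "vdi" {
  name = "vdi-ec2-ebs"

  # Daily snapshot, expired after 30 days.
  rule {
    rule_name         = "daily-30-days"
    target_vault_name = aws_backup_vault.vdi.name
    schedule          = "cron(0 3 * * ? *)" # 03:00 UTC every day

    lifecycle {
      delete_after = 30
    }
  }

  # Monthly snapshot on the 1st, expired after 12 months.
  rule {
    rule_name         = "monthly-12-months"
    target_vault_name = aws_backup_vault.vdi.name
    schedule          = "cron(0 4 1 * ? *)" # 04:00 UTC on the 1st of the month

    lifecycle {
      delete_after = 365
    }
  }
}

# Select resources by the assumed tag Backup=vdi, so the helper and Okta
# side-car instances (and their attached volumes) are covered without
# hard-coding instance IDs.
resource "aws_backup_selection" "vdi" {
  name         = "vdi-tagged-resources"
  plan_id      = aws_backup_plan.vdi.id
  iam_role_arn = aws_iam_role.backup.arn # assumed role trusted by backup.amazonaws.com

  selection_tag {
    type  = "STRINGEQUALS"
    key   = "Backup"
    value = "vdi"
  }
}
```

The referenced IAM role must be created separately with the AWS-managed policy AWSBackupServiceRolePolicyForBackup attached; the WorkSpaces Personal and Directory Service snapshots mentioned in the text are built-in and are not part of this plan.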

Results

Our partnership resulted in a modernized, secure, and financially beneficial cloud VDI solution that successfully met the goal of transitioning over 100 contractors to Amazon WorkSpaces.

Financial Savings and Operational Efficiency

The primary outcome of the migration was the realization of substantial financial benefit. The client estimated a 5-figure annual savings by moving contractors from their existing VDI infrastructure to Amazon WorkSpaces. The detailed operational cost analysis provided by Caylent, covering infrastructure components like AD domain controllers, helper Amazon EC2 instances, and the sidecar Amazon EC2 instance for Okta integration (estimated at $205 monthly for base infrastructure), allowed them to clearly manage and budget the variable costs associated with Amazon WorkSpaces usage.

By utilizing Amazon WorkSpaces, the client gained access to secure, flexible, and cost-effective virtual desktop services capable of handling every use case, from non-persistent Windows environments for coaches to persistent Ubuntu desktops for developers.

Robust Security and Governance

Like Chuqlab, which achieved a higher security posture necessary to service accounts with stringent security needs, the client established a highly governable VDI environment:

  • Identity Integration: The overall solution was integrated into their existing identity provider (Okta/AD), establishing a centralized authentication mechanism for all virtual desktops.
  • Segmented Access: The segmentation of access to the critical Amazon Redshift data store ensured that only specific groups of persistent Amazon WorkSpaces (non-Salesforce analysts) had the required outbound access, enhancing data security governance.
  • Data Control: Even without native screenshot blocking, the solution provided controls over the remote clipboard and file transfer capabilities, helping them manage potential data exfiltration risks.

Structured and Accelerated Implementation

Caylent provided deep expertise and structure, requiring an estimated total effort of only 64 hours of focused delivery time from our teams. This covers initial discovery, CARDIM documentation, infrastructure provisioning (Directory Service, WorkSpaces Pools/Personal), data access configuration, and backup implementation.

Our clear delineation of responsibilities ensured the client was prepared for long-term ownership, outlining that the client would manage application installation (e.g., Alteryx, Tableau, and CrowdStrike) and custom image creation, while Caylent provided the secure foundational infrastructure. This approach enabled the client to rapidly deploy a custom, scalable VDI solution tailored to the diverse needs of its contractor base.

By migrating its VDI to Amazon WorkSpaces, the client successfully implemented a flexible and highly secure cloud solution that supports their operational needs while delivering significant recurring financial benefits.
