Workspace as a Service is the right architecture for enterprise mobility

by Amitabh Sinha on Sep 27, 2014 7:37:00 AM

(Also, posted on

Jack, Thank you for making the connection.

Brian, You are absolutely right. The right end user experience is a “workspace” where end users can securely and easily access all their applications and data. There are multiple solutions offering a workspace solution today:

(1) Citrix and VMware want to solve it with a Workspace Suite (a collection of their existing product portfolio)

(2) Citrix Online has ShareConnect which is the next generation client of GoToMyPC

(3) nComputing has OneSpace

(4) Workspot is offering a Workspace as a Service solution

The key difference between all these approaches is the architecture. The right architecture leads to better user experience, lower total cost of ownership, and faster time to value. There may be three different right architectures: one for SMB, another for enterprise, and a third for regulated industries.

Here’s why I believe the Workspot architecture is right for the enterprise:

(1) Mobile web and hybrid applications win: Already more than 70% of the applications in an enterprise are web applications. Many of them are responsive web applications, i.e., the UI adapts to the size of the end point display. Further Gartner predicts that 95% of the enterprise applications of the future will be either mobile web or hybrid. The delivery of mobile web and hybrid applications can be optimized with a secure browser inside the workspace. A Windows remoting solution for these applications will always have poorer user experience because the application will not respond well to screen size and touch. Therefore, we have embedded a secure browser into the Workspot client.

(2) The protocol wars are over and RDP won: Even if 70% of the applications in the enterprise today are web applications, many business critical applications are still Windows client server applications. Further IT still needs to connect to Windows Servers and Desktops. Folks on the Workspot team (Rana Kanaan, Puneet Chawla, and myself) have spent nearly a decade at Citrix and VMware optimizing the remoting experience with different protocols. In today’s world, where bandwidth is not an issue (100Mb/s for $100/month) the difference between RDP and other protocols is small. Unless you are planning on accessing a Windows app from the space station or more realistically from another continent, RDP is probably sufficient. The tie breaks in favor of RDP because it is so widely available – every single Windows server (10 million+) and desktop (1 billion+) comes with RDP. Hence, we have chosen to embed RDP into the Workspot client.

(3) Most corporate data is in network shares: Box and Dropbox are important tools, but the majority of corporate data resides in network shares. And a lot will stay in the network shares going forward either for security reasons or just because existing business processes are built to use these network shares. In order to make access to these network shares simple, we have chosen to embed a CIFS engine into the Workspot client.

(4) The default option must be for data to stay within the workspace: Most companies want to have control over their data. Some of them want really fine-grained control over their data – data from this network share can go to Box, but data from this other network share can never leave the workspace. We have embedded viewers for different file types (Office documents, PDF, videos, etc.) into the Workspot client so that data can be viewed/edited without ever leaving the workspace. We also allow the open-in option. The IT administrator can choose the desired behavior for the data.

(5) The VPN appliance isn’t the problem: In my experience, the networking team has the toughest security criteria in an enterprise. I would like to see a VPN-less solution that connects to enterprise resources that has been blessed by the networking team. The problem becomes slightly simpler if you introduce a new box into the DMZ, but only slightly. Every new box in the DMZ needs to be vetted for security, reliability, scalability, and needs to connect to the crazy combination of authentication schemes in the enterprise. At Workspot, we have integrated with the existing VPN appliance inside an organization. It can be Cisco (one million boxes deployed worldwide), Juniper (20% of enterprise customers), F5, or SonicWall (we are working on others). In all cases, we want the networking team to be able to enable a clientless configuration option on these boxes and make no other changes. No changes to authentication. No need to vet a new appliance.

(6) The problem is the poor VPN client experience: I haven’t met anybody who likes the client experience of the VPN. But this is a client problem. Not a problem with the VPN appliance. The poor experience is because of the lack of integration between the OS, the VPN client, and the application. Hence on a PC today, you fire up Windows, launch the VPN client, enter your credentials, maybe an RSA token, then fire up a browser, find the bookmark to the SharePoint application, maybe authenticate with the application, and 3-5 minutes later you are accessing SharePoint. On a mobile device, not only is the experience poor, but it also comes with poor battery life. We spent the first 18 months of Workspot collapsing this experience into the workspace. So an end user launches SharePoint – the Workspot client has a built-in VPN that is launched in the background to connect and authenticate with the VPN appliance, then a browser is launched and the user is authenticated with SharePoint. In a few seconds, the end user is in SharePoint. Battery life is not affected, because we open the VPN connection only when the app needs it and close it when it is no longer needed.

(7) 100% Cloud Control: Having cracked the code on the VPN, we can deliver a workspace solution without installing anything in the data center. We leverage the existing VPN, authentication, applications, and network shares. The Workspot solution can be delivered as a 100% cloud service. But our cloud solution is only a control plane. No data or credentials ever flow through our cloud.

workspace as a service right architecture

(8) Finally, Workspace as a Service: You can get started with a Workspot pilot in 60 minutes – your apps and data on your devices. If you like it, buy a few licenses and get started. And then pay as you grow. We want customers to pay for value – you don’t need to spend hundreds of thousands of dollars up-front and you don’t need to spend the next year on a deployment plan.

I believe that ShareConnect and OneSpace might be the right architecture for SMB, Workspace as a Service is the right architecture for enterprise, and an on-premise architecture like Workspace Suite may be the right architecture for regulated industries.

I hope this long post helps. Would love comments.

Want to know more about Workspot today? Click the image below to download the solution brief:
Azure DaaS

Subscribe To Our Blog

author avatar

This post was written by Amitabh Sinha

Amitabh has more than twenty years of experience across enterprise software, end user computing, mobile, and database software. Amitabh co-founded Workspot with Puneet Chawla and Ty Wang in August 2012. Prior to Workspot, Amitabh was the General Manager for Enterprise Desktops and Apps at Citrix Systems. In his five years at Citrix, Amitabh was VP Product Management for XenDesktop and VP Engineering for the Advanced Solutions Group. Amitabh has a Ph.D. in Computer Science from the University of Illinois, Urbana-Champaign.

Connect with Amitabh