How to Keep Work-From-Home Engineering Secure
New technologies have become synergistically powerful enough to serve up engineering for remote, virtual use.
February 1, 2021
When the pandemic response forced engineering departments to move to dispersed operations, at first there were probably as many work-from-home plans as there were engineering IT managers. Companies were spinning up solutions quickly, usually on an ad hoc basis. Collaboration tools like Microsoft Teams or the eponymous Zoom replaced in-house meeting rooms. File-sharing tools like Box, Dropbox and Google Drive became the common way to share data. No one realized work from home would last for months.
Almost a year later, product development is still coping with the myriad issues created by moving to dispersed engineering teams. The initial use of collaborative meeting and file sharing was relatively simple to deploy, but awkward for IT departments to manage. There were new employee-owned notebook computers as well as computers deployed for home use by companies. Companies like Zoom quickly implemented security features.
“It is a tangled spaghetti mess” for IT, notes Mike Leach, workstation portfolio manager for Lenovo.
Such ad hoc connectivity for collaboration means there are many more potential gateways into the engineering network, gateways that cybercriminals are eager to exploit.
“The best approach is a hybrid,” says Lenovo’s Leach. “[It should be] a mixture of the right hardware configured the right way. For IT decision makers, it sounds complex—and it is. We see multiple ways our users are responding. But the challenge is not fixed, it is constantly moving.”
Three Mature Technologies
Only a few years ago, engineering was considered too complex and graphically intense for virtualization, which is defined as the use of one computer environment to host an environment that resembles a separate service (a Windows-based server can host a virtual instance of Linux, for example). Transfer times were too slow, processing power was decreased by the extra layers of software, there were limits on how many users could be online and security was not considered robust.
All that has changed. Three technologies have become more robust and synergistically powerful enough to serve up engineering for remote, virtual use. Server-side rendering considerably speeds up the process of using graphics in remote sessions. Remote visualization performs intensive graphics operations on a high-end graphics server then generates a 2D pixel version that can be sent quickly to the remote users. Both NVIDIA and AMD offer technology for creating virtualized GPU sessions on a server, which can be fed to individual remote users.
The more an IT department can keep the actual computation work of engineering behind the company firewall, the more secure the remote computing session. A remote user on a virtualized CAD session can’t plug in a USB drive and download engineering data; on the user’s computer, the “data” is just pixels. Thus virtualization becomes the new technology that allows even the most computationally intense activities, including product development, to work as well remotely as in the office.
Several virtualization platforms suitable for product development are now available. Here is an overview of a few leading products.
Mechdyne TGX
Mechdyne TGX is a desktop utility that connects remote computers with their workstations back in the home office. TGX transmits only pixels between the two computers, allowing data to stay in the office while work continues remotely. It is designed specifically for graphics-intensive applications at up to Ultra HD (or 4K) resolution. The remote user can connect to either a physical or virtual machine as needed.
Lenovo sells TGX along with its workstations; it is also available directly from Mechdyne. Leach says TGX “allows engineers to connect to the office workstation and get an ‘as local’ user experience.”
A copy of TGX Sender must be running on the host workstation, and the TGX Receiver software is installed on the client computer. TGX leverages NVIDIA GPU NVENC and NVDEC capabilities end to end to compress, encrypt and send information from the host/sender to the client/receiver, where the data is decoded.
“It is a low bandwidth, low latency solution,” Leach says. “Other remote software is very ‘laggy’ by comparison.” Mechdyne claims sub-10 ms response time, subject to the user’s bandwidth.
AMD Remote Workstation
Another approach to connecting to a server back at the office is AMD Remote Workstation, included with every professional AMD GPU. Remote Workstation works with Citrix Virtual Apps & Desktops or Microsoft Remote Desktop Services to support remote workstations. The product was first released in 2018, when AMD realized it could “borrow” code from its server unit that would benefit remote users. Like Mechdyne TGX, Remote Workstation transmits pixels, not data. For users of AMD-equipped workstations, there is no extra software to install and generally no changes to settings are required.
Nutanix Frame
Nutanix Frame is a desktop-as-a-service (DaaS) solution that hosts every part of the desktop experience on the cloud. Frame offers cloud-based virtual desktops for any application, and has a keen interest in CAD and related engineering technologies.
Frame allows an engineering group to set up, in the cloud, all the applications it currently uses. In creating this service, Frame didn’t reinvent the wheel, so to speak. Instead it “leverages the best of existing technologies, packaging them up with a focus on performance, stability, flexibility and simplicity,” says Alex Herrera, senior consultant at Jon Peddie Research and primary author of JPR’s Workstation Report.
Frame can use Amazon, Microsoft, Google or Nutanix AHV as the hosting cloud provider. The service supports single sign-on technology popular in enterprise computing, and supports connections to file-sharing applications including Dropbox, Google Drive and Box. Several authentication services are supported, including Okta, Ping Identity and Auth0. Users connect through any HTML5-capable browser, whether it runs on a mobile workstation or a smartphone, with no special client software required.
Any Windows or Linux application will work in a Frame session, running on a virtual machine hosted in the cloud. Named customers who use the service include engineering software vendors Siemens and Autodesk. One of the first demonstrations of Frame showed an instance of Dassault Systèmes SolidWorks running in a browser, from a Frame remote session.
Zscaler Secure Web Gateway
Consulting firm Gartner lists Zscaler as the only company in its Leader category in its 2020 Magic Quadrant report on secure web gateway technology. Zscaler takes various web services to another level, offering a “zero trust” cloud-based platform for remote work.
Simply put, Zscaler provides a platform that securely connects any user, any device and any application over any network, using its own cloud-based technology. It offers “cloud-scale artificial intelligence,” which allows it to treat SaaS solutions such as Salesforce or Microsoft Office 365 the same as an instance of a CAD or CAE product. It is compatible with a wide range of existing IT providers, including Microsoft, AT&T, Accenture, Okta, Amazon AWS, VMware, CrowdStrike and Silver Peak. Zscaler is designed to be used at enterprise scale, which may not be suitable for smaller engineering groups seeking their own solution within a larger company IT environment.
Teradici PCoIP Remote Workstation Card
The services listed already are software solutions. Teradici offers a hardware solution, the PCoIP Remote Workstation Card. PCoIP is short for personal computer over internet protocol. Users connect to a server or workstation with the PCoIP card installed, and then work using their software hosted on the remote workstation. The card converts and encrypts the transmission, sending only pixels. PCoIP uses AES-256 and NSA Suite B cryptography for security. Applications using Teradici’s PCoIP card include most engineering applications, but also broadcasting, digital asset creation and other high-value visual applications.
Simplifying the IT Overhead
Using virtualization solutions, whether hosted in an internal data center or in the cloud, offers IT departments a way to maintain security and keep costs down. Instead of issuing new mobile workstations to all creative staff, IT can deploy less expensive enterprise or consumer-class personal computers. Leach at Lenovo says some of their customers are issuing small form factor desktop units, like their P340 Tiny, and one or more monitors.
Each P340 Tiny is “configured like a thin client, running Windows and TGX.” Remote users can attach up to four monitors to their P340, matching the home environment with their office setup. In daily use, each remote engineer connects to the office using a live virtual private network (VPN) to use typical enterprise software, but then switches to using TGX to connect to the specified engineering workstation. The remote computer’s screens then become a window to the workstation. CAD drawings can be spread across multiple screens.
“How does productivity change?” asks Leach rhetorically. “An engineer can render on one screen and use CAE on another.” For large engineering teams, each user can connect to their own workstation in the office, or to a designated workstation for each application, like CAD or a simulation program. “All of it stays inside the corporate firewall.”
About the Author
Randall S. Newton is principal analyst at Consilia Vektor, covering engineering technology. He has been part of the computer graphics industry in a variety of roles since 1985.