Security and compliance are allies, but not the same. Installing a lock is security; choosing a specific three-point model to meet your insurer’s requirements is compliance. Yet too many organizations treat them as interchangeable, assuming that ticking regulatory boxes is enough to keep their systems safe. In doing so, they either lose sight of the real threat or misunderstand its nature entirely.
On the cybersecurity battlefield, confusing security with compliance leaves the door open to sophisticated, well-funded adversaries who don’t follow the rules. Worse, in the rush to achieve compliance, companies may actually expand their attack surface if they ignore the operational realities of their own teams. In this article, we’ll explore multi-desktop as an example of how a compliance-friendly practice can open the doors to attackers, and the emerging alternatives for secure isolation of environments.
1. Why Businesses Comply
Back at the beginning of the 20th century, journalist Upton Sinclair exposed the horrors of the meatpacking industry in The Jungle, leading to the creation of the FDA. Regulation brought order to chaos and restored trust.
Similarly, the GDPR ended the “wild west” of data handling by introducing strict, enforceable rules that professionalized and standardized privacy practices worldwide. Before GDPR, companies often operated with little accountability or transparency regarding personal data. Today, data is no longer a freely traded commodity. It is now a regulated asset governed by principles of trust, transparency, and individual rights.
A) They don’t have the choice (in the name of data privacy and critical asset protection)
Regulations (NIS2, DORA, GDPR...) impose strict requirements on organizations, leaving little room for negotiation. Non-compliance can lead to severe consequences (fines, legal action, reputational damage, and even operational restrictions). For businesses operating in sensitive sectors such as banking, finance, or critical infrastructure, the stakes are even higher.
The most common IT regulations aim at protecting data (GDPR sets the global benchmark on that matter) or at safeguarding essential services and critical infrastructure. Germany’s BSI Act targets operators of critical infrastructure across ten sectors and companies of special public interest, such as defense or IT component manufacturers, with fines reaching €20 million for non-compliance. In the financial sector, the Digital Operational Resilience Act (DORA) mandates measures like isolated recovery environments for resilience testing, forensic analysis, and data restoration, ensuring that critical ICT systems can withstand and recover from disruptions.
These frameworks collectively ensure that organizations handling sensitive data or operating critical systems adopt robust security and resilience measures. Compliance is not optional; it is a prerequisite for trust, continuity, and market access. Yet, for many organizations, compliance is more than just a legal obligation. It’s a strategic opportunity.
B) Because it’s part of their business strategy
For many organizations, compliance becomes a strategic lever to build trust and gain a competitive edge. Businesses often pursue certifications and frameworks to demonstrate their commitment to security and reassure clients, partners, and investors.
A certification is a formal validation by a third party that an organization meets specific standards. A framework, on the other hand, provides structured guidelines to help organizations manage risk and align with regulations. Both serve as powerful signals of reliability and professionalism in an increasingly risk-conscious market.
These tools are not mere checkboxes; they are strategic differentiators. For instance, a cloud provider seeking to operate in France might pursue SecNumCloud certification to address concerns about data sovereignty. Similarly, Germany’s BSZ certification offers true European recognition, as it is acknowledged by both France and Germany, an advantage for providers aiming to serve cross-border clients. Ultimately, these measures position compliance not as a burden, but as a foundation for trust and a catalyst for growth.
2. Divide and Conquer: Why Separation Matters in Cybersecurity
The age-old principle of “divide and conquer” applies perfectly to cybersecurity. Isolating environments is a cornerstone of data protection, helping organizations manage risks more effectively—especially against leaks or breaches.
European regulations and national guidelines from agencies like ANSSI emphasize system separation as a key security measure. NIS2, for instance, recommends isolating production systems from development and backup environments, and separating administrative networks from operational ones. Likewise, Germany’s BSI mandates network segmentation and isolation of critical components. ANSSI goes further with its R52 recommendation, advocating two distinct information systems: one for operational activities and another for sensitive tasks. Across the Channel, the UK’s Telecommunications Security Code of Practice provides detailed guidance on network segmentation, isolation of critical components, and secure management of access points.
But while the principle is sound, implementation is usually messy.
A) The Disillusion of Multidesktop: Bending Over Backwards for Security and Compliance
Multidesktop setups are often seen as the gold standard for environment separation. Each device is a fortress, aligned with the security policies of a specific organization. This configuration ensures compliance, but at a cost.
In practice, this means some users juggle multiple machines: one for their employer, another for a client, and sometimes a third for personal use. For those managing several clients simultaneously, the number of devices can escalate quickly. Some operate with up to seven workstations at once. This setup clashes with modern work environments and introduces new burdens.
Business travel becomes a logistical challenge. Devices are stacked into oversized backpacks and hauled from the airport to the office. At the workplace, desks vanish under layers of hardware, each machine representing a different perimeter of trust.
Physical separation often drives this proliferation, especially for admins, developers, and consultants.
To address these limitations, many organizations are turning to virtualization. They bet on Virtual Desktop Infrastructure (VDI), hoping for centralized control and simplified access. But its promise came with trade-offs.
B) Virtualization’s Broken Promise
In the early 2000s, virtualization sparked high hopes. Employees saw it as a way to gain flexibility without compromising security, while companies viewed it as a cost-cutting solution. Many organizations bet on VDI, expecting centralized control and reduced hardware dependency.
But reality fell short.
Hidden costs—licensing, maintenance, support—quickly piled up. Performance was inconsistent, often limited by bandwidth and network reliability. VDI deployments proved complex, and the user experience was frequently frustrating. Instead of empowering users, virtualization introduced new constraints.
Solutions like Desktop-as-a-Service (DaaS), hosted in the client’s cloud tenant, further reduced autonomy. Remote Desktop Services (RDS) brought its own limitations: latency, compatibility issues, and poor responsiveness.
Virtualization, too, failed end-users.
At the heart of the problem lies the technology itself. The virtualization stack powering VDI is nearly 50 years old, originally designed for data centres, not for end-user workstations. Despite backing from major tech players, it suffers critical flaws, especially in cybersecurity and performance.
Instead of bridging the gap between usability and security, VDI often widens it. VDI doesn’t solve these problems. It amplifies them.
3. The Business Trade-Offs of Compliance
The pursuit of compliance, while essential, usually comes at the expense of comfort, efficiency, and even security when the strategy is not framed properly: compliance-first strategies can introduce fragility.
A) Why traditional approaches fail
More systems mean more blind spots and more operational overhead. Yet the most recommended solution, multidesktop, multiplies hardware and, in doing so, expands the attack surface. Its more popular alternative, VDI, often suffers from poor performance due to its reliance on network connectivity. This frustration pushes users to bypass controls with workarounds or forces IT teams to grant developers elevated privileges, creating blind spots across the ecosystem.
European frameworks like ANSSI’s guidelines and Germany’s IT Security Act (IT-SiG) enshrine one principle above all: sensitive assets must live in isolated environments. Traditional approaches, while financially significant, shift budgets away from innovation and overlook user experience. In doing so, multidesktop and VDI may tick compliance boxes, but they introduce weaknesses (complex maintenance and less control over environments) and hinder business growth by diverting resources from innovation.
B) The Missing Link: Logical Separation
A new solution is redefining the way organizations think about secure environments: logical hardware separation.
Unlike virtualization, which only mimics isolation, logical separation achieves true segregation at the operating system level. It enables multiple environments to run on the same physical device without sharing memory, data, or system resources. The result? Native performance and uncompromised security, with no need to modify existing environments.
This approach is no longer theoretical. Thanks to recent hardware standardization finalized over the past three years, it’s now practical at scale. It enables secure, high-performance workspaces on a single device. Picture an employee accessing a personal space on their corporate laptop without risking sensitive business data.
Logical separation is not an incremental improvement over virtualization. It’s a fundamental shift. It offers near-native speed, built-in security, and seamless compliance alignment.
In short, it’s the missing link between flexibility, usability, and security, finally delivering what traditional virtualization solutions promised but never fulfilled.
Beyond Multidesktop: Time to move on to Secure, Usable IT
Cybersecurity has long been shaped by a binary mindset: isolate to protect, multiply to comply. But as the landscape evolves, so must organizations’ strategies. Multidesktop was born out of a security necessity. It now stands as a symbol of a system that failed to protect without trade-offs for the users.
At KERYS Software, we think true progress lies not in adding more machines or layers, but in rethinking the foundations of how we separate and secure digital environments.
Logical separation offers a new path: one that doesn’t compromise performance, usability, or compliance. It’s not just a technical innovation; it’s a shift in philosophy. And we are not alone in believing in it: so does ANSSI. In 2021, the French agency considered this new paradigm in its Recommendations for the architecture of sensitive or Restricted Distribution information systems (R52). We transformed what was then a theoretical concept into a practical solution. Even better, it finally reconciles the long-standing tension between security and user experience while delivering high performance.
Does it sound too good to be true? Let us show you how we do it.