To enable remote access to highly sensitive research data without compromising data security or legal compliance, I designed and implemented a fully isolated Virtual Desktop Infrastructure (VDI) using VMware Horizon. The core requirement of the project was that no data must ever leave the secure network, while still allowing researchers to work remotely with modern analytical tools.
The infrastructure was built entirely outside the organization’s main network, using a dedicated and physically separated hardware stack:
- 5 ESXi host servers in a VMware cluster,
- 2 standalone storage servers,
- A private SAN, and
- Independent switching, routing, and firewall systems.
To enforce strict data protection policies, the VDI environment was heavily customized, especially in terms of:
- Group Policy Objects (GPOs)
- Hardened Windows Server deployments, including Active Directory, file servers with partial encryption, and audit logging capabilities.
- Controlled access zones using Linux-based routers, open-source firewalls, and LDAP proxy services to tightly manage identity and traffic flows.
All virtual desktops were designed as non-persistent, with no external internet access and strict role-based access controls, ensuring that researchers could only work within the virtual environment without ever extracting data from it.
The backup and disaster recovery concept included a Veeam backup server and dedicated storage placed in a separate fire zone, further strengthening resilience against physical or logical failures.
To support controlled and auditable data sharing, a self-hosted Nextcloud instance was deployed outside the secure core. Only data that had been manually reviewed and approved for external release was transferred to this platform, enabling researchers to access pre-approved datasets beyond the VDI environment without violating internal data protection rules or network boundaries.
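A release gate for the review-then-transfer step described above, as an added example rather than the project's own tooling. It binds each approval to the SHA-256 of the reviewed content, so a file edited after review, or never reviewed, is denied and every decision is written as an audit line. The manifest layout, file names and reviewer IDs are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_release(name: str, content: bytes, approvals: dict) -> tuple:
    """Decide whether one file may leave the secure core: (allowed, reason)."""
    record = approvals.get(name)
    if record is None:
        return False, "no approval record"
    if not record.get("reviewer"):
        return False, "approval has no named reviewer"
    # Approval covers the reviewed bytes, not the file name.
    if record.get("sha256") != sha256_hex(content):
        return False, "content changed after review"
    return True, "approved by " + record["reviewer"]

def run_gate(outbox: dict, approvals: dict) -> tuple:
    """Return (names cleared for transfer, JSON audit lines for all decisions)."""
    released, audit = [], []
    for name in sorted(outbox):
        ok, reason = check_release(name, outbox[name], approvals)
        audit.append(json.dumps({
            "time": datetime.now(timezone.utc).isoformat(),
            "file": name,
            "sha256": sha256_hex(outbox[name]),
            "decision": "release" if ok else "deny",
            "reason": reason,
        }))
        if ok:
            released.append(name)
    return released, audit

# Constructed sample data (hypothetical manifest format and file names).
REVIEWED = b"region,count\nA,120\nB,98\n"
APPROVALS = {
    "summary_2024.csv": {"sha256": sha256_hex(REVIEWED), "reviewer": "reviewer01"},
    "model_output.csv": {"sha256": sha256_hex(b"coef,0.41\n"), "reviewer": "reviewer02"},
}
OUTBOX = {
    "summary_2024.csv": REVIEWED,                   # unchanged since review
    "model_output.csv": b"coef,0.41\nid,1234\n",    # edited after review
    "raw_extract.csv": b"id,value\n1,17\n",         # never reviewed
}

if __name__ == "__main__":
    cleared, lines = run_gate(OUTBOX, APPROVALS)
    print("cleared for transfer:", cleared)
    print("\n".join(lines))
```

Denied files still produce an audit line with their hash, which gives reviewers a record of attempted releases as well as completed ones.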
This infrastructure enabled researchers to work with legally protected datasets in compliance with German and EU data protection laws, while providing a performant and scalable platform that upheld maximum security, auditability, and isolation at every layer.