All posts
Platform Engineering

Improve your security posture by replacing VDI with Gitpod + Island

@taliamoyal's avatar on GitHub
Talia Moyal / Head of Outbound Product at Gitpod / Apr 25, 2025

For years, enterprises in regulated industries have forced developers onto Virtual Desktop Infrastructure (VDI) in the name of security. VDI keeps source code off local machines, but ask any developer about their experience and you’ll likely hear frustration. VDIs were never tailored to software development, and it shows in daily productivity. The good news: we no longer have to choose between security and developer happiness.

In this article, we’ll explore why legacy VDIs fall short for developers, and how Gitpod + Island provides a better path forward. We’ll cover the high-level architecture, dive into security controls like preventing source code exfiltration and enforcing zero-trust, and highlight why Gitpod offers a superior developer experience – especially when compared to other solutions like Coder. If you’re a technical decision-maker at a security-conscious enterprise, read on to see how you can keep your source code safe and your developers productive.

The trouble with legacy VDI for developers

VDI was originally adopted to solve a security problem: keep corporate data and code on centrally managed servers. In theory, a remote desktop shouldn’t have to interfere with how developers work. In practice, VDIs damage developer experience. They introduce lag, limitations, and daily frustrations that sap productivity and morale. Let’s break down some of the biggest issues developers face with traditional VDI setups:

Laggy, ‘video-stream’ interaction

Most VDIs are essentially streaming an entire desktop over the network, using protocols like RDP, PCoIP, or Citrix HDX. This means every keystroke, mouse move, and screen update has to be passed over the network as high-bandwidth demanding pixels. Even with good bandwidth, there’s an inherent delay. Developers feel this as typing lag: you type a character and wait a moment for it to appear in the code editor. Real-time feedback like autocompletion or inline error checking slows to a crawl. Debugging step-by-step becomes painful when each step takes a moment to reflect. In short, the interactive flow of coding is disrupted by network latency and encoding overhead.

Constantly losing state

Many VDI environments are non-persistent to reduce costs – meaning each time you log in, you might get a fresh image that forgets your previous session’s customizations. Installed a new build tool or VS Code extension yesterday? It could be gone today. Reinstalling tools or reapplying configs becomes a daily tax on developers’ time. Even ‘persistent’ VDIs often revert after updates or suffer from profile corruption, leading to the same problem of lost dev setup.

OS and tooling mismatch

VDIs are often Windows-based, yet many modern development workflows target Linux environments (containers, cloud deployments). Developers end up writing code on Windows in the VDI that will run on Linux in production, which leads to ‘works on my machine’ issues. Workarounds (like running a Linux VM inside your Windows VDI) are clunky and inefficient. It’s a far cry from the native Linux tooling developers prefer.

Limited resources and peripherals

Need multiple monitors or a 4K display for more coding real estate? With VDI, you’re often stuck at whatever resolution and monitor setup the remote session supports. Want to plug in a device, use GPU acceleration? Those things typically aren’t feasible in a locked-down remote desktop. Many of these controls of a VDI are implemented for security reasons—but developers are a specific use-case than general business users. Developers need more granular security controls that general purpose security tools like VDI do not serve without locking down all access. This not only hinders developer productivity but in many cases blocks developers getting anything productive done at all.

Rigid environments and slow updates

Installing or updating software on a VDI usually requires administrative effort and can violate compliance rules. Organizations lock down VDIs to protect data and ensure consistency, but that means developers can’t readily adopt new tools or libraries. Even getting a critical security patch applied might require waiting for the IT team’s maintenance window. Meanwhile, developers either twiddle their thumbs or find risky workarounds.

High costs (operational and financial)

On top of user frustrations, VDIs are expensive and cumbersome for IT and platform teams. They involve hefty Windows licensing, server infrastructure, and constant maintenance to keep images updated. Each developer often ends up with a dedicated VM that might need to run 24/7 to be useful – a lot of compute hours (and dollars) wasted, especially if developers aren’t coding around the clock.

Cloud development environment meet enterprise browser

So how can we keep source code and sensitive data off the endpoint without forcing developers to write code using chopsticks? Enter the combination of cloud development environments (CDEs) like Gitpod and enterprise browsers like Island.

To put it simply, the idea is:

  • Move source code storage off of local machines into your private network (just like VDI does) but with a platform that is purpose-built for coding workflows.
  • Automate and standardize and apply policies to everything related to development environment setup and maintenance
  • Grant developers access to that dev environment through a secure, controlled browser on any device rather than a full-blown remote desktop.

Gitpod provides development workstations that automate development environment setup, access controls, dependency management, AI tooling rollout etc., to eliminate ‘works on my machine’ problems by standardizing environment drift. These workstations can run in your private cloud and developers access them via their favorite IDEs. Crucially, Gitpod provides a purpose-built developer experience, without compromising on security. Our workstations provide:

  • Centralized data management: CDEs store data centrally rather than on individual local devices, helping organizations to maintain better control over data security and compliance with regulations
  • Enhanced admin and access controls: organizations can implement robust access control mechanisms, ensuring only authorized personnel can access sensitive data
  • Improved compliance management: CDEs provide a controlled environment where data handling and processing can be monitored and audited more effectively
  • Secure remote access: employees can access sensitive data from any location because CDEs provide a secure, encrypted connection between a remote device and the central data center they are accessing. This becomes attractive to onsite teams who are hot desking at their offices
  • Reduced endpoint security risks: with CDEs, the attack surface is significantly reduced because the actual computing and data storage occurs in secure data centers, not on local devices.

So where does Island come in? Island is a leading example of an Enterprise Browser. It’s a Chromium-based browser that enterprises can manage and secure heavily – controlling everything from copy/paste and downloads to web access policies.

Think of Island as a supercharged, locked-down browser that looks familiar to users but gives security teams fine-grained control over the ‘last mile’ where data could leak. With Island, if a developer is accessing a sensitive web app (like an internal code editor), you can restrict or log virtually any action: prevent copy-pasting source code out, block screenshots, forbid downloads of source files, you name it. It’s like putting a data loss prevention shield around any web application.

Using Gitpod with Island: a modern developer workstation that feels local, but is purpose-built for developer experience and secure. Here’s how the pieces fit together in principle:

  1. Your developer opens the Island browser on their laptop and logs in via SSO to their company’s Gitpod portal (which can be hosted in your cloud).

  2. From the Gitpod interface, the developer launches a development environment.

  3. The developer interacts with the workspace through their browser. Gitpod is integrated with the world’s most popular and versatile editor, VS Code running in the browser. It’s not streaming heavy, expensive and slow pixels from a remote GUI; it’s a web application sending text, code changes, UI events securely.

  4. Because developers are using Island, every action in that browser is governed by enterprise policies. Try to copy text out of the code editor? Island can block it (with a polite “Clipboard disabled” message) This ensures that code stays in your cloud, period. The developer can view and edit it via the secure browser, but they can’t accidentally (or maliciously) take it out. This is even more control than a traditional VDI, which might rely on Windows group policies or network monitoring – Island wraps those controls right at the browser level, which is harder to bypass.

  5. Meanwhile, the developer enjoys a snappier experience than VDI. Editing code via a web IDE feels near-native because it’s using the same (quite literally the same) IDE that developers use, but just running in the browser – the latency is low because we’re not pushing pixels, just text diffs and editor commands.

Improving security posture by replacing VDI

Security architects might wonder: does moving from VDI to Gitpod + Island weaken our security? Quite the opposite. Because of Gitpod’s architecture, this combo is built with a zero-trust philosophy and offers multiple layers of protection to keep source code and sensitive data safe. Here’s how Gitpod + Island fortifies your security posture:

  • Source code never touches the endpoint: Like VDI, all source code and intellectual property remain on centrally managed infrastructure (Gitpod). If a developer’s laptop is lost, stolen, or compromised by malware, there’s no accessible source code on it. Island further ensures that even the view of the code can’t be copied out. It restricts all obvious (and not-so-obvious) exfiltration paths: clipboard, drag-and-drop, file download, printing, screenshots, screen sharing etc.

  • Ephemeral, immutable environments: Gitpod environments are ephemeral – they can be spun up on demand and shut down when not needed. This means every coding session starts from a clean, known-good state (often from a pre-approved docker image and project configuration). If a developer’s workspace gets compromised or misconfigured, they can terminate it and start fresh, rather than carry forward a tainted environment. Ephemerality is a security benefit: there’s no long-lived VM for an attacker to persist on, and no “pet” environment that drifts from the secure baseline. Everything is rebuilt from source and Infrastructure-as-Code each time. This also makes compliance easier, because you can enforce that updates (security patches, etc.) are baked into the workspace image and automatically applied to every new workspace – no more unpatched dev machines. It’s the ‘cattle vs pets’ philosophy, applied to development environments. This becomes especially helpful when you want to experiment with tools like coding assistants – Gitpod will minimize the blast radius of AI experimentation or rogue AI agents.

  • Fine-grained policy enforcement (Gitpod’s zero-trust architecture): Gitpod is built with zero-trust principles in mind. Island, on the client side, treats even the developer’s device and session as untrusted until verified – for example, you can require that the Island browser only runs on devices that meet certain security posture (OS updated, disk encrypted, company MDM profile present, etc.) On the server side, Gitpod attaches identity and authorization checks to every request in the system. No user or process is inherently trusted; every action (starting a workspace, opening a port, etc.) is authenticated with signed tokens. This end-to-end verification means that even if someone somehow found a URL to a workspace, they couldn’t access it without proper credentials. Every access to code or dev resources is gated.

  • Network and data isolation: With Gitpod running in your cloud or data center, you can keep the entire development environment within your private network (for instance, accessible at an address like gitpod.corp.internal). This avoids exposure of dev infrastructure to the public internet. Developers might be working from anywhere, but their connection into Gitpod can be routed through a secure access service. Island offers something called Island Private Access that works akin to a zero-trust network access (ZTNA) solution, letting remote users securely reach internal web resources without a VPN. In practice, you could use Island Private Access or a similar solution so that when the Island browser connects to your Gitpod instance, it’s using a secure tunnel that authenticates the user and device, rather than a wide-open web endpoint. All communications are encrypted. Within Gitpod, each environment runs in with strong isolation – no two workspaces can see each other’s processes or data. And you can enforce network policies on the workspace (for example, only allow it to access certain internal APIs or package registries, but not the open internet, if desired). This granular control simply isn’t possible in a basic VDI where a dev has a full Windows desktop and could attempt to connect to anything.

  • Auditability and monitoring: The enterprise browser approach gives security teams unparalleled visibility into developer sessions. With Island’s admin console, you can monitor and log actions that happen within the development session – down to web navigation events, copy/paste attempts, file accesses, etc. On the Gitpod side, you also have logs and usage metrics: you can see when workspaces were started, what operations were run (via audit logs), and ensure compliance with development policies. All of this builds a robust audit trail. If there ever were an attempted breach or an insider threat, you’d have detailed records at both the application (Gitpod) and interaction (browser) levels – far more insight than a traditional VDI might offer.

  • BYOD with security: One dilemma in regulated industries is whether to allow contractors or third-party developers to use their own devices. Traditionally, the answer was often “no” or “only via VDI on a locked down laptop”. Gitpod + Island opens the door to a safer bring-your-own-device model. Since the dev environment is entirely in the browser and cloud, you could let a contractor use their personal machine without VPN access and without installing any source code locally – they just run the Island browser which you manage. With the right policies, even on an untrusted device, Island can ensure the session is secure (for example, not allowing downloads to the local disk, not allowing copy out). You might still require some basic device posture (like antivirus and no jailbreaking, which Island can check, but you don’t have to issue corporate laptops to short-term contractors. This can accelerate onboarding external developers while maintaining peace of mind that your crown-jewel source code is staying within your walls.

Engineer productivity without security compromise

Security might be king, but developer experience is queen – and in the best case, a secure solution should also make developers’ lives easier. Gitpod + Island delivers that, turning the developer workstation from a clunky remote desktop into a purpose-built developer experience.

Try Gitpod and Island today!

Standardize and automate your development environments today

Contact sales Try now for free

Similar posts