What is VDI in Cybersecurity?

As remote work becomes an undeniable reality, organizations have to embrace solutions for their
remote workers.
Virtual Desktop Infrastructure (VDI) can be an ideal solution for remote workforces. Virtual
desktops carry a desktop image of an operating system (OS), such as Microsoft Windows, over a
network to an endpoint device, for example, a laptop, smartphone, or tablet.
VDI uses virtual machines to administer and manage these virtual desktops. Users can connect to
virtual desktops anywhere, anytime, from any device. VDI boosts mobility and remote access to
essential applications.
However, it also raises serious security concerns.
VDI security is comprised of the technologies and best practices used to secure virtual desktops.
Stolen passwords, unlocked smartphones, and exposed user desktop sessions are just some of
the possible cybersecurity threats.
These can make an organization’s data vulnerable to ransomware, malware, insider threats, and
network sniffing, just to name a few.
Let’s take a look at what VDI is, how it works, and what security measures need to be taken for
data protection.

What is VDI and how does it work?

VDI is the framework that facilitates creating, maintaining, and securing a virtual environment
hosted on a central server. It gives you access to your organization’s virtual desktop from any
device the organization has approved.
You don’t have to be in an office to access the files and applications you need to perform your
work. This isolated environment offers the same experience you get working on your
physical desktop.
VDI works by dividing enterprise servers into individual user virtual desktops.
The user can access their virtual desktop through their device of choice, and the virtual desktops
are hosted on Virtual Machines (VM).
Each user has their own dedicated VM that runs a separate operating system, and the
environments are hosted either in the cloud or on dedicated bare metal servers.
Users can log into their VM through their device from anywhere through a secure network using
the hypervisor. The hypervisor is responsible for breaking up the cloud host or bare metal server
into the individual VMs, which in turn, host the virtual desktops.
VDI can be either persistent or non-persistent. With persistent VDI, you receive a personalized
virtual desktop experience. With non-persistent VDI, the virtual desktops revert to their
initial state when the user logs out.

Elements of a VDI

The basic elements of virtual desktop infrastructure are:

  • Hypervisor – The software that divides the cloud host or bare metal server into individual VMs. It is also responsible for the management of shared resources like memory.
  • Connection Broker – The software that connects users to their virtual desktop images. It provides security by being responsible for user authentication and tracking active and inactive desktops.
  • OS Image – A VDI requires an operating system. Microsoft Windows is the most common OS for virtual desktops. Linux has some options for Mac users.

What is VPN vs VDI?

Both Virtual Desktop Infrastructure (VDI) and Virtual Private Networks (VPN) are popular solutions
available for remote access.
A VPN is different from VDI, particularly from a user’s point of view. A VPN expands an
organization’s network. It is a cybersecure and economical way to remotely connect to a
corporate system. It encrypts data traveling across an insecure internet connection.
VDIs also provide cybersecure and cost-effective remote access. In addition, they are built for
user mobility and flexibility.
VPNs excel at tunneling data between the organization’s network and the user’s machine.
However, their connections are restricted to the user’s machine.
If a user needs to share files with other employees, they must install a VPN client on their device.
If your organization is a BYOD workplace, your employees must have devices capable of both
installing and running the VPN client.

On the other hand, VDI is not hardware dependent and does not require software installation.
In terms of security, VPNs run checks, updates, and patches. If you have many employees and
they all connect to your server at the same time for updates, you may have to lower your security
safeguards in order to allow access to so many users.
VDI is a robust solution for managing remote employees. Because data is kept centralized, IT
departments spend less time troubleshooting problems. Updates and patches are done at the
centralized level where the data is, not at the hardware level where the user is.
For updates, IT departments can use a golden image to install the latest OS update on all the
virtual desktops in the same pool so all users in the pool are running the same version of the
software. With a VPN, updates are on each endpoint device.
In terms of cybersecurity, VDI is more secure than a VPN.

With VDI an organization can preconfigure its IT infrastructure according to its security
requirements. The infrastructure is hosted on-premises or in the cloud.
Employees remotely connect to the centralized IT infrastructure. The data stays where it is and is
not saved on the user’s endpoint device.
A VPN does not prevent employees from copying data from the company’s files to their local
endpoint devices. This significantly increases the risk of a data breach.

Is VDI safe?

VDI is safer than both traditional desktops and VPNs. Since VDI is centralized, the configuration,
encryption, and cybersecurity are all managed in one place and protected by the same cyber
defenses.
Enterprise data never leaves the data center. Sensitive data is not spread to individual users that
may or may not manage its governance properly.
That kind of protection is not available to users working remotely on an unsecured network. In
the event of a cyberattack, the IT department only has to go to one place to contain the damage.
When an employee clicks on a link they shouldn’t, the IT department is alerted, and they can
disable that session and create a clean one.
The safety of VDI rather depends on how big your organization is. At the enterprise level, you can
have a fully-staffed, round-the-clock IT department to monitor and secure deployment,
operations, users, and maintenance of VDIs.
But if you are a small to medium-sized business, you may want to consider desktop-as-a-service
(DaaS). Just like other cloud services, with DaaS, your IT department focuses on securing data
and users. The service provider secures the VDI and virtual desktops.

VDI security risks

VDI has inherent and extensive cybersecurity protection, but it is not without security risks. A
substantial cybersecurity architecture must be built around it.
Here are some areas of known weakness:

Hypervisor

Cyber threat actors can take over control of the hypervisor through an attack called hyperjacking.
This is when hackers use malware to get beneath an OS.
Hyperjacking is difficult to detect and gives cyber criminals access to everything connected to
the server.

Network

No network is 100% protected from cyberattacks. A VDI environment is especially vulnerable.
Ironically, its biggest advantage is also the source of its biggest risk: centralization. For
example, if there is a breach in the system, then everything linked to the system, like virtual
desktops, is negatively impacted.

Employees

Depending on your workplace, you may prefer the cloud for your server needs. If you use an
on-premises dedicated bare metal server, an employee can break into the server room and
directly disable it. Or, an untrained employee can unwittingly compromise the server.

Virtual Machines

Every VM has its own operating system and unique configuration. Manually patching, maintaining,
and securing them takes time.
If you have a large enterprise and fall behind, a gap can form, allowing a breach to occur. The
best practice is to automate enterprise-wide maintenance.

Protocols

A user’s remote access protocols could be stolen, giving a hacker the opportunity to gain
entrance to the data center or cloud service and exploit existing weaknesses or
misconfigurations, which will spread risk throughout the entire system. Common attacks include
malware such as keylogging (a hacker captures keystrokes) and screen scraping (a hacker captures
screens), which have been used to compromise physical personal computers for years. These
assaults can contaminate virtual sessions too.

VDI security checklist

Here are some things to think about when securing your organization’s VDI.

  • To stay ahead of cybercriminals trolling for new ways around security protocols, set VDI security controls to disable an endpoint device in local mode if it doesn’t synchronize within a time interval your organization dictates.
  • Establish rigorous policy-driven access controls. These need to govern both virtual desktops and applications. The policy should apply to both corporate-owned and employee-owned devices. This will help prevent unauthorized access.
  • Use micro-segmentation to quarantine cyberattacks to prevent them from infecting the entire system.
  • Leverage built-in encryption software, data at rest encryption, and distributed firewall support to protect data.
  • Minimize data leakage from lost or stolen endpoint devices by investing in regular cybersecurity awareness training for the workforce.
  • Deploy the most current cybersecurity patches to the operating system, immediately update software when updates become available, and employ endpoint users’ built-in hardware and security capabilities to protect users.
  • Maintain good network hygiene. For example, check your configuration management for effectiveness. Harden the primary images and monitor them for unauthorized changes.
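
One way to monitor a primary image for unauthorized changes, as the last checklist item recommends, is to record a hash manifest once the image is hardened and compare later scans against it. This is an added example, not part of the original article; it assumes the image is mounted as a directory, and the file names in demo() are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def build_manifest(image_root):
    """Map each file under image_root (relative path) to a SHA-256 digest."""
    root = Path(image_root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_symlink():
            # Record the target rather than following the link out of the image.
            manifest[rel] = "symlink:" + os.readlink(path)
        elif path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest

def diff_manifests(baseline, current):
    """Report drift from the approved baseline: added, removed, modified."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }

def demo():
    """Constructed sample tree standing in for a mounted primary image."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "config" / "firewall.rules").write_text("default deny\n")
        (root / "config" / "services.list").write_text("display-agent\n")
        (root / "agent.bin").write_bytes(b"constructed agent binary")
        baseline = build_manifest(root)  # taken right after hardening
        # Simulated unauthorized changes made after the baseline was approved.
        (root / "config" / "firewall.rules").write_text("default allow\n")
        (root / "config" / "services.list").unlink()
        (root / "startup.cmd").write_text("echo constructed\n")
        return diff_manifests(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

Store the baseline manifest outside the image it describes, so that whoever alters the image cannot also rewrite the record it is checked against.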

VDI security best practices

Like all systems, VDI has cybersecurity vulnerabilities. Here are some best practices to help
insulate your network.

  • Restrict Permissions – Make sure users only have permission to access the files and applications required to do their work.
  • Disable Services – If your organization no longer needs a service, don’t let it hang around just in case you may use it again someday.
  • Keep a List – Per employee, maintain a whitelist and a blacklist of who is permitted to access what. For example, are certain websites okay for some employees to access and not okay for others? Marketing employees may be permitted to access a graphic design website, but accounting employees may not.
  • Use the Right Tools – Basic cybersecurity measures like firewalls and antivirus software should be on every virtual desktop. The measures need to be compatible with the existing VDI and include intrusion detection and prevention systems. An enterprise-wide monitoring tool gives your IT department visibility into various levels of the organization’s VDI. The tool you choose depends on what metrics you want to track.
  • Implement third-party malware and ransomware tools – For example, VMware administrators can use Sophos. Citrix administrators can use Bitdefender.
  • Require two-factor authentication – For an extra layer of cybersecurity, there are a few options for multi-factor authentication, and allowing users to choose the one they are most comfortable with will encourage them to use it. They could enter a password, receive a text or phone call, or use face ID or a fingerprint.

There are numerous solutions for accommodating the increasing popularity of the remote-workforce culture. As the culture evolves, so will the tools to enable it.
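
The "Restrict Permissions" and "Keep a List" practices above, together with the checklist's policy-driven access controls for corporate-owned and employee-owned devices, can be expressed as a small default-deny evaluator in which an explicit deny always wins. This is an added example, not part of the original article; the departments, users, resource names and the managed-device rule are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class AccessList:
    allow: set = field(default_factory=set)
    deny: set = field(default_factory=set)

# Constructed sample policy; every name below is hypothetical.
DEPARTMENT = {
    "marketing": AccessList(allow={"desktop:pool-marketing", "web:design-site"}),
    "accounting": AccessList(allow={"desktop:pool-finance", "app:ledger"},
                             deny={"web:design-site"}),
}
PER_USER = {"lee": AccessList(deny={"app:ledger"})}  # per-employee override
MANAGED_DEVICE_ONLY = {"app:ledger"}  # assumption: blocked on employee-owned devices

def decide(user, department, resource, device):
    """Return (allowed, reason); device is 'corporate' or 'employee-owned'."""
    dept = DEPARTMENT.get(department, AccessList())
    personal = PER_USER.get(user, AccessList())
    if resource in personal.deny or resource in dept.deny:
        return False, "explicit deny"  # a deny entry always beats an allow entry
    if device != "corporate" and resource in MANAGED_DEVICE_ONLY:
        return False, "requires corporate-owned device"
    if resource in personal.allow or resource in dept.allow:
        return True, "allowed by list"
    return False, "default deny"  # anything unlisted is not needed for the job

def audit(requests):
    """Evaluate (user, department, resource, device) tuples for review."""
    return [(req, *decide(*req)) for req in requests]

if __name__ == "__main__":
    sample = [  # constructed requests
        ("ana", "marketing", "web:design-site", "employee-owned"),
        ("raj", "accounting", "web:design-site", "corporate"),
        ("raj", "accounting", "app:ledger", "employee-owned"),
    ]
    for req, allowed, reason in audit(sample):
        print(req, allowed, reason)
```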


VDI is currently an excellent way to stay cybersecure.
If your organization employs remote and/or hybrid workers, VMs will give you the most control
over your digital assets while giving your workforce access to the files and applications they need
to do their jobs.
VDI security is not the area of the budget to skimp on. Combined with VDI best practices, it is the
most effective way to secure virtual desktops.

If you need assistance setting up VDI security for your business, we can help. Contact us today!