Security has long been seen as an advantage when it comes to virtual desktop infrastructure (VDI). It is much easier to maintain control over centralized resources than distributed ones. However, some people are taking a harder look at VDI as it stands today and are noticing some potentially serious vulnerabilities, not just to desktop images but to the enterprise in general. Bromium CTO Simon Crosby points out to IT Business Edge’s Arthur Cole some of the more ominous threats and what can be done about them.
Cole: Most VDI developers argue that their platforms are more secure than the traditional desktop because they can be protected and verified using a central repository. Should the enterprise take comfort in that?
Crosby: No, unfortunately the VDI vendors dramatically overstate the security benefits of virtual desktops. Data centralization, namely the removal of PCs in the wild, does result in fewer challenges securing devices, particularly mobile ones, and if the user accesses their desktop from a zero-client device with no USB ports, then client-side issues of data theft are eliminated. As well, users accessing enterprise applications and desktops are securely authenticated in real time, and access can be centrally revoked at any time. For these reasons, regulatory compliance is easier to achieve, but that’s all.
Centralizing the execution of the desktop and its apps doesn’t make it more secure and can lead to situations of lower security than traditional desktops. If the user accesses any untrustworthy content on a hosted virtual desktop, the desktop can be compromised in the same way as a native desktop. However, if the VDI VM is in the data center on a non-segregated LAN, the attacker can then directly penetrate deeper into the infrastructure.
Moreover, the VDI vendor claims that a single patched golden image for all VMs and an ability to assemble the desktop on the fly lead to greater security are not true: Malware remains on persisted VDI user profiles and simply returns on the next reboot.
Cole: What are some of the ways in which VDI can be made more secure?
Crosby: There are a number of ways. First, ensure that all VDI VMs are on a VLAN segment that effectively places them in the DMZ, and outside the data center. Ideally, you want to make sure that VDI VMs on the same host are not visible to each other, because if they are then the attacker can compromise many desktops. As well, ensure that network and endpoint security products are used, and recycle VMs regularly, at least once a week. And be sure to use 2-factor authentication for all VDI logins.
Bromium will offer vSentry for RDS and VDI in the coming quarters. This uses VMCS-Shadowing to extend hardware-based task isolation into each VM or RDS session, effectively making the desktop immune to all malware.
Cole: Is there a danger, though, that too many layers of security will start to hamper the flexibility and cost-effectiveness that VDI is supposed to provide?
Crosby: The cost-effectiveness of VDI remains unproven. It is better to talk about use cases and architectures. VDI is extremely useful for some kinds of workers: for example, offshore developers or support teams, and some help desks. RDS is an alternative for different use cases. Where VDI is warranted, it is mandatory to secure it – and yes, it is critical that the security overhead not conflict with the goals of the project itself. However, this is true for all desktop users – even those on traditional PCs. The mandate for IT is to ‘securely empower users to deliver value to the enterprise.’ Empowerment is frequently the victim of over-zealous, ineffective security tools. Employees can’t access Twitter because compressed URLs have no reputation – but Twitter is a powerful work application. If we can make the desktop infrastructure secure by design, then we can let users use any application – including any web site or dangerous media – without fear of compromise.