A VDI desktop is no More Secure than a Standard Desktop

Our very own Texiwill hosts a weekly Virtualization Security Round Table podcast. This round table provides an open forum to discuss all things related to Virtualization, Virtual Environment and cloud computing security.  We’ve questioned before the benefits of a virtual desktop infrastructure with respect to security. Is VDI secure? Is VDI inherently more secure than “traditional desktops”? The article Virtual Desktop Security? Are They Secure? considered the VDI vendor claims that there are several big virtual desktop security wins such as

• Centralized Management
• Centralized Patching
• Improved Availability
• and importantly, data never leaves the data center

The article and the associated Bright talk presentation generated a good deal of interweb discussion, which in turn led to #73 in the Virtualization Security Round Table VDI desktops – are they really secure? The regular podcast team were joined by Simon Crosby (CTO @ Bromium), Tal Klein (Director Technical Marketing @ Citrix ) and Andrew Wood (Analyst @ TVP).
The discussion meandered in a lively fashion to answer the question – can VDI make your environment more secure than standard desktops?

While this was a security focused podcast – there was healthy debate on whether VDI was a good solution in itself.  For purpose of this summary we’re only going to consider “VDI” i.e. hosted desktop sessions running on a hypervisor – be they persistent or non-persistent.
However, in moving from a distributed end-point environment (like with traditional PCs/laptops) to a centralised one (with access via VDI desktops), rather than “solve” security issues, the new architecture poses additional security issues. For example:

• Are your virtual desktops designed with segregation in mind? or is everything a flat network? Do you treat virtual desktops as a new trust zone?
• These are juicy targets that were moved into your data centre, can your data centre survive an attack that happens to be within your virtual environment?
• Is your virtual environment following best practices with the use of virtual desktops?

Core issues that can be attributed to the inconsistencies with VDI security claims are in themselves common security misunderstandings:

• Security is easy: implement VDI rather than standard desktops and you will be secure. No. Security is not easy and is a complex thing to deliver and you are not magically more secure than before.
  
• Find and patch is sufficient While regular testing is necessary to look for and patch flaws, it’s not a replacement for having security by design. All penetration testing is doing is finding holes to harden a broken product, which forces the organization to always be reactive. True security is making sure the common issues are not there in the first place. However, with the caveat that no security solution will ever be perfect.
• One tool can defend everything: There is no single technology that will secure your network. It doesn’t exist. While there are excellent anti-virus, intrusion prevention, network monitoring and forensics tools available, none of them can do everything. Security tools are specialized, there is no silver bullet. Importantly, VDI inherently contains none of these tools.
  

In this light, the round table discussion arrived at the following considerations:
VDI’s centralisation offers little additional security over well managed standard desktops
If you have in place a well managed, locked down desktop environment (be that using desktop management tools from vendors such as Dell, Microsoft or  Symantec) moving from your distributed environment to VDI will offer little in terms of additional security.
There is an advantage in the fact that – within a VDI environment the ability to deliver updates can be faster. However, with a non-VDI solution you can still achieve centralized management and centralised patching with far less infrastructure, and less complexity.
VDI can expose additional security risks
VDI is meant to be more secure: how can this be? There was a valid point made that introducing a VDI means that data does not need to be stored on the end-point. If the end-point is lost or stolen, there will be no data loss. Indeed, given the processing power is transferred from the end-point to the centre, having a VDI means  that end points can be replaced with simple thin client devices which are easier to manage, require no local data storage, reduce peripheral functionality and are less likely to be lost due to theft.
The corollary; this is of the benefit if you can, and only, deploy thin-client devices. There are functions and features of VDI that are beyond thin clients, you may have decided not to use thin clients, but have users access from their own PCs, or re-provisioned PCs. Most importantly, VDI requires access via a remoting protocol. If the user’s experience of using the VDI service is degraded from what they had before, it is very likely that those users will attempt to circumvent processes in order to get on with their job. For example, if your laptop builds are replaced with a BYOC/BYOD service using VDI and it is slow and cumbersome, users will look to email/download the data to work locally. A poor VDI implementation can actively encouraging data to be exported outside of your network to devices you have no control over.
Yes, such issues are solvable by introducing additional technologies to monitor and control the environment. However, these are additional technologies: they are not inherent within existing VDI solutions.
Can VDI make your environment more secure than standard desktops?
If you have a poorly managed “traditional” desktop environment – and you virtualize it by implementing VDI – you new environment, with its hypervisors, its storage networks, it brokers – will not be more secure than what you had before in relation to the cost of implementing that environment.
To be considered secure, your VDI needs to be complemented with additional security layers: just like a traditional desktop environment. VDI out-of-the-box is in itself not more inherently secure than traditional desktops.
So, will VDI die as a desktop technology?
This question was raised for sure, but it’s not a security question and this is was a security focused podcast. There was a good deal of discussion on whether VDI was the most appropriate technology to deliver a good user experience, the most appropriate technology to deliver to users in a mixed on-line/off-line environment. These are important considerations when you are designing a secure environment. There is definitely scope for further discussion on topics such as ‘is presentation virtualisation more secure than VDI”, and “layering additional technologies to secure virtual desktops”

VDI is not a useless technology: however, to consider it as a technology that will solve security issues on its own, to consider it as a technology to make a poorly managed environment more secure – is misguided.
By all means listen to the podcast to hear more and feel free to feedback your own thoughts.
* The travelogue video was produced by Lars Troen