VDI Security – better than physical desktops?

Are virtualised desktops – be they hosted desktops (VDI) or session desktops (RDSH)  more secure than physical?  We’ve questioned before the benefits of a virtual desktop infrastructure with respect to security. Is VDI secure? Is VDI inherently more secure than “traditional desktops”? In our article Virtual Desktop Security? Are They Secure? We considered VDI vendor claims that there are several big virtual desktop security wins:

• Centralized Management
• Centralized Patching
• Improved Availability & Flexibility
• and importantly, data is held in the data center where it can be monitored and audited – not stuck out on end devices.

However, none significantly improves security: and are not solely delivered with VDI . Indeed, core issues that can be attributed to the inconsistencies with VDI security claims are in themselves common security misunderstandings:

• Security is easy: you cannot  replace standard desktops with VDI and be secure. Security is is a complex thing. Securing a Windows OS, and patch management are one part of a range  of measures: not the only part.
  
• Find and patch is sufficient Security should be proactive – security should be by design. Regular testing is necessary to look for and patch flaws, but it doesn’t replace sound security design. Penetration testing is finding holes – a reactive process. True security is making sure the common issues are not there in the first place: all be it with the caveat that no security solution will ever be perfect.
• One tool can defend everything: There is no single technology that will secure your network.  While there are excellent anti-virus, intrusion prevention, network monitoring and forensics tools available, and new tools are developed – none of them does everything. Security tools are specialized, there is no silver bullet. Importantly, VDI inherently contains none of these tools.
• Security is just about Availability: Often over-looked are the concepts of integrity and confidentiality.

Where VDI offers an advantage over physical PCs is in improved availability and flexibility: you can access the service from a range of devices and locations. But, this is not all there is to security. We must consider Availability, as well as Confidentiality and Integrity of the data stored within the network.
When looking to answer the question – are virtualised desktops more (or less) secure than physical consider the following:

VDI’s centralisation offers little additional security over well managed standard desktops

If you have in place a well-managed, locked down desktop environment (be that using desktop management tools from vendors such as Dell, Microsoft, or  Symantec) moving from your distributed environment to VDI will offer little in terms of additional security.
There is an advantage in the fact that – within a VDI environment you have the ability to deliver updates and restore to a last good state faster as well as possibly remediation of Malware faster.  With a VDI environment, with all desktops hosted on a handful of servers in a few well-known locations,  the task of recovering is far easier. Powerdown the desktops or isolate the appropriate subnet and the problem is contained. Revert to previous known good image and with a little luck business operations can resume. Identify the appropriate patches and update the master of image accordingly and that particular threat is addressed. Nowit possible to argue that this has more to do with restoration and recovery than it does security, and that is a valid point. But at the same time, security is not just about preventing data loss. A large part of the security equation is minimizing the opportunity for business disruption, and in that regard the centralized hosting that is provided by VDI does offer worthwhile advantages over a well-managed distributed environment.
However, with a non-VDI solution you can still achieve centralized management and centralised patching with far less infrastructure, and less complexity than VDI.  Also, bear in mind, if you had a poorly managed environment are the staff who are going to be managing the new environment going to be properly trained and prepared to manage a new, more secure environment?
We can all agree that VDI offers much improved Availability.

VDI can expose additional security risks

Introducing VDI means that data does not need to be stored on the end-point. If the end-point is lost or stolen, there will be no data loss. Hurrah! Great for remote offices, for delivering services to  off-shore organisations, for contractors. The corollary; there are functions and features of VDI that are beyond thin clients. You may have to have users access from their own PCs, or re-provisioned PCs. Importantly, VDI requires access via a remoting protocol with access into your datacentre. Now you are allowing access into your datacentre to individuals not necessarily in your buildings or under your control: how are you validating those individuals are who they say they are and accessing only the resources they are  entitled to?
The attacks are now closer to your core environment, they are now within your datacenter, which means that without the appropriate further security controls, attacks against the highly volatile virtual desktop  could go further than ever before. There is still an educational gap between virtualization administrators and security administrators. Each makes assumptions about the others field of expertise. These assumptions lead to mistakes in configuration through which an attack could be successful.
There are confidentiality and integrity risks associated with virtual desktops, actually with any desktop.

VDI – Something to Work Around

In some cases, VDI implementations are something that are often worked around, why? Because the end user may need the data somewhere, where they normally do not have access. Such as on the road. A road warrior in some areas of the country will not be able to access their VDI session to work with the data, so they either ‘check out’ the desktop for use in a remote location, or they use other mechanisms to share their data to their local device.
In this case, once more, data is on the device. Users are more interested in doing their jobs than protecting the data. If the VDI security measures are too draconian, then VDI security will be worked around, in the name of getting the job done.
A VDI implementation could actively encourage data to be exported outside of your network to devices you have no control over, or allow access to your network resources from remote endpoints. Yes, such issues are solvable by introducing additional technologies to monitor and control the environment. However, these are additional technologies: they are not inherent within existing VDI solutions.
Lack of Availability implies possible confidentiality issues and once more reverting to data on unsecured devices.

Can VDI make your environment more secure than standard desktops?

If you have a poorly managed “traditional” desktop environment – and you virtualize it by implementing VDI – your new environment, with its hypervisors, its storage networks, it brokers – will not be more secure than what you had before in relation to the cost of implementing that environment.
To be considered secure, your VDI needs to be complemented with additional security layers: just like a traditional desktop environment. VDI out-of-the-box is in itself not more inherently secure than traditional desktops. More importantly, it is likely that your organisations needs will be met by a range of desktop services
Security is not just about availability but confidentiality and integrity which are achieved by properly segmenting off the non-privileged desktops from the rest of the virtual workloads. Virtual Desktops actually require more security be placed into the mix than most realize. While this security is invisible until needed, it is part and parcel of highly volatile desktop environments. Virtual Desktops do have the potential of offering more security.

VDI Security – is it better than physical desktops?

In a word “no”.
Is it less secure? “No”.
Yes, VDI’s centralised model can be used as a platform to create a more secure environment. But, many organisations already have tools in place to be able to manage environments centrally. As well as traditional desktop tools, client hypervisors can be utilised to offer desktop virtualisation on devices without the back-end infrastructure of VDI.
Yes, VDI has the potential to be more secure, if you implement the proper defense in depth within the virtual and physical components of your virtual environment.
This is not to say that desktop virtualisation market is complacent.  VMware for example, offer the ability to control network access via vShield Edge/App. Such technologies can be used to isolate virtual desktops so if one is compromised,  the attacker is limited to where they can attack next. But this isn’t a feature limited  to VDI – Bromium’s trustworthy security vision looks to enable this feature across the Windows endpoint which could eliminate the need for VDI. Citrix is working on building upon its Flexcast model to allow data and applications access to move seamlessly and securely between devices.
What is key for you to consider is how you need data to delivered across devices and platforms going forward. The question shouldn’t be “which desktop solution is more secure” , but a wider “what do I need to deliver, and what are the risks associated with that? As part of that exercise, check out Edward Haletky’s on-line presentation “Are Virtual Desktops More Secure“