The COVID-19 pandemic has forced many organisations to shift their business online and their employees to work from home. As a result, businesses have had to quickly adjust and scale up their infrastructure, sometimes with security as an afterthought.
A recent business continuity survey conducted by Gartner revealed that just 12 percent of IT organisations were prepared to deal speedily with an incident like we are experiencing with the Coronavirus.
VDI is easier to manage and keep up-to-date than large pools of physical desktops, and if admins properly patch and maintain their systems, VDI is much more likely to ward off attacks.
Virtual desktop users are no less susceptible to error and poor security practices than users on physical desktops. They can visit infected websites, open questionable email attachments, click embedded links, transfer sensitive data to unapproved devices, use unauthorised applications and services and take numerous other steps that can put the corporate network and sensitive data at risk.
A VDI deployment is also exposed by poor management practices and misconfiguration, and because every session is cloned from the same image, one mistake in the image or the pool settings is inherited by every desktop.
Virtual desktop security is more complex than physical desktop security. VDI security requires specialised tools and the expertise to implement them. Yet many organisations continue to use traditional tools designed for physical desktops, which do not account for non-persistent sessions, shared golden images, or device names that are reused from one session to the next.
Common risks impacting data in VDI environments include ransomware, social engineering, drive-by downloads, network sniffing, vulnerability exploits, insider threats, privilege escalation, and malware. Some would claim VDI is a more secure option, mainly because a session can be discarded when it ends, but the overall security state is only as strong as its weakest link, and VDI deployments tend to be exactly that for several reasons:
To address security, manageability, and performance needs, security software needs to meet the following benchmarks before VDI deployment:
Some VDI scenarios, such as “non-persistent” pools, terminate each individual session and always start the next one from the base image, so any definitions or state the agent downloaded during the session are lost. Products that depend on pulling a fresh update at startup will create an “AV storm” every time users log in: hundreds of identical clones request the same update and run the same full scan at the same moment, saturating the network and the hypervisor hosts. Prefer a product whose definitions can be baked into the golden image and whose scans are staggered or shared across clones.
In VDI environments, device names cannot be relied on as unique identifiers. Most VDI vendors allow a naming convention to be set, but the same name is reissued to new sessions as old ones are torn down. An AV product that manages VDI without retiring closed sessions accumulates numerous “phantom devices” that never report again, rendering a distorted operational view and making it impossible to manage assets effectively at scale. The product needs a stable per-instance identifier from the broker, not just the hostname, and a retirement policy for sessions that have ended.
If you don’t verify that the golden image is clean before it is cloned, you are taking a considerable risk: every session inherits whatever is in the image, and a product that baselines itself against that image will treat the defect as normal. Products that rely solely on “seeing” malware dropped to disk, or that only check files at execution time, are not sufficient for this attack surface, because a non-persistent desktop may never write the payload to disk before it is discarded, leaving your VDI environment vulnerable.
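The phantom-device problem described above, as an added example that is not part of the original article or any vendor's product: a small reconciliation routine over a constructed endpoint inventory. It assumes a hypothetical inventory record with a broker-assigned `instance_id` that is unique per clone (the real field name depends on the broker and agent) and shows why the reused `device_name` alone cannot identify a live desktop.

```python
"""Reconcile a VDI endpoint inventory against the broker's live sessions.

Added example; the record layout and the instance_id field are assumptions,
not any particular product's schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DeviceRecord:
    device_name: str   # hostname reported by the agent; reused across clones
    instance_id: str   # assumed broker-assigned id, unique for each clone
    first_seen: datetime
    last_seen: datetime


def duplicate_names(records):
    """Names that appear on more than one record, oldest to newest.

    Any non-empty result means the hostname is not a usable asset key."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r.device_name].append(r)
    return {name: sorted(rs, key=lambda r: r.last_seen)
            for name, rs in by_name.items() if len(rs) > 1}


def reconcile(records, active_instance_ids, now, stale_after):
    """Split records into (keep, retire).

    A record is kept if its instance is still active on the broker, or if it
    is recent and no newer record has taken over its name.  Otherwise it is a
    phantom: either its name has been reissued to a newer clone, or it has
    not reported within stale_after."""
    newest_by_name = {}
    for r in records:
        cur = newest_by_name.get(r.device_name)
        if cur is None or r.last_seen > cur.last_seen:
            newest_by_name[r.device_name] = r

    keep, retire = [], []
    for r in records:
        if r.instance_id in active_instance_ids:
            keep.append(r)
            continue
        superseded = newest_by_name[r.device_name].instance_id != r.instance_id
        stale = now - r.last_seen > stale_after
        (retire if superseded or stale else keep).append(r)
    return keep, retire


# Constructed sample inventory: four agent check-ins, two of them phantoms.
NOW = datetime(2020, 5, 4, 11, 0)
STALE_AFTER = timedelta(hours=8)
SAMPLE_RECORDS = [
    # VDI-POOL-01 was used by clone a1 this morning, then reissued to b7.
    DeviceRecord("VDI-POOL-01", "inst-a1", datetime(2020, 5, 4, 8, 0), datetime(2020, 5, 4, 9, 30)),
    DeviceRecord("VDI-POOL-01", "inst-b7", datetime(2020, 5, 4, 10, 0), datetime(2020, 5, 4, 10, 45)),
    # VDI-POOL-02 last reported yesterday and was never retired.
    DeviceRecord("VDI-POOL-02", "inst-c3", datetime(2020, 5, 3, 8, 0), datetime(2020, 5, 3, 8, 30)),
    # VDI-POOL-03 logged off minutes ago; recent and not superseded, so keep for review.
    DeviceRecord("VDI-POOL-03", "inst-d9", datetime(2020, 5, 4, 10, 30), datetime(2020, 5, 4, 10, 40)),
]
ACTIVE_IDS = {"inst-b7"}   # what the broker reports as currently running


def phantom_ids(records=SAMPLE_RECORDS, active=ACTIVE_IDS, now=NOW, stale_after=STALE_AFTER):
    """Instance ids the inventory should retire, sorted for stable output."""
    _, retire = reconcile(records, active, now, stale_after)
    return sorted(r.instance_id for r in retire)


if __name__ == "__main__":
    print("names reused:", sorted(duplicate_names(SAMPLE_RECORDS)))
    print("retire:", phantom_ids())
```

Run the reconciliation on a schedule against the broker's session list rather than relying on the agent to check out: a non-persistent clone is usually destroyed before its agent gets a chance to say goodbye, which is exactly how the phantoms accumulate.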
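One concrete check for the golden image, as an added example that is not from the original article or from any vendor: build a SHA-256 manifest of the approved image, then diff the image against that manifest before every release to the pool, so that unexpected additions, removals and modifications surface before they are cloned into every session. The directory layout and file names below are constructed for the demonstration; a real run would point at the mounted image.

```python
"""Golden-image drift check: manifest the approved image, diff before release.

Added example.  The sample files are constructed inside a temporary directory
so that the script runs offline; point build_manifest() at a mounted image in
practice.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's image-relative POSIX path to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Return the files added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Create a toy image, approve it, tamper with it, and report the drift."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "agent.exe").write_bytes(b"agent v1")          # constructed content
        (root / "etc" / "policy.conf").write_text("scan_on_login=false\n")

        baseline = build_manifest(root)   # what was signed off for the pool

        # Simulated drift after sign-off: a scan exclusion is slipped into the
        # config, an unexpected binary appears, and the agent is removed.
        (root / "etc" / "policy.conf").write_text("scan_on_login=false\nexclude=C:\\Users\n")
        (root / "bin" / "helper.dll").write_bytes(b"MZ\x90\x00")      # constructed content
        (root / "bin" / "agent.exe").unlink()

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Store the approved manifest outside the image (it is no use as a baseline if an attacker who modifies the image can also rewrite it), and treat any non-empty diff as a release blocker rather than a warning. Note that this check only covers what is on disk, which is the same limitation the paragraph above warns about: it says nothing about a payload that only ever lives in memory inside a running session.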
Some vendors offer dedicated agents for VDI, albeit with limited functionality, leaving VDI environments as an exposed attack surface. Look for vendors who do not compromise and can deliver full protection, visibility, and response capabilities on virtual desktops. VDI endpoints should also be surfaces where SOC analysts can threat hunt, because if suspicious activity is identified in a session you need to reach the root of it before the session is discarded and the evidence with it; telemetry has to leave the desktop while it is still running.
There are two common licensing models:
Naturally, look for a concurrent license model, which counts simultaneous sessions rather than every clone ever created; for a non-persistent pool that recycles names and instances all day, it will reduce your costs considerably.
One advantage of VDI is a reduction in hardware and operational costs. If you end up with an AV solution that requires resource allocation as if it was a physical device, you miss a core value of using VDI. Another aspect that will influence VDI performance is the number of applications you need to install on the base image. Opt for endpoint protection solutions that are lightweight and robust so that computer power and end user experience/productivity aren’t compromised to run AV. Avoid solutions with multiple agents, as it means more resource consumption.
VDI allows for the distribution of virtualised desktops to different nodes within a given network. So, if a certain organisation prefers that its users operate on Windows 7 (an operating system that itself reached end of support in January 2020, so this is an illustration of the mechanism, not a recommendation), the system administrator simply has to allocate a baseline image to each node on the network.
Virtualised endpoints provide several different advantages in terms of security. First, it allows the system administrator to control what type of baseline image is allocated to each node from a centralised location. If a certain operating system is suffering from serious vulnerabilities and a patch or update is not available yet, the system administrator simply needs to recall that OS version, and then allocate a different OS version to each user. Alternatively, the system administrator can simply allocate a completely different OS, and all of this can be done without leaving the confines of the system administrator’s cubicle.
VDI also allows for more robust security setups when compared to traditional networks. When malware successfully penetrates a virtualised network, for example, administrators can simply delete each OS instance where the malware is detected, with little fear that the hypervisor host has been affected (a hypervisor escape is rare and should be treated as a separate, much more serious event). This is a profound advantage in terms of resource conservation and security, though seizing it depends heavily on effective malware-detection capabilities, and deleting the instance does nothing about anything the malware has already placed in roaming profiles, file shares, or the golden image, from where it will return with the next session.
The wise system administrator should be cognisant of the fact that undetected malware can propagate through a VDI-based network just as easily as it can through a traditional network. For enterprises concerned about potential malware issues when switching to VDI-based networks, vendors have stepped in with products that could solve such issues. One VDI security concept that has gained in popularity in recent years is known as agentless security, and it takes a two-pronged approach. First, VMware’s vShield Endpoint (later folded into NSX Guest Introspection) provides hypervisor-level hooks that allow file scanning to be offloaded from each VM to a separate security virtual appliance on the host, so that every desktop does not carry a full scanning engine and the per-VM performance cost drops. Second, a security product consumes those hooks: Trend Micro’s Deep Security was the first to do so, running its scanning engine in that appliance and inspecting the guests through the introspection interface, and McAfee and others followed. Agentless scanning removes the update and scan storms, but it only sees what the introspection interface exposes, so check what coverage (memory, behaviour, network) your chosen product gives up compared to its full agent.
Endpoint virtualisation is mostly a good thing for enterprise security. Though challenges with malware persist, VDI-based networks offer system administrators the opportunity to more easily secure and manage user desktops. As long as an organisation takes the necessary precautions towards VDI, virtualisation can provide a big boost to security efforts. A virtual desktop is not quite the sandbox many believe, and IT must take special care to protect it. Educating users, ensuring that the necessary expertise is on hand and keeping the systems up-to-date are the best protections, along with security tools that account for the specific requirements of a VDI deployment.
If you are currently deploying a new work-from-home system and would like further insight into VDI technology, please get in touch.