Why virtual desktops are (mostly) more secure than personal computers
Early in the pandemic, consultant Keith Townsend had clients who were so unprepared that they took their corporate desktop computers home. In normal times, this would be the sort of security violation that could get you in some trouble, but many organizations just weren't ready for secure remote access for all.
Mark Wayt, a worldwide client platforms architect at Hewlett Packard Enterprise, recalls an organization that placed "big stickers on people's desks that read, 'Don't turn this off because people are using it.'" In other instances, workers initially used consumer virtual private networks to access work applications, simply accessed cloud apps directly, or, whenever possible, sidestepped their sanctioned work applications entirely and worked with their personal applications. All of these workarounds increase security risks considerably.
But organizations that used virtual desktop infrastructure, or VDI, for their desktop access had little trouble getting their people productive from home. Users connected from almost any home device and had access to their full desktop, just as if they were back at the office. Those desktops were just as secure as when the users were accessing them at the office.
VDI access, and the Windows terminal technology on which it is based, has been around since the 1990s, yet it hasn't eaten the desktop market in all that time, something Wayt attributes mostly to cost. Yet, even before the pandemic sent most of us home to work, interest in VDI was increasing. A survey by Enterprise Strategy Group found that security and costs are driving the interest behind VDI and that a majority of survey respondents (80 percent) view VDI as more secure than traditional desktops.
So, are VDI desktops more secure than physical desktops? In some ways they are; in some ways they aren't. No serious security issues are unique to VDI, so the net result is a more secure desktop, especially in a managed environment like the typical enterprise.
What is VDI, and what are the security benefits?
VDI, and desktop as a service (which is essentially a managed VDI service), are the software, hardware, and systems that deliver a virtualized desktop to an endpoint. The virtual desktop environments run within virtual machines that are stored on a server and delivered over a network. The configuration, security, and overall management of the VDI, the virtualized desktop environments, and the data are handled centrally.
The virtual desktop on the server delivers the display the user sees via a client app. The app sends the user's keystrokes and mouse movements to the virtual desktop. This communication uses a protocol that carries only the display elements, keystrokes, and mouse movements, and that is encrypted in all cases. The most widely used protocols for this communication include Citrix's HDX, VMware's Blast Extreme and PCoIP (PC over IP), and Microsoft's RDP (Remote Desktop Protocol).
There's nothing Windows-specific about the way VDI works, but almost all VDI installations serve Windows clients. There are VDI services for Linux clients (including one from Microsoft), but Linux users have always had SSH (Secure Shell) and other Unix ways to remote into systems. There are remote access methods for Mac desktops but no real VDI because there is no macOS server.
Because the VDI protocols are all strongly encrypted, there is no need for a VPN on the client. Another network benefit is that the virtual PC is always inside the enterprise and protected by network defenses that are unavailable to the remote worker with a physical PC, either in the home or a cafe, connecting on a potentially hostile network.
Most of the potential security benefits associated with VDI are derived from the centralized nature of VDI itself. This is especially so when it comes to the centralized configuration management, security settings, and applications that are permitted to run in the desktop environment. For instance, when a fast-moving software exploit arises, the software patch (or other mitigations) can be deployed immediately, and all virtual desktops updated simultaneously.
It's the same for configuration changes. Should an attack appear that targets a particular operating system configuration, administrators can centrally change the configuration to mitigate the risk across all virtual workloads. That's true whether managing five virtual desktops or 5,000. Additionally, because the workspace is virtualized, when someone clicks on a link or does something they shouldn't, that session can be discarded and a new and uncompromised virtual desktop spawned.
VDI has other security benefits that derive from its basic nature. "One of the main reasons why an enterprise would choose VDI, from a security perspective, is that their data never leaves their data center. The only thing transmitted out of the business are the pixels and keystrokes," says Alfred Pargfrieder, secure workplace services lead at Hewlett Packard Enterprise.
That centrally stored and managed data also streamlines backup and disaster recovery efforts. "The benefit of keeping data from ever having to leave the data center is a big deal," says Scott Crawford, information security research head at 451 Research, a part of S&P Global Market Intelligence. "When you consider the volume of sensitive data that is usually spread all over the place and impossible to manage properly, being able to control that data from ever leaving the data center solves those huge problems around data governance," says Crawford.
Just like cloud services, desktop-as-a-service offerings, such as the recently announced Windows 365, let enterprises focus on securing their data and users, while the service provider focuses on securing the VDI and virtual desktops. "It resembles the security benefits of an infrastructure-as-a-service or a software-as-a-service cloud offering," explains Crawford. "It's the same advantages one gets with the cloud by having the secure deployment, secure operations, and maintenance handled by a third party."
VDI security risks
Of course, there are security risks associated with VDI as well. The remote access protocols are used to reach the data within the data center or cloud service, where vulnerabilities or misconfigurations may exist and could be exploited. Securing VDI is in many ways just like securing a hardware endpoint: All the same protections need to be in place, because these systems are exposed to most of the same vulnerabilities.
"There are always concerns around protocol exposures," says Crawford. "And, in fact, if you are going to have people running the desktop environment without a traditional desktop, you have to make these machines widely accessible."
Still, because VDI is centrally managed, it is easier to secure if the right processes can be maintained. While this also means a mistake or misconfiguration created centrally will spread risk throughout the organization, the overall security history of VDI protocols is a good one.
In theory, malware on the client device could capture keystrokes (keylogging) or capture screens (screen scraping) to compromise a session, but modern VDI client programs have ways of combating these. There are effective anti-keylogging techniques that the clients use to block this line of attack. For cases where malware successfully captures screens, some vendors can watermark the screens, which at least creates the possibility of exposing the origin. Both keylogging and screen scraping are old problems that have been used against physical PCs for decades.
Pargfrieder explains that enterprises should, and do, take steps to protect virtual desktops. Of course, good system hygiene, such as the centralized deployment of patches, effective configuration management, and multifactor authentication should all be in place. And the primary images should be hardened and monitored for potential unauthorized changes.
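The two controls named above, a hardened primary image and monitoring of that image for unauthorized changes, come down to knowing exactly what the approved image contains and noticing when a copy drifts from it. The following is an added illustration of that idea, not code from HPE, the article, or any VDI vendor: it hashes every file under an image root into a baseline manifest, then compares a later scan against the baseline and reports files that were added, removed, or modified. The directory layout, file names and contents are constructed sample data, and the image is built in a temporary directory so the script runs offline.

```python
"""Golden-image drift check: hash every file under an image root, store the
manifest as the approved baseline, and report anything that later differs.
Added illustration; not HPE's, the article's, or any vendor's tooling."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB pieces so large images are not loaded into RAM


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences between the approved baseline and a fresh scan."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo_drift() -> dict:
    """Build a constructed toy image, baseline it, alter it, and rescan.

    The paths and contents below are sample data invented for this example;
    they are not real operating-system files.
    """
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "golden"
        (image / "Windows" / "System32").mkdir(parents=True)
        (image / "Program Files" / "VdiAgent").mkdir(parents=True)
        (image / "Windows" / "System32" / "drivers.cfg").write_text("driver=approved\n")
        (image / "Program Files" / "VdiAgent" / "agent.ini").write_text("telemetry=on\n")
        (image / "hosts").write_text("127.0.0.1 localhost\n")

        # Approved baseline: in practice this would be signed and stored
        # separately from the image it describes.
        baseline = build_manifest(image)
        manifest_path = Path(tmp) / "baseline.json"
        manifest_path.write_text(json.dumps(baseline, indent=2))

        # Simulated drift that an integrity check must surface: one file
        # edited, one removed, one unexpected binary dropped into System32.
        (image / "hosts").write_text("127.0.0.1 localhost\n203.0.113.5 update.example\n")
        (image / "Program Files" / "VdiAgent" / "agent.ini").unlink()
        (image / "Windows" / "System32" / "extra.dll").write_bytes(b"MZ\x90\x00")

        approved = json.loads(manifest_path.read_text())
        return compare_manifests(approved, build_manifest(image))


if __name__ == "__main__":
    print(json.dumps(demo_drift(), indent=2))
```

Run as a script, it prints the three drift lists for the constructed image. In a real deployment the baseline manifest would be generated when the hardened image is approved and kept outside the image (ideally signed), and the comparison would run on a schedule against each image copy so that a change made centrally by mistake, the risk noted earlier in the article, is caught before it is replicated to every virtual desktop.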
Pargfrieder's concerns, familiar to managers of physical desktop systems, demonstrate that there are many vulnerabilities common to both approaches. A VDI user has just as much opportunity to click a malicious link in an email or on a web page as a user on a physical desktop. The same is largely true for malware downloads, phishing, and many other common forms of attack.
In addition to potential security benefits, there are many management benefits associated with VDI. These include being able to control software licenses and maintain control of the software and applications each worker can access. VDI can also be deployed to different types of endpoints, including common tablets and Chromebooks. There's also improved network performance.
So what's the verdict? Is VDI more secure than traditional desktops? If appropriately managed, VDI can provide several security benefits over traditional desktops, including centralized configuration management, security management, data storage, and endpoints. But poorly managed, it can have all the problems of poorly managed physical desktops.
"It's definitely a balance, but when managed properly, the security benefits to VDI outweigh the risks for many enterprises," says Crawford.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.