If you’re considering deploying Virtual Desktop Infrastructure (VDI) based on security considerations, make sure you understand the complete risk profile. Server-based desktop virtualization keeps corporate assets inside the data center rather than on the client. However, VDI does nothing to prevent exploits on the client. Given that the client is typically the primary source of risk when it comes to corporate data breaches, why should you believe that VDI provides data security?
Using server-based desktop virtualization, or VDI, a centralized host delivers the end-user desktop environments over the network. Application execution and data remain within the data center itself. On the whole, corporate data centers are pretty good at protecting the systems within the corporate network. However, knowledge workers need to be productive on and off the corporate network, in and out of the office. Road warriors, remote workers, employees acquired through mergers and acquisitions, BYOD program participants and contractors all need to access corporate data and apps. They may use computers that are not owned or controlled by the business, and in offline or low bandwidth environments.
Endpoint Security is Your Biggest Risk
Any system is only as secure as its weakest link. In a VDI deployment, that link is the endpoint—whether that’s a corporate desktop, an employee-owned laptop, a tablet or a smartphone. As corporations have tightened their firewalls and security controls within their networks, attackers are focusing on the less-protected endpoints. While data and applications reside in the data center, the endpoint itself can easily become a ‘front door’ into corporate systems.
IT has little control over endpoints in many common business scenarios including:
- Contractors or partners accessing corporate systems and data
- Unauthorized individuals gaining access to corporate devices (from public locations, through stolen devices, or kids at home using parents’ devices)
- Employees using personal devices (mobile and otherwise) for work–the BYOD scenario
An executive, employee or contractor may fall victim to phishing or inadvertently visit a malicious website that downloads malware. Once installed on the user’s device, malware such as screen scrapers and key loggers put corporate data and individual login credentials at risk because the virtual desktop is not isolated from the physical device. Through malicious intent or thoughtlessness, an insider may offload sensitive IP and store it in cloud-based storage such as DropBox or Google drive or on USB drives. In short, IT has no way of enforcing access policies for the device itself through VDI.
The risks affect nearly everyone. The malware industry is targeting all kinds of businesses, including corporations, NGOs and critical infrastructure facilities, with increasingly complex exploits. The victims listed on the Firmex list of the “Top 10 Data Breaches” include federal agencies, law firms, universities, and technology companies.
Once data reaches the endpoint, even through a virtual workspace, VDI alone cannot prevent data leakage.
It’s Hard to Control Human Behavior
Even when employees use corporate devices under IT management, it’s hard to protect against human error. People using weak passwords or clicking on phishing emails can put corporate data at risk.
Putting policies in place and training people will help, but the risk remains. Attackers are learning to create very detailed phishing offers—so-called “spear-phishing” emails—that can fool many people. According to research conducted in 2012 by Trend Micro, 91 percent of Advanced Persistent Threats (APT) starts with spear-phishing emails.
Spear-phishing attacks exploit human psychology by using detailed information to create a convincing email that appears to be from a trusted or authoritative entity. They often target people in roles of responsibility–even in the C-Suite—and may claim to come from the IRS or the FBI. Some spear-phishing emails appear to be subpoenas.
Focus on Protecting the Data
Since you cannot protect the user’s device or control individual behavior, focus on protecting your corporate data. You can achieve the productivity and efficiency benefits of desktop virtualization and minimize the endpoint risk by using a client-based virtualization solution built on the premise that the host device can never be trusted.
Client-based virtualization solutions create a secure container on the user’s device in which the corporate data and applications reside, and put protections and policies around the virtual instance.
A securely contained virtual workspace on the client device completely isolates corporate data and applications from the host machine and any personal data or applications. Even if a user’s device is corrupted, malware cannot reach into the virtual desktop.
With the corporate environment securely contained on the endpoint, a client-side virtualization solution lets you put multiple layers of protections and defenses around your data.
By getting someone to click on a malicious link from a convincing email, an attacker can implant malware that opens a ‘back door’ into the endpoint system. From there, the attacker can install key loggers or screen scrapers, putting the VDI environment and the user’s credentials at risk.
Human behavior is also a major factor in another type of data breach—insider misuse and data leakage. The WikiLeaks and Edward Snowden cases are only the most widely known examples of insider leaks.
Think Local, Work global—Safely
Across the board, a client-side containerized solution is superior to VDI in most use cases that directly affect knowledge worker productivity and data security. In many cases, the client-side solution offers significant management and security controls on the various devices that protect both data and the network infrastructure itself.
- Scanning of the host for errant processes
- Data encryption at rest and in transit
- Tamper-resistance for the desktop container
- Authentication controls for virtual desktop access, including two-factor authentication
- Remote access revocation and data deletion from a centralized console (in case of device theft or loss)
- Automated disabling of the use of peripherals (such as USB and CD drives)
- Blocking of network traffic from unauthorized devices
- Enforcement of mobile-specific policies (keycodes or passwords, timeouts, etc.)
A client-based virtualization solution can help your employees be productive and effective. Because data and applications reside on the client, people can get work done even when they’re not online. And they have a consistent desktop experience even as they work across different devices.
Stick with Client–Based Desktop Virtualization
Server-based desktop virtualization has an essential security weakness: although data remains on the server, the business has no control over what happens to the virtualized desktop on the endpoint. As a result, attackers have many avenues to exploit in accessing corporate systems and data.
A client-based desktop virtualization solution focuses on managing and securing the data and applications that people need, rather than their devices. It delivers all the benefits of a unified management structure while protecting corporate data on endpoints outside your control. In today’s world of BYOD, mobile workforces and escalating malware, client-based desktop virtualization is an intelligent way to optimize workforce productivity while protecting corporate data.
John Whaley is Moka5’s founder and CTO.