Why VDI is more Secure than Physical Desktops
There have been some interesting conversations recently at both BriForum and in the blogosphere about VDI and security, the premise being that VDI is not more secure than other ways of running Microsoft Windows. I want to address that comment head on and unequivocally state that VDI has quite a few security benefits. Now, let me state up front that VDI does not make the Windows OS more secure, nor is it a panacea for every possible security threat in today’s world of interconnected systems. However, it is well known that security is best addressed with multiple layers of protection with multiple defenses, and VDI is one such technology. In particular, it improves security by enabling better isolation and controls over the environment in which the Windows system exists. The View VDI environment running centrally in the data center on vSphere, in concert with technologies like vShield, has significant security benefits over physical endpoints, particularly mobile laptops running natively. These benefits accrue even when both are “well-managed”.
Let’s start by discussing a few scenarios, beginning with so-called “Data at Rest.” Keeping data behind the firewall in the data center rather than on an endpoint is a key security benefit of VDI. In a recent blog post, Shawn Bass makes a case that the availability of disk encryption mitigates this problem and use case, and also points out that live data compromises triggered from a web browser can occur with both models. On the latter point, I agree. Neither VDI nor data encryption prevents live data exploits per se. And VDI is not a cure-all for every security threat. However, on the data at rest aspect, physical theft is not the only threat, and any historian of VDI will tell you that developer outsourcing was perhaps the key driver that launched VDI commercially in the 2005-2008 period. The main reason was the ability to eliminate access to source code at rest on the endpoint out of the country. This can in fact be a major benefit where geo-political and outsourcing arrangements impact the use case. Can that data still be stolen even with VDI? Yes, but you don’t leave your house unlocked because certain burglary tools can compromise it. Also, disk encryption is not used in many instances for a number of valid reasons, including performance overhead, complexity, and incremental costs. And unless the encryption is deployed with centralized access controls, terminating access to the data can be a challenge when compared to VDI. As for copies stored on cloud data services, these can be blocked and have some security controls in place, while laptop and PC loss or theft yields immediate access to the disk. “Data in Transit” shouldn’t be ignored either. It can be spoofed and sniffed, and encryption technologies are a must when going on the public Internet. This is another area where the attack surface is much larger than when contained in the datacenter.
As a side note, even with a well-secured VDI environment, today’s high-fidelity smartphone cameras and apps that include OCR of images are making it easier than ever to steal source. So while nothing is foolproof, VDI can be useful in reducing the chance of data loss and greatly increasing the effort involved in certain kinds of data theft. And with VDI, datacenter-targeted solutions such as RSA Archer, created to manage risks, demonstrate compliance, secure and alert, can also be applied.
Another prevalent use case for VDI is Mobile Secure Desktops: the ability to safely and securely access your corporate desktop environment from outside the enterprise, in particular from home or from WiFi access points such as internet cafes. Accessing your corporate desktop over a secure dedicated channel via a remoting protocol from a desktop or tablet is far more secure than putting that same device on the corporate LAN via VPN technology. With VPN technology, if the endpoint becomes infected, such as via home web surfing on a shared computer or over a public WiFi, you are exposing the corporate LAN to whatever is executing on the client device. Some newer VPN deployments provide port-level restrictions, limiting access to specific individual resources, but customer feedback has shown this to be complex to manage in practice. With VDI, and View in particular connected with PCoIP over the View Security Server, the risk and attack surface are far smaller, since access is limited to a remote graphics protocol over a dedicated, signed and secured channel. Careful controls are automatically applied to ensure that users can only access central resources if they are strongly authenticated and can only access the specific desktop(s) they are authorized to access based on their identity and entitlements.
Another aspect of a View environment with demonstrable security benefits is its centralized system image administration and network controls coupled with rapid remediation techniques. A well-managed View environment reduces the number of threats in these domains. Some specific examples:
- The Windows OS is only exposed to a managed network with central auditing, rather than an unmanaged one.
- Less opportunity for “Man In the Middle” attacks, Port Scan/Exploits, Worms, DNS hijacking.
- Controlled network access via vShield Edge/App to and between Windows environments. One key thing that cannot be effectively done in a scalable manner with physical desktops is the prevention of pivot attacks. Note that a particular physical desktop may not be the initial target. It may be that the attacker just wants a way into the network and will take whatever method they can. If that initial target is compromised and you use vShield App to prevent the virtual desktops from “talking” to each other, the attacker is going to be limited in where they can pivot to get to the next target. If added controls are put in place to limit access only to needed resources, then the desktops are even that much more secure. So by using vShield App along with View, you can greatly increase your security over physical desktops and personal firewalls.
- Centralized, agentless AntiVirus to deter in-guest tampering offers additional benefits in a VDI environment. This includes zero footprint in the VM, management (including updates) outside of the guest OS, and the ability to scan even for desktops that are powered off. An example is Trend Deep Security.
- VDI is a unique enabler for bringing Datacenter caliber governance, risk and compliance solutions to desktop workloads. The ability to deploy a fresh security scanned desktop each time the user logs in and to perform forensic analysis are key. Mike Foley from RSA writes about these capabilities here.
- Patch management via linked clones/templates enables faster response in the event of compromise. As an added precaution, VDI enables refresh on logoff, ensuring users always connect to a brand-new and clean desktop; however, that (currently) comes with a trade-off, such as the inability to persist user-installed applications.
- Central AD policy configuration & compliance enforcement
- By reducing the attack surface and client access methods to Windows:
  - Physical access to the Windows device is never granted.
  - A secure display protocol is the sole method of console access.
- Also, by only executing the image within the data center, VDI can dramatically reduce threats stemming from physical access/possession of an endpoint. Some specific examples:
  - Theft or compromise from the client device of unstructured user data at rest (My Documents, Offline Address Book).
  - Compromising locally stored encryption keys, caches, host name tables, etc.
- And last, but not least, by combining security best practices in a centralized environment, we reduce the complexity of distributed endpoint management.
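The pivot-attack point in the list above can be made concrete by computing which hosts a single compromised desktop can reach under different network policies. The following is an added example, not part of the original post and not vShield rule syntax: the host names, groups and the three policies are constructed for illustration.

```python
from collections import deque

# Constructed inventory (hypothetical names): host -> group.
HOSTS = {
    "vdi-01": "desktop", "vdi-02": "desktop", "vdi-03": "desktop",
    "vdi-04": "desktop", "file-srv": "fileshare", "hr-db": "database",
    "dc-01": "directory",
}
GROUPS = set(HOSTS.values())
SERVERS = GROUPS - {"desktop"}

# A policy is the set of permitted (source group, destination group) flows;
# anything not listed is denied.
FLAT_LAN = {(s, d) for s in GROUPS for d in GROUPS}        # physical LAN, any-to-any
NO_EAST_WEST = ({("desktop", "fileshare"), ("desktop", "directory")}
                | {(s, d) for s in SERVERS for d in SERVERS})  # desktops isolated
NEEDED_ONLY = {("desktop", "fileshare"), ("desktop", "directory"),
               ("fileshare", "directory")}                 # least privilege

def allowed(policy, src, dst):
    """True if the policy permits a flow from host src to host dst."""
    return src != dst and (HOSTS[src], HOSTS[dst]) in policy

def pivot_paths(policy, start):
    """Breadth-first search over chained permitted flows.

    Returns {host: [start, ..., host]} for every host an attacker could
    reach by pivoting hop by hop from the compromised start host.
    """
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(HOSTS):
            if nxt not in paths and allowed(policy, cur, nxt):
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    del paths[start]
    return paths

def blast_radius(policy, start):
    """Sorted list of hosts reachable from start under the policy."""
    return sorted(pivot_paths(policy, start))

if __name__ == "__main__":
    for name, pol in [("flat LAN", FLAT_LAN), ("no east-west", NO_EAST_WEST),
                      ("needed only", NEEDED_ONLY)]:
        print(f"{name:12} -> {blast_radius(pol, 'vdi-01')}")
```

Blocking desktop-to-desktop traffic removes the other desktops from the reachable set, but the database is still reachable in two hops through a server; only the needed-resources policy cuts that indirect path.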
Hopefully I’ve now shown you a myriad of ways that a well-managed View VDI environment in the data center is a more secure place to run Windows than a physical client environment. Even so, I do want to reiterate that View and VDI are not a comprehensive security solution. VDI can and should be one of the tools for securing the corporate environment, but it is certainly not the only one. And I want to reiterate that VDI does nothing to directly improve the security of the Windows Operating System, nor of a web browser running on it. Also, we recognize that some security benefits of VDI are shared with other forms of Desktop Virtualization, such as RDSH (Terminal Server).
In conclusion, while View and VDI are not a security panacea, they can significantly improve protection against some common exploits and can provide a more secure environment for your Windows desktops.