One of the main selling points of virtual desktop infrastructure is that it increases security. Since VDI desktops
run as virtual machines, no actual data leaves the data center. (Citrix used to call this "eyes-only" security in the 1990s.) A lost or stolen laptop doesn't automatically mean that important data is also lost.
At Citrix iForum 2003, I talked about the different ways that server-based computing (which includes VDI) can increase security. In addition to eyes-only security, I mentioned benefits like the ease of locking down systems, the ease of patching, the absence of real data on the wire to intercept, and that everything can be encrypted.
All this sounds good, right? But how can VDI make your overall environment less secure? The short version is that desktop virtualization moves your unpredictable users from out in the field into your data center. This can harm security in several ways.
- Many organizations allow their desktop users to run with administrative rights, which is bad because users can install whatever they want (secure or not) into their Windows sessions, and many viruses are able to do more damage when users are logged on as admins.
- IT organizations secure their environments by standardizing as much as they can and then looking for anomalies. But to a security system, many desktop users doing many different things are by definition an anomaly. From the security system's standpoint, it's difficult -- if not impossible -- to tell what's the anomaly and what's OK.
- Many people feel that since it's easy to "revert" a VDI instance back to the baseline image, security and antivirus software isn't necessary.
- Since the VDI instance is running in your data center, the user's desktop "playground" is on a trusted network from a trusted connection, even though it's not known what the user could do within his or her own session.
So how do you address these potential vulnerabilities and prevent your VDI environment from affecting the your network security?
First, you should never let your users run with admin rights, regardless of whether they are VDI or traditional desktop users.
Second, it's important to treat virtual desktops just like traditional desktops in terms of security and management tools. If you run antivirus apps on traditional desktops, run it in your VDI environment. If you use policy enforcement and lockdown tools in your traditional environment, use them in your VDI environment. The same also applies to patching, auditing, change control, etc.
Finally, remember that when you use VDI, you bring your users closer than ever to your trusted inner network. If you use virtual LANs or firewalls to segment servers from desktops, make sure that the VDI environment is on the desktop side of that firewall (even if the cabinet is in the same data center as your servers).
The bottom line is that while adding VDI to an enterprise environment could make it more vulnerable to security breaches, it doesn't have to. A few simple steps can ensure that VDI increases the overall security of the desktop environment just like you hoped.
About the author:
Brian Madden is an independent industry analyst and blogger, known throughout the world as an opinionated, supertechnical desktop virtualization expert. He has written several books and more than 1,000 articles about desktop and application virtualization. Madden's blog, BrianMadden.com, receives millions of visitors per year and is a leading source for conversation, debate and discourse about the application and desktop virtualization industry. He is also the creator of BriForum, the premier independent application delivery technical conference.