Virtual desktop infrastructure is supposed to be more secure than a physical desktop environment because all the applications and data live in the data center. But real-life experience shows that securing VDI against malware is at least as complicated -- and just as critical -- as it is in traditional desktop environments.
VDI offers a number of advantages and disadvantages that companies should weigh against their project requirements well before they implement it. That process should include learning VDI's vulnerabilities and the security methods for protecting virtual desktops. One of the original upsides of VDI was based on the assumption that running real-time malware protection at the server level helps organizations protect all the virtual desktops connected to that infrastructure. But in practice, that is not always the case.
Virtual desktops are still vulnerable to client-side malware through rogue websites, emails that contain malware, and the introduction of malware via local USB or optical drives. Whether or not this client malware is persistent and pernicious enough to infect the servers depends on the specific malware. As VDI grows in popularity, expect malware to adapt and take advantage of the tight integration between the VDI client and server.
Safeguarding virtual desktops
Installing comprehensive antivirus protection on VDI servers is the first step in securing your infrastructure. Server-side malware protection should include automatic daily malware signature updates and regular updates to malware detection applications. Hacks, bugs and viruses constitute an ever-changing threat for your infrastructure. Now that VDI technology is maturing and companies of all sizes use it, software vendors offer malware protection that is specifically designed to protect VDI servers.
In general, protecting virtual desktops from malware is no different than it is with traditional desktop computers. Organizations need a real-time scanning tool to prevent malware infections while the desktop runs user applications. Companies that run a VDI client app on a standard desktop computer need a full-function desktop malware protection suite to keep those desktops free from infection, just as before transitioning to VDI.
Organizations that use a thin client with external drives disabled may realize some security benefits from VDI because the client does not transfer any data to the server. Be aware of the resource requirements of your malware protection suite, however. Some VDI thin clients are configured with a minimal amount of RAM, and clients that are low on CPU or memory may not be able to run malware protection at the same time as user applications. For this reason, organizations should test the performance of any proposed malware protection suite on their own VDI desktop hardware and software before they buy it.
BYOD malware protection
Smartphones and tablets are welcome on many corporate networks, but you must be sure that any malware detection software you use also includes mobile app versions for all the mobile devices allowed on the network. Malware protection vendors understand the potential for a data breach or other security exposures that come with BYOD programs, but that doesn't necessarily mean they all include apps to protect every mobile device that attaches to your network.
If a malware protection suite doesn't support a specific mobile device, you can place MAC address filters on Wi-Fi access points to prevent those devices from attaching to the company network. Unprotected mobile devices should never be allowed on a corporate network.
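One way to derive such a MAC filter from a device inventory, as an added example that is not part of the original article. The inventory, the supported-platform set and all function names are constructed for illustration; the output is assumed to feed an allowlist-style filter (for instance hostapd's `accept_mac_file` with `macaddr_acl=1`). Devices presenting a locally administered, likely randomized, MAC are rejected because a static filter cannot reliably identify them.

```python
import re

# Constructed inventory (not from the article): MAC, platform, and whether the
# chosen malware protection suite has an agent installed on the device.
INVENTORY = [
    {"mac": "3C-22-FB-10-4A-9E", "platform": "ios", "protected": True},
    {"mac": "a4:83:e7:2b:00:17", "platform": "android", "protected": True},
    {"mac": "F0:18:98:AA:BB:CC", "platform": "android", "protected": False},
    {"mac": "da:a1:19:55:66:77", "platform": "ios", "protected": True},
    {"mac": "00:1B:44:11:3A", "platform": "windows", "protected": True},
]

# Assumption: platforms for which the suite ships an agent.
SUPPORTED_PLATFORMS = {"ios", "android", "windows"}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def normalize_mac(raw):
    """Return a lowercase colon-separated MAC, or None if malformed."""
    mac = raw.strip().lower().replace("-", ":")
    return mac if MAC_RE.match(mac) else None

def is_locally_administered(mac):
    """True when the locally administered bit (0x02 of octet 1) is set."""
    return bool(int(mac[:2], 16) & 0x02)

def build_allowlist(inventory, supported):
    """Split devices into allowed MACs and rejected entries with reasons."""
    allowed, rejected = [], []
    for dev in inventory:
        mac = normalize_mac(dev["mac"])
        if mac is None:
            rejected.append((dev["mac"], "malformed MAC"))
        elif dev["platform"] not in supported:
            rejected.append((mac, "platform not supported by suite"))
        elif not dev["protected"]:
            rejected.append((mac, "no malware protection agent"))
        elif is_locally_administered(mac):
            rejected.append((mac, "locally administered (likely randomized) MAC"))
        else:
            allowed.append(mac)
    return sorted(allowed), rejected

def render_accept_file(allowed):
    """Body of an allowlist file: one MAC per line."""
    return "\n".join(allowed) + "\n"
```

Calling `build_allowlist(INVENTORY, SUPPORTED_PLATFORMS)` returns the allowlist plus the rejected entries and their reasons, which is the list to follow up on before those devices are admitted.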
Other VDI security considerations
In addition to protecting and scanning infrastructure and client desktops for malware in real time, you must also secure VDI desktop images and user profiles. One common attack point is the disk images that are served to VDI clients. Make sure images are stored securely within the infrastructure, and if possible, use nonpersistent desktops.
With nonpersistent desktops, user profiles and customizations are stored separately from the desktop image. When the user logs off at the end of the day, any changes he has made are either stored with his application data and profile customizations, or they are destroyed. Either way, this leaves you with a clean OS image that is less likely to be infected with malware. To stop malware from corrupting user profiles, store them in a highly secure area of the network and restore them from backup after suspected malware infections.
The inherent security of VDI is neither better nor worse than that of traditional standalone desktops in a client-server environment -- it's simply different. The capabilities and architecture of VDI differ from those of traditional desktop environments, so the malware protection must be tailored to the specific requirements and exposures of VDI.
When you select VDI malware protection, make sure it includes each of the computing platforms that your company allows and supports on the corporate network. Any devices that do not have comprehensive malware protection should be barred from joining the corporate network.