Security can be a double-edged sword in VDI environments. In some ways, VDI dramatically improves an organization's security, but it also introduces new vulnerabilities.
Virtual desktop infrastructure (VDI) is not inherently insecure, but neither is it fundamentally secure. The level of security you can expect from a virtual desktop deployment depends on how it's implemented. For instance, do users connect to their virtual desktops from full PCs or from thin clients? Are the desktops centrally managed? How much access does the user have to desktop configurations?
Virtual desktop security advantages
VDI has the potential to offer top-notch desktop security. I witnessed this recently at an organization that had replaced all its desktop computers with thin clients. These devices were diskless terminals that were only capable of connecting to the VDI environment. This makes it physically impossible for users to install unauthorized software from removable media or for malware to infect the user's physical device. Furthermore, if a device is stolen, there is absolutely no usable data stored within the device.
Another way VDI can be beneficial to an organization's overall security is the fact that virtual desktops are centrally created and managed. Most VDI deployments treat the virtual desktops as read-only, which makes them resistant to user tampering.
Of course, in any Windows deployment users need write access to their profile directories. Even so, most administrators configure the environment so that the user's profile directory is reset to a pristine state when the user logs out. That way, if a user attempts to make any application configuration changes, those changes are undone the moment the user logs out of the virtual desktop session.
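As an added example (not code from the original article), the following PowerShell function shows one way to realise the profile reset just described on a non-persistent Windows virtual desktop: it removes every local profile that is not currently loaded, so that the next logon starts from the default profile again. It is meant to run with administrative rights from a scheduled task (at startup or shortly after logoff). The exempt account names and the log path are assumptions for this illustration, not values from the article.

```powershell
# Added example (not from the original article): reset non-persistent VDI
# profiles to a pristine state by removing local profile copies that are no
# longer loaded. Run with administrative rights from a scheduled task.
# The exempt account list and log path below are assumed placeholders.

function Reset-StaleVdiProfile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Accounts whose profiles must never be removed (assumed names).
        [string[]] $ExemptAccount = @('Administrator', 'vdi-svc'),
        # Audit trail of what was removed (assumed path).
        [string]   $LogPath = 'C:\ProgramData\VdiProfileReset.log'
    )

    # Win32_UserProfile lists each local profile with its SID, path and
    # whether it is loaded; Special marks built-in system profiles.
    $candidates = Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special -and -not $_.Loaded }

    foreach ($userProfile in $candidates) {
        # Translate the SID to an account name; fall back to the raw SID for
        # orphaned profiles whose account no longer resolves.
        try {
            $sid     = [System.Security.Principal.SecurityIdentifier] $userProfile.SID
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $userProfile.SID
        }
        $sam = ($account -split '\\')[-1]
        if ($ExemptAccount -contains $sam) { continue }

        if ($PSCmdlet.ShouldProcess($userProfile.LocalPath, "Remove profile for $account")) {
            # Remove-CimInstance on Win32_UserProfile deletes both the
            # profile directory and its registry entries.
            $userProfile | Remove-CimInstance
            $line = '{0:u} removed {1} ({2})' -f (Get-Date), $account, $userProfile.LocalPath
            Add-Content -Path $LogPath -Value $line
        }
    }
}

# Dry run first, then the real thing:
# Reset-StaleVdiProfile -WhatIf
# Reset-StaleVdiProfile
```

Because the function supports `-WhatIf`, you can review exactly which profiles would be removed before scheduling it; keep the exempt list short and include any service accounts whose profiles must survive a reset.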
Finally, securing virtual desktops is often easier than securing physical desktops. Virtual desktops are centrally stored and maintained, which means that updates can be collectively applied to all the desktops at once. Furthermore, if you find that a gold image contains a security vulnerability, you can create a new gold image and regenerate virtual desktops from that image.
Downsides to VDI security
In a physical desktop environment, users do not typically expect to have remote access to their office computer. There might be specific services that users access remotely (such as email or a SharePoint portal), but they don't assume they'll be able to interact with their office desktop from home. User expectations often change when you implement VDI. These days, users want remote access to their virtual desktops from anywhere, on any device.
This expectation can greatly complicate security. Not only must organizations ensure that remote access portals are secure, but they must also make sure virtual desktops and sensitive data remain secure, even when they are accessed through insecure end-user devices.
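One concrete control for keeping sensitive data inside the virtual desktop when the client device cannot be trusted is to disable the Remote Desktop Services redirection channels (client drives, clipboard, printers, ports, plug-and-play devices) and to require a strong session security layer. The script below is an added example, not the article's own material: it audits those policy values in the standard RDS policy registry key and, with `-Enforce`, writes the baseline (for instance while building a gold image). The baseline values are an assumption of what an organization might choose; adjust them to your own policy.

```powershell
# Added example (not from the original article): audit, and optionally
# enforce, the RDS policy values that stop data leaving the virtual desktop
# through an untrusted client device. The baseline is an assumed choice.

$RdsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Assumed baseline: value name -> expected DWORD.
$VdiSessionBaseline = @{
    fDisableCdm        = 1   # no client drive redirection
    fDisableClip       = 1   # no clipboard redirection
    fDisableCpm        = 1   # no client printer redirection
    fDisableCcm        = 1   # no COM port redirection
    fDisableLPT        = 1   # no LPT port redirection
    fDisablePNPRedir   = 1   # no plug-and-play device redirection
    UserAuthentication = 1   # require Network Level Authentication
    SecurityLayer      = 2   # require TLS as the RDP security layer
    MinEncryptionLevel = 3   # high encryption level
}

function Test-VdiSessionPolicy {
    param(
        [string]    $Key      = $RdsPolicyKey,
        [hashtable] $Baseline = $VdiSessionBaseline,
        [switch]    $Enforce
    )

    # The policy key may not exist on an image that has never had the policy
    # applied; create it only when enforcing.
    if (-not (Test-Path $Key) -and $Enforce) {
        New-Item -Path $Key -Force | Out-Null
    }

    foreach ($name in $Baseline.Keys) {
        $expected = $Baseline[$name]
        $actual   = $null
        if (Test-Path $Key) {
            # A missing value yields $null, which is reported as non-compliant.
            $actual = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        }
        $compliant = ($actual -eq $expected)

        if (-not $compliant -and $Enforce) {
            Set-ItemProperty -Path $Key -Name $name -Value $expected -Type DWord
            $actual    = $expected
            $compliant = $true
        }

        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected
            Actual    = $actual
            Compliant = $compliant
        }
    }
}

# Report drift on a running desktop or a mounted gold image:
# Test-VdiSessionPolicy | Where-Object { -not $_.Compliant }
# Enforce the baseline while building the gold image:
# Test-VdiSessionPolicy -Enforce
```

Running the audit form regularly against deployed desktops catches drift from the gold image (for example a value changed by hand during troubleshooting), and the same function can be run in enforce mode as a build step so that every regenerated desktop inherits the baseline.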
Another way VDI can complicate desktop security is by greatly increasing the number of systems that administrators must manage. In many organizations, desktop PCs are used to access VDI sessions. This means that administrators must secure both physical and virtual desktops, sometimes effectively doubling what must be secured and maintained. One way to beat this challenge is to replace desktop PCs with thin clients, which are purely access devices and carry no full desktop operating system of their own to secure and patch.
A VDI environment can be extremely secure, or it can turn into a security nightmare. Take VDI security into account as you design your organization's implementation.
This was first published in September 2012