One of the first things I have to do when discussing VDI is manage expectations. In fact, the delta between what...
people expect from VDI and what it can actually deliver is so large that it was the reason Brian Madden and I wrote The VDI Delusion.
In the past, I've written articles about how moving to virtual desktop infrastructure (VDI) doesn't inherently make your desktops easier to manage and how moving to VDI can't possibly save money if you deliver the same experience as a traditional desktop. There's one more myth to dispel -- that VDI is somehow more secure than traditional desktops.
The primary school of thought is that moving to VDI -- or Remote Desktop Session Host -- and replacing your desktops with thin clients makes it so you no longer have to worry about data on the endpoints.
Data on the endpoints is data at rest and protecting it is important. VDI moves the desktop to the datacenter and that's one way of getting it off devices, but it isn't the only way. If increased endpoint security is your only reason for wanting to move to VDI, you could instead consider a disk encryption tool that renders data useless to anyone but the people who are supposed to see it. Sure, there's a cost associated with implementing disk encryption, but it's not nearly as costly and complex as a VDI rollout.
Malware and viruses don't discriminate
The real problem with the perceived security in VDI is that it's somehow more hardened against malware, viruses or exploits. Some implementers believe this so fervently that their VDI desktops live on the same network level as the rest of the datacenter without so much as a firewall separating them. Would you like it if users plugged their traditional PCs into the same physical network as your servers? Probably not and the same should be true for VDI.
In reality, VDI desktops are subject to the same threats as physical desktops. To deal with those threats properly, you need to employ the same kind of technology on virtual desktops as you would on any PC or laptop. You need antivirus. You need anti-malware. You need patches.
The typical argument is that nonpersistent VDI doesn't need the same amount of attention as persistent VDI because you can restore nonpersistent systems to a pristine state with a simple reboot. This is true, but it doesn't consider the fact that until you discover malware or a virus, it's spreading, cataloging, encrypting or whatever else it does. And unless you bounce all the desktops at the same time, that virus could still be out there and it could spread back to the same users after a reboot.
Don't forget zero-day exploits, either. In the Windows world, nothing can make a perfectly good morning turn sour faster than the announcement of an exploit that nobody was aware of and everyone is susceptible to. Imagine if this occurred on one of the sites that your end users frequent -- business-related or otherwise. Rebooting doesn't help because the users will go right back to the site and get exploited again. Sure, the patch might be easier to push out in a nonpersistent setup because you're working with a single image, but in day-to-day use, there's nothing about VDI that adds any security.
And that's the real point: To secure VDI, you have to take the same additional steps that you would with any Windows desktop. Can you secure VDI desktops? Absolutely. Is it more secure simply because you moved to VDI? No.
Security-wise, the only thing I'll give VDI is that having the desktops in the datacenter may give your company more insight into what's actually going on over the network or on the VDI hosts. If you have a comprehensive VDI monitoring tool that can see when a process is using more resources than it normally would, or that the network is displaying unusual behavior, that can be a distinct advantage. Then again, it's not impossible to have a tool like that in non-VDI settings.
There are lots of reasons to use VDI and the number grows every day. But worry-free security isn't one of them.