Secure VDI desktops the same way you would physical ones

Virtual desktops are just as vulnerable to malware, viruses and exploits as physical desktops are. That means you have to secure VDI the same way you would PCs, and definitely don't make the move to VDI solely in the interest of security.

One of the first things I have to do when discussing VDI is manage expectations. In fact, the delta between what people expect from VDI and what it can actually deliver is so large that it was the reason Brian Madden and I wrote The VDI Delusion.

In the past, I've written articles about how moving to virtual desktop infrastructure (VDI) doesn't inherently make your desktops easier to manage and how moving to VDI can't possibly save money if you deliver the same experience as a traditional desktop. There's one more myth to dispel -- that VDI is somehow more secure than traditional desktops.

The primary school of thought is that moving to VDI -- or Remote Desktop Session Host -- and replacing your desktops with thin clients makes it so you no longer have to worry about data on the endpoints.

Data on the endpoints is data at rest and protecting it is important. VDI moves the desktop to the datacenter and that's one way of getting it off devices, but it isn't the only way. If increased endpoint security is your only reason for wanting to move to VDI, you could instead consider a disk encryption tool that renders data useless to anyone but the people who are supposed to see it. Sure, there's a cost associated with implementing disk encryption, but it's not nearly as costly and complex as a VDI rollout.

Malware and viruses don't discriminate

To secure VDI, you have to take the same additional steps that you would with any Windows desktop.

The real problem with the perceived security in VDI is that it's somehow more hardened against malware, viruses or exploits. Some implementers believe this so fervently that their VDI desktops live on the same network level as the rest of the datacenter without so much as a firewall separating them. Would you like it if users plugged their traditional PCs into the same physical network as your servers? Probably not and the same should be true for VDI.

In reality, VDI desktops are subject to the same threats as physical desktops. To deal with those threats properly, you need to employ the same kind of technology on virtual desktops as you would on any PC or laptop. You need antivirus. You need anti-malware. You need patches.

The typical argument is that nonpersistent VDI doesn't need the same amount of attention as persistent VDI because you can restore nonpersistent systems to a pristine state with a simple reboot. This is true, but it doesn't consider the fact that until you discover malware or a virus, it's spreading, cataloging, encrypting or whatever else it does. And unless you bounce all the desktops at the same time, that virus could still be out there and it could spread back to the same users after a reboot.

More on VDI desktops

Try application virtualization before VDI

VDI is only one kind of desktop virtualization

Don't forget zero-day exploits, either. In the Windows world, nothing can make a perfectly good morning turn sour faster than the announcement of an exploit that nobody was aware of and everyone is susceptible to. Imagine if this occurred on one of the sites that your end users frequent -- business-related or otherwise. Rebooting doesn't help because the users will go right back to the site and get exploited again. Sure, the patch might be easier to push out in a nonpersistent setup because you're working with a single image, but in day-to-day use, there's nothing about VDI that adds any security.

And that's the real point: To secure VDI, you have to take the same additional steps that you would with any Windows desktop. Can you secure VDI desktops? Absolutely. Is it more secure simply because you moved to VDI? No.

Security-wise, the only thing I'll give VDI is that having the desktops in the datacenter may give your company more insight into what's actually going on over the network or on the VDI hosts. If you have a comprehensive VDI monitoring tool that can see when a process is using more resources than it normally would, or that the network is displaying unusual behavior, that can be a distinct advantage. Then again, it's not impossible to have a tool like that in non-VDI settings.

There are lots of reasons to use VDI and the number grows every day. But worry-free security isn't one of them.

This was first published in June 2014

Dig deeper on Virtual desktop management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Related Discussions

Gabe Knuth asks:

How do you secure virtual desktops in your shop?

0  Responses So Far

Join the Discussion

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchEnterpriseDesktop

SearchServerVirtualization

SearchCloudComputing

SearchConsumerization

SearchVMware

Close