Despite desktop virtualization's BYOD security benefits, it isn't always the best way to prevent data leakage.
To really hit a security home run, you need strong data access control methods.
Implementing virtual desktop infrastructure (VDI) can solve some BYOD security issues, because when users access applications from personal devices, those apps are actually hosted in the secure corporate data center. That helps prevent incoming attacks, such as those spawned by viruses, but it won't do the trick when it comes to confidential data leaving the data center.
Turning to VDI for BYOD security
End users, disgruntled with sometimes-archaic IT policies and rules, have started bringing to work the devices they cherish most: iPads, iPhones, mobile hotspots, MacBooks, Android devices and so on. But when they access corporate data (Microsoft Excel spreadsheets, Adobe PDF files, etc.) from these devices, IT is no longer in control. Even if a user simply sends an email from a secure corporate environment to his or her personal device, that transaction can create bring your own device (BYOD) security issues.
To lessen those risks, some organizations turn to virtualization -- usually session virtualization, where users run their applications and access corporate data from servers inside the corporate data center. Many companies try VDI or traditional server-based computing (think Microsoft Remote Desktop Services and Citrix XenApp).
VDI can improve BYOD security by letting users access all their applications from a centralized location under your company's control. When connected to the corporate network, users are placed on a separate network segment that only allows them to reach their hosted applications. Plus, by virtualizing the presentation layer with a remote display protocol, the only connection into your data center is exactly that: a remote display session. Sounds great, right?
Why VDI can't do it all
External threats aren't the only problems surrounding BYOD. Data leakage is another major issue, and no matter how well-architected your VDI deployment is, you're at risk if data can be manipulated outside your data center.
When it comes to BYOD, your definition of security will probably have to change. If the purpose of BYOD security is to guarantee that devices can't disrupt data center operations by introducing viruses or malware, a hosted solution such as VDI will help immensely. But BYOD security must also address the possibility of information leaking from the data center, and in that respect, desktop virtualization may not help at all.
When using VDI to facilitate BYOD, admins often forget the controls that prevent data from leaving the data center. If users can connect and open or save files on their local, personal devices, there's potential for unknown parties to access confidential data. For instance, just check internally whether you can create a rule in Microsoft Outlook that forwards all your received email to an external account. You probably can, and that means confidential information can be sent out of the secure network.
The damage this can cause a company may be far more significant than a virus hitting a bunch of servers in one network segment. What you need are solid data access control methods.
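As an added illustration of the forwarding-rule check above (example code, not part of the original article), here is a small audit that flags enabled mailbox rules forwarding to addresses outside the corporate domains. The rule export shape, the domains and the sample rules are constructed assumptions; unparsable recipients are flagged rather than ignored.

```python
import re
from dataclasses import dataclass, field

# Assumed corporate domains; subdomains of these count as internal.
CORPORATE_DOMAINS = {"example.com", "corp.example.com"}

@dataclass
class InboxRule:
    """Constructed, product-neutral shape of an exported mailbox rule."""
    owner: str
    name: str
    forward_to: list = field(default_factory=list)  # forward/redirect targets
    enabled: bool = True

# Constructed sample export used for the demonstration.
RULES = [
    InboxRule("alice@example.com", "Archive newsletters", []),
    InboxRule("bob@example.com", "Forward all", ["Bob Home <bob.home@gmail.example>"]),
    InboxRule("carol@example.com", "Copy to team", ["team@corp.example.com"]),
    InboxRule("dave@example.com", "Old rule", ["dave@outlook.example"], enabled=False),
]

# Matches 'Name <user@host>' or a bare 'user@host'; group 2 is the host.
_ADDR = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?\s*$")

def address_domain(recipient):
    """Return the lower-cased domain of a recipient string, or None if unparsable."""
    m = _ADDR.search(recipient.strip())
    return m.group(2).lower() if m else None

def is_internal(domain):
    """True if the domain is a corporate domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in CORPORATE_DOMAINS)

def find_external_forwards(rules):
    """List (owner, rule name, recipient) for every enabled rule sending mail outside."""
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        for rcpt in rule.forward_to:
            dom = address_domain(rcpt)
            if dom is None or not is_internal(dom):  # fail closed on unparsable targets
                findings.append((rule.owner, rule.name, rcpt))
    return findings

if __name__ == "__main__":
    for owner, name, rcpt in find_external_forwards(RULES):
        print(f"{owner}: rule '{name}' forwards to external address {rcpt}")
```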
Data access control methods
Data can also be infected or compromised externally and sent right back into the data center. In this case, you are still vulnerable to zero-day attacks. To combat these kinds of BYOD security issues, you can use data access control methods such as port knocking, white lists and intrusion prevention systems.
To further improve data access control, you should also centralize application execution. The next step is to protect against data leakage by controlling when and where users can actually access data, and how data is sent to the outside world through your corporate network. To do so, you can use email gateways that control how attachments are handled (WebSense Email Gateway, for instance) and implement file security and access control tools such as Seclore and others.
A good BYOD initiative starts with a solid foundation for protecting your most important asset: your data. Data access control methods are king, so make sure you understand that aspect of BYOD security before jumping onto the VDI bandwagon.
About the author:
Cláudio Rodrigues is a consultant and CEO of WTSLabs Inc. based in Ottawa, Canada. He has been deploying server-based computing solutions since the Citrix WinView days and was the first person ever to receive the Microsoft MVP award for Terminal Services. He was the CEO of Terminal-Services.NET, the company that developed tools such as WTSGateway Pro and WTSPortal. Rodrigues is also a frequent BriForum presenter and has helped clients around the world implement server-based computing technologies.