Nonpersistent virtual desktops wipe clean after each session, and that provides a security boost over persistent virtual desktops and physical PCs, but it also makes it harder to assess any attacks.
The biggest VDI security threat to any endpoint device is that attackers will exploit a weakness within the device and then use it as a platform to gain access to other resources. Administrators still have to worry about endpoints as part of their nonpersistent VDI security strategy, because it's entirely possible for a nonpersistent desktop to contain an exploitable security vulnerability.
However, nonpersistent VDI environments are inherently easier to secure for a few different reasons. For starters, nonpersistent virtual desktops reset to a pristine state after each session. This means the old technique of planting malware on an endpoint and using that malware as a mechanism to gain access to the network is not as effective. It is still theoretically possible for a hacker to plant malware on nonpersistent virtual desktops, but these desktops usually run hardened operating systems, so any malware that makes it onto the system may not even work. Furthermore, the virtual desktop will automatically remove malware at the end of the session when it resets.
The biggest security drawback to nonpersistent desktops is that they make it easier for a hacker to cover his tracks. Any audit logs that exist within the virtual desktop are erased the moment the session ends, so the same feature that makes nonpersistent desktops more secure can also work against them. IT staff won't be able to rely on endpoint-level forensics, so organizations using nonpersistent desktops should implement strong monitoring tools at other levels of the IT infrastructure.
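An added example, not part of the original article: because desktop-side logs vanish at reset and a pooled desktop's address is reused by successive users, attributing a firewall event means joining it against session records kept outside the desktop. The broker session records, firewall log lines, field names and addresses below are constructed for illustration and do not reflect any specific product's format.

```python
from datetime import datetime

# Constructed sample data. Field names and layouts are assumptions, not any
# product's real export format.
BROKER_SESSIONS = [
    # (pool desktop, assigned IP, user, logon, logoff/reset)
    ("vdi-pool-07", "10.20.0.57", "asmith", "2024-03-04T08:01:10", "2024-03-04T11:45:02"),
    ("vdi-pool-07", "10.20.0.57", "bjones", "2024-03-04T12:10:33", "2024-03-04T17:02:48"),
    ("vdi-pool-12", "10.20.0.62", "cwu",    "2024-03-04T08:30:00", "2024-03-04T16:00:00"),
]
FIREWALL_LOG = """\
2024-03-04T10:15:42 src=10.20.0.57 dst=10.50.1.20 dport=445 action=deny
2024-03-04T11:58:03 src=10.20.0.57 dst=10.50.1.20 dport=445 action=deny
2024-03-04T13:22:19 src=10.20.0.57 dst=10.50.1.20 dport=3389 action=deny
"""

def parse_flow(line):
    """Split 'timestamp key=value ...' into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def find_session(flow, sessions):
    """Return the broker session that held the flow's source IP at that time."""
    for desktop, ip, user, start, end in sessions:
        held = datetime.fromisoformat(start) <= flow["ts"] <= datetime.fromisoformat(end)
        if ip == flow["src"] and held:
            return {"desktop": desktop, "user": user, "logon": start}
    return None  # between sessions: the desktop was reset and nobody owned the IP

def attribute(log_text, sessions):
    """Pair each firewall event with the user who held the desktop, if any."""
    results = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        session = find_session(flow, sessions)
        results.append((flow["ts"].isoformat(), flow["dst"], flow["dport"],
                        session["user"] if session else None))
    return results

if __name__ == "__main__":
    for row in attribute(FIREWALL_LOG, BROKER_SESSIONS):
        print(row)
```

The same source address maps to two different users and to one unowned gap, which is why the session records have to be retained off the desktop alongside the network logs.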
Patching, which can address VDI security flaws and other bugs, also differs between persistent and nonpersistent desktops. Persistent desktops retain users' profiles and data, so admins can treat them similarly to physical desktops, usually centrally downloading patches and then distributing them individually. Often in nonpersistent VDI, users all share the same disk image, so admins have to patch the master image and deploy a new one.