juanjo tugores - Fotolia
Companies have a lot at stake when they trust a DaaS provider to ensure that hosted virtual desktops and the infrastructure they run on remain secure, yet weaknesses outside the provider's control can also wreak havoc.
Cybercriminals work diligently to crack open desktop as a service (DaaS) and other cloud services, and they're not just run-of-the-mill crooks. Competitors and insiders associated with the service provider or the subscriber can hack cloud services and sensitive corporate information.
Cyberattacks grow more sophisticated every day, and they can come on a number of fronts. For example, malware can infiltrate the boot process or creep in through the user profile and settings layer. IT pros should not trust the Secure Sockets Layer protocol and Certificate Authority with 100% certainty, and two-factor authentication is not an absolute guarantee against unauthorized account access, either.
Additionally, admins shouldn't trust a single antimalware tool to protect against every possible threat. Malware can work its way through virtual environments just as it can physical networks; the virtualization layer might be able to ward off some attacks or at least slow them down, but no system is immune.
To make matters worse, would-be attackers use the computing power that is available through cloud services to carry out operations such as cracking encryption keys or distributing malware. And there are also threats that we don't know about yet, such as zero-day menaces waiting to pounce on undiscovered vulnerabilities.
Another cloud security concern that applies to DaaS is the hypervisor-multi-tenancy union. If the hypervisor services are compromised and isolation is broken, it puts at risk all the virtual machines (VMs) from all the organizations that subscribe to the service.
The threat of side-channel attacks is a growing concern. A side-channel timing attack, for example, can measure how much time various computations take and use that information to access private encryption keys used by other VMs on the same server. Even without the side-channel advantage, a hacker targeting persistent desktops could gain access to a wide range of secure corporate resources and sensitive information.
There will always be users
No matter how hard solution providers and software vendors work to make their virtual environments safe, the criminal element is working just as hard to undermine those efforts. And it's not just infrastructure vulnerabilities they're aiming for. Whether he's working on a virtual desktop or a physical one, the user remains one of the weakest links in the security chain.
System administrators have many tools to help curtail users' more creative antics, but some employees still put sensitive resources at risk. For example, they use unapproved apps to transfer data, write passwords on slips of paper, open questionable attachments in their email, access social networks over the corporate network and visit websites that aren't business-related.
Such actions are exactly what hackers prey on. Once they get their hands on the account credentials, they can access the DaaS environment, including the secure corporate resources and sensitive data companies may store there. Even desktops serving as thin clients for DaaS access can be infected with a keystroke logger that gathers confidential information.
And it's not just outsiders intent on wielding those cyberweapons of mass destruction. Let's not forget the rogue employee. An insider is just as capable of carrying out an attack as a cybercriminal or competitor.
An employee can become disgruntled for any number of reasons, or he or she might simply see an opportunity to make money. Given that the individual already has access to internal systems and perhaps even a high level of clearance, he or she could steal or destroy data and cause an extraordinary amount of damage before ever being caught.
DaaS has a place
DaaS is not a terrible thing. A cloud service is not a terrible thing. They have their place, but they're not invincible.
When you hear all the hype about the advantages of DaaS, particular with regard to security, take it in stride. There is another side to the story, with three very important players: the service provider, the cybercriminal and the user.
DaaS providers and the vendors developing the underlying technology have a lot at stake in making these systems work. If they're not efficient and cost-effective, they'll be a hard sell. If they're not secure, no one will want them.
DaaS and the cloud have become big businesses, so you can be sure they'll do everything they can to make these systems work. But no technology is without its challenges. Physical desktops have plenty of their own vulnerabilities. Do your homework before diving headlong into the DaaS waters, and make sure you know where the greatest risks lie.
In part one of this series, learn more about the potential weaknesses inside DaaS providers' data centers.