Three security features to look for in DaaS providers

Concerns about cloud-hosted virtual desktop security are mostly overblown. IT should be okay as long as it evaluates DaaS providers by how well they ensure confidentiality, integrity and availability.

Contrary to popular belief, DaaS providers can address security better than some on-premises virtual desktop infrastructure does.

The general concern over desktop as a service (DaaS) is fairly simple: Each organization has a collection of requirements for security and compliance, and any new technology must satisfy those requirements. Luckily, DaaS providers address many of the security concerns that IT shops may have. For example, multi-tenancy forces providers to build stronger isolation than IT typically provides on premises.

DaaS detractors do have at least one legitimate beef: It can be a challenge to find DaaS providers that fulfill the specific requirements a company may have. Be mindful that not all requirements need to apply to every desktop in the fleet, and there are multiple delivery and provider options.

No matter how desktop as a service ultimately manifests itself in an organization -- and whether it does at all -- IT must outline its security requirements early on, because they will help drive DaaS provider selection. Learning those requirements might also help businesses identify alternative options, such as on-premises VDI or even leaving conventional physical desktops in place for some users.

Cloud vs. on-premises security

Security in the cloud is often better than security in on-premises infrastructure. Many organizations had on-premises infrastructure long before the rise of the Internet, so they had to retrofit protection from all the risks the Internet brings.

Cloud infrastructure is designed from the start to be Internet connected, and providers know their clouds may be exposed to attackers. They take steps to mitigate those threats up front. On-premises infrastructure is usually designed for just one company with no boundaries between different parts of the business, but cloud infrastructure usually contains data from multiple companies, so isolation is critical.

For those shops that still see security as the reason they can't deliver desktops as a cloud service, on-premises VDI might be the answer. VDI allows the ultimate configurability to meet specific combinations of security and compliance requirements. Companies that plan to use DaaS providers must ensure those providers can deliver on the company's specific security requirements.

Learn the CIA way

Businesses should use the "CIA" model to assess different aspects of DaaS security: CIA stands for confidentiality, integrity and availability. Of the three, integrity is the one that customers must assume. Companies shouldn't use DaaS providers if they're not trustworthy, and shops can only determine that by performing their own assessment of the product.

For DaaS providers, confidentiality is a core design criterion. Each tenant must be isolated from all other tenants, and every tenant must be isolated from the provider's own infrastructure. For example, each tenant likely has its own independent user directory, usually Microsoft's Active Directory (AD). The directory in the cloud is an extension of the on-premises AD, which contains all the corporate users.

The DaaS provider probably has at least two of its own user directories, one for its staff and a separate one for customer administration staff. If an attacker compromises any one of these directories, he does not gain access to every resource, nor does the compromised directory serve as a springboard for reaching the other directories.

Contrast that with what would happen if a hacker accessed an on-premises directory: Traditional IT shops have a single unified directory that serves every purpose. When it is compromised, it gives the hacker global administrative access.

There is no reason companies can't replicate this kind of isolation on premises, but for a DaaS provider that isolation is an imperative of basic design. Providers must isolate, and it doesn't stop with user directory isolation. Network isolation is central to keeping tenants separated and isolating parts of the same tenant from each other, such as isolating payroll data from call center users. DaaS providers generally offer more isolation than most on-premises VDI deployments.

User directory and network isolation is a double-edged sword, because tenants have far less visibility into the state of the underlying infrastructure. Tenants cannot see the provider or platform's security or access logs. This could limit visibility into potential security risks and incidents as well.

Hypervisor logs are not exposed to tenants, nor are the advanced settings that are applied to the hosts. Tenants are not permitted to run network monitoring against the DaaS platform, nor are they able to manage the antimalware software installed on the hypervisor hosts. To get that level of control and visibility, customers would need dedicated physical hosts, and if those hosts are at a service provider, that isn't DaaS, it's hosted VDI.

One of the possible security challenges for any cloud service is availability. One example is an Internet connection failure between users and the DaaS provider. The risk of an interruption to DaaS service is a bigger problem than it is for on-premises VDI or physical desktops. If all staff members work in the same office, then the loss of Internet is a big problem for DaaS shops: Without the Internet, the desktops are unavailable. On-premises VDI or physical PCs don't need the Internet to work.

On the other hand, if users work from multiple remote locations, then their Internet connections might be more reliable than a dedicated WAN. If staff are highly mobile or work from home, the DaaS provider's Internet connection may be more reliable than your data center's Internet connection.

Several new availability risks arise from the shared nature of cloud services. One is the noisy neighbor: Other tenants that share the same infrastructure may consume a large amount of resources, which leads to performance issues for the remaining tenants. A very slow desktop is almost as bad as no desktop, but DaaS providers that offer more guaranteed resources also charge more for that luxury. Companies must weigh the cost of the higher service levels against the benefit.

There is also the risk that the behavior of one tenant could affect availability for another. In the extreme case, the shared infrastructure could be subject to search and seizure if one tenant undertakes illegal activities. What happens if law enforcement confiscates the DaaS provider's storage array where desktops live?

For all the concerns administrators must handle, DaaS security exceeds many legacy infrastructures, and by becoming agents of the CIA model, IT can protect a DaaS deployment from danger.
