Virtual desktop security isn't all it's cracked up to be

It may seem like VDI is more secure than a physical deployment, but its deep connection to back-end systems actually makes it more risky in many ways.

Perhaps the biggest threat to a VDI deployment is the belief by many decision-makers that virtual desktops are inherently more secure than physical desktops.

VDI is not the knight in shining armor that many IT professionals hope it to be, one that can vanquish malicious threats. The reality is that virtual deployments can be just as vulnerable to attack as physical ones. Admins who believe otherwise about virtual desktop security put their systems at significant risk, and in this age of cyber-mayhem, VDI is no excuse for complacency.

In fact, virtual desktop security breaches can cause even greater damage, especially when it comes to ransomware, because virtual desktops are intricately connected to the servers, hypervisors, golden images, applications, other desktops and physical data stores. One infected desktop can conceivably affect the entire infrastructure and all the business processes it supports.

Where does the virtual desktop security fallacy come from?

VDI is easier to manage and keep up-to-date than large pools of physical desktops, and if admins properly patch and maintain their systems, VDI is much more likely to ward off attacks.

Plus, nonpersistent desktops can help mitigate the effect of some attacks because the desktops return to a pristine state at the end of each session. That said, nonpersistent desktops can actually exacerbate a ransomware attack because the lack of persistence can make it impossible to decrypt locked user data after an organization pays the ransom.

What is the reality?

Virtual desktop users are no less susceptible to error and poor security practices than users on physical desktops. They can visit infected websites, open questionable email attachments, click embedded links, transfer sensitive data to unapproved devices, use unauthorized applications and services and take numerous other steps that can put the corporate network and sensitive data at risk.

A VDI deployment is also vulnerable to poor management practices and improper settings configurations. Issues related to authentication, privileges, input validation and user credentials are a few of the factors that can contribute to VDI's downfall. Many of these issues are the same as ones admins run into with a physical deployment, but VDI's inherent integration with various components and the complexities that come with the technology can make matters worse.

In addition, virtual desktop security is a much more complex process than physical desktop security. VDI security requires specialized tools and the expertise to implement them. Yet, many organizations continue to use traditional tools designed for physical desktops, which are limited in scope and effectiveness.

Even organizations using specialized software can miss important virtual desktop security holes because of VDI's complex nature. Worse still, many organizations continue to believe in VDI's sainted security claims and do not prioritize security to the degree it needs.

Mounting threats to virtual desktop security

As with a physical system, threats to a VDI deployment can come from many directions, including from governments, corporations, cybercriminals or inside employees.

Most attacks start with the virtual desktop itself. From there, the intruder might attempt to infiltrate the network to gain access to the hypervisor, servers, hardware and data center. For example, an attacker who gains desktop access could conceivably upload rogue firmware to servers in the data center to carry out an assortment of nefarious acts.

In addition, malware comes in many forms. It can alter files, incapacitate systems or access sensitive data. Malware takes advantage of system exploits to carry out disruptive acts, such as locking data, wiping disks or injecting malicious code into specific processes. To make matters worse, IT administrators might be unable to react to threats in a timely manner because intruders can access the network through resources that are not readily apparent. Cybercriminals don't always carry out their threats through direct attacks. They might also use social engineering, spoofing, wiretapping, identity fraud or other approaches to acquire the credentials they need to gain unencumbered access to the target systems.

No excuse for complacency

A virtual desktop is not quite the sandbox many believe, and IT must take special care to protect it. Educating users, ensuring that the necessary expertise is on hand and keeping the systems up-to-date are the best protections, along with security tools that account for the specific requirements of a VDI deployment.

So far, most VDI deployments have survived the onslaught of attacks, in part because of good management practices and nonpersistent desktops, but also because cybercriminals have yet to turn their full attention to VDI. But times are changing, and as virtual desktops become more widespread, hackers will likely take more of an interest, targeting their attacks accordingly.
