The other is two-factor authentication, which requires multiple credentials and actions to log in, such as a password entered on the desktop plus a tap on the mobile screen, or logging into a VPN and then into a browser-delivered service. Naturally, this is innately more secure than SSO. It’s up to IT to choose a method that suits their users, based on users’ access levels, application requirements, sensitivity of the data, or capabilities of the system and network.
Managing user identities: This is based on the Zero Trust model, which stipulates that users are given access only to the resources they need for their role or assigned tasks, and nothing more. Policies specify user and group roles, and active sessions are monitored and controlled individually for every logged-in user. This prevents an attacker from hijacking a user session to access sensitive data or move laterally into the server.
Application segmentation: Applications and workloads can be built in such a way that they are isolated and separated from other business-critical or sensitive applications in the VDI. Granular policies based on processes, resources, or other assets go a long way in cutting vulnerabilities down to size. Ring-fencing segments within the VDI ensures that attackers can’t achieve lateral movement in the event of a breach.
Combined with user identity management, segmentation lets IT make sure that every user can access only the services and parts of the application they need, and cannot stray out of their relevant environment.
Rigorous data protection policies: Modern hackers are more interested in stealing data and intellectual property than breaking into servers or networks and doing damage. VDIs allow for more stringent data control and IT should take advantage of this. To start with, data should never leave the data center or central server, whether on-premises or in the cloud. Data center resources can be used for automatic backup and recovery of desktop data. All data in transit should be encrypted.
Comprehensive visibility: The security solution or VDI management platform should allow admins to monitor in real time (on-demand) the following parameters:
- all the nodes that are online
- whether each desktop or VM is updated and patched or not
- every user that is logged in, along with activity logging
- the processes and services running on each server and node
- which applications and services are being used for what purposes, by which sessions
- all the flows that are being generated
- how processes are communicating
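The segmentation policy described above and the flow visibility just listed come together in one check: compare every observed flow against the allowlist of permitted segment-to-segment connections and flag the rest. The following is an added example, not the article's or any product's code; the segment CIDRs, the policy tuples, the rule that desktops may not talk to each other, and the flow records are all constructed for the demonstration. A real deployment would feed it NetFlow/IPFIX or hypervisor flow telemetry instead of the string list.

```python
import ipaddress
from dataclasses import dataclass

# Constructed segment map: address range -> segment name (assumption, not real values).
SEGMENTS = {
    "10.10.0.0/24": "user-desktops",
    "10.20.0.0/24": "hr-app",
    "10.30.0.0/24": "finance-app",
    "10.40.0.0/24": "mgmt",
}

# Constructed allowlist of (source segment, destination segment, destination port).
# Anything crossing a segment boundary that is not listed here is a finding.
POLICY = {
    ("user-desktops", "hr-app", 443),
    ("user-desktops", "finance-app", 443),
    ("mgmt", "user-desktops", 3389),
}

# Segments whose members may talk to each other. User desktops are deliberately
# absent: desktop-to-desktop traffic has no business purpose in this design.
PEER_TRAFFIC_ALLOWED = {"mgmt"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    process: str


def parse_flow_line(line: str) -> Flow:
    """Constructed record format: 'src_ip dst_ip dst_port process'."""
    src, dst, port, proc = line.split()
    return Flow(src, dst, int(port), proc)


def segment_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for cidr, name in SEGMENTS.items():
        if ip in ipaddress.ip_network(cidr):
            return name
    return "unknown"


def evaluate_flows(lines):
    """Return (flow, reason) pairs for every flow the segmentation policy does not permit."""
    findings = []
    for line in lines:
        f = parse_flow_line(line)
        s, d = segment_of(f.src), segment_of(f.dst)
        if s == d:
            if s in PEER_TRAFFIC_ALLOWED:
                continue
            findings.append((f, f"peer traffic inside {s} is not permitted"))
        elif (s, d, f.dst_port) not in POLICY:
            findings.append((f, f"{s} -> {d}:{f.dst_port} is not in the segmentation policy"))
    return findings


# Constructed flow telemetry for the demo.
SAMPLE_FLOWS = [
    "10.10.0.15 10.20.0.5 443 browser.exe",   # desktop -> HR app over HTTPS: allowed
    "10.40.0.2 10.10.0.15 3389 mstsc.exe",    # management -> desktop RDP: allowed
    "10.10.0.15 10.10.0.22 445 cmd.exe",      # desktop -> desktop SMB: peer traffic, flagged
    "10.20.0.5 10.30.0.9 1433 w3wp.exe",      # HR app -> finance segment: not in policy
    "10.10.0.15 192.0.2.77 443 browser.exe",  # desktop -> address outside any segment
]

if __name__ == "__main__":
    for flow, reason in evaluate_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port} ({flow.process}): {reason}")
```

Because the policy is an allowlist, the check also catches flows to addresses that belong to no known segment, which is the usual sign that the segment map itself is out of date.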
Continuous, automated endpoint security management: It is critical for IT teams to ensure that endpoint software and hardware remain compliant with the security policies and standards of the organization at all times. A secure VDI needs automated checks and approaches to software installation and removal, patches and upgrades, anomaly detection, and support procedures at the endpoints.
Proactive incident response: It’s a myth that virtual desktops are immune to attacks and security breaches. Granted, they have fewer vulnerabilities than physical desktops, but they are still susceptible to various types of keyloggers, screen scrapers, malicious email links, Remote Access Trojans (RATs), and lateral movement. Non-persistent desktops are even prone to antivirus boot storms (signature and algorithm updates that spike usage), leading VDI vendors to recommend turning the antivirus updates off.
The solution, therefore, is having a pragmatic incident response process that expedites threat mitigation and recovery, while minimizing disruption to operations. As soon as an infected VM is discovered, it needs to be blocked and isolated from the network, or even terminated if necessary, with a focus on salvaging user data.
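The automated endpoint checks described under "Continuous, automated endpoint security management" and the "block and isolate" response described just above can be expressed as one small compliance pass: every desktop is compared with the golden-image baseline, and the kind of drift found decides the action. This is an added example, not the article's or any vendor's code. The baseline values, node records, process names and the triage rule (unexpected processes mean possible compromise and therefore quarantine; everything else is routine remediation) are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    os_build: tuple            # constructed (major, minor, build) tuple
    agents: set                # security/management agents reporting in
    processes: set             # process image names observed on the node
    minutes_since_checkin: int


# Constructed baseline: what every desktop built from the golden image should look like.
BASELINE = {
    "min_os_build": (10, 0, 19045),
    "required_agents": {"edr-agent", "vdi-agent"},
    "image_processes": {"explorer.exe", "svchost.exe", "edr-agent.exe",
                        "vdi-agent.exe", "browser.exe"},
    "max_minutes_since_checkin": 60,
}


def check_node(node: Node, baseline=BASELINE) -> list:
    """Return the list of reasons a node is out of compliance (empty if compliant)."""
    reasons = []
    if node.os_build < baseline["min_os_build"]:
        reasons.append(f"os build {node.os_build} below baseline {baseline['min_os_build']}")
    missing = baseline["required_agents"] - node.agents
    if missing:
        reasons.append("missing agents: " + ", ".join(sorted(missing)))
    unexpected = node.processes - baseline["image_processes"]
    if unexpected:
        reasons.append("processes not in golden image: " + ", ".join(sorted(unexpected)))
    if node.minutes_since_checkin > baseline["max_minutes_since_checkin"]:
        reasons.append(f"no check-in for {node.minutes_since_checkin} minutes")
    return reasons


def remediation_action(reasons) -> str:
    """Assumed triage rule. 'quarantine' means: cut the desktop off the network,
    keep it for forensics and preserve the user's data before any termination.
    'remediate' means patch or reinstall the agent in the next maintenance pass."""
    if any(r.startswith("processes not in golden image") for r in reasons):
        return "quarantine"
    return "remediate" if reasons else "none"


def compliance_report(nodes, baseline=BASELINE) -> dict:
    """Map node name -> (reasons, action) for a fleet of desktops."""
    report = {}
    for node in nodes:
        reasons = check_node(node, baseline)
        report[node.name] = (reasons, remediation_action(reasons))
    return report


# Constructed inventory snapshot for the demo.
SAMPLE_NODES = [
    Node("vdi-001", (10, 0, 19045), {"edr-agent", "vdi-agent"},
         {"explorer.exe", "svchost.exe", "edr-agent.exe", "vdi-agent.exe"}, 3),
    Node("vdi-002", (10, 0, 19044), {"edr-agent", "vdi-agent"},
         {"explorer.exe", "svchost.exe", "edr-agent.exe", "vdi-agent.exe"}, 5),
    Node("vdi-003", (10, 0, 19045), {"vdi-agent"},
         {"explorer.exe", "svchost.exe", "vdi-agent.exe", "unsigned-helper.exe"}, 2),
    Node("vdi-004", (10, 0, 19045), {"edr-agent", "vdi-agent"},
         {"explorer.exe"}, 720),
]

if __name__ == "__main__":
    for name, (reasons, action) in compliance_report(SAMPLE_NODES).items():
        print(f"{name}: {action}" + ("" if not reasons else " (" + "; ".join(reasons) + ")"))
```

Non-persistent desktops make the process check unusually sharp: since every session starts from the same image, any process outside the image's known set is a deviation worth a look rather than ordinary user variety.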
VDI as a Game Changer in IT Security
The increasing adoption of hybrid, multicloud environments and hyperconvergence is changing virtualization in complex ways, leaving security professionals on edge. However, virtualization itself has changed the way data centers work, forced upgrades of legacy infrastructure, and is now pushing organizations towards more scalable and robust infrastructure deployments.
As more everyday transactions become technology-based and working from home becomes more commonplace, companies will need security solutions that detect and prevent complex malware while consuming fewer resources and less bandwidth. This turns traditional security practices on their head, because of the lack of centralized control or enforceable standards. Therefore, it wouldn’t be surprising if effective solutions in VDI security set the direction for IT security as a whole.