Virtual Desktop Security: Simply Complex (Page 1 of 2)

A virtual desktop infrastructure eliminates some security risks, but it introduces new complexities that can wreak havoc on a company's security stance if you don't prepare for them in advance.
By Eric Hanselman
Virtual desktops offer organizations a great deal of value, especially when it comes to improving desktop security. A virtual desktop infrastructure (VDI), for example, essentially eliminates the risk posed by confidential data sitting on the "edges" of the network that can be compromised through the theft or loss of a laptop. It also enables easier compliance with data access and loss prevention mandates. Because a VDI centralizes control and management of desktops, it limits the data that is shipped to end users to a screen representation: No data is stored on the end-users' machines. So, in this sense, VDI makes security simpler.
As it centralizes the management of desktops, however, VDI also introduces new complexities into desktop security that can wreak havoc on a company's security stance if IT does not prepare for them prior to the VDI deployment. In a VDI, for instance, IT administrators still need to deal with all of the security issues that ordinarily encompass the desktop environment, such as anti-virus protection.
ADDITIONAL COMPLEXITIES
But managing a VDI also creates additional connection management requirements because IT is dealing with a disconnected user community. What's more, it requires the centralization of authentication. In a VDI, users don't have physical access to their desktops, so access and authentication are pushed to the IT infrastructure, where user identity management is centralized.
No longer can an administrator set up local accounts for individuals on specific machines. In a VDI, users must be authenticated against the organization's authentication infrastructure, because users can log in to their desktops from anywhere. The idea of setting up a local account for a user on a physical machine disappears altogether.
While this change hardens security--after all, a central authentication system keeps track of every log-in by every user and eliminates the kinds of insecure kludges and work-arounds that IT administrators could get away with on a single machine--users now depend even more heavily on the network and connection management system for all their computing needs.
As a result, both the identity management and access portions of the infrastructure must be robust, reliable, and available. Potential problems often do not show up in small trial deployments. Administrators should ensure that proper due diligence has been conducted to determine whether the connection management system is truly up to the task.

