Armoring the VDI to Protect Business Critical Applications and Data

Demand for Virtual Desktop Infrastructure (VDI) technology has grown. Propelled by the COVID-19 pandemic and the wholesale shift to remote working, the sector is expected to increase at a CAGR of 14.4% from 2019 to 2027 according to the Virtual Desktop Infrastructure Market Forecast.

It has long been the method of choice for delivering granular control over secure remote access to virtual desktops, applications and data from outside the corporate perimeter. This is why the past year has seen such a demand for VDI amongst enterprises.

VDI utilizes a secure gateway (such as Citrix NetScaler, VMware UAG or F5), which provides multi-factor authentication and proxies the session traffic to the backend systems. It sounds secure, but there is an important loophole which puts enterprises at risk of attack. If the endpoint device being used to access the VDI platform is unmanaged, it can be compromised quickly and with significant impact.

The biggest threat? Any hacker using keylogging or screen scraping malware can capture confidential data, while Zeus variants using browser attacks can exploit the logon process of remote access systems to gain entry. Additional challenges come from configuration files (such as ICA files) being intercepted, either in flight or from the endpoint’s file system, and re-used promptly elsewhere; from RDP double-hop or VNC attacks; and even from manipulation of the Windows printing sub-system.
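The "re-used in a timely fashion" caveat above is the whole point of short-lived, single-use launch tickets: a captured configuration file is only useful to an attacker while the gateway still honours it. The following is an added example, not code from the article or from any VDI vendor, of a hypothetical gateway-side ticket store (`LaunchTicketStore`, a constructed name) that issues opaque tickets bound to a user, expires them after a fixed TTL and rejects any second redemption. The fake clock exists only so the expiry path can be exercised deterministically.

```python
"""Hypothetical single-use, expiring launch tickets for a VDI gateway (added example)."""
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple


class LaunchTicketStore:
    """Issue opaque tickets that are valid once, for one user, for ttl_seconds."""

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        # ticket id -> (expiry timestamp, user the ticket was issued to)
        self._pending: Dict[str, Tuple[float, str]] = {}

    def issue(self, user: str) -> str:
        """Mint a random, unguessable ticket id and remember who it belongs to."""
        ticket_id = secrets.token_urlsafe(16)
        self._pending[ticket_id] = (self._clock() + self._ttl, user)
        return ticket_id

    def redeem(self, ticket_id: str, user: str) -> Tuple[bool, str]:
        """Accept a ticket exactly once; a replay, an expired ticket or the wrong user is refused."""
        # pop() makes the ticket single-use: even a failed attempt consumes it,
        # so a captured file cannot be retried against another user or later on.
        entry = self._pending.pop(ticket_id, None)
        if entry is None:
            return False, "unknown or already used"
        expires_at, bound_user = entry
        if self._clock() > expires_at:
            return False, "expired"
        # Constant-time comparison so the user check leaks nothing via timing.
        if not hmac.compare_digest(bound_user.encode(), user.encode()):
            return False, "user mismatch"
        return True, "ok"


class FakeClock:
    """Controllable clock for demonstrating expiry without sleeping."""

    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    """Walk through the four outcomes: first use, replay, expiry and wrong user."""
    clock = FakeClock()
    store = LaunchTicketStore(ttl_seconds=60, clock=clock)

    ticket = store.issue("alice")
    first_use = store.redeem(ticket, "alice")     # legitimate launch
    replay = store.redeem(ticket, "alice")        # same file re-used: refused

    ticket = store.issue("alice")
    clock.now += 61                               # captured file used too late
    late = store.redeem(ticket, "alice")

    ticket = store.issue("alice")
    wrong_user = store.redeem(ticket, "mallory")  # file moved to another account
    return first_use, replay, late, wrong_user


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The store holds only what it needs to answer "is this ticket still good?", so a gateway can keep the TTL short (seconds, not minutes) without any cost to legitimate users, which is what shrinks the window in which an intercepted file is worth anything.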

Remote access environments are not disproportionately vulnerable to risks, but they are more susceptible if accessed by unmanaged endpoints, which themselves are the source of 70% of breaches, according to research.

As we have found over the past year, personal PCs and laptops have been used widely, leaving little control over the security posture, operating system level or application versions in use before a VDI platform is accessed. While an employee might be cyber-aware, another family member using the same device may be less security-savvy, making the risk of compromise even greater. The result is that businesses are at risk of losing control over the security of their critical applications and data.

Addressing the Risks

Many companies provide secure corporate laptops to reduce the risks to VDI platforms, but once outside the corporate perimeter, these endpoints are still challenging to manage. Others adopt endpoint compliance checks, which rely on an agent delivered and configured by the gateway that the VDI client connects to. Pre- and post-authentication access policies can be used to check for minimum system or application levels or versions, which provides a level of assurance before granting access. If compliance is vital to an enterprise, however, these checks do not guarantee that an endpoint is secure, which means compliance regulation audits will not be satisfied. While endpoint compliance checks generate support overhead and require additional licencing, they can add value.
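To make the pre-authentication policy described above concrete, here is an added example (not the article's or any gateway product's code) of a posture evaluator: a policy states minimum OS and VDI client versions plus required controls, and `evaluate` returns whether access may be granted together with every failed check, so support staff can see why a user was refused. The posture reports and the policy values are constructed for illustration; in practice the report would come from the gateway's endpoint agent.

```python
"""Hypothetical pre-authentication endpoint compliance check (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def parse_version(version: str, width: int = 4) -> Tuple[int, ...]:
    """Turn '10.0.19041' into (10, 0, 19041, 0) so versions compare numerically.

    Comparing version strings as text gets '9.1' > '10.0' wrong; padding to a
    fixed width makes '11' and '11.0' equal instead of ordering one below the other.
    """
    parts = [int(p) for p in version.split(".") if p.isdigit()]
    parts += [0] * (width - len(parts))
    return tuple(parts[:width])


@dataclass
class Policy:
    """Minimum bar an endpoint must meet before a VDI session is allowed."""
    min_os_version: Dict[str, str]            # OS name -> minimum version/build
    min_client_version: str                   # minimum VDI client version
    require_av_enabled: bool = True
    max_av_signature_age_days: int = 7
    require_disk_encryption: bool = True


def evaluate(report: dict, policy: Policy) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed check is reported, not just the first."""
    reasons: List[str] = []

    os_name = report.get("os", "unknown")
    os_version = report.get("os_version", "0")
    minimum = policy.min_os_version.get(os_name)
    if minimum is None:
        reasons.append(f"unsupported OS: {os_name}")
    elif parse_version(os_version) < parse_version(minimum):
        reasons.append(f"{os_name} {os_version} below minimum {minimum}")

    client = report.get("vdi_client_version", "0")
    if parse_version(client) < parse_version(policy.min_client_version):
        reasons.append(f"VDI client {client} below minimum {policy.min_client_version}")

    if policy.require_av_enabled:
        if not report.get("av_enabled", False):
            reasons.append("anti-virus not running")
        elif report.get("av_signature_age_days", 10**6) > policy.max_av_signature_age_days:
            reasons.append("anti-virus signatures older than policy allows")

    if policy.require_disk_encryption and not report.get("disk_encrypted", False):
        reasons.append("disk not encrypted")

    return (not reasons, reasons)


# Constructed policy values, chosen for illustration only.
POLICY = Policy(
    min_os_version={"Windows": "10.0.19041", "macOS": "11.0"},
    min_client_version="21.5.0",
)

# Constructed posture reports: a managed corporate laptop and an out-of-date home PC.
CORPORATE_LAPTOP = {
    "os": "Windows", "os_version": "10.0.19044",
    "vdi_client_version": "22.3.0",
    "av_enabled": True, "av_signature_age_days": 1,
    "disk_encrypted": True,
}
PERSONAL_PC = {
    "os": "Windows", "os_version": "10.0.17763",
    "vdi_client_version": "19.12.0",
    "av_enabled": True, "av_signature_age_days": 30,
    "disk_encrypted": False,
}


if __name__ == "__main__":
    for name, report in (("corporate laptop", CORPORATE_LAPTOP), ("personal PC", PERSONAL_PC)):
        allowed, reasons = evaluate(report, POLICY)
        print(name, "->", "allow" if allowed else "deny", reasons)
```

Note what this check can and cannot tell you: the report is produced on the endpoint, so on an unmanaged device that is already compromised the agent itself can be tampered with or fed false values. The policy raises the bar and documents the decision, but it is evidence of configuration, not proof that the endpoint is clean, which is exactly why the article says such checks do not by themselves satisfy an auditor.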

Another method is to use bootable USB devices with ‘thin’ operating systems that can provide a secure environment to access the VDI. To be effective, a physical device must be issued to each user, and they must boot the operating system from the USB on their own PC or laptop, but there is no control over how the BIOS is configured. Logistically there are also issues, because the user must remain connected to the VDI platform and cannot use their own device for other purposes unless they disconnect. This can be a problem for enterprises that want to provide third-party remote access.

Finding a Solution

The security of VDI platforms can be successfully reinforced with solutions that have been designed specifically to protect endpoint devices. These not only armour the VDI client against threats including keylogging and screen scraping but also protect the browser and the logon process. Enterprises should identify the best, ideally patented, technology that secures endpoints, regardless of their security status when a VDI session is running. This ensures uncompromising confidentiality, allows the user to have full access to their normal desktop by easily switching, without having to close the VDI session, and gives the organization a high level of control.

Suitable solutions not only solve the security risk, they also deliver constant updates which ensures that browser and VDI client compatibility issues – that principally arise from out-of-date VDI clients – are solved.

The threat of a cyber-attack is ever-present, and so endpoint protection should be viewed as an additional level of security on the endpoint when using VDI for remote access. Anti-virus, firewalls and operating system patching are all important too, but using these protections together creates a shield that makes it much harder for malware to penetrate.