Building a virtual desktop security strategy for the enterprise

Virtual desktop security requires strong governance, IAM, monitoring and endpoint controls. CIOs must address risks across VDI and DaaS to protect data and ensure compliance.

Many organizations use virtual desktops to provide flexible workspaces for employees and other users. Some deploy virtual desktop infrastructure (VDI) products, hosted on-premises or in the cloud. Others adopt cloud-based desktop as a service (DaaS) from third-party vendors. Still others use a combination of the two to meet their specific desktop requirements.

Regardless of how an organization plans to deliver its virtual desktops, CIOs and other decision-makers must ensure that virtual desktop environments and their data are fully protected and comply with applicable regulations. For this, they need a carefully planned security strategy that reflects broader governance, risk management, incident response and other considerations.

Virtual desktop security issues

Virtual desktops can help reduce security and compliance risks because most data resides in the data center rather than on individual endpoints. Users access their desktop environments over the internet or corporate network, with little to no data kept on their computers. The desktops are also centrally managed and secured, making it easier to apply granular protections and prevent unauthorized remote access.

Despite these advantages, virtual desktops can still pose security risks, whether delivered via DaaS or VDI. The following are some of the more common virtual desktop security concerns that IT teams can face:

  • Identity compromise. User credentials can be stolen through phishing, password spraying, credential stuffing and other forms of credential theft, allowing an attacker to log in to the virtual desktop as a legitimate user and reach corporate resources. If the compromised account has elevated privileges, the attacker might be able to access highly sensitive data or introduce malware into the network.
  • Session hijacking. An attacker might take control of an active user session through packet sniffing, an adversary-in-the-middle (AiTM) attack, cross-site scripting or other means. Such attacks might exploit vulnerabilities or misconfigurations in exposed gateways, connection brokers or remote desktop protocols, allowing the attacker to bypass authentication and operate inside an already-authenticated, trusted session.
  • Data exfiltration. Although virtual desktops help centralize and protect data, that data can still leave the secure environment in several ways, including screen captures, printing, copy-and-paste operations, drive mapping and clipboard redirection. Exfiltration can be caused by a careless user, a malicious insider or an outside attacker. In a multi-tenant cloud environment such as DaaS, misconfigured shared resources can also leak data across tenants.
  • Compliance exposure. Centralized desktop services, whether delivered via VDI or DaaS, can make it harder to demonstrate compliance with regulatory standards such as HIPAA or GDPR. Misconfigured settings, access controls or infrastructure components, such as desktop pools or shared images, can lead to data exposure and compliance violations. Virtual desktops also increase auditing complexity because of the virtual infrastructure itself and the distributed endpoints, particularly unmanaged and BYOD devices.
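The identity-compromise concern above is one that gateway authentication logs can surface early. The following is an added example, not code from the original article: a small Python detector run over constructed VDI gateway log lines. It flags password spraying (one source failing against many accounts, a few tries each), brute force against a single account, and a successful login from a source already flagged, which is the signature of a credential that has actually been compromised. The log format, field order and thresholds are assumptions and should be adapted to the real gateway.

```python
"""Detecting password spraying, brute force and likely compromise in VDI gateway logs.

Added example, not code from the original article. The log format is an
assumption: one space-separated event per line,
"<ISO-8601 timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>".
Thresholds are illustrative and should be tuned to the real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # sliding window of failures per source IP
SPRAY_MIN_USERS = 5              # distinct accounts failing from one source
SPRAY_MAX_PER_USER = 2           # a spray tries each account only a few times
BRUTE_MIN_FAILS = 6              # many failures against a single account


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), result


def detect(lines):
    """Return a list of findings, each a (kind, source_ip, detail) tuple.

    kind is one of:
      password_spray      - one source, many accounts, few tries each
      brute_force         - one source, one account, many failures
      possible_compromise - a successful login from a source already flagged
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e[0])
    fails = defaultdict(list)    # source_ip -> [(ts, user), ...] inside WINDOW
    flagged = set()              # source IPs already reported as attacking
    spray_reported = set()
    brute_reported = set()       # (source_ip, user) pairs already reported
    findings = []

    for ts, ip, user, result in events:
        if result == "LOGIN_OK":
            if ip in flagged:
                findings.append(("possible_compromise", ip, user))
            continue

        # Keep only this source's failures that fall inside the sliding window
        fails[ip] = [(t, u) for t, u in fails[ip] if ts - t <= WINDOW]
        fails[ip].append((ts, user))
        per_user = defaultdict(int)
        for _, u in fails[ip]:
            per_user[u] += 1

        if per_user[user] >= BRUTE_MIN_FAILS and (ip, user) not in brute_reported:
            brute_reported.add((ip, user))
            flagged.add(ip)
            findings.append(("brute_force", ip, user))

        if (len(per_user) >= SPRAY_MIN_USERS
                and max(per_user.values()) <= SPRAY_MAX_PER_USER
                and ip not in spray_reported):
            spray_reported.add(ip)
            flagged.add(ip)
            findings.append(("password_spray", ip, sorted(per_user)))

    return findings


# Constructed sample log (not real data): 203.0.113.7 sprays six accounts and
# then logs in as erin; 192.0.2.9 hammers bob; 198.51.100.2 is a user's typo.
SAMPLE_LOG = """\
2024-05-01T08:00:01 203.0.113.7 alice LOGIN_FAIL
2024-05-01T08:00:04 203.0.113.7 bob LOGIN_FAIL
2024-05-01T08:00:07 203.0.113.7 carol LOGIN_FAIL
2024-05-01T08:00:10 203.0.113.7 dave LOGIN_FAIL
2024-05-01T08:00:13 203.0.113.7 erin LOGIN_FAIL
2024-05-01T08:00:16 203.0.113.7 frank LOGIN_FAIL
2024-05-01T08:02:30 203.0.113.7 erin LOGIN_OK
2024-05-01T08:10:00 192.0.2.9 bob LOGIN_FAIL
2024-05-01T08:10:05 192.0.2.9 bob LOGIN_FAIL
2024-05-01T08:10:10 192.0.2.9 bob LOGIN_FAIL
2024-05-01T08:10:15 192.0.2.9 bob LOGIN_FAIL
2024-05-01T08:10:20 192.0.2.9 bob LOGIN_FAIL
2024-05-01T08:10:25 192.0.2.9 bob LOGIN_FAIL
2024-05-01T08:20:00 198.51.100.2 alice LOGIN_FAIL
2024-05-01T08:20:09 198.51.100.2 alice LOGIN_OK
"""

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The spray rule deliberately requires few attempts per account, because the attacker's goal is to stay under per-account lockout thresholds; the brute-force rule catches the opposite shape. A success from a flagged source is the finding worth paging on, since it means the lockout and MFA controls did not stop the login.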

Decision-makers must also determine whether to use persistent or nonpersistent desktops. Persistent desktops are much like physical machines. Each user is assigned a dedicated VM that can be personalized and updated. The VM retains the user's configuration settings and data across sessions. When the user logs off the desktop, the settings and data are retained in the same state until the user logs back in.

A nonpersistent desktop does not retain configuration settings and data across sessions. The desktop environment is generated from a golden image or template when the user logs on. When the user ends the session, the desktop environment, with all its settings and data, is deleted. Nonpersistent desktops simplify management and are generally more secure, because any malware or unauthorized change introduced during a session is discarded at logoff, but they are much less convenient for regular users.

The following compares how key security mechanisms apply to persistent and nonpersistent desktops:

Zero-trust principles
  • Persistent desktops: Because persistent desktops retain data and configuration, an attacker's foothold can also persist across sessions. These desktops must be managed like physical machines, with continuous monitoring, encryption, advanced threat detection and strict access controls.
  • Nonpersistent desktops: Data does not persist across sessions. Users start from a clean desktop image, with policies applied at launch. Monitoring and identity management occur at the session level, with zero trust enforcing isolation and verification. Session data is discarded at logoff, and updates are applied to the golden image.

Conditional access
  • Persistent desktops: Conditional access policies can be applied at a more granular level, consistent with how they would be applied to physical desktops. The policies can also take device identity and compliance into account, as well as restrict operating environments, locations and times to meet specific security and workload requirements. Long-term device identity can help simplify the login process.
  • Nonpersistent desktops: Conditional access policies are enforced at the session level only and reapplied at the beginning of each new session. Access tokens are not retained after the user logs out, so nonpersistent desktops often require more frequent authentication, backed by continuous real-time monitoring, session validation and dynamic adjustment. Patching and compliance are handled in the golden image, and users get a clean environment each time they log in.

Endpoint hardening
  • Persistent desktops: The virtual desktop is managed much like a physical endpoint. The operating environment should be regularly patched and updated to minimize vulnerabilities, continuously monitored for malicious activity, and protected with strong endpoint and data protection controls. It should also be monitored for drift from configuration baselines.
  • Nonpersistent desktops: Most of the hardening effort should focus on the golden image that underpins the desktops. The image should be patched and updated as needed, with base security policies applied. Application delivery should be carefully managed and controlled through application allowlisting. Desktop monitoring should be session-based and focused on real-time behavior, with users granted only the privileges they need.
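To make the conditional-access rules in the comparison above concrete, the following added example (not code from the original article) evaluates a login against a policy that considers device management and compliance, location, permitted hours and lockout after repeated failures, and that treats persistent and nonpersistent pools differently: on a persistent desktop a still-valid retained device token on a managed device can skip MFA, while a nonpersistent session retains no token and must reauthenticate each time. It also re-checks an established session for the idle and maximum-lifetime timeouts that the DaaS responsibilities section later assigns to the organization. The Policy and Request fields, the Decision values and the scenario data are assumptions.

```python
"""Conditional access and session policy for virtual desktop logins.

Added example, not code from the original article. Policy and Request
fields, Decision values and the scenarios are illustrative assumptions; a
real deployment would source them from its identity provider, device
management system and connection broker.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"   # step-up on login or reauthentication in-session
    DENY = "deny"


@dataclass(frozen=True)
class Policy:
    persistent: bool                       # persistent or nonpersistent pool
    allowed_countries: frozenset
    work_hours: tuple                      # (start, end) as datetime.time
    token_lifetime: timedelta = timedelta(hours=24)   # persistent pools only
    idle_timeout: timedelta = timedelta(minutes=15)
    max_session: timedelta = timedelta(hours=10)
    max_failures: int = 5                  # lockout threshold


@dataclass(frozen=True)
class Request:
    user: str
    at: datetime
    country: str
    device_managed: bool
    device_compliant: bool
    mfa_done: bool = False
    token_age: timedelta = None            # age of a retained device token
    recent_failures: int = 0


def evaluate_login(policy, req):
    """Decide a new login. Returns (Decision, reason)."""
    if req.recent_failures >= policy.max_failures:
        return Decision.DENY, "account locked out after repeated failures"
    if req.country not in policy.allowed_countries:
        return Decision.DENY, f"login from disallowed location {req.country}"
    start, end = policy.work_hours
    if not start <= req.at.time() <= end:
        return Decision.DENY, "login outside permitted hours"
    if req.device_managed and not req.device_compliant:
        return Decision.DENY, "managed device fails compliance baseline"
    if req.mfa_done:
        return Decision.ALLOW, "fresh MFA completed"
    if not req.device_managed:
        # BYOD gets the most restrictive treatment: MFA on every login
        return Decision.REQUIRE_MFA, "unmanaged device must complete MFA"
    if (policy.persistent and req.token_age is not None
            and req.token_age <= policy.token_lifetime):
        # Long-lived device identity simplifies login on persistent desktops
        return Decision.ALLOW, "retained device token still valid"
    if policy.persistent:
        return Decision.REQUIRE_MFA, "no valid retained token"
    # Nonpersistent desktops keep no token past logoff: reprove each session
    return Decision.REQUIRE_MFA, "nonpersistent session requires fresh MFA"


def check_session(policy, started, last_activity, now):
    """Re-evaluate an established session. Returns (Decision, reason)."""
    if now - started > policy.max_session:
        return Decision.DENY, "maximum session lifetime reached; terminate"
    if now - last_activity > policy.idle_timeout:
        return Decision.REQUIRE_MFA, "idle timeout; lock and reauthenticate"
    return Decision.ALLOW, "session within policy"


# Constructed scenarios (not real data) that exercise each branch.
HOURS = (time(7, 0), time(19, 0))
PERSISTENT = Policy(True, frozenset({"US", "DE"}), HOURS)
NONPERSISTENT = Policy(False, frozenset({"US", "DE"}), HOURS)
T0 = datetime(2024, 5, 1, 9, 30)
MANAGED = dict(user="alice", at=T0, country="US", device_managed=True,
               device_compliant=True, token_age=timedelta(hours=2))


def login(policy, **overrides):
    """Evaluate a login built from the MANAGED template plus overrides."""
    return evaluate_login(policy, Request(**{**MANAGED, **overrides}))[0]


def run_scenarios():
    """Return {scenario name: Decision} for the constructed cases."""
    return {
        "persistent_managed_token": login(PERSISTENT),
        "nonpersistent_same_device": login(NONPERSISTENT),
        "byod_no_mfa": login(PERSISTENT, device_managed=False),
        "byod_with_mfa": login(PERSISTENT, device_managed=False, mfa_done=True),
        "managed_noncompliant": login(PERSISTENT, device_compliant=False),
        "wrong_country": login(PERSISTENT, country="XX"),
        "after_hours": login(PERSISTENT, at=T0.replace(hour=22)),
        "locked_out": login(PERSISTENT, recent_failures=5),
        "healthy_session": check_session(NONPERSISTENT, T0, T0 + timedelta(minutes=50), T0 + timedelta(hours=1))[0],
        "idle_session": check_session(NONPERSISTENT, T0, T0, T0 + timedelta(minutes=20))[0],
        "expired_session": check_session(NONPERSISTENT, T0, T0 + timedelta(hours=11), T0 + timedelta(hours=11))[0],
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:28} {decision.value}")
```

The ordering of checks matters: hard denials (lockout, location, hours, non-compliant managed device) come before any MFA shortcut, so a retained token never lets a request through that the deny rules would otherwise block.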

Organizations are not limited to using only persistent or only nonpersistent desktops. They can use a combination of the two based on their user and workload requirements. For example, an organization might use persistent virtual desktops for its regular employees and nonpersistent desktops for temporary workers.

Working with cloud providers

If an organization plans to use DaaS for its virtual desktops, CIOs and other decision-makers should be aware of how virtual desktop security responsibilities are divided between the organization and service provider. 

The following outlines how common security responsibilities are typically split between the DaaS vendor and the customer organization:

Audit logging
  • Vendor responsibilities: The vendor logs infrastructure and core services (e.g., servers and hypervisors), ensures that logging operations and protections comply with applicable regulations (e.g., HIPAA or GDPR) and provides tools for log access.
  • Organization responsibilities: The organization logs application, data and user activity to meet regulatory and business requirements (e.g., HIPAA). It also ensures that logs are protected and available for audit.

Encryption
  • Vendor responsibilities: The vendor ensures that customer data residing on its infrastructure is encrypted at rest and in transit in accordance with industry standards. This covers storage volumes, VM images and control plane traffic.
  • Organization responsibilities: The organization is responsible for encrypting the data inside its virtual desktops and its own managed data stores, as well as data in transit between the desktops and external stores. The organization might also need to manage its own encryption keys.

Policy enforcement
  • Vendor responsibilities: The vendor implements and enforces policies that protect the core infrastructure and services (e.g., access policies, network segmentation, patching strategies, firewall management and hypervisor security). Vendors often enact policies in accordance with regulations such as GDPR, PCI DSS, HIPAA and CCPA.
  • Organization responsibilities: The organization implements and enforces policies that govern user behavior on virtual desktops and control how users interact with data protected by applicable regulations. It enforces access controls, acceptable use policies, application restrictions, and data and configuration management.

Session isolation
  • Vendor responsibilities: The vendor ensures that the infrastructure, virtualization layer and related services provide the necessary isolation across tenant and VM environments. It uses strong security policies and real-time monitoring to continuously prevent data leakage across tenants, desktops or sessions.
  • Organization responsibilities: The organization should restrict virtual desktop access to approved users and enforce authorization controls on data and sharing. It should also apply session policies (e.g., timeouts, lockouts and reauthentication) and implement controls over data storage and flow to prevent data leakage.

When considering a DaaS vendor, the organization should fully understand how the provider secures data, the protections it provides and the features it offers for managing security and auditing logs. The organization should also ensure that it remains compliant with applicable regulations while users access those virtual desktops.

Developing a virtual desktop security strategy

Organizations planning to deploy virtual desktops should first develop a security strategy that ensures their delivery is secure and they are compliant with applicable regulations. The following are nine recommendations CIOs should consider when implementing their virtual desktops:

  1. Plan the virtual desktop environment. Before deploying virtual desktops, organizations should determine desktop requirements and the measures needed to protect those desktops and their data. This includes identifying the number and types of users, as well as where and how they will work, taking into account both current and future needs. They should also assess existing infrastructure and software systems to determine whether VDI, DaaS or a combination of both is most appropriate. In addition, organizations should evaluate how workloads will be distributed across on-premises and cloud environments, along with additional infrastructure required to support the deployment.
  2. Integrate data governance. The organization's data governance framework, whether already implemented or still being planned, should incorporate the virtual desktop initiative. The framework should include security and privacy policies that protect data at rest and in transit, using standards-based encryption that complies with applicable regulations. The governance strategy should also define the identity and access management (IAM) policies that govern access to data from virtual desktops, as well as the data loss prevention policies that apply to them. The organization might consider establishing a council or committee to oversee data governance for the virtual desktop deployment.
  3. Establish a risk assessment framework. Risk assessment, as it pertains to the organization's DaaS or VDI environment, should be an ongoing, formalized effort that identifies potential security vulnerabilities. The assessment strategy should consider how technologies are implemented, how data flows, where it is stored, how desktop images are hosted and managed, and how users interact with their desktops and data. IT and security teams must fully understand the threat landscape and potential vulnerabilities, while maintaining a full inventory of all assets and their ownership.
  4. Plan the monitoring and auditing strategy. The organization's virtual desktop environment should be continuously monitored and audited. This includes automated monitoring that detects anomalous behavior and potential threats in real time, with alerts sent to key stakeholders. The strategy should also incorporate regular audits of the environment. Organizations might benefit from tools such as endpoint detection and response (EDR), centralized security information and event management (SIEM), and user and entity behavior analytics (UEBA).
  5. Implement an incident response plan. An effective incident response strategy is essential to minimizing the effect of a security event and ensuring a quick recovery. The response plan should clearly define roles and responsibilities and provide step-by-step instructions (playbooks) for responding to specific incident types. The instructions should account for issues such as isolation, log collection, forensic and root-cause analyses, and incident documentation requirements. The security team should also regularly review and test the response plan and conduct drills to ensure its effectiveness.
  6. Implement an infrastructure and platform management strategy. Before deploying virtual desktops, organizations should develop a plan that outlines how the infrastructure and virtualization platform will be managed. This approach will vary depending on whether the organization is using VDI, DaaS or a combination of both. Organizations should evaluate existing management tools and identify any additional tools needed going forward. They should also enforce the appropriate administrative access controls, following the principles of least privilege. In addition, network security planning should address factors such as segmentation, transport protocols and connection brokers, as well as patching, updating, auditing and logging.
  7. Deploy a virtual desktop management strategy. Virtual desktops must also be properly managed and secured. The approach will depend on whether the desktops are based on VDI or DaaS, and whether they are persistent, nonpersistent, or a combination of both. In VDI environments, IT teams should patch, update and harden golden images, ensuring they are properly protected. For persistent desktops, IT should also maintain those VMs just like physical desktops. In addition, organizations should implement the necessary remote access controls and manage desktop lifecycles and disposition.
  8. Implement an endpoint management strategy. Virtual desktops offer users flexibility, allowing them to work across devices and locations. However, endpoints introduce security risks that must be addressed. Where possible, endpoints should be fully managed by IT, hardened, patched and aligned with compliance baselines. They should run antimalware, and all virtual desktop connections should be continuously monitored. If BYOD devices are supported, organizations should apply the most restrictive conditional access controls to them.
  9. Establish effective communications. All virtual desktop users should receive the education and training they need to understand the security risks that come with virtual desktops. They should also understand the steps they can take to mitigate risks and respond to suspected security incidents. Leadership should supply users with the documentation, standards, policies and procedures they need to proactively minimize risks. Leadership should also establish a reporting channel and feedback loop that encourages open communication with key stakeholders.
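Recommendation 7 and the endpoint-hardening comparison earlier both depend on knowing when a desktop has drifted from its hardened golden image. The following added example (not code from the original article) builds a manifest of SHA-256 file hashes and security settings from a golden image, then diffs a running desktop's state against it, reporting added, removed and modified files and changed settings, such as clipboard redirection being re-enabled. The manifest layout, the setting names and the sample file contents are assumptions; a real implementation would walk the image's file system and query the OS or broker for the settings it enforces.

```python
"""Checking a running desktop for drift from its hardened golden image.

Added example, not code from the original article. The manifest layout
(SHA-256 of each file plus a flat map of security settings), the setting
names and the sample contents are assumptions.
"""
import hashlib


def build_manifest(files, settings):
    """files: {path: bytes}, settings: {name: value} -> manifest dict."""
    return {
        "files": {path: hashlib.sha256(data).hexdigest()
                  for path, data in files.items()},
        "settings": dict(settings),
    }


def diff_manifest(baseline, current):
    """Compare a desktop's current manifest against the golden baseline."""
    b_files, c_files = baseline["files"], current["files"]
    b_set, c_set = baseline["settings"], current["settings"]
    return {
        "files_added": sorted(set(c_files) - set(b_files)),
        "files_removed": sorted(set(b_files) - set(c_files)),
        "files_modified": sorted(p for p in b_files
                                 if p in c_files and b_files[p] != c_files[p]),
        # value is (expected, actual); a setting that vanished shows actual None
        "settings_drifted": {k: (v, c_set.get(k))
                             for k, v in b_set.items() if c_set.get(k) != v},
    }


def has_drift(report):
    """True if any category of the report is non-empty."""
    return any(report.values())


# Constructed sample state (not real data). The golden image ships a VDI
# agent, an SSH config with password auth off, an application allowlist,
# and the common exfiltration channels disabled.
GOLDEN_FILES = {
    "/usr/bin/vdi-agent": b"vdi-agent 1.2 build 77",
    "/etc/ssh/sshd_config": b"PasswordAuthentication no\n",
    "/etc/vdi/allowlist.conf": b"allow /usr/bin/*\n",
}
GOLDEN_SETTINGS = {
    "clipboard_redirection": "disabled",
    "drive_mapping": "disabled",
    "screen_lock_minutes": 15,
    "av_realtime": "on",
}
# The running desktop has a tampered agent binary, a dropped loader in /tmp
# and clipboard redirection switched back on.
CURRENT_FILES = {
    "/usr/bin/vdi-agent": b"vdi-agent 1.2 build 77 + injected stub",
    "/etc/ssh/sshd_config": b"PasswordAuthentication no\n",
    "/etc/vdi/allowlist.conf": b"allow /usr/bin/*\n",
    "/tmp/.x/loader": b"\x7fELF",
}
CURRENT_SETTINGS = {
    "clipboard_redirection": "enabled",
    "drive_mapping": "disabled",
    "screen_lock_minutes": 15,
    "av_realtime": "on",
}

GOLDEN = build_manifest(GOLDEN_FILES, GOLDEN_SETTINGS)


def drift_report():
    """Diff the constructed running desktop against the golden baseline."""
    return diff_manifest(GOLDEN, build_manifest(CURRENT_FILES, CURRENT_SETTINGS))


if __name__ == "__main__":
    report = drift_report()
    print("drift detected" if has_drift(report) else "clean")
    for category, items in report.items():
        if items:
            print(f"  {category}: {items}")
```

On a nonpersistent pool the baseline manifest is regenerated whenever the golden image is updated, so a drift report is only meaningful against the image version the session was launched from; on a persistent desktop the same check runs on a schedule, much as file-integrity monitoring does on a physical machine.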

CIOs and their teams should take the necessary steps to protect their virtual desktops and associated data, as well as the platforms that support them. These recommendations can provide a good starting point, but IT teams should also consider other factors that could affect security and privacy in the long term.

Virtual desktop security checklist for CIOs

CIOs can use the following checklist as a starting point when implementing virtual desktop security strategies:

  • Unified IAM. Centralized identity and access management across networks, infrastructure, virtualization platforms, virtual desktops and data, including managed endpoints, with zero-trust and role-based access controls.
  • Data protection. Encryption, compliance checks, data monitoring, anomaly detection, access logging, business continuity, data loss prevention and disaster recovery.
  • Infrastructure and network security. Patching, monitoring, logging, firewalls, secure tunneling, and network segmentation across infrastructure and virtualization platforms.
  • Virtual desktop security. Image hardening, antimalware, automated patching, OS-level security and image management.
  • Endpoint security. Patching, monitoring, EDR, antimalware, compliance verification, conditional access and application control.
  • Monitoring and alerting. Comprehensive monitoring, logging and alerting to support threat detection and incident response.
  • Risk and incident management. Ongoing risk assessments and incident response plans to identify vulnerabilities and reduce impact and recovery time.
  • User awareness. Training and resources to help employees safeguard their virtual desktops.

Robert Sheldon is a freelance technology writer. He has written numerous books, articles and training materials on a wide range of topics, including big data, generative AI, 5D memory crystals, the dark web and the 11th dimension.
