A Guide To Mitigating Endpoint Security Risks With VDI

According to the mantra, cybersecurity is about three things: people, processes and technology. All three have to be up to standard for an environment to be secure. It’s no good having impenetrable firewalls and impeccably patched systems if end users aren’t being responsible. Similarly, it’s not enough to have perfectly trained users and robust access policies if you’re running unsupported, vulnerable software. And so on.

While Virtual Desktop Infrastructure (VDI) is a technology, it also encourages certain behaviours that can help an organisation mitigate endpoint security risks.

I’ll explore these in a moment, but first, why do I specify endpoint security risks? Because, according to IDC, 70 percent of security breaches originate with the end user. Most data centres are well protected with advanced perimeter technology, security-conscious staff and good procedures. In contrast, end-user devices are more difficult to keep up-to-date with security patches, can be lost or stolen more easily, and their users often don’t know, care or follow security best practices. And even vigilant users can fall victim to phishing or other manipulation scams.

So let’s examine how VDI can help. 

From a purely technological standpoint, desktop virtualization means that all your company’s sensitive data is stored where it’s most secure: the data centre. Nothing resides on endpoints. Adding thin clients further enhances endpoint security, especially with Dell’s ThinOS operating system, which does not have a published API, making it highly resistant to viruses and malware.

And because the technological architecture means that “virtual desktops” are managed centrally, they can be updated more easily, meaning that security-critical updates can be installed once and are applied to every virtual desktop. Already we’re crossing over from technology into the realms of process. VDI enables such simplified management, but it’s down to processes and people to ensure that the updates are made in the first place.

This ability to regularly update the OS can extend to complete OS rebuilds each time a user logs in and loads their desktop image. Then, if their virtual machine becomes infected, any residual malware will be destroyed as soon as they log out.

Because a user’s desktop and applications are maintained centrally, it is also easier to implement policy-based access control. For example, a known device on a known secure network (like your corporate wireless) could be given greater freedom of access than an unknown device (such as an employee’s iPad through which they’re accessing their virtual desktop) on the same network. And access can be fine-tuned for other scenarios, like a known corporate device on an unknown network (like an airport or café), or an unknown device on an unknown network.
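The four device/network scenarios above can be expressed as a small policy evaluator. This is an added example, not code from the article or from any VDI product; the device inventory, the corporate address range and the entitlement names (`clipboard`, `usb_redirect`, `sensitive_apps`) are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample data (assumptions): managed-device inventory and
# the address range of the known corporate network.
MANAGED_DEVICES = {"WYSE-0012", "LAPTOP-0431"}
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Hypothetical entitlements keyed by (device_known, network_known).
# The most permissive row is reserved for a known device on a known network.
POLICY = {
    (True, True): {"clipboard": True, "usb_redirect": True, "sensitive_apps": True},
    (True, False): {"clipboard": True, "usb_redirect": False, "sensitive_apps": True},
    (False, True): {"clipboard": False, "usb_redirect": False, "sensitive_apps": True},
    (False, False): {"clipboard": False, "usb_redirect": False, "sensitive_apps": False},
}


def network_is_known(source_ip):
    """True only if source_ip parses and falls inside a corporate range."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # fail closed: an unparseable address is an unknown network
    return any(addr in net for net in CORPORATE_NETS)


def device_is_known(device_id):
    """True only for devices in the managed inventory.

    In a real deployment the identifier should come from something the
    client cannot simply assert, such as a client certificate.
    """
    return device_id is not None and device_id in MANAGED_DEVICES


def session_policy(device_id, source_ip):
    """Return the entitlements for one virtual desktop session."""
    key = (device_is_known(device_id), network_is_known(source_ip))
    return dict(POLICY[key])  # copy so callers cannot mutate the policy table


if __name__ == "__main__":
    for dev, ip in [("WYSE-0012", "10.20.5.9"), ("IPAD-PERSONAL", "10.20.5.9"),
                    ("LAPTOP-0431", "203.0.113.7"), (None, "not-an-ip")]:
        print(dev, ip, session_policy(dev, ip))
```

Missing or malformed inputs resolve to the most restrictive row, so a broken client or proxy header cannot widen access.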

In some environments, VDI is the perfect solution to bridge the gap between user authentication and productivity. Imagine a hospital where patient data security is paramount. Doctors and nurses often use two-factor authentication — a password and a swipe card — to log on to their desktops, which are tethered to one place. VDI effectively gives them a desktop that follows them around the hospital. Whichever terminal they securely log on to, their desktop is there, exactly as they left it when they logged off the last terminal, with all data secure.

Although virtual desktops can be easily managed and updated, the Windows operating system will still have the same vulnerabilities as it would if installed on a PC. To reduce the risk of malware infection, you should protect a virtual desktop just as you would any traditional PC. Thin clients running a Windows Embedded or Windows IoT operating system have fewer areas that can be vulnerable to an attack, but still should be protected.

We recommend Dell Threat Defense for Dell Wyse thin clients running Windows Embedded Standard or Windows 10 IoT Enterprise, and Dell Endpoint Security Suite Enterprise – which incorporates more advanced features like data-centric encryption and authentication – for both traditional and virtual desktops.

Both are powered by a technology called Advanced Threat Protection (ATP). It’s a new way to detect malware that uses artificial intelligence to predict whether files are infected or not before they run. ATP also comes with memory protection (as it monitors running processes) and it can block malicious scripts as well. Unlike traditional anti-malware engines, which rely on previously seen patterns and behaviours, ATP can block even brand new malware, also known as zero-day threats. Tests have shown that it can stop 99 percent of executable malware, versus an average of 50 percent for traditional signature-based antivirus software.

Finally, application virtualisation – which is part of VDI technology – enables software written for older operating systems such as Windows XP to be safely run on current Windows 7 or Windows 10 operating systems. This avoids the need to maintain old, unsupported versions of Windows within your organisation and removes the security risks they bring. 

Source: David Angwin for VDIxpert.com