VDI as a Security Posture: Keeping Your Data in Your Datacenter
Although it is pretty common knowledge that Virtual Desktop Infrastructure (VDI) is not a cost saving measure, one area it can help provide value is in an organization’s security posture. It allows for BYOD and remote workers to connect and use company assets with less concern about the actual endpoint they are connecting from. In a well configured VDI environment users will be working from a very tightly controlled system that limits a users actions to exactly what is needed to complete their job. In an ideal environment, VDI can be used to host Privileged Access Workstations that will help limit administrative users and actions to a tightly controlled environment.
Securing your VDI infrastructure
Keeping Your Applications Updated
One of the biggest benefits of VDI is the ease of keeping applications updated. Administrators knows that once they push out changes to a server or image – all users on that platform will have a uniform experience. Users will be running a specific version of software, making patching easier. By including change control, administrators can ensure that users are not affected by unplanned outages along with ensuring that all changes are planned and documented.
Controlling the Code: Application Whitelisting
Since VDI allows administrators to have a tightly controlled environment, it is easier to enable application whitelisting. For organizations with Enterprise Windows or Microsoft Server licensing, a good option is Microsoft App-Locker. For smaller organizations, Microsoft Software Restrictions Policies work well. Both of these systems are configurable through group policy, and provide high levels of granularity on what is allowed to run. Once properly configured, whitelisting will help prevent some common threats, such as shadow IT, because executables need to be approved.
Limiting Exfiltration Methods
Depending on organizational needs, administrators may want to limit how data can leave the controlled walls of their data center. For example, Administrators should ensure they are not allowing local storage to be passed to a remote machine. This makes infiltration and exfiltration easier. Local storage can be used used to cross the barrier between the local machine and the secure VDI environment. Also, by preventing unapproved USB device usage, it is possible to decrease data exfiltration. This is helpful due to less obvious scenarios, such as leakage via a compromised phone only connected for power/recharging. Another optional layer is preventing remote printers. Users should not have ability to print confidential documentations at unknown locations.
Taking Care Of The Security Basics
Of course before thinking about VDI, make sure your organization is covering the basic ways that many attackers gain entry. VDA is talking about these basics in a series we are calling “Low Hanging Fruit”. We have previously covered password security, MFA, and permissions. It is typically required for compliance such as PCI, SOX, HIPAA, GDPR, NIST, etc – to have a third party test the effectiveness of implemented security measures via active security diagnosis/testing. Contact VDA for a penetration test today!