Virtual PCs still need real security

Getting virtual desktops means a security re-think

If my CIO had his way, he would move the entire company to a virtual desktop environment. In his mind, it would be a cure-all for the costs of supporting thousands of PCs and the headaches caused by software distribution, security patching and configuration management. Our VDI deployment would involve installing a small software plug-in on each PC. When such a PC is connected to our internal network, a virtual desktop environment will run on top of the PC -- a Windows desktop displayed within Windows. My conclusion was that our security posture should be unaffected, and possibly enhanced, but only if VDI is properly implemented. My first and most important requirement is that data can't be allowed to move in either direction between the virtual desktop and the host PC or any external devices. Next is the question of the integrity of the host PCs. No one should think that VDI will free us from the headaches associated with configuration management, patch distribution and anti-malware software updates. That's because in our deployment, VDI is simply an application that runs on a PC. Security patches and antivirus updates will still have to be applied to the host PCs. The virtual desktop environment of a general employee shouldn't be the same as the virtual desktop environment set up for a contractor, partner, supplier, vendor or other affiliate. Some high-level order will need to be in place to satisfy my "rule of least privilege" requirement so that we don't expose critical applications and data to unauthorised people. Another consideration for me involves the log-on banners that users must read before clicking "accept" and logging in. We can't lose this feature, since we have a legal requirement to let users know about their responsibilities and our practice of monitoring activity. We also can't compromise our remote access policy, which calls for two-factor authentication and the use of a VPN. The same goes for application and screen timeouts. Mathias Thurman is the pseudonym of an IT security professional

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityvirtual desktopsSecurity ID

Show Comments