Due to the COVID-19 pandemic, most of the organizations have their employees operating from home. To reduce the impact of the pandemic on business, to improve operational resilience, and to increase productivity of employees while working from home, organizations started adopting Virtual Desktop Infrastructure.

Virtual desktop infrastructure (VDI) and cloud computing are the new generation of end user computing. VDI allows users to remotely access Virtual Machine (VM) hosted with specific operating system through any device and from any location by using VDI agent.

 Remote operations will not go away even after this pandemic. Organizations have seen the opportunity to improve Employee Value Proposition and reduce real estate cost in the new operating model. Therefore, VDI and remote operations will continue to grow.

Components of VDI

Main components of VDI are

• Hypervisor: It is a software/ hardware which hosts multiple desktops /servers as a guest OS
• Connection broker:  As the name suggest, it connects the clients with virtual desktops

Figure 1: Virtual Desktop Infrastructure

The key advantages of VDI infrastructure is that the users can access the organization’s data only through virtualized desktop and the VDI is managed through central servers. Centralized image deployment, policy management and patch management, ease of portability, and the flexibility for users to access their desktops from anywhere, are the key differentiators of virtual environment vs physical environment.

Risks in VDI

Though VDI offers different level of security than the traditional physical server, VDI environment is not free from threats and risks. VDI environment exposes different kinds of risks.

Some of the VDI risks are:

• Incorrect imaging done for critical users will result in performance issue for the user.
• Availability issues of VDI will impact business.
• Access control misconfiguration may result in elevated privilege for a user who might install unapproved software.
• Threat exposure increases if one VM is compromised, resulting in many VMs in the same virtual LAN to get affected.
• Standard image configuration issues may result in less secure configuration getting applied to all VMs.
• Unauthorized applications in VM may result in malware attacks to VM.
• Lack of security awareness in users and VM administrators may result in compromised security hardening in VMs.
• Insider threats may result in loss of data.

To avoid such risks, VDI environment controls should be deployed starting from initial planning phase of the VDI environment.

A phased approach to secure VDI

NIST 800-125 proposes implementation of virtualization controls from Initiation to Disposition phase for secure VDI solutions.

Figure 2: Secure Virtualization Planning and Deployment

Phase 1: Initiation

This phase is a key step in virtualization control framework. The key thing to be developed as part of initiation control is a Security policy that defines what form of virtualization is allowed, which application to be allowed to run in VM, and how data will be accessed in VMs. The task will be to check all other security policies that might impact virtualization policies. Periodic updates to the security policy is vital to keep up with emerging technologies and standards.

Phase 2: Planning and design

This phase includes major considerations like Architecture, Authentication, Cryptography.

Architecture includes selection of virtualization software, storage controls, network topology, bandwidth calculation and availability. Authentication includes separate access controls for each layer of the virtualization environment. Cryptography includes selecting the encryption and integrity protection solutions meeting the compliance requirements. Security incident response plan should be updated to incorporate virtualization incidents.

Phase 3: Implementation

Implementation phase includes testing of prototype. Evaluation of the VM includes VM conversion, authentication, monitoring of events, connectivity, and applications performance in VM. Final decision should be sought after vulnerability assessment is performed. All the components should be updated with latest security patches.

Phase 4: Operations and maintenance

It is a very important step for maintaining virtualization security continuously. Administration access should be reviewed periodically, checking for patches and relevant software upgrades should be done by agreed timelines, time synchronization should be checked to ensure logs are relevant in correlation. Access control review and RBAC (Role base access controls) policies should be updated to keep up with rapid technology changes.

Phase 5: Disposition

Before disposing any VMs, organization should ensure to wipe any sensitive data.

Performing a periodic risk assessment for virtualization environment is necessary to avoid security breaches, revenue loss, business impact etc.  

An effective VDI risk assessment process

VDI risk assessment process should cover people, process and technology controls used to support the cybersecurity requirements of an organization’s VDI infrastructure. Risk assessment process will leverage the NIST recommended methodologies and controls (NIST 800-30, NIST 800-53, NIST 800-125) relevant to End User Computing (EUC) Virtual Workspace System (VWS) environment. 

The various stages, key inputs, tasks and outputs of the assessment process are given in Figure 3.

Figure 3: Risk assessment process

Table 1 includes the indicative examples of risks and controls in the context of VDI.

Table 1: Indicative examples of risks and controls in context of VDI

Risk register is a guide used by the organization to understand the risks, likelihood, and impact with risk rating. The risk recommendation is evaluated by the risk owner and the same is updated in the risk register. Sample of VDI related entry in risk register is depicted in Table 2.

Table 2: Sample of VDI related entry in risk register

Toward a secure environment

Virtual Desktop Infrastructure is not a new environment or a new technology. Since it has become the standard for many organizations’ desktop infrastructure, managing the risks and threats to the VDI landscape is very critical for business continuity. Planning helps to ensure that the virtual environment is as secure as possible and in compliance with all relevant policies and applicable regulations. Periodic risk assessment to the VDI environment, maintaining the controls, and a firm action plan to mitigate or reduce the impact of the risks identified is very important to have a secure VDI environment.

Wipro can enable a secure VDI landscape for you through a comprehensive approach. Our consultants leverage industry-best frameworks and perform in-depth technology assessments. For details, connect with us at cybersecurity.services@wipro.com