Anyone who’s been in enterprise IT long enough has already heard of, tested or deployed virtual desktop infrastructure (VDI) solutions (like VMware and Citrix). And why not? The promises made by VDI vendors have been compelling, if not always accurate: cost savings, enabling bring your own device (BYOD), improving the user experience and business continuity, amongst others. However, there is one promise that is unquestionably false: the guarantee of security. VDI is often misrepresented as a solution that can solve endpoint security for good.
The VDI Blind Spot: End User Devices
Among the top use cases for VDI environments are BYOD programs, remote/branch workers, and contractor/vendor access. In most of these cases, the VDI desktop/apps are running sensitive corporate apps and data, usually touching the enterprise’s “crown jewels,” be they healthcare records, sensitive customer information, proprietary source code, critical infrastructure, or privileged IT assets.
In the pre-VDI age, the only user devices allowed to access sensitive corporate data were corporate-owned machines that would typically be locked down, hardened and located within the enterprise perimeter. When VDI hit the market, it provided enterprises with the illusion of isolation. As a result, enterprises today allow any user device to connect to VDI desktop/apps. With VDI, the user’s physical device could be his personal laptop or a laptop of a third-party (e.g., vendor, contractor, branch worker), which usually does not comply with the enterprise’s security standards.
Enterprises are attracted to the potential cost saving of BYOD programs and would love to get out of the hardware business. However, allowing any device to connect via VDI to the heart of the enterprise is a risky move that makes these enterprises easy prey for determined cybercriminals.
Before VDI, the attacker would need to first land in a highly-protected corporate user device. With VDI, the attacker just needs to land on the user’s personal device, a wild device that is frequently visiting risky websites, where malware is installed by uneducated users and local admin rights are the default. After landing on the user’s personal device, it’s game over. The attacker now has full remote control over the VDI desktop/apps and can easily manipulate them or leak data.