Anyone who’s been in enterprise IT long enough has already heard of, tested or deployed virtual desktop infrastructure (VDI) solutions (like VMware and Citrix). And why not? The promises made by VDI vendors have been compelling, if not always accurate: cost savings, enabling bring your own device (BYOD), improving the user experience and business continuity, amongst others. However, there is one promise that is unquestionably false: the guarantee of security. VDI is often misrepresented as a solution that can solve endpoint security for good.
The VDI Blind Spot: End User Devices
Among the top use cases for VDI environments are BYOD programs, remote/branch workers, and contractor/vendor access. In most of these cases, the VDI desktop/apps are running sensitive corporate apps and data, usually touching the enterprise’s “crown jewels,” be they healthcare records, sensitive customer information, proprietary source code, critical infrastructure, or privileged IT assets.
In the pre-VDI age, the only user devices allowed to access sensitive corporate data were corporate-owned machines that would typically be locked down, hardened and located within the enterprise perimeter. When VDI hit the market, it gave enterprises the illusion of isolation. As a result, enterprises today allow any user device to connect to VDI desktops/apps. With VDI, the user’s physical device could be their personal laptop or the laptop of a third party (e.g., vendor, contractor, branch worker), which usually does not comply with the enterprise’s security standards.
Enterprises are attracted to the potential cost savings of BYOD programs and would love to get out of the hardware business. However, allowing any device to connect via VDI to the heart of the enterprise is a risky move that makes these enterprises easy prey for determined cybercriminals.
Before VDI, the attacker would first need to land on a highly protected corporate user device. With VDI, the attacker just needs to land on the user’s personal device: an unmanaged device that frequently visits risky websites, where malware gets installed by uneducated users, and where local admin rights are the default. Once the attacker is on the user’s personal device, it’s game over. Because that device is what renders and drives the VDI session, the attacker now has full remote control over the VDI desktop/apps and can easily manipulate them or leak data.
Hysolate: a secure and user-friendly alternative to VDI solutions
Hysolate offers a full OS isolation solution that sits on users’ endpoint devices but is fully managed from the cloud. This means that administrators save on infrastructure costs, and users get a better UX, with fewer lag and latency issues, even when using heavier communication applications like Slack or Zoom. Most importantly, Hysolate provides full security at the endpoint, unlike most VDI solutions. Use cases include:
- A higher level of freedom on employees’ corporate devices
- The ability to receive third-party generated content in an isolated zone
- Access for IT admins, DevOps, developers, and other privileged users from their everyday environment
- Access for employees from personal, unmanaged devices
Request a demo today.
This blog post was written in December 2019, updated in June 2022 for accuracy.