The Problem with VDI

By Tal Zamir. March 27, 2019

Anyone who’s been in enterprise IT long enough has already heard of, tested or deployed virtual desktop infrastructure (VDI). And why not? The promises made by VDI vendors have been compelling, if not always accurate: cost savings, enabling bring your own device (BYOD), improving the user experience and business continuity, among others. However, there is one promise that is unquestionably false: the guarantee of security. VDI is often misrepresented as a solution that can solve endpoint security for good.

The VDI Blind Spot: User Devices

Among the top use cases for VDI are BYOD programs, remote/branch workers, and contractor/vendor access. In most of these cases, the VDI desktop/apps are running sensitive corporate apps and data, usually touching the enterprise’s “crown jewels,” be they healthcare records, sensitive customer information, proprietary source code, critical infrastructure, or privileged IT assets.

In the pre-VDI age, the only user devices allowed to access sensitive corporate data were corporate-owned machines that would typically be locked down, hardened and located within the enterprise perimeter. When VDI hit the market, it provided enterprises with the illusion of isolation. As a result, enterprises today allow any user device to connect to VDI desktop/apps. With VDI, the user’s physical device could be a personal laptop or a laptop belonging to a third party (e.g., vendor, contractor, branch worker), which usually does not comply with the enterprise’s security standards.

Enterprises are attracted to the potential cost savings of BYOD programs and would love to get out of the hardware business. However, allowing any device to connect via VDI to the heart of the enterprise is a risky move that makes these enterprises easy prey for determined cybercriminals.

Before VDI, the attacker would first need to land on a highly protected corporate user device. With VDI, the attacker just needs to land on the user’s personal device: a wild device that frequently visits risky websites, where uneducated users install malware and local admin rights are the default. Once the attacker lands on the user’s personal device, it’s game over. The attacker now has full remote control over the VDI desktop/apps and can easily manipulate them or leak data.

About the Author

Tal is a 20-year software industry leader with a track record of solving urgent business challenges by reimagining how technology works. An entrepreneur at heart, he has pioneered multiple breakthrough cybersecurity and virtualization products. Before founding Hysolate, Tal incubated next-gen end-user computing products in the CTO office at VMware. Earlier, he was part of the leadership team at Wanova, a desktop virtualization startup acquired by VMware. Tal began his career in an elite IDF technology unit, leading mission-critical cybersecurity projects that won the prestigious Israeli Defense Award. He holds multiple US patents as well as an M.Sc. degree in Computer Science, and the honor of valedictorian, from the Technion.
