April | 2021
Due to the COVID-19 pandemic, most of the organizations have their employees operating from home. To reduce the impact of the pandemic on business, to improve operational resilience, and to increase productivity of employees while working from home, organizations started adopting Virtual Desktop Infrastructure.
Virtual desktop infrastructure (VDI) and cloud computing are the new generation of end user computing. VDI allows users to remotely access Virtual Machine (VM) hosted with specific operating system through any device and from any location by using VDI agent.
Remote operations will not go away even after this pandemic. Organizations have seen the opportunity to improve Employee Value Proposition and reduce real estate cost in the new operating model. Therefore, VDI and remote operations will continue to grow.
Components of VDI
Main components of VDI are
Figure 1: Virtual Desktop Infrastructure
The key advantages of VDI infrastructure is that the users can access the organization’s data only through virtualized desktop and the VDI is managed through central servers. Centralized image deployment, policy management and patch management, ease of portability, and the flexibility for users to access their desktops from anywhere, are the key differentiators of virtual environment vs physical environment.
Risks in VDI
Though VDI offers different level of security than the traditional physical server, VDI environment is not free from threats and risks. VDI environment exposes different kinds of risks.
Some of the VDI risks are:
To avoid such risks, VDI environment controls should be deployed starting from initial planning phase of the VDI environment.
A phased approach to secure VDI
NIST 800-125 proposes implementation of virtualization controls from Initiation to Disposition phase for secure VDI solutions.
Figure 2: Secure Virtualization Planning and Deployment
Phase 1: Initiation
This phase is a key step in virtualization control framework. The key thing to be developed as part of initiation control is a Security policy that defines what form of virtualization is allowed, which application to be allowed to run in VM, and how data will be accessed in VMs. The task will be to check all other security policies that might impact virtualization policies. Periodic updates to the security policy is vital to keep up with emerging technologies and standards.
Phase 2: Planning and design
This phase includes major considerations like Architecture, Authentication, Cryptography.
Architecture includes selection of virtualization software, storage controls, network topology, bandwidth calculation and availability. Authentication includes separate access controls for each layer of the virtualization environment. Cryptography includes selecting the encryption and integrity protection solutions meeting the compliance requirements. Security incident response plan should be updated to incorporate virtualization incidents.
Phase 3: Implementation
Implementation phase includes testing of prototype. Evaluation of the VM includes VM conversion, authentication, monitoring of events, connectivity, and applications performance in VM. Final decision should be sought after vulnerability assessment is performed. All the components should be updated with latest security patches.
Phase 4: Operations and maintenance
It is a very important step for maintaining virtualization security continuously. Administration access should be reviewed periodically, checking for patches and relevant software upgrades should be done by agreed timelines, time synchronization should be checked to ensure logs are relevant in correlation. Access control review and RBAC (Role base access controls) policies should be updated to keep up with rapid technology changes.
Phase 5: Disposition
Before disposing any VMs, organization should ensure to wipe any sensitive data.
Performing a periodic risk assessment for virtualization environment is necessary to avoid security breaches, revenue loss, business impact etc.
An effective VDI risk assessment process
VDI risk assessment process should cover people, process and technology controls used to support the cybersecurity requirements of an organization’s VDI infrastructure. Risk assessment process will leverage the NIST recommended methodologies and controls (NIST 800-30, NIST 800-53, NIST 800-125) relevant to End User Computing (EUC) Virtual Workspace System (VWS) environment.
The various stages, key inputs, tasks and outputs of the assessment process are given in Figure 3.
Figure 3: Risk assessment process
Table 1 includes the indicative examples of risks and controls in the context of VDI.
Focus Area |
NIST 800-53 Control Family |
Key Risk |
Key Controls |
|---|---|---|---|
Process |
Configuration Management |
Misconfiguration resulting in inadequate capacity causing availability issues |
Configuration management policy and procedures, access control, configuration change control |
Technology |
Configuration Management |
Misconfigured systems could be exploited by malicious players to cause security breaches |
Baseline configuration and configuration change control |
People |
Awareness and Training |
Standards not followed hence allowed insecure application to get provisioned |
Security awareness and training, policy and procedures |
Process |
Maintenance |
Missing some servers on manual check of server reboot will impact business |
System maintenance policy and procedures |
Table 1: Indicative examples of risks and controls in context of VDI
Risk register is a guide used by the organization to understand the risks, likelihood, and impact with risk rating. The risk recommendation is evaluated by the risk owner and the same is updated in the risk register. Sample of VDI related entry in risk register is depicted in Table 2.
Asset |
Asset Criticality Rating |
Threat |
Vulnerability |
Control |
Business Impact |
Likelihood |
Risk Rating |
Risk |
Risk Recommendation |
|---|---|---|---|---|---|---|---|---|---|
VWS |
High |
Hacker introducing malware |
Insecure system configurations |
Standard image guidelines with hardening |
High |
Medium |
High |
Security breach resulting in unavailability of systems |
Baseline configuration and configuration change control |
VWS |
High |
System failure |
Mis-provisioned VMs to critical user |
Training for administrators |
High |
Medium |
High |
Critical user has incorrect VMs resulting in business impact |
Security awareness and training, policy and procedures |
Table 2: Sample of VDI related entry in risk register
Toward a secure environment
Virtual Desktop Infrastructure is not a new environment or a new technology. Since it has become the standard for many organizations’ desktop infrastructure, managing the risks and threats to the VDI landscape is very critical for business continuity. Planning helps to ensure that the virtual environment is as secure as possible and in compliance with all relevant policies and applicable regulations. Periodic risk assessment to the VDI environment, maintaining the controls, and a firm action plan to mitigate or reduce the impact of the risks identified is very important to have a secure VDI environment.
Wipro can enable a secure VDI landscape for you through a comprehensive approach. Our consultants leverage industry-best frameworks and perform in-depth technology assessments. For details, connect with us at cybersecurity.services@wipro.com
Kalpana Ramamurthy
Principle Consultant – Presales, Risk & Compliance, Wipro
Kalpana has over 19 years’ experience in IT and cybersecurity across a wide range of global roles. She is an engineering graduate, holding industry certifications like CISA, PCI-DSS, PIMS, Azure, ColorToken, MCITP, ITIL. She has also contributed to various University forums for discussions on cybersecurity.
