VDI

How is security enhanced with VDI solutions?

Have you wondered how security is enhanced with VDI solutions? When looking at RDSH, VDI, VPN, and other options, what are the VDI security benefits?

Have you been tasked with creating infrastructure for remote access and remote workers? There are many solutions out there. You may have implemented a “phase 1” solution just to cover the bases and get remote work up and running, and now you may be revisiting the solution your organization is using for remote access. Many organizations may have quickly spun up access to organization resources via terminal servers, since these are the age-old solution that many are familiar with and have knowledge of, and they may already have Windows Servers that can be repurposed for this role. However, from a security perspective, RDP access can be a major hole in your security stance across the board. Many know about VDI and how it works in concept, but you may wonder how security is enhanced with VDI solutions. In this post, we will take a look at the security benefits of VDI and see how it helps to enhance security for remote access and remote workers in general.

How is security enhanced with VDI solutions?

There are several ways that security is enhanced with VDI solutions. VDI provides a number of benefits and capabilities when organizations are looking at securing remote access for employees. The following comparison and benefits analysis looks specifically at VMware Horizon VDI technologies. The benefits include, but are not limited to, the following five:

  1. Data is centralized to the data center
  2. Secure access via edge appliances
  3. Centralized agentless antivirus
  4. Centralized lifecycle management
  5. Micro-segmentation

Data is centralized to the data center

One of the first things you notice about VDI and its impact on security is where the data lives. With VDI, business-critical and perhaps sensitive data lives inside the data center. This means there is no data on the endpoint that accesses it, so there is nothing to be compromised on the local device.

Unlike VPN or other technologies, where you are essentially storing the data on an end user device and allowing users to connect at the network layer to the corporate network, with VDI the data never leaves on-premises infrastructure, so it is always protected by the security measures and defenses of the corporate network. Generally, the defensive mechanisms and cybersecurity measures of the corporate network far surpass what protects the end user device outside. The data at rest inside the data center can also be protected by formidable encryption across the board.

In the case of VMware Horizon desktops, the data accessed by the VDI desktops will be located in the data center, and the user profile data will be there as well.

Secure access via edge appliances

VMware Horizon View 7 provides a secure architecture in the form of edge appliances that allow secure access to your internal VDI infrastructure. The Unified Access Gateway (UAG) appliance is a hardened Photon OS appliance that you place in the DMZ, where it provides a secure entry point to the backend Horizon Connection Servers and VDI infrastructure.

VMware Unified Access Gateways UAGs created a secure VMware Horizon architecture (Image courtesy of VMware)

The UAG appliance can be secured with multi-factor authentication for end users authenticating to the environment. With this type of infrastructure, you only need to open up SSL traffic from the outside to your end users, which is exponentially more secure than having RDP opened up from the outside on a standalone terminal server.
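The exposure difference described above can be checked against a perimeter rule set. The following is an added example, not code from the original post or from VMware: the rule fields, addresses and the UAG address are constructed, and "SSL traffic" is assumed to mean HTTPS on TCP 443.

```python
import ipaddress

# Internal ranges (RFC 1918); anything not inside them is treated as internet.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UAG_ADDRS = {"192.0.2.10"}        # assumed DMZ address of the UAG (constructed)
RDP_PORT, HTTPS_PORT = 3389, 443  # assumption: "SSL traffic" means HTTPS on TCP 443

# Constructed inbound rule set; field names are hypothetical, not a vendor export.
RULES = [
    {"name": "uag-https", "src": "0.0.0.0/0", "dst": "192.0.2.10", "ports": "443", "action": "allow"},
    {"name": "legacy-ts", "src": "0.0.0.0/0", "dst": "192.0.2.20", "ports": "3389", "action": "allow"},
    {"name": "wide-range", "src": "0.0.0.0/0", "dst": "192.0.2.30", "ports": "3000-4000", "action": "allow"},
    {"name": "other-web", "src": "0.0.0.0/0", "dst": "192.0.2.50", "ports": "443", "action": "allow"},
    {"name": "admin-rdp", "src": "10.0.5.0/24", "dst": "192.0.2.20", "ports": "3389", "action": "allow"},
    {"name": "old-deny", "src": "0.0.0.0/0", "dst": "192.0.2.40", "ports": "3389", "action": "deny"},
]


def port_span(spec):
    """Parse '443' or '3000-4000' into an inclusive (low, high) tuple."""
    low, _, high = spec.partition("-")
    return int(low), int(high or low)


def from_internet(src):
    """True unless the source network lies wholly inside an internal range."""
    net = ipaddress.ip_network(src)
    return not any(net.subnet_of(internal) for internal in INTERNAL)


def audit(rules):
    """Return (rule name, finding) for internet-facing allow rules beyond HTTPS to the UAG."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or not from_internet(rule["src"]):
            continue
        low, high = port_span(rule["ports"])
        if low <= RDP_PORT <= high:
            findings.append((rule["name"], "RDP reachable from the internet"))
        elif (low, high) != (HTTPS_PORT, HTTPS_PORT) or rule["dst"] not in UAG_ADDRS:
            findings.append((rule["name"], "internet exposure other than HTTPS to the UAG"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```

The port-range case matters in practice: a rule that never mentions 3389 can still expose RDP when its range covers it.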

Centralized agentless antivirus

One of the cool benefits of VDI, especially if you have VMware NSX integrated into your vSphere environment, is agentless antivirus. Many third-party endpoint security vendors integrate with VMware NSX to provide security solutions for the platform, including antivirus.

VMware VDI environments benefit from agentless antivirus solutions like Trend Micro (Image courtesy of Trend Micro)

Vendors like Trend Micro, McAfee, ESET, Kaspersky and others provide agentless security solutions for the VMware NSX platform. Through these NSX security integrations, your VDI workstations are efficiently protected, without agents, and with always-up-to-date solutions.

Centralized lifecycle management

With VDI solutions such as VMware Horizon, you have total control over the lifecycle management of the VDI desktops. By simply updating a master image, you can update the entire fleet of Horizon VDI clients with the latest patches to the operating system and to client applications using User Environment Manager and application virtualization.

This means that all users can be updated at once with the latest patches and operating system updates. This helps to centralize the overall lifecycle management and security stance from a patch perspective. Hackers often look for known vulnerabilities in “un-patched” systems or other components. The more current and up-to-date you can keep end user systems, the better.

As discussed, VDI makes this much easier than having to manage and patch countless numbers of end user laptops or other devices that are out in the wild accessing business-critical data.

Micro-segmentation

A really great security technology that has helped to take security to the next level in virtualized environments is micro-segmentation. In the VMware world, micro-segmentation is made possible once again by VMware NSX. The great thing about your VMware Horizon infrastructure is that it is able to take advantage of all the security benefits of NSX, including micro-segmentation.

Micro-segmentation helps to enable the “zero trust” stance of organizations today. You can easily make it so that the VDI desktops cannot see or “talk” to one another, and by using an identity-based firewall, users can only see the network resources they are allowed to see.

Traditional security vs Micro-segmentation (Image courtesy of VMware)

Performing micro-segmentation by some other means, such as with traditional firewalls, would be either infeasible or outright impossible. VMware NSX makes this easily achievable. The VMware Horizon VDI infrastructure directly benefits from all the security capabilities and features this makes possible.
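To make the desktop isolation and identity-based rules described in this section concrete, here is an added example that is not part of the original post: a toy first-match policy evaluator, not NSX syntax or an NSX API. All desktop names, servers, users and groups are constructed, and the rule format is hypothetical.

```python
from itertools import permutations

# Constructed inventory: desktop names, servers, logged-on users, directory groups.
DESKTOPS = ["vdi-01", "vdi-02", "vdi-03"]
SERVERS = ["fin-db", "hr-app"]
SESSIONS = {"vdi-01": "alice", "vdi-02": "bob", "vdi-03": None}  # None = nobody logged on
USER_GROUPS = {"alice": {"HR"}, "bob": {"Finance"}}

# Micro-segmented policy: first match wins, final rule is the zero-trust default.
SEGMENTED = [
    {"src": "desktops", "dst": "desktops", "identity": None, "action": "deny"},
    {"src": "desktops", "dst": "hr-app", "identity": "HR", "action": "allow"},
    {"src": "desktops", "dst": "fin-db", "identity": "Finance", "action": "allow"},
    {"src": "any", "dst": "any", "identity": None, "action": "deny"},
]
# Flat network behind a perimeter firewall: everything inside trusts everything.
FLAT = [{"src": "any", "dst": "any", "identity": None, "action": "allow"}]


def matches(selector, name):
    """Selectors are 'any', the 'desktops' group, or one workload name."""
    if selector == "any":
        return True
    if selector == "desktops":
        return name in DESKTOPS
    return selector == name


def decide(src, dst, rules):
    """Return the action of the first rule matching the flow and the user's groups."""
    groups = USER_GROUPS.get(SESSIONS.get(src), set())
    for rule in rules:
        if not (matches(rule["src"], src) and matches(rule["dst"], dst)):
            continue
        if rule["identity"] and rule["identity"] not in groups:
            continue  # identity rule only applies to members of that group
        return rule["action"]
    return "deny"


def lateral_paths(rules):
    """Desktop-to-desktop flows the policy allows; should be empty when segmented."""
    return [(a, b) for a, b in permutations(DESKTOPS, 2) if decide(a, b, rules) == "allow"]


def reachable(desktop, rules):
    """Servers a desktop can reach, given who is logged on to it."""
    return [s for s in SERVERS if decide(desktop, s, rules) == "allow"]
```

Comparing `lateral_paths(FLAT)` with `lateral_paths(SEGMENTED)` shows the difference the section describes: six desktop-to-desktop paths on the flat network and none under the segmented policy.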

Wrapping Up

How is security enhanced with VDI solutions? As shown, VDI provides many benefits related to security. These include centralized data, secure edge appliances for access, lifecycle management, agentless antivirus, and micro-segmentation just to name a few.

In light of the COVID-19 pandemic, organizations have been deploying remote access infrastructure and may now be revisiting their initial deployment of remote access solutions. Hopefully, this brief explanation of a few of the security benefits of VDI will help place focus on how it can enhance your organization’s remote work strategy.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.
