NEW: Microsoft Vulnerabilities Report 2022 - Read the Findings of Our Annual Report Read Now

  • Partners
  • Support
  • Careers
  • English
    • Deutsch
    • français
    • español
    • 한국어
    • português
BeyondTrust
  • Products

    Privileged Password Management

    Discover, manage, audit, and monitor privileged accounts and credentials.

    • Password Safe
    • DevOps Secrets Safe
    • Privileged Access Discovery Application

    Endpoint Privilege Management

    Enforce least privilege across Windows, Mac, Linux, and Unix endpoints.

    • Windows and Mac
    • Unix and Linux
    • Active Directory Bridge

    Secure Remote Access

    Centrally manage remote access for service desks, vendors, and operators.

    • Remote Support
    • Privileged Remote Access
    • Privileged Access Discovery Application

    Cloud Security Management

    Automate the management of identities and assets across your multicloud footprint.

    • Cloud Privilege Broker

    BeyondInsight

    Experience the industry’s most innovative, comprehensive platform for privileged access management.

  • Solutions

    Use Cases

    • Cloud Security
    • Compliance
    • Cyber Insurance
    • Digital Transformation
    • Endpoint Security
    • Operational Technology
    • Ransomware
    • Service Desk Efficiency
    • Zero Trust

    Industry Applications

    • Financial Services
    • Government Agencies
    • Healthcare
    • Law Enforcement
    • Manufacturing
    • Schools & Universities

    Solutions

    The BeyondTrust Privileged Access Management portfolio is an integrated solution that provides visibility and control over all privileged accounts and users.

  • Resources

    Learn

    • Blog
    • Customer Stories
    • Competitor Comparisons
    • Datasheets
    • Demos
    • Glossary
    • Podcast
    • Whitepapers

    Attend

    • Events
    • Go Beyond
    • Training
    • Webinars

    Support

    • Changelog
    • Professional Services
    • Technical Documentation

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

  • Company
    • About
    • Leadership
    • Core Values
    • Partners
    • Careers
  • Watch Demo
  • Contact Sales

Is VDI More Secure Than Regular Desktops? I Think Not!

December 29, 2011

  • Blog
  • Archive
I've made the argument in the past that VDI has a far greater potential for damage than normal desktops, in fact making them less secure in point of fact. If effective security is defined as (security profile) x (risk profile) = (effective operational risk), then the same exact same security profile applied to a standard desktop and a VDI desktop leaves one term to be scrutinized: risk profile. To illustrate the issue, consider the "context" of a VDI desktop vs. a normal one. A normal desktop sits on the edge of your network, protected by things like network access control, layers of filtering and user access control, potential network intrusion detection, and even firewalls that protect the core of your network from the edge, or the entire outside network from your data center. Now ask, how often are these controls effectively replicated for VDI? It's nearly impossible to do so. VDI desktops effectively live inside your data center. Often right next to (or even in the same rack) as your virtual server cluster. Is there a hardware firewall or IDS/IPS box in between those two clusters? Not likely. So the risk profile of a VDI box is actually MUCH greater than the risk profile of a desktop box, because if security is compromised, the available attack surface is now exponentially greater. Even if you can't escape the "jail" of the VDI cluster (say there is a firewall in place), you can now not only attack "horizontally" machines in the same virtual subnet, but you can also attack "vertically" down against the hypervisor. Compromising a hypervisor means instant and very difficult to detect access to every machine running on that physical box—effectively allowing you to own "swaths" of machines instead of one at a time. How long before someone with privileged access to critical data or server resources logs in on one of those VDI sessions? Now you're really screwed, since breaking out of the VDI jail/cluster is much easier, and when you do you aren't just "somewhere else in the network", you're smack in the middle of the crown jewels, inside the data center. So, in short, even with identical security profiles applied to external or VDI boxes, the effective operational risk of VDI is much higher. Basically, VDI is less secure, inherently, by virtue of context, than that same non-VDI user desktop. So perhaps we can change the conversation in the future to how we can make VDI desktops at least as secure as their traditional brethren, including at a minimum some sort of privilege management solution.
Photograph of Scott Lang

Scott Lang, Sr. Director, Product Marketing at BeyondTrust

Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Whitepapers

Microsoft Vulnerabilities Report 2022

Whitepapers

Cybersecurity Insurance Checklist

Whitepapers

Privileged Access Management: PAM Checklist

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support
  • Cloud Privilege Broker

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Podcast
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press
BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2022 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.