Free Privileged Account Discovery Tool: Identify & secure credentials to stop lateral movement. Download Free

BeyondTrust
  • Products
    Privileged Password Management
    Discover, manage, audit, and monitor privileged accounts
    Password Safe DevOps Secrets Safe
    Endpoint Privilege Management
    Manage privileges on Windows, Mac, Linux, and Unix endpoints
    Windows and Mac Unix and Linux Active Directory Bridge
    Secure Remote Access
    Centrally manage and secure remote access for service desks and vendors
    Remote Support Privileged Remote Access
    BeyondInsight Analytics
    See All Solutions
  • Resources

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

    Watch Video

    Learn

    Case Studies
    Competitor Comparisons
    Datasheets
    Glossary
    Product Demos
    Whitepapers

    Attend

    Events
    Go Beyond
    Training
    Webinars

    Support

    Changelog
    Professional Services
    Technical Documentation
  • Blog
  • Partners
  • Contact
  • Support
  • Services
  • Training
  • Events
  • Company

Is VDI More Secure Than Regular Desktops? I Think Not!

December 29, 2011

  • Blog
  • Archive
I've made the argument in the past that VDI has a far greater potential for damage than normal desktops, in fact making them less secure in point of fact. If effective security is defined as (security profile) x (risk profile) = (effective operational risk), then the same exact same security profile applied to a standard desktop and a VDI desktop leaves one term to be scrutinized: risk profile. To illustrate the issue, consider the "context" of a VDI desktop vs. a normal one. A normal desktop sits on the edge of your network, protected by things like network access control, layers of filtering and user access control, potential network intrusion detection, and even firewalls that protect the core of your network from the edge, or the entire outside network from your data center. Now ask, how often are these controls effectively replicated for VDI? It's nearly impossible to do so. VDI desktops effectively live inside your data center. Often right next to (or even in the same rack) as your virtual server cluster. Is there a hardware firewall or IDS/IPS box in between those two clusters? Not likely. So the risk profile of a VDI box is actually MUCH greater than the risk profile of a desktop box, because if security is compromised, the available attack surface is now exponentially greater. Even if you can't escape the "jail" of the VDI cluster (say there is a firewall in place), you can now not only attack "horizontally" machines in the same virtual subnet, but you can also attack "vertically" down against the hypervisor. Compromising a hypervisor means instant and very difficult to detect access to every machine running on that physical box—effectively allowing you to own "swaths" of machines instead of one at a time. How long before someone with privileged access to critical data or server resources logs in on one of those VDI sessions? Now you're really screwed, since breaking out of the VDI jail/cluster is much easier, and when you do you aren't just "somewhere else in the network", you're smack in the middle of the crown jewels, inside the data center. So, in short, even with identical security profiles applied to external or VDI boxes, the effective operational risk of VDI is much higher. Basically, VDI is less secure, inherently, by virtue of context, than that same non-VDI user desktop. So perhaps we can change the conversation in the future to how we can make VDI desktops at least as secure as their traditional brethren, including at a minimum some sort of privilege management solution.
Photograph of Scott Lang

Scott Lang, Sr. Director, Product Marketing at BeyondTrust

Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Whitepapers

A Zero Trust Approach to Windows & Mac Endpoint Security

Whitepapers

Mapping BeyondTrust Solutions to the Qatar National Information Assurance Policy v2.0

Whitepapers

KuppingerCole Executive Review - BeyondTrust Endpoint Privilege Management

BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press

Languages

  • English
  • German
  • French
  • Spanish
  • Korean
  • Portuguese
  • Japanese
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2020 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.