Virtualization technology and cloud services continue to evolve. As the cloud gains increased acceptance over time -- and as it delivers on the promises made about lower cost, better flexibility and reduced operational overhead -- many organizations have started to look to extend the cloud model in order to realize those same benefits in other areas.
One particularly interesting approach is the extension of the cloud model to virtual desktop infrastructure (VDI) -- specifically, "desktop as a service." While the concept is certainly interesting from a business and user experience perspective, it can be a harder call to make from a security standpoint. Some have argued that cloud-managed VDI is challenging, if not impossible, to secure; some (notably those in the vendor community) have rebutted that notion by arguing that security can actually be increased under the model.
If you're wondering "which is it?" you're not alone. This type of contradictory advice can give wrinkles to those actually deciding whether or not to implement. And, like most things, it's not universally one way or the other; there are situations where desktop as a service can be detrimental from a security point of view and situations where it can be advantageous. It's all about how, where and why your organization uses it.
What is desktop as a service?
Before we get into the specifics of the security properties it has, it's useful to take a moment to level-set exactly what the term "desktop as a service" means. Desktop as a service refers specifically to cloud-hosted, multi-tenant, virtual desktops with automation features, such as automated provisioning (for example, at the user or group level), software license management automation, performance monitoring, etc.
As with any cloud, desktop as a service can be implemented and provided by an internal service provider (i.e., using technology that is centrally deployed by an internal group) or by an external service provider supplying the service commercially. Well-known examples of the latter include Amazon WorkSpaces, VMware Horizon DaaS (formerly Desktone) and the (upcoming) Microsoft Azure RemoteApp.
The concept of desktop as a service involves consuming VDI the same way that your enterprise would consume any other cloud service: It licenses what it intends to use and, in so doing, deliberately cedes some portion of the management of the underlying technology "substrate" to the provider. In the case of this technology specifically, the provider typically maintains some portion of the application base, management of the OS and supporting infrastructure, some aspects of storage (though, depending on the implementation, it can leverage existing storage) and the mechanism required to connect to the virtual desktop.
Security advantages and disadvantages
Just like any other enterprise cloud deployment, desktop as a service can have a positive or negative impact on security.
It almost goes without saying, but there is some level of due diligence required from the customer to ensure that cloud usage is appropriate and that a given cloud service provider is appropriate for your organization's security needs. For example, you should vet the service provider by discussing (and potentially negotiating) under what circumstances they would need access to your enterprise's data, asking questions about security processes (e.g., patching, network security, monitoring and overall security hygiene), evaluating the provider's financials to ensure they stay in business, asking about data/instance ownership to avoid lock-in, etc. But, really, these are things that should be done with any cloud provider and are not necessarily specific to desktop as a service providers.
There are, however, a few ways in which security is different in a desktop as a service context as well as things that you as the customer should do before you sign up. First and foremost, it's important to understand exactly how data and applications will be made available to users of the virtual workspace. Keep in mind that employees are going to want to use the same applications and access the same data as they would on their desktop in the office. How will that access occur? Are internally-hosted business applications equipped to support a virtual desktop on a remotely-hosted infrastructure? How will you grant access to those apps and how will (or, depending on the service provider, "how can") users access enterprise storage? These are all considerations that should be discussed ahead of time and in detail.
Second, it's important that your security team also thinks through authentication and access control scenarios to determine if a given provider will meet its needs; a breach or unauthorized login of the service could impact not just an individual user's system but the entire VDI as well. For example, do you have a requirement for multifactor authentication for certain users, like administrators? If so, keep in mind that not every service provider supports multifactor authentication out of the box. If you have a requirement for multifactor authentication for remote access (for example, in a PCI-regulated environment), will you incur a regulatory risk if you select a service provider that doesn't offer that feature? Are your groups organized in such a way that you're able to cleanly determine which users get which apps? This can be a significant consideration when it comes to software licensing, for example.
All that said, though there are some areas that bear scrutiny, there can also be areas where desktop as a service is advantageous from a security point of view. Consider business continuity, for example. In the case of an outage, the virtual environment might continue to stay operational -- if that environment has all the apps that employees need access to, it can make a very appealing business continuity/disaster recovery tool.
Moreover, for organizations that have very stringent requirements about data access, cloud-hosted VDI might sound scary, but consider the alternative. Instead of users downloading and accessing sensitive information on mobile devices or remote machines, you now have the option to enforce that corporate data live centrally while only the means of access (i.e., the virtual workspace) is exported. In this scenario, desktop as a service can help enforce data protection mechanisms.
Lastly, consider how difficult security hygiene activities can be for most enterprise support teams. Patching, maintaining antimalware software, monitoring ... these tasks can all require a lot of effort and, frankly, some expensive technology investments. Using a virtual desktop environment helps enforce that a robust, hardened, standardized image is used throughout.
Desktop as a service really can change the game from a security point of view. There are certainly advantages -- and certainly areas that bear due consideration -- but what it really comes down to is usage and due diligence. Desktop as a service can be a very powerful tool in your toolbox, but ultimately it's the planning you put into it that determines the optimal way to deploy desktop as a service in a manner that meets your enterprise's security needs.
About the author:
Ed Moyle is the director of emerging business and technology at ISACA. He previously worked as senior security strategist at Savvis Inc. and as senior manager at Computer Task Group. Prior to that, he served as vice president and information security officer at Merrill Lynch Investment Managers.