Sometimes the only way to make progress is to leave something behind.
If implemented well, client virtualization has the potential to significantly improve enterprise security. But if implemented poorly, it can weaken a district's overall data security.
The primary criticism of virtual desktop infrastructure (VDI) is that moving desktops into the data center shifts the malware attack target from the edge of the network to the very heart. However, the benefits of centralized control of clients quickly outweigh the risks when the appropriate safeguards are in place.
As always, districts should adopt a multilayered approach to security. With that in mind, heed the following tips to protect virtual clients:
Place all virtual desktops on dedicated subnets. Provide appropriate network segmentation by implementing firewalls to limit desktop communication to required subnets and over well-known ports.
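As an added illustration of the segmentation tip above (not code from the original article), this Python script models a default-deny policy for a dedicated VDI subnet: it decides whether a desktop-originated TCP flow is permitted, audits the policy for rules broader than "required subnets over well-known ports", and renders it as nftables forward-chain rules. All addresses, the policy and the rendered rule syntax are constructed assumptions.

```python
"""Segmentation policy for a dedicated VDI subnet: default-deny flow check,
rule audit, and nftables rule rendering. Added example; every address and
the policy itself are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    dst: ipaddress.IPv4Network  # destination subnet the desktops may reach
    ports: frozenset            # allowed TCP destination ports
    note: str                   # what the rule is for

def rule(dst, ports, note):
    return Rule(ipaddress.ip_network(dst), frozenset(ports), note)

# Constructed: all pooled desktops live on one dedicated /16.
VDI_SUBNET = ipaddress.ip_network("10.50.0.0/16")

# Constructed policy: only the subnets the desktops need, on well-known ports.
POLICY = [
    rule("10.10.0.0/24", {53, 88, 389, 636}, "DNS and directory"),
    rule("10.20.0.0/24", {443}, "application catalog"),
    rule("10.30.0.0/24", {445}, "file services"),
]

def flow_allowed(src, dst, dport, policy=POLICY):
    """Decide a desktop-originated TCP flow; anything not listed is denied."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in VDI_SUBNET or dst_ip in VDI_SUBNET:
        return False  # only desktop egress is modelled; no desktop-to-desktop
    return any(dst_ip in r.dst and dport in r.ports for r in policy)

def audit(policy):
    """Flag rules broader than 'required subnets over well-known ports'."""
    findings = []
    for r in policy:
        if r.dst.overlaps(VDI_SUBNET):  # also catches a 0.0.0.0/0 wildcard
            findings.append(f"{r.note}: destination overlaps the VDI subnet")
        if any(p > 1023 for p in r.ports):
            findings.append(f"{r.note}: uses a port outside the well-known range")
    return findings

def to_nft(policy):
    """Render the policy as nftables forward-chain rules (assumed syntax)."""
    lines = ["ct state established,related accept"]
    for r in policy:
        ports = ", ".join(str(p) for p in sorted(r.ports))
        lines.append(f"ip saddr {VDI_SUBNET} ip daddr {r.dst} "
                     f"tcp dport {{ {ports} }} accept  # {r.note}")
    lines.append(f"ip saddr {VDI_SUBNET} drop")  # default deny for desktops
    return lines

if __name__ == "__main__":
    print("\n".join(to_nft(POLICY)))
```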
Making admin privileges available on the desktop greatly increases the likelihood of a security breach. Instead, consider offering self-service installation from an application catalog of preapproved applications that have been configured to minimize security risks.
In VDI environments where endpoints are insecure, control the redirection and mapping of local host hard drives and disable access to USB flash drives to prevent data from being copied to the endpoint. When necessary, also consider disabling clipboard functionality.
Where data portability is required, ensure local hard drives are encrypted and permit access only to specifically approved USB drives with hardware- or software-based encryption, such as that offered by IronKey. Look to client computing systems that offer highly granular USB device access controls.
Deploying antivirus/antimalware to virtual clients can impede performance, so choose tools designed specifically for VDI whenever possible. These systems are implemented as hardened virtual appliances running on the hypervisor rather than as services running on each individual virtual client. This approach prevents antivirus storms caused by multiple desktops attempting to perform scans at the same time. A centralized model ensures that antivirus signatures can be kept up to date at all times without requiring IT staff to manage individual desktop signatures.
Poorly designed and inadequately specified client computing environments will encourage users to bypass security controls and adopt unauthorized technology to get the job done. A well-designed system should maintain security without impeding productivity.
Above all, when it comes to virtualized client security, it's important to understand that VDI is not a magic bullet. Vendor best practices for managing security on physical desktops should be considered a baseline for virtual desktop environments.