By Jim Nelson   /   Apr 14th, 2020

As Cloud-Based Remote Work Surges, Remember Key VDI Security Considerations

As we continue to cope with work solutions from shelter-in-place restrictions, many of us have had to scurry at provisioning an unexpected surge of employees working remotely. Driven by convenience (BYOD provisioning), rapid deployment, and quick scalability, many organizations are utilizing Virtual Desktop Infrastructure (VDI) platforms such as AWS Workspaces to get the job done. In fact, due to the urgency of the situation, many organizations made changes outside of the normal security review and approval process. As a result, chances are good that VDI security considerations are playing second-violin to convenience, access, and functionality for the end user.

However, if there was ever a time for security in general to be the concertmaster, the time is now. According to Google, there has been a 350% increase in phishing websites since the beginning of the year. Hackers are on the prowl during this COVID-19 pandemic, and security should therefore be in the driver’s seat. Whether you have already spun-up new virtual desktop instances or are still in the process, it’s important to go back and confirm your VDI platform settings to ensure that your security is tight. Remember, cloud security is generally a shared risk model, where you and the provider are both responsible for security. You can’t assume that just because you are using AWS, that the AWS Workspaces security setting defaults prioritize cybersecurity and access the same way you would or should.

Since the rush just to get users up and running can easily lead to overlooking key VDI cloud security controls, I’ve identified six of the most important VDI security considerations to preserve the Confidentiality, Integrity, and Availability (CIA) of company systems and data.

The Top Six VDI Security Considerations

  • Multi Factor Authentication (MFA) – Enforce MFA for all VDI Portals and VPN access. Most platforms will integrate with your RADIUS protocol and preferred authentication target.
  • Restrict Cloud Access to Trusted Devices – Most platforms can use certificate-based authentication to determine whether a device is trusted. If the platform client application can’t verify that a device is trusted, it blocks all login and reconnection attempts from the untrusted device. Some platforms can block access by device type as well, and can scale and restrict as needed by using a combination of the two.
  • Encrypt Virtual Desktops – Platform controls vary, but AWS Workspaces security controls allow for encryption of both the root and user volumes (C:\ root and D:\ user for Windows). Employing this encryption ensures your data is secure at rest, in transit and in volume snapshots.
    Key Management Service (KMS) provides either host or customer key management. Ensure that you activate the encryption, as it can easily be overlooked.
  • Implement an AntiVirus (AV) Solution – Most platforms come with a default set of applications at no additional cost. Depending on the OS deployment, certain AV agents are offered at an extra monthly fee. If those offered are not the right AV solution for you, make sure you add the solution of your choice and push it out to all virtual endpoints. Make sure the AV solution can detect zero-day and next-gen malware.
  • Apply Security Group Rules – Security groups provide security at the protocol and port access level, working much the same way as a firewall, governed by a set of rules that filter traffic coming into and out of a cloud instance. Ensure rules are designed with principles of least privilege in mind and avoid overly permissive access to further secure the cloud instance.
  • Implement Account Password Policies with Identity and Access Management (IAM) – Centrally manage password requirements by creating IAM policies to permit IAM users to perform all cloud platform tasks. Specify password complexity, lock-out, and rotation requirements for your IAM users. LMG recommends a minimum length of 16 characters, including upper and lower case, numbers, and special characters.

There are plenty more security hardening features and tools for cloud VDI platforms. However, during a crisis, it’s wise to narrow our scope and focus on what really matters. Now that most people are up and running, this is a great time to go back and check your VDI security settings.

Incorporating these six VDI security considerations will go a long way to give you peace of mind. Knowing that company data is securely accessed by authenticated and authorized users and their devices is a truly rewarding calm in the midst of uncertainty. Let’s all work toward that calm by implementing these essential VDI security considerations that will enable us to quickly, as well as safely, scale and provision more remote employees in 2020.  Stay safe and be well!

If you need help ensuring your remote workforce is secure, we’ve got you covered. We created multiple new services including Remote Security Cleanup, VPN & VDI Security Assessments and more to help you ensure remote worker security during this challenging time. Contact us for more information.

About the Author

Delaney Moore

Delaney is a Senior Security Consultant with LMG Security.  Delaney’s focus is within LMG’s Compliance and Advisory services, where she assesses organizations’ security programs using well-known  frameworks such as the NIST Cybersecurity Framework and ISO 27001, and assesses their compliance with regulatory standards such as the HIPAA Security Rule.  Delaney is experienced in both onsite and remote social engineering, cybersecurity policy and procedure development, vendor risk management, and facilitating security training exercises such as incident response tabletop exercises. She holds her bachelor’s degree from the University of Montana in Management Information Systems, and is a Certified Information Systems Auditor (CISA).