Busting the Non-Persistent VDI Security Myth!
- VDI, including non-persistent VDI, does little or nothing to stop today’s malware.
- VDI is just as susceptible to malware as physical desktops.
- Virtualization-based Security (VBS) helps solve the cyber security challenges for both physical and virtual desktops.
Running Bromium’s Federal Professional Services team, I get the opportunity to meet with some of the largest and most sophisticated Federal customers.
Recently, the same topic has come up in some of our customer conversations, “why is additional security needed for non-persistent virtual desktops…aren’t they already more secure than traditional desktops?”
The irony of these conversations, is that I previously spent a large portion of my career helping these same agencies roll-out VDI for many different use cases. To be clear, for many organizations VDI does offer significant business benefits and when properly deployed, it can improve an organization’s security posture. However, VDI, including non-persistent VDI, does very little to protect against malware.
Learn more: Get the Bromium overview.
There are already several good blogs that have been published that discuss the pros and cons of VDI for security purposes and I would encourage you to read them, especially the five-part series from Shawn Bass (currently CTO at VMware):
- You think VDI is more secure than traditional desktops? It’s not. You’re wrong.
- VDI and TS are not more secure than physical desktops, Part 1 of 5: There’s only two types of data!
- Why VDI is more secure than physical desktops
However, these blogs are a few years old and with the continued adoption of VDI over the past 4-5 years, I think it makes sense to re-visit the topic. For the purpose of this blog, we will specifically be talking about non-persistent virtual desktops, as that represents a vast majority of the deployed desktops in the Public Sector and is the type most commonly touted as being more “secure”.
The common explanations given for why non-persistent VDI is more secure boils down to a few simple arguments:
- Since the desktop is non-persistent, once it is rebooted all changes including malware are removed.
- VDI provides higher levels of configuration management to prevent unauthorized changes from being made to the image or applications.
- The data resides in the datacenter so it is harder to steal or lose.
To be fair, non-persistent virtual desktops do provide some of these benefits. However, in many cases these benefits simply help with the symptoms of the problem rather than addressing the problem itself. And in some cases, by solving one problem, it actually creates others. Instead of arguing for or against these specific points, let’s put our “White Hat” on and take a look at how the standard kill chain events in an APT play out in a VDI environment.
- Exploitation. Non-persistent VDI does little to actually prevent the exploitation from occurring. The only “defense” is that the initial exploit has to occur within the life of the VDI session before the desktop is rebooted. The reality is that the typical 8 hour workday window is more than enough time for the virtual desktop to get exploited, which then provides the attacker a foothold to persist or move laterally. Another “gotcha” is that it is not uncommon for VDI desktops to have less up-to-date patches due to the complexity in deploying upgrades without negatively impacting user workflows. As a result, these desktops may actually be MORE vulnerable as they are often running outdated versions of software. Even if malware does not persist for more than a few hours, those few hours are often more than enough to cause catastrophic damage. It only takes a few minutes to steal user credentials, valuable data, or run crypto-locker against all your file and application servers.
- Persistence. By far the number one “security benefit” I have heard about VDI is that malware cannot persist because all desktop changes are wiped at reboot and a pristine new desktop is created. Non-persistence can certainly help with reducing application management and undesired user changes, but it does little to thwart a persistent adversary. We have seen numerous occasions where malware leveraged a user’s roaming profile or a mapped network drive to allow itself to persist across reboots by reloading itself each time a user logs back in to their desktop. This effectively gives the hacker multiple “8 hour windows” thereby eliminating the security benefits of non-persistence altogether.
- Lateral Movement. Once an adversary has compromised a single desktop, they typically try to move laterally. So how does VDI help with that? The reality is that not only does VDI not help, in many customer environments it may even make lateral movement easier! Why is that? It simply comes down to access. Once a desktop is exploited an adversary can then use the credentials from that workstation to move laterally across other VDI workstations, physical workstations, and even servers. In some cases, the same administrator account may even be used for the VDI desktops and infrastructure. The other challenge is that these VDI desktops may have network access to Tier 1 server resources because they have data center IP addresses! Both of these issues can be solved with proper account management and network segmentation, however even if that is done (which in many cases it isn’t), then you’re just back to the physical desktop security model!
- Exfiltration. I frequently hear that “VDI helps stop data from walking out the building.” It is true that VDI may help with some physical access security concerns, but it actually can make matters worse if someone already has a foothold in the internal network. VDI desktops typically have fast (10GB+) access to network resources including internal file shares and databases. This fast access provides a great user experience – for both good guys and bad guys! The other challenge is that because these desktops are non-persistent and randomly assigned at logon it can be harder to track and record the data exfiltration as it can be occurring across multiple desktops, IPs, and user accounts versus a single compromised workstation.
So to recap…
FACT: VDI has helped solve numerous technology challenges and provided great business benefits for those who have adopted it.
MYTH: The reality is that protection against malware is not one of those benefits. If you have deployed non-persistent VDI, you are just as susceptible to malware attacks, perhaps even more susceptible, as you are on physical desktops.
The concept of using hardware-based virtualization for security purposes makes sense; however simply virtualizing the entire desktop OS while still giving it access to internal data does not provide protection against malware. Architecturally, individual applications and the data itself need to be virtualized (isolated) to ensure that a malicious webpage, document, or executable is unable to persist, move laterally, or exfiltrate outside of its disposable micro-VM. The good news is – that’s exactly what Bromium Secure Platform delivers!
Bromium micro-virtualization provides protection for not only physical desktops but for virtual desktops as well, including non-persistent VDI. Combining the business benefits and centralized control of VDI with the Bromium Secure Platform allows an organization to truly have the most secure desktop possible!
Stay tuned for some upcoming articles that show how Bromium and VDI are better together!