What is Virtualization Security in an Unmanaged Environment?

It is a new world, and chances are good that your company has a distributed workforce. Maybe your employees cycle between working in the office and working from home—or maybe you or your service providers have an entirely offshore remote team. You have done your homework, so your remote workers use VDI and DaaS applications to connect to your sensitive data.

But what do you have in place to secure those VDI and DaaS connections? If you are like the 90% of organizations that have experienced a breach over the past two years, at least one of your remote users or devices is currently at risk of being compromised—despite strict anti-virus / anti-malware adherence, constant patch updates, EDR systems, and the out-of-the-box security from Citrix, VMware, Azure, and other VDI/DaaS providers.

That means your sensitive data, your financial liability, and your company’s public reputation are at risk. At its core, that is why VDI security is so important to unmanaged, BYOD working environments.

Remote users can be particularly vulnerable for their organizations because they often work in a fully unmanaged environment. Users frequently bring their own devices (BYOD), work on comparatively flimsy home networks, or work in public workspaces.

So how do you secure an unsecured environment? Predict and prevent human errors. Fortify your security posture with VDI security that guarantees your user is who they say they are in real time. Eliminate uncertainty around your user’s identity by providing continuous authentication verification. To understand what that means, let’s examine the concepts in more detail.

What is Virtualization Security?

The InfoSec Institute devotes an entire chapter of Cloud Security to defining and explaining Virtualization Security. In short, the concept encompasses security for virtual environments. In practice, virtualization security applies to a wide variety of applications:

  • Kubernetes containers within our data centers
  • Virtual servers hosted in a cloud environment
  • Virtual hybrid networks combining cloud and local resources
  • Virtual endpoints hosted on the cloud and accessed by remote users

Sometimes virtualization security becomes confused with virtualized security. Virtualized security is security that has been converted into a fully virtual, software-based form and designed to work exclusively within a virtualized IT environment. While they are intertwined in meaning, virtualized security is a specific subset of the broader category of Virtualization Security, which also encompasses physical security, hardware-based security, and so on.

What is an Unmanaged Environment?

An unmanaged environment might refer to any environment in which an organization fails to fully protect and secure its data from end to end, encompassing the devices, the workplace, the network, the storage, and the users themselves. For now, we’ll adopt the typical assumption that within the office an organization has reasonable control, and focus on the stereotypical case for an unmanaged environment: the remote worker.

A remote worker’s unmanaged environment may consist of:

  • Unmanaged devices - BYOD devices, or corporate laptops on which employees may install their own software.
  • Unmanaged networks - unsecured home or hotel networks, or public Wi-Fi networks.
  • Unmanaged workplaces - airports, trains, coffee shops, common areas within a home, apartment, or hotel.
  • Unmanaged users - contractors, vendors, customers, or employees in public settings.

In today’s world, unmanaged environments are inevitable. It’s up to the CIOs, CISOs, directors of cybersecurity, and directors of IT to assume this and take the necessary steps to provide VDI security.

How to Secure Your Unmanaged Environment?

You need a solution for remote workforce security that extends beyond traditional security measures. Years ago, using Remote Desktop Protocol (RDP), where a user connects through an open port on the firewall to their desktop PC remotely, sufficed. However, as Microsoft notes, attackers seek to target this technology, and it can be difficult to secure. RDP connections are no longer considered safe and are discouraged.

The next technology, Virtual Private Networks (VPNs), improved security, but it too has begun to show its age. IT managers often discontinue VPN services because of issues with scalability, bandwidth consumption, and security. With regard to security, VPN connections allow data to flow from the data center to the remote device, where it can be leaked. Additionally, researchers regularly find security flaws in the various VPN technologies, and many VPN login credentials have been leaked over the past few years. Ultimately, VPN technology only really addresses the unmanaged network, by providing an encrypted tunnel between the device and the corporate network. But an encrypted tunnel on its own is not secure.

To further extend security, many organizations turn to Virtual Desktop Infrastructure (VDI), also known as Desktop-as-a-Service (DaaS). IT managers choose this technology because it creates a walled garden in which users see the display of the VDI, securely transmitted through an encrypted connection, and, as explained by Alfred Pargfrieder of Hewlett Packard, “their data never leaves their data center.”

Why VDI Security is More Critical Than Ever

Implementation of VDI prevents data from being leaked to an unsecured device or through an unmanaged network, but it still remains somewhat vulnerable to the unmanaged workplace and the unmanaged user. One weakness is that username and password credentials tend to be weak or heavily reused.

Surveys reveal that while 92% of users know that using variations of a password introduces risk, 65% of them tend to use the same password or just variations of that password. Even large security companies such as Citrix suffer credential stuffing breaches from old or reused passwords.

Multi-factor authentication (MFA) attempts to address this issue and put a layer of management on the users. An additional factor, such as an SMS text, a generated code (from a device or app), or a biometric, is used in the authentication process. MFA provides assurance to the company that the correct user is on the other end of the secure connection - at least initially.

Unfortunately, even MFA does not fully manage the user and remains fully vulnerable to an unmanaged workplace. For example, an employee working at a coffee shop can use MFA to log into a secure VDI, but if their neighbor spills coffee on their lap, they may run off to the bathroom and leave the laptop in the hands of the neighbor.

Similarly, workers on a train may not notice someone looking over their shoulder (“shoulder surfing”) as they log into the corporate environment and get to work. Research on shoulder surfing tends to categorize incidents as opportunistic or due to human ignorance. Either way, through VDI security, there’s a way to mitigate the threat of shoulder surfing.

The New Standard in VDI/DaaS Security

Traditional VDI and DaaS security has been losing the battle against inside and outside threats, and in this new work-from-anywhere world the stakes have never been higher. Fortunately, there is a way to more completely address uncontrolled users and workplaces. Continuous authentication verification constantly checks to make sure the user is the correct user.

At SessionGuardian, we use facial recognition to implement continuous authentication verification for our customers and constantly check for faces that can see the user’s screen. If the face does not belong to the user, the screen will blur. If a second, unauthorized face can be seen, the screen will blur.
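To make the decision logic above concrete, here is an added illustration (not SessionGuardian’s code, and not tied to any real face-recognition library): each webcam frame yields a similarity score per detected face against the enrolled user’s template, an unrecognized face blurs the screen at once, and the user being absent blurs it only after a short grace window so a quick glance away does not cause flicker. The threshold and grace-window values are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

MATCH_THRESHOLD = 0.80     # assumed: similarity at or above this counts as the enrolled user
BLUR_AFTER_MISSING = 3     # assumed: consecutive frames with no enrolled user before blurring


@dataclass
class Frame:
    """One webcam sample: similarity of each detected face to the enrolled user."""
    face_scores: list  # constructed input, e.g. [0.93] user alone, [0.93, 0.12] user + bystander


@dataclass
class SessionGuard:
    """Tracks blur state for one VDI session and records every state change for auditing."""
    missing_frames: int = 0
    blurred: bool = False
    events: list = field(default_factory=list)  # (action, reason) tuples

    def evaluate(self, frame: Frame, threshold: float = MATCH_THRESHOLD) -> bool:
        matched = [s for s in frame.face_scores if s >= threshold]
        unknown = [s for s in frame.face_scores if s < threshold]
        if unknown:
            # Any face that is not the enrolled user (a second viewer, or a stranger
            # at the keyboard) blurs immediately; no grace period applies.
            self.missing_frames = 0
            self._set(True, "unauthorized_face")
        elif not matched:
            # Enrolled user not visible: tolerate a brief glance away, then blur.
            self.missing_frames += 1
            if self.missing_frames >= BLUR_AFTER_MISSING:
                self._set(True, "user_absent")
        else:
            # Only the enrolled user is in view: clear the blur and reset the counter.
            self.missing_frames = 0
            self._set(False, "user_verified")
        return self.blurred

    def _set(self, blur: bool, reason: str) -> None:
        if blur != self.blurred:
            self.blurred = blur
            self.events.append(("blur" if blur else "unblur", reason))
```

The events list is what a SOC would want shipped to a SIEM, since a burst of `unauthorized_face` blurs on one session is a workplace signal that password or MFA logs never capture.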

SessionGuardian extends corporate security to cover the full spectrum of the unmanaged environment. By using continuous biometric MFA, we fulfill the zero-trust mandate and extend continuous authentication beyond the virtual devices to the users and their surroundings.

SessionGuardian exists to manage unmanaged users and devices and to fully extend corporate security to the last frontiers of the unmanaged environment.

If your organization works with sensitive data, your security perimeter is under constant attack. Schedule a free demo to see how continuous biometric MFA can help you fight back.
