Virtual desktop integration is the practical use of a hosted operating system instance via browser access. VDI apps and operating system sessions execute on a remote host, often in a data center VDI farm. VDI has benefits but also potential problems as the hosts for VDI sessions migrate to the cloud.
As VDI sessions execute in a farm, sessions can be tightly controlled. Users tend to be highly mobile, and the machines they use can be difficult to keep updated and typically vary in configuration. VDI sessions are often highly homogenized--that is, similar in appearance, patch level, and so on (even generically so). Applications can also be virtualized, in a form called by varying names, but this article covers security with full sessions.
Part of the motivation for migration to the cloud for VDI hosting is based on easing configuration complexity and providing lower latency for many configurations. The homogenizing of sessions, configurations and capabilities ensures a minimum common denominator of accessibility and app mixture, and sessions can be offered with an increasing gradient/mixture of apps where desired. As many cloud hosts for VDI have geographically diffuse access capabilities, it’s possible to domicile data generated internationally into regulatory-complaint country- or region-specific access groupings.
There are now two classes of VDI hosting: high-raster speed and non-optimized raster speeds (once pioneered by VMware but now available in many VDI vendor offerings). VDI sessions are often based on Windows as an operating system, as Apple doesn’t offer macOS virtualization except under tightly controlled circumstances that usually involve buying 1:1 Mac hardware to host the session. Linux sessions are also uncommon, as browser access by remote Linux users more frequently involves web page sessions. For this discussion, I’ll confine VDI to Windows 7 and 10 versions.
VDI logons come from many types of browsers, but the browser vendor is mostly irrelevant. Instead, feature virtualization is important, as is the ability to use collaborative/line-of-business software in a VDI session. Local peripheral use in a session, especially printing, is a given. Sometimes the ability to use local resources such as files, USB drives or USB peripherals is important. Data loss prevention policies may inhibit local storage or file transfers from a machine accessing a VDI session.
But first comes the choice of a persistent session that’s often tied to a specific user or a non-persistent session whose settings (if altered) go away when the user session ceases. Cloud-based sessions may or may not be able to take advantage of an organization’s cloud access security brokerage (CASB) software security controls, depending on the implementation, as well as the cloud hosting organization's ability to tie logons to security software.
A second and increasingly common session uses a combination of large raster/resolution size coupled with the use of enhanced graphics--often with an underlying GPU-enhanced graphics capability. This permits video editing, CAD, simulations work and other calculation-intensive VDI session work, along with the benefits of remote or field accessibility. VDI with heavy graphical content also requires sustained bandwidth with low latencies. A tenable circuit speed between user and session host is necessary for productivity. These sessions are generally persistent and tied to a specific user.
Migration steps to cloud VDI from data center VDI are somewhat simple. Historically, organizations seeking data center-based VDI have used session spin-up constructions from VMware View, Citrix XenApp and even Microsoft’s Terminal Services. Entire operating systems sessions using VMs are set in motion, depending on persistent or non-persistent needs. Configuration and management of these hosting platforms can be expensive and are complex. The need for simplicity and accessibility spawned cloud-based VDI, which comes with some interesting cost savings.
VDI features once found only in data center sessions are now replicated in cloud offereings from major vendors, and so it’s familiar turf for the experienced. VMware, Citrix, Ericom and others now offer an AWS version. Other cloud providers offer similar and evolving VDI partnerships with common VDI vendors. The cost differences that result from moving from data center use to scaling VDI to the cloud are attractive. Savings can be found, among other places, in licensing costs and hardware/energy costs, with the ability to reduce multiple points of failure through geographically distributed vendor hosting locations.
When shifting to the cloud, many of the security issues are the same as in the data center. CASB and multifactor and other authentication mechanisms are strongly suggested. Active Directory extensibility is often commonplace in cloud-hosted VDI offerings, but the entire circuit must be audited and compliant for all intended (and unintended) use cases.
Sophisticated VDI sessions are hosted in the cloud as VDI as a service or desktop as a service. Access may comprise simple virtualized desktops and an optionally added application set and/or Active Directory-linked service. Differing gradients of services available permit Istio and other Windows-specific hosting organizations to replace user-based hardware and OS/app combinations that are controlled on the service through administrative-access apps. Licensing becomes simplified. The admin apps tailor hosted VDI combinations and control authentication, security, CASB links, specialty VDI (such as the aforementioned GPU-based session) and more.
To secure VDI in the cloud, it may be necessary to add measures commonly found in data centers. These include strict DNS resource replication, encrypted circuits, security certificate management, secure VPN access and MFA, in order to meet the same compliance and regulatory requirements found in data center installations.
At the end of the day, every Windows instance needs anti-virus/anti-malware systems, as well as the application of good browser and email practices. Each new instance hopefully will be audited and found virus-free and correctly patched, with all safety/security safeguards intact as defaults. No one can ensure this, of course, until the desired VDI instance has been tested and vetted as safe to use.
