Thanks to Horizon 6.1, VDI finally has some inherent security benefits over physical desktops


“VDI is not more secure than physical desktops,” is something that we’ve been saying, and proving, since the dawn of VDI. We even made it one of the core takeaways from our book, The VDI Delusion. The premise is this: Moving to VDI does nothing all by itself to make your desktops more secure. It removes data from the endpoint, but if that’s your singular goal you can secure the endpoint data in other ways (like disk encryption).

Any additional security on top of that is just that–on TOP of VDI. The things that keep us up at night like zero-day exploits and viruses are just as easily spread through a VDI environment as they are a physical desktop environment, and combating them involves additional software. You might manage it slightly differently, but VDI isn’t doing much of anything to make it easier on us.

The only concession we’ll make on the inherent security of VDI (or lack thereof) is that by keeping the desktops and applications in the data center, you have more readily available information regarding the behavior of those desktops from a resource consumption and network perspective. That’s it. You can better see how you’re being attacked, but you’re still getting attacked.

That was then, this is now

I think we're going to have to change our tune when it comes to security inherent to VDI, at least when it comes to VMware Horizon 6.1. With the latest release, VMware added the ability to leverage NSX virtual networks for published applications and desktops. The quick explanation is that with this combination of technologies, you can have applications run on specific networks dedicated to them, reducing their security footprint and firewalling that traffic from the rest of your environment.

This is done at the VM level, so even if an exploit manages to gain complete control of the VM, the bad guys will only see what's on the specific corner of the network that the VM is allowed to access. Since the NSX rules are applied to specific VMs and reside on the vSwitch located on each host, they will always be present no matter where that VM is vMotioned.
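To make the distinction between "rules that live on the network" and "rules that follow the VM" concrete, here is an added toy model (not VMware's or NSX's code, and it calls no NSX API). It keys every rule on the VM's security tags rather than on its host or switch port, applies a first-match-wins ordered rule list with a default-deny fallback, and then asks the question a defender actually cares about: if one desktop is fully compromised, what can it still reach? The inventory, tags, ports and rule sets are all constructed for the example.

```python
"""
Toy model of an identity-based distributed firewall, constructed for illustration.
Rules match on VM tags, so a VM keeps its policy wherever it runs.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class VM:
    name: str
    tags: frozenset          # security tags the policy keys on
    host: str = "esx-01"     # where it currently runs; never consulted by the policy


@dataclass(frozen=True)
class Rule:
    src_tag: str             # "any" matches every VM
    dst_tag: str
    port: Optional[int]      # None matches every port
    action: str              # "allow" or "deny"


class DistributedFirewall:
    """Ordered rule list, first match wins, configurable default action."""

    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default

    def decide(self, src: VM, dst: VM, port: int) -> str:
        for r in self.rules:
            if ((r.src_tag == "any" or r.src_tag in src.tags)
                    and (r.dst_tag == "any" or r.dst_tag in dst.tags)
                    and (r.port is None or r.port == port)):
                return r.action
        return self.default


# Constructed inventory: two desktop pools, one app server, one domain controller.
INVENTORY = [
    VM("desktop-fin-01", frozenset({"desktop", "pool-finance"})),
    VM("desktop-fin-02", frozenset({"desktop", "pool-finance"})),
    VM("desktop-hr-01", frozenset({"desktop", "pool-hr"})),
    VM("app-erp-01", frozenset({"server", "erp"})),
    VM("dc-01", frozenset({"server", "domain-controller"})),
]
PORTS = [88, 443, 445, 3389]

# Flat network: everything talks to everything (the physical-desktop baseline).
FLAT = DistributedFirewall([Rule("any", "any", None, "allow")])

# Micro-segmented: finance desktops reach the ERP app over 443, every desktop
# reaches the DC for Kerberos; desktop-to-desktop is denied explicitly and
# everything else falls through to the default deny.
SEGMENTED = DistributedFirewall([
    Rule("pool-finance", "erp", 443, "allow"),
    Rule("desktop", "domain-controller", 88, "allow"),
    Rule("desktop", "desktop", None, "deny"),
])


def reachable(fw, src_name, inventory=INVENTORY, ports=PORTS):
    """(destination, port) pairs a fully compromised `src_name` could still connect to."""
    src = next(v for v in inventory if v.name == src_name)
    return {(d.name, p) for d in inventory if d is not src
            for p in ports if fw.decide(src, d, p) == "allow"}


def lateral_desktops(fw, src_name, inventory=INVENTORY, ports=PORTS):
    """Only the other desktops reachable on any port: the lateral-movement surface."""
    by_name = {v.name: v for v in inventory}
    return sorted({d for d, _ in reachable(fw, src_name, inventory, ports)
                   if "desktop" in by_name[d].tags})


def move_vm(inventory, name, new_host):
    """Simulate a vMotion: only the host changes, the policy still keys on tags."""
    vm = next(v for v in inventory if v.name == name)
    vm.host = new_host
    return vm


if __name__ == "__main__":
    for label, fw in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(label, "lateral desktops:", lateral_desktops(fw, "desktop-fin-01"))
        print(label, "all reachable:", sorted(reachable(fw, "desktop-fin-01")))
    before = reachable(SEGMENTED, "desktop-fin-01")
    move_vm(INVENTORY, "desktop-fin-01", "esx-07")
    print("unchanged after vMotion:", before == reachable(SEGMENTED, "desktop-fin-01"))
```

Under the flat policy the compromised finance desktop can reach every other desktop on every port; under the segmented policy its reachable set collapses to the ERP server on 443 and the domain controller on 88, and that set is identical before and after the simulated vMotion because nothing in `decide` looks at `host`. The explicit desktop-to-desktop deny is redundant with the default deny here, but keeping it visible in the rule list is good practice: it documents the intent and survives someone later adding a broad allow below it.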

Needless to say, this is something you can’t do with physical desktops, at least not with this kind of manageability and control. That means we finally have something about VDI that makes it inherently more secure than physical desktops!

There are a few opposing views that I can foresee. First, you could argue that this is above and beyond the “normal” VDI, or that it’s an added layer of complexity that isn’t just “there” out of the box. My take is that it’s built into the Horizon 6.1 platform, and that’s good enough for me. Nevertheless, it's a good point to make. The easier it is to understand, manage, and use, the more people will adopt it. It's probably not in the de facto configuration or skill set for Horizon 6.1 users today, but it could be someday.

Second, you could argue that you still need to have other components to achieve the same level of security, and I would absolutely agree with that. Nothing changes about what you need and how you should manage the security of your desktops, but in the past all we could do with VDI security was make it equal to physical desktops. Today, we can make it more secure than physical desktops.

So congrats, VMware. You've made VDI inherently more secure than physical desktops.* (* When using Horizon 6.1 and NSX.) I haven’t seen a lot of VDI platform things that are really exciting lately, but I like this a lot. 


Didn't we have this functionality with vShield Zones? Sure, NSX is more elegant to use and has some additional benefits, but this capability has always been there. Furthermore, do we really need that much security?? If yes, why did we not need it all these years when we put thousands of users on XA/TS?? After all, we were putting many users on the same server in the data center before virtualization was even born.

I think this is a function of advanced network security that is very welcome but not earth shattering or new, we can easily achieve the same result without this.



vShield zones leveraged VSGs (Virtual Security Gateways) and simply didn't scale effectively with VDI environments. NSX is a kernel-based layer 4 distributed firewall that ties in 3rd party vendor solutions and delivers TRUE layer 7 micro-segmentation. Elegant doesn't even begin to describe the capabilities...

As for whether or not it's really needed? Ask one of the companies that's been breached in the past 18 months whether or not they think micro-segmentation is important...

The simple fact is that VMware is re-inventing networking in the datacenter and is re-inventing the way we address security for virtualized workloads as a result. It's a huge step forward for the entire IT industry. So new, yes. Earth shattering, definitely.


How many virtual desktops have been hacked into so far? This feature caters to VMware's business integration requirements. From a customer standpoint - so far this appears to be a solution looking for a problem.


It's an interesting question about how vulnerable virtual desktops are in an enterprise data center environment. In my experience one of the most vulnerable devices in your network is the endpoint or desktop, simply because that device is controlled by the least technically savvy component of the organization... the end user. If you think about it, with the advent of VDI we have relocated the user from a physical desktop at the edge of the network directly into the data center. What other device in the data center do we allow our end users to control, navigate to potentially malicious websites, access their private email from and plug things like USB sticks into? On top of that, Spear Phishing, Session Hijacking and Man in the Middle attacks are typically targeted at the end user and endpoint as the most vulnerable part of the system. When we look at the type of attack we are seeing today it usually involves the compromise of a low value target, like a desktop, which gives the attack a foothold, from which it spreads laterally compromising adjacent components, like other desktops, until it reaches a high value target that it can compromise and either destroy or exfiltrate data from. When you have the perspective that end users are the largest security vulnerability in your organization, and they are directly attached to virtual desktops, that alone defines the need for more secure VDI deployments. Enhancing network security on each VDI instance without having to place that security inside the VM where it can easily be defeated by an attacker seems to be a significant advance in VDI security. Finally a reason to deploy VDI for enhancing an organization's security posture!!


I'm more or less in agreement with Elias; firewalling VDI and RDSH into separate security zones to minimize attack vectors and data leakage opportunities is anything but new. The difference that NSX makes is centered around ease and speed of implementation and simplified opportunities for orchestration.

By lowering the bar to implementation NSX enables more organizations to implement best practice.