“VDI is not more secure than physical desktops,” is something that we’ve been saying, and proving, since the dawn of VDI. We even made it one of the core takeaways from our book, The VDI Delusion. The premise is this: Moving to VDI does nothing all by itself to make your desktops more secure. It removes data from the endpoint, but if that’s your singular goal you can secure the endpoint data in other ways (like disk encryption).
Any additional security on top of that is just that: on top of VDI. The things that keep us up at night, like zero-day exploits and malware, spread through a VDI environment just as easily as through a physical desktop environment, and combating them still means additional software. You might manage it slightly differently, but VDI by itself isn’t doing much of anything to make that easier.
The only concession we’ll make on the inherent security of VDI (or lack thereof) is that by keeping the desktops and applications in the data center, you have more readily available information about how those desktops behave, from a resource consumption and network perspective. That’s it. You can better see how you’re being attacked, but you’re still getting attacked.
That was then, this is now
I think we’re going to have to change our tune when it comes to security inherent to VDI, at least when it comes to VMware Horizon 6.1. With the latest release, VMware added the ability to leverage NSX virtual networks for published applications and desktops. The quick explanation is that with this combination of technologies, you can run applications on specific networks dedicated to them and firewall that traffic from the rest of your environment, so each workload is exposed to only the handful of things it actually needs to talk to.
This is done at the VM level, with the rules enforced by the hypervisor at the VM’s virtual NIC rather than by anything running inside the guest. So even if an exploit manages to gain complete control of the VM, the bad guys can’t turn the firewall off from the inside, and they will only see the specific corner of the network that the VM is allowed to access (they can still attack whatever sits in that corner, which is why the rules should be as narrow as the application allows). Since the NSX rules are attached to specific VMs and live in the vSwitch on each host, they are always present no matter where that VM is vMotioned.
Needless to say, this is something you can’t do with physical desktops, at least not with this kind of manageability and control. That means we finally have something about VDI that makes it inherently more secure than physical desktops!
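To make the “specific corner of the network” idea concrete, here is a small model, added for this article and not code from VMware or from NSX, of the difference between firewall rules bound to a VM’s identity and a flat shared segment with no per-host enforcement. The VM names, hosts, ports and rules are constructed sample data, and the class is a simplification of a distributed firewall (no IP matching, no stateful tracking); what it shows is that the reachable set from a compromised VM is decided by the rules attached to that VM, not by where it happens to be running, and how much smaller that set is than on a flat segment.

```python
"""Toy model of per-VM distributed firewall rules versus a flat shared segment.

Added illustration, not from the original post or from VMware. All inventory,
hosts and rules below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass
class VM:
    name: str
    host: str        # hypervisor the VM currently runs on; changes on vMotion


@dataclass(frozen=True)
class Rule:
    src_vm: str      # VM the rule is attached to (identity, not IP or host)
    dst_vm: str      # peer it is allowed to reach
    port: int        # TCP destination port


class DistributedFirewall:
    """Rules are keyed by VM identity and evaluated on whichever host the VM is on."""

    def __init__(self, vms: Iterable[VM], rules: Iterable[Rule]) -> None:
        self.vms: Dict[str, VM] = {vm.name: vm for vm in vms}
        self.rules: Set[Rule] = set(rules)

    def vmotion(self, vm_name: str, new_host: str) -> None:
        # Moving the VM changes its host only; the rule set is not touched.
        self.vms[vm_name].host = new_host

    def allows(self, src: str, dst: str, port: int) -> bool:
        # Default deny: anything not explicitly permitted is dropped.
        return Rule(src, dst, port) in self.rules

    def blast_radius(self, compromised: str) -> List[str]:
        """Peers a fully compromised VM can reach at all (on any port)."""
        return sorted({r.dst_vm for r in self.rules if r.src_vm == compromised})


def flat_segment_blast_radius(vms: Iterable[VM], compromised: str) -> List[str]:
    """Baseline: machines on one shared segment with no per-VM enforcement can reach every peer."""
    return sorted(vm.name for vm in vms if vm.name != compromised)


# Constructed sample inventory: two published-app hosts, a desktop, and back-end servers.
SAMPLE_VMS = [
    VM("rdsh-app-01", "esx-a"),
    VM("rdsh-app-02", "esx-a"),
    VM("vdi-desk-07", "esx-b"),
    VM("app-db-01", "esx-c"),
    VM("ad-dc-01", "esx-c"),
    VM("file-srv-01", "esx-c"),
]

# Constructed sample policy: each workload may reach only what it needs.
SAMPLE_RULES = [
    Rule("rdsh-app-01", "app-db-01", 1433),
    Rule("rdsh-app-01", "ad-dc-01", 389),
    Rule("rdsh-app-02", "ad-dc-01", 389),
    Rule("vdi-desk-07", "file-srv-01", 445),
    Rule("vdi-desk-07", "ad-dc-01", 389),
]


def build_sample_firewall() -> DistributedFirewall:
    # Fresh VM objects each time so a vMotion in one run does not leak into another.
    return DistributedFirewall([VM(v.name, v.host) for v in SAMPLE_VMS], SAMPLE_RULES)


def compare_blast_radius(compromised: str = "rdsh-app-01") -> dict:
    """What the compromised VM can reach under both models, before and after a vMotion."""
    fw = build_sample_firewall()
    before = fw.blast_radius(compromised)
    fw.vmotion(compromised, "esx-b")   # the rules follow the VM to the new host
    after = fw.blast_radius(compromised)
    return {
        "flat": flat_segment_blast_radius(SAMPLE_VMS, compromised),
        "dfw_before_vmotion": before,
        "dfw_after_vmotion": after,
        "host_after_vmotion": fw.vms[compromised].host,
    }


if __name__ == "__main__":
    for key, value in compare_blast_radius().items():
        print(f"{key}: {value}")
```

Running it shows the published-app host reaching five peers on the flat segment but only its database and domain controller under per-VM rules, with the same answer before and after the move to another host. The real value of a check like `blast_radius` in production is reviewing the rule set itself: a rule that allows a desktop pool to reach “any” on a server segment gives back most of what the segmentation was supposed to take away.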
There are a few opposing views that I can foresee. First, you could argue that this is above and beyond “normal” VDI, or that it’s an added layer of complexity that isn’t just “there” out of the box. My take is that it’s built into the Horizon 6.1 platform, and that’s good enough for me. Nevertheless, it's a good point to make. The easier it is to understand, manage, and use, the more people will adopt it. It's probably not in the default configuration or skill set for Horizon 6.1 users today, but it could be someday.
Second, you could argue that you still need to have other components to achieve the same level of security, and I would absolutely agree with that. Nothing changes about what you need and how you should manage the security of your desktops, but in the past all we could do with VDI security was make it equal to physical desktops. Today, we can make it more secure than physical desktops.
So congrats, VMware. You've made VDI inherently more secure than physical desktops.* (* When using Horizon 6.1 and NSX.) I haven’t seen a lot of VDI platform things that are really exciting lately, but I like this a lot.