You think VDI is more secure than traditional desktops? It's not. You're wrong.

Despite what people like to say, VDI isn't any more secure than traditional desktops. Time to put that myth to rest.

One of the things I heard over and over again at VMworld 2013 a few weeks ago was how "VDI is more secure than traditional desktops." (The main rationale is because with VDI, the data is in the datacenter so a stolen client device doesn't pose a risk.)

I've always argued that improved security with VDI is just a myth: the real security concerns with desktops have to do with user actions and zero-day threats, which VDI doesn't address at all, and if your only concern is lost laptops, there are ways to address that with centrally managed encryption that are far simpler and cheaper to implement than VDI.

I saw Shawn Bass at VMworld and said something like, "I think I need to do an article about why VDI is not more secure than physical desktops," and he looked at me with a puzzled look on his face and said, "Umm?? You don't remember that I did an entire five-part series on that last year?"

Oh. Right.

Well, if I forgot, then you probably did too. So I want to bring this conversation back into the light (again) so people can stop making the same ignorant arguments about it.

So to review, here are the five parts in Shawn's August 2012 series, "VDI and TS/RDSH are not more secure than physical desktops."

Part 1: There's only two types of data. (data at rest versus live data)

Part 2: Centralization helps in other ways (It's not that VDI and RDSH are worthless, it's just that they shouldn't be used to improve security)

Part 3: Mitigation Strategies for Data Security (Now that we've established that datacenter-based desktops don't help with security, what can you do to improve security?)

Part 4: Security by isolation methods (How the concept of isolating your desktops from your client fits into the broader picture)

Part 5: How persistence affects data security (Oh by the way, non-persistent VDI is not automatically safe and/or secure. Another myth.)

If you believe that VDI and RDSH are more "secure" than traditional desktops and laptops and need major convincing otherwise, please read Shawn's five articles. Otherwise I can sum it up in these few paragraphs.

Why VDI is not more secure than physical desktops and laptops. (The short version.)

If your argument is that VDI means a stolen laptop doesn't equal data loss, that means you're worried about data at rest. For most security professionals, data at rest is not their concern, since that can be handled by disk encryption.

One of the push-backs to that I often hear is something like, "But if I lose a laptop that's encrypted then I never know 100% for sure it was encrypted and I'm still worried. If I lose a client device that's used for VDI with nothing on it then I know for sure that there's no risk."

Statements like that are made out of ignorance of how laptop encryption works these days. If you search for [enterprise laptop encryption] you'll find dozens of products (Symantec, Sophos, Druva, McAfee...) specifically designed for the enterprise with features like centralized management and reporting, the ability for a device to shred itself if it doesn't check in or if it receives a remote wipe command, the ability to use two-factor authentication for decryption, etc.

And again, all of these products are cheaper and easier to implement than VDI, plus you don't have the other disadvantages of VDI. (No huge server backends, you can work offline and over poor connections, all your apps work, etc.) And laptop-based encryption products can meet the same regulatory compliance requirements as VDI. (HIPAA, Sarbanes-Oxley, FIPS 140, etc.) All new Intel CPUs even have AES encryption capabilities built in.
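The "I never know 100% for sure it was encrypted" worry above is exactly what centralized reporting exists to answer, and the check behind such reporting is simple enough to script. The following is an added example, not code from the article or from any of the products named; it assumes a Linux laptop with util-linux's `lsblk`, whose `-J` flag prints the block-device tree as JSON, and it walks that tree to decide whether each mounted filesystem sits below a dm-crypt (`crypt`) device. The sample JSON is constructed for the example, and the list of mount points exempt from the check (`/boot`, `/boot/efi`) is an assumed policy, not anything the page states.

```python
"""
Audit whether every mounted filesystem on a Linux laptop lives on an
encrypted block device, using the JSON tree printed by
`lsblk -J -o NAME,TYPE,MOUNTPOINT` (util-linux).  Added example: the
sample tree below is constructed, not captured from a real host.
"""
import json
import subprocess

# Constructed sample: / and /home sit inside a LUKS container (the dm-crypt
# node of type "crypt"); /boot, /boot/efi and a USB stick are plaintext.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
      {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
      {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
      {"name": "nvme0n1p3", "type": "part", "mountpoint": null, "children": [
        {"name": "luks-root", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
          {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}
        ]}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": "/media/usb"}
    ]}
  ]
}
"""

# Assumed policy for this example: an unencrypted boot partition is tolerated
# because the kernel and initramfs must be readable before the key is entered.
EXEMPT_MOUNTS = ("/boot", "/boot/efi")


def mounted_filesystems(tree: dict) -> dict:
    """Return {mountpoint: True if some ancestor device is dm-crypt}."""
    report = {}

    def walk(node: dict, under_crypt: bool) -> None:
        # Once we pass through a "crypt" node, everything below it is
        # written through the cipher, including LVM volumes and partitions.
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            report[mountpoint] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in tree.get("blockdevices", []):
        walk(device, False)
    return report


def unencrypted_mounts(report: dict, exempt=EXEMPT_MOUNTS) -> list:
    """Mount points holding data at rest in the clear, minus exempt ones."""
    return sorted(mp for mp, enc in report.items() if not enc and mp not in exempt)


def sample_report() -> dict:
    """Run the audit over the constructed sample tree."""
    return mounted_filesystems(json.loads(SAMPLE_LSBLK_JSON))


def live_report() -> dict:
    """Run the audit on the host this script executes on (Linux only)."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return mounted_filesystems(json.loads(out))


if __name__ == "__main__":
    report = sample_report()
    for mp, enc in sorted(report.items()):
        print(f"{mp:12s} {'encrypted' if enc else 'PLAINTEXT'}")
    missing = unencrypted_mounts(report)
    print("PASS" if not missing else f"FAIL: plaintext data at rest on {missing}")
```

Two caveats a practitioner would keep in mind. First, the check only proves that the device is a dm-crypt mapping; it says nothing about how the key is protected (passphrase, TPM, escrowed recovery key), which is where the "two-factor for decryption" feature in the paragraph above comes in. Second, the equivalent evidence on Windows comes from BitLocker (for example `Get-BitLockerVolume` in PowerShell reports each volume's protection status), and the enterprise products the article mentions simply collect this kind of per-device status centrally so that the question "was the lost laptop encrypted?" has an answer on file before the laptop goes missing.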

So if you're just doing VDI because you want to improve security, that's crazy. (Let me know who your Citrix or VMware sales rep was, because we'd like to hire that person!) And if you went to VDI for other reasons but think that "improved security" is a nice fringe benefit, that's also wrong. (See Shawn's five articles above.)

I think that does it for now. I'll re-post this again next year I'm sure. Remember, VDI is great, but not for anything related to security. It doesn't help or hurt security. It's just not related at all.


I've got to disagree and say that is a blindly inaccurate generalization that doesn't represent customer truth.

Security is about People, process and technology regardless of the individual architecture you follow. I'd certainly agree that from a technology perspective many of the arguments don't hold water. However from a people and process perspective, many do. For example disaster recovery with VDI is used by many people to improve their compliance posture in terms of recovery and better practices for end users.

I also agree that with better controls and management many of the benefits can be achieved with other approaches. But to make a sweeping generalization that VDI has no security benefits (people/process/technology) is just not true.


While I don't disagree with many of the arguments made in both this article and by Shawn Bass, I do disagree with the premise that VDI has nothing to do with security. My premise is that VDI has the potential to be more secure than traditional desktops based on three core things:

1. You mentioned first that if a security professional is worried about data-at-rest, then whole disk encryption can be easily applied to the traditional desktop. Of course, I agree with you. However, just as Shawn Bass argues that PCoIP is not as good as other protocols because the "default" is not to tune the protocol for network conditions, the same is true for data-at-rest. By default, there is no data on the end point with VDI. A lost laptop is a lost end point, not lost data, and this is true 100% of the time. However, while whole disk encryption is easy to deploy, it is not even close to pervasive. Having worked in the security industry for over a dozen years doing pen tests, forensics, and vulnerability assessments, I can attest to the fact that while decentralized security practices are improving, they are not even close to pervasive. There is no question that data-at-rest is better secured in VDI at an industry level view. If you deploy alternative security measures, great. It's not true for you, but it is true for the greater use case of traditional desktops.

2. Centralization of user computing services means that desktops are never beyond the view and control of the IT admin. Never! They can't disconnect from my network and log into a compromised Wi-Fi network at a restaurant in NYC which is actively probing for vulnerable components, zero days and MITM type attacks. Every inbound transaction can be effectively analyzed and graded based on signatures/heuristics to determine risk level. In a traditional desktop environment, this is not the case. If risk levels are graded using the age-old DREAD (damage, reproducibility, exploitability, affected users and discoverability), then the risk factors associated with exploitability and discoverability are absolutely increased in the decentralized traditional desktop world.

3. Security also has the potential to be improved in the user behavior space.  Just as every inbound packet can be analyzed, it is equally valuable to monitor user behavior and where they are going "to".  Don't want your users going to the Pirate Bay, torrent sites, Dropbox or even Facebook?  One of the benefits associated with VDI is that user behaviour can be fully under the scrutiny and policy control of the central IT team.  While there may be arguments as to whether this should be considered as part of "desktop security", it is true that the security posture of the organization has the inherent potential to be improved.

Note that in arguments 2 and 3, it is not necessarily true that security is improved by default, but it does remain a fact that "should" security controls and policies be implemented, having a centralized model means that this is easier to implement. Going one step further, if you are leveraging this in a DaaS model (full disclosure: I work for a DaaS platform provider), it is easier still to leverage additional services without the complexity of implementation. An analogy? I never bother with logging when I spin up a temp server internally to test something out. However, if I go to Amazon to grab a server for some period of time, not only do I choose my server, but I enable logging and other controls that give me better control and visibility. My $0.02 on this is that in the future, items 2 and 3 will be simple add-on services to the user service that are dead simple to enable and that absolutely raise the security bar.

Security is incremental, and the rising tide is the ease of deployment of the control.  Just like PCI DSS does not "secure" an application for credit card transactions, the framework enables some baseline security improvements, with the inherent potential for many more.  VDI is no different and absolutely does bring inherent security benefits.


Another on the disagree side

If the endpoint machine will have data on it, then that machine, its network and every other application on that machine are now "in scope" for the security evaluation (e.g. PCI), greatly increasing the cost of the certification and complicating ongoing maintenance.

Security sensitive data should be cordoned off in a controlled space, where the access to the data and maintenance of the execution environment can be carefully controlled by an administrator who has the mission of securing that data processing system.

And the disclaimer: yes, my badge says "Citrix". I'm still right...


Oh sure, VDI has the "potential" to be more secure, just like a Dell has the potential to be more secure than an HP. But the opposite is also true. VDI also has the potential to be less secure and it has the potential to not affect security.

Calling the security benefits after going to VDI as "free" is like saying that having more closet space is a "free" benefit of adding a second story to your house. Sure, it's "free" if you don't count all the money, pain, and effort you spent to get there. My flight to NYC was also free if you don't count the money I spent on it.

"By default there is not security on an endpoint?" True fact! That's why I say you have to put some on there. By default there is no VDI either unless you implement it. Again it seems like all these comparisons are in some magical future land where everyone is already using VDI, and you're comparing that world to a world where you have to, oh my gosh, actually implement some laptop security. But I could flip it and do the same thing. Actually I'd rather secure my laptops than build VDI.


@Brian, And your assertion is that Dell will never be more secure than the HP which is not correct.

You then assert that this is all about cost of VDI and then argue it's all about client security anyway and that is your preference. That's not what customers who are doing it think. They look at the value of staying stuck in a legacy distributed PC architecture which is unlikely to get support for much investment for a security/management refresh unless tied to enabling a business need, which most successful VDI/RDS implementations do.

Your argument is a technology-centric view of what security is. This is out of touch with modern security functions who don't look at a single component in isolation.

Specifically, can you tell me how fat, legacy managed, crappy, inflexible, slow to update distributed PC infrastructure, where nobody has any clue what anybody runs, is being used in disaster recovery mode? It is very hard to fix that problem with better tools and that means less compliance and more risk with next to zero will to do anything about it. That's part of the security picture also. These are requirements today not met for many in the mythical world where distributed PCs solve world hunger. They don't.

So in summary, my main disagreement is not that people may think client security can only be solved with VDI. My beef is with the incorrect assertion that it's never more secure to do VDI in the broad sense of an enterprise correctly looking at security as people/process/tech in combination with enabling business needs. That's customer reality and truth, vs. binary debates of secure vs. non-secure that don't reflect the broader considerations that customers take into account.



Again. VDI is made for Desktop Management, not for Security. This does not mean that it cannot be applied to make your environment more secure, but that the sole purpose of the technology is to allow you to MANAGE your environment better.

If you don't need to manage your environment better then don't bother reading forward, but this is not the majority of us.

Better security comes inherently with better management. So tell me, can you have a better CIA (Confidentiality, Integrity, Availability) with Traditional Desktop Management or VDI Desktop Management?

I can tell you right now that recovery in VDI beats Traditional Desktop management hands down due to a hardware agnostic workspace. DR is so much easier when faced with hardware failure.

Better integrity comes with a non-persistent OS, and yes you can have that in traditional PC environments, but management is far from easy and you also lose the availability aspect somewhat. DR is so much easier in non-persistent virtual environments when faced with software OS failure.

Unfortunately there is little substance in this article and I am just as disappointed with this as with the Persistent vs. Non-Persistent VDI debate.

Yes, let's encrypt 1000 laptops and have a sound sleep because we know we are safe... Regardless of what solution you pick you will never be safe, but when I make our footprint as small as possible I personally find it easier to cope.


I'm not sure why people keep mixing continuity and availability warranty benefits for VDI, when the discussion should be on pure security.


While VDI isn't inherently more secure, I would argue that in many cases a hosted VDI/SBC solution is far more secure than a typical SMB in-house IT system.

For the majority of SMBs, moving to a Cloud Provider for Desktops introduces good IT management practices like GP lockdown, AppLocker-like restrictions, removal of unnecessary permissions, multi-level firewall and malware protection, data encryption, well managed OS instances that are regularly patched, consolidated data, etc.

In other words, Hosted Desktops in the Cloud provides an opportunity for SMBs to benefit from a well managed and up to date IT environment that they couldn't otherwise afford, while providing other benefits like mobility, BYOD, business continuity, 24x7 access from anywhere, etc.

For an SMB audience, telling them that their in-house IT systems are just as secure as VDI and that they should stick to the status quo isn't doing them any favors. A well managed corporate environment is a different story, but it's SMBs who are leading the charge towards cloud services - not big enterprises...



re: “I've always argued that improved security with VDI is just a myth”

I’d argue you have argued that in the past ;-)


How VDI can make your desktop security worse (TechTarget Article)

"The bottom line is that while adding VDI to an enterprise environment could make it more vulnerable to security breaches, it doesn't have to. A few simple steps can ensure that VDI increases the overall security of the desktop environment just like you hoped" [Brian Madden]


Security at any cost (the VDI Delusion)

"Many people using VDI and RDSH today do so simply because they need the high security that exists only when the entire desktop is running in the data center. This means that there’s nothing running, stored, or cached on the endpoint, which is great for a few reasons.

For companies that are concerned about intellectual property, it means they can outsource work without worrying that the people they’re outsourcing it to are going to copy all their files or steal all their code" [Brian Madden]

... and even later on, in the comments to this article:

"Oh sure, VDI has the "potential" to be more secure"

I “think” the points you’re trying to make are:

- Don’t do VDI “just” for security reasons (IMHO very few people do VDI “just” for one reason; normally other factors apply such as increased agility / device independence etc.)

- Think carefully about “Endpoint” security

- Consider disk encryption if security is the only driver (a possible “side” discussion might be some of the more recent press on that subject)



"pure" security takes into account the CIA of the system in question.

Since VDI is a Desktop Management technology, when you look at it from a security perspective you will understand that the Confidentiality, Integrity, and Availability of the Desktop, Applications, and Data is at the center of the discussion.

These articles have completely simplified the conversation on Desktop Security to the point where Security has lost a lot of meaning.

I am just interested in shining the light on this inaccurate analysis and don't exactly have the time to go into details about specific examples. Needless to say there is a lot of info on the internet already debating all of this and it is up to you to come up with your own opinions.

This is coming from a previous IT Security Administrator. I currently work in the Federal Government with Secret clearance and I have my CISSP and soon to be CSSLP. I have experience in the Certification and Accreditation process and collaborated in Threat Risk Assessments.


It's not that VDI is more secure than physical.  However it does provide a better opportunity to be more secure than you can with physical.

Think about it, if you had someone's laptop set to revert to a standard, with hard enforced rules on accessing localized resources you would have a riot on your hands.  But the ability to have that level of content in a VDI always on scenario is common place.

It is far easier to restrict and protect your data in a VDI environment than it is on an offline unit.  Offline units can have username and passwords taped to the physical device for access.  VDI having no physical removes that level.  Plus integration with 2 factor authentication is far easier with VDI scenarios, than with physical machines in the field that can run offline.

Yes, if you buy VDI for security it is like buying a school bus to take your 1 child to preschool. But if instead you look at it as buying VDI for other reasons, and throwing security on top as well, it's like sprinkles on your donut. It just makes the donut that much better.


Thanks for the further clarity Icelus


Not sure why my comment got deleted, mistake I assume. It was basically:

The sum of the parts >1 people

In other words I agree with the point of view that security can't be looked at from a single dimension, i.e. saying endpoints don't matter, it's only about the data, etc. is not how security works in the enterprise.


VDI is often configured for pass-through auth and easily defeated when someone leaves their PC unattended or clicks on malware and does not reboot their provisioned VDI.