One of the things I heard over and over again at VMworld 2013 a few weeks ago was how "VDI is more secure than traditional desktops." (The main rationale is because with VDI, the data is in the datacenter so a stolen client device doesn't pose a risk.)
I've always argued that improved security with VDI is just a myth, because the real security concerns with desktops have to do with user actions and Day Zero stuff that VDI doesn't address at all, and if your only concern is lost laptops then there are ways to address that with centrally-managed encryption that are far simpler and cheaper to implement than VDI.
I saw Shawn Bass at VMworld and said something like, "I think I need to do an article about why VDI is not more secure than physical desktops," and he looked at me with a puzzled look on his face and said, "Umm?? You don't remember that I did an entire five-part series on that last year?"
Well if I forgot, then you probably did too. So I want to bring this conversation back into the light (again) so people can stop making the same ignorant arguments about it.
So to review, here are the five parts in Shawn's August 2012 series, "VDI and TS/RDSH are not more secure than physical desktops."
Part 1: There's only two types of data. (data at rest versus live data)
Part 2: Centralization helps in other ways (It's not that VDI and RDSH are worthless, it's just that they shouldn't be used to improve security)
Part 3: Mitigation Strategies for Data Security (Now that we've established that datacenter-based desktops don't help with security, what can you do to improve security?)
Part 4: Security by isolation methods (How the concept of isolating your desktops from your client fits into the broader picture)
Part 5: How persistence affects data security (Oh by the way, non-persistent VDI is not automatically safe and/or secure. Another myth.)
If you believe that VDI and RDSH are more "secure" than traditional desktops and laptops and need major convincing otherwise, please read Shawn's five articles. Otherwise I can sum it up with these few paragraphs.
Why VDI is not more secure than physical desktops and laptops. (The short version.)
If your argument is that VDI means a stolen laptop doesn't equal data loss, that means you're worried about data at rest. For most security professionals, data at rest is not their concern, since that can be handled by disk encryption.
One of the push-backs to that I often hear is something like, "But if I lose a laptop that's encrypted then I never know 100% for sure it was encrypted and I'm still worried. If I lose a client device that's used for VDI with nothing on it then I know for sure that there's no risk."
Statements like that are made out of ignorance of how laptop encryption works these days. If you search for [enterprise laptop encryption] you'll find dozens of products (Symantec, Sophos, Druva, McAfee...) specifically designed for the enterprise with features like centralized management and reporting, the ability for a device to shred itself if it doesn't check in or receives a remote wipe command, the ability to use two-factor authentication for decryption, etc.
And again, all of these products are cheaper and easier to implement than VDI, plus you don't have the other disadvantages of VDI. (No huge server backends, you can work offline and over poor connections, all your apps work, etc.) And laptop-based encryption products can meet the same regulatory compliance requirements as VDI. (HIPAA, Sarbanes-Oxley, FIPS 140, etc.) All new Intel CPUs even have AES encryption capabilities built-in.
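To make that feature list concrete, here is an added Python model of how a centrally managed encryption client behaves. It is an illustration written for this page, not code from the post, from Shawn's series, or from any of the products named above. The disk's data encryption key (DEK) can only be unwrapped with both a passphrase and a token secret, and the agent crypto-shreds the wrapped key when a remote wipe is ordered or the device misses its check-in deadline, so a stolen laptop that never phones home ends up with nothing recoverable. The XOR key wrap, the seven-day grace window and all the names (create_volume, unwrap_dek, crypto_shred, AgentState, agent_tick) are assumptions made for the example; a real product wraps the DEK with AES and keeps the header on the volume.

```python
"""Toy model of a centrally managed laptop-encryption agent (constructed
example): two-factor key unwrapping, check-in deadline, remote wipe."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

KDF_ITERATIONS = 200_000   # PBKDF2 work factor; assumption for the example


def derive_kek(passphrase: str, token_secret: bytes, salt: bytes, length: int) -> bytes:
    """Derive the key-encryption key from BOTH factors. A thief holding the
    laptop alone (no passphrase, no token) cannot reproduce this value."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode() + token_secret,
                               salt, KDF_ITERATIONS, dklen=length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class EncryptedVolume:
    salt: bytes
    wrapped_dek: bytes   # DEK XORed with the KEK (stand-in for AES key wrap)
    mac: bytes           # HMAC over the wrapped DEK: wrong factors or tampering fail closed
    shredded: bool = False


def create_volume(passphrase: str, token_secret: bytes):
    """Generate a random DEK and store it only in wrapped form."""
    dek = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    kek = derive_kek(passphrase, token_secret, salt, 64)
    wrapped = xor_bytes(dek, kek[:32])
    mac = hmac.new(kek[32:], wrapped, "sha256").digest()
    return dek, EncryptedVolume(salt, wrapped, mac)


def unwrap_dek(vol: EncryptedVolume, passphrase: str, token_secret: bytes):
    """Return the DEK, or None if the volume was shredded or either factor is wrong."""
    if vol.shredded:
        return None
    kek = derive_kek(passphrase, token_secret, vol.salt, 64)
    expected = hmac.new(kek[32:], vol.wrapped_dek, "sha256").digest()
    if not hmac.compare_digest(expected, vol.mac):
        return None
    return xor_bytes(vol.wrapped_dek, kek[:32])


def crypto_shred(vol: EncryptedVolume) -> None:
    """Destroy the wrapped DEK. The ciphertext on disk stays, but no key can ever
    decrypt it again, even for a user who knows both factors."""
    vol.wrapped_dek = secrets.token_bytes(len(vol.wrapped_dek))
    vol.mac = b"\x00" * len(vol.mac)
    vol.shredded = True


@dataclass
class AgentState:
    last_checkin: float          # epoch seconds of the last successful check-in
    grace_seconds: float         # how long the device may stay offline
    wipe_ordered: bool = False   # set when the management server sends a remote wipe


def decide_action(state: AgentState, now: float) -> str:
    """Policy: shred on remote wipe or when the check-in deadline has passed."""
    if state.wipe_ordered:
        return "shred"
    if now - state.last_checkin > state.grace_seconds:
        return "shred"
    return "normal"


def agent_tick(state: AgentState, vol: EncryptedVolume, now: float) -> str:
    """One scheduler pass of the agent; returns the action it took."""
    action = decide_action(state, now)
    if action == "shred" and not vol.shredded:
        crypto_shred(vol)
    return action


if __name__ == "__main__":
    dek, vol = create_volume("correct horse battery", b"token-secret-0001")
    state = AgentState(last_checkin=1_700_000_000.0, grace_seconds=7 * 86_400)
    print(agent_tick(state, vol, state.last_checkin + 3_600))        # normal
    print(unwrap_dek(vol, "correct horse battery", b"token-secret-0001") == dek)
    print(agent_tick(state, vol, state.last_checkin + 8 * 86_400))   # shred
    print(unwrap_dek(vol, "correct horse battery", b"token-secret-0001"))  # None
```

The point the model makes is the one the paragraph makes in prose: with a key that needs two factors to unwrap and an agent that can destroy it on command or on a missed deadline, a lost device is data at rest with no usable key, which is exactly the risk VDI is credited with removing.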
So if you're just doing VDI because you want to improve security, that's crazy. (Let me know who your Citrix or VMware sales rep was, because we'd like to hire that person!) And if you went to VDI for other reasons but think that "improved security" is a nice fringe benefit, that's also wrong. (See Shawn's five articles above.)
I think that does it for now. I'll re-post this again next year I'm sure. Remember, VDI is great, but not for anything related to security. It doesn't help or hurt security. It's just not related at all.