
Desktop Virtualization Journey Can be Safe and Sound

Show me an industry that isn’t increasing its usage of Desktop Virtualization (DV) and I’ll show you an industry that doesn’t exist. While different DV technologies are available, Virtual Desktop Infrastructure (VDI) and Desktop-as-a-Service (DaaS) are the clear choice; DaaS is essentially VDI hosted in the cloud. With VDI, an organization deploys virtual desktops in its own on-premises data centers, while DaaS moves the in-house IT burden and responsibilities to the cloud.

From education and healthcare to financial institutions and governmental agencies, remote application delivery and DaaS are growing year on year. In fact, industry experts Gartner predict that by 2023 the combined number of on-premises VDI users and cloud DaaS users will grow by more than 50%.

Organizations are using different types of remote desktop technologies and solutions for a number of key reasons, including operational efficiency, improving their end-point compliance and remote access opportunities, enjoying the centralized management and security backups, as well as the end-user support supplied by market leaders such as Citrix. Newer deployment models provide a popular way to streamline costs, with no need to purchase software licenses, or individual workstations, items that can quickly add up. But what about keeping your data and applications secure? How does security measure up in a VDI environment?

When Shared Infrastructure Raises Risk

Traditional data centers allow for servers to be monitored for signs of threat, and isolated where necessary. However, in a VDI environment, you’ll often find that all servers and applications are on the same infrastructure, even end-user applications and those which need more security and control. Desktops are likely to be shared among a large number of users, perhaps only a step away from critical assets, applications, and data. As all of this takes place inside the data center, you’re not covered by traditional security solutions such as perimeter firewalls that only protect the entrance to your network.

An added element to consider is traffic inspection. Most end-user application traffic is encrypted using SSL or TLS, and compliance mandates require a high level of data privacy. At the same time, for security you need to have insight into traffic and communications.

For many organizations, these risks of VDI are too great. If just one VDI machine is compromised, the attacker can move laterally elsewhere within the data center, and may well go undetected because of the complexity of the environment.

User Identity Access Management and Application Segmentation: Two Solutions that Work in Tandem to Mitigate this Risk

Two powerful technologies can be used together to allow enterprise organizations to leverage VDI without worrying about security concerns. First, let’s look at User Identity Access Management.

This solution often comes hand in hand with a Zero Trust model, as the idea is that any user can only access what they need for their role or activity, and no more. Rather than simply rely on initial authentication, smart User Identity Access Management allows you to create policy based on the identity of the user that is logged in, even when multiple users are connected to the same system at the same time.

Identities can be pulled from the Active Directory, and policy will control both new sessions, and ones that are currently active. Even before a user has logged into an application, protection is in place.

Figure: Active Directory app protection

Now Couple Access Management with Application Segmentation

A micro-segmentation solution with granularity can create control over even the most complex environment, helping you to build out your infrastructure in a secure way that gives you peace of mind when using VDI, even defining policy based on a process, label, or other asset information.

For example, using application segmentation, you can ensure that all applications and users within the VDI environment are segmented away from specific business-critical or sensitive applications in the wider data center. You can also ring-fence the VDI environment so that no attackers can achieve lateral movement elsewhere, even in case of a breach.

Figure: application segmentation and VDI

Together, you now have a powerful, unbeatable solution. First, each user is limited to only the applications and servers they are allowed to access, as mandated by your User Identity Access Management policy. Secondly, no user can move outside of their relevant environment, an added layer of defense that does not rely on any specific network or location.

Reducing Complexity with Visibility

Still in fear of attacker dwell time? Make sure that your security solution comes with real-time visibility into all of your active VDI sessions and their connections. You should be able to see:

    • What specific users are doing, with identification
    • Which processes are currently running and for what purposes
    • How and where the processes are communicating
    • The exact flows that are being generated
    • Which specific applications are being used, and by whom

Another Zero Trust model mandate is to ‘Assume Access’. In this situation, when the assumed breach occurs, your IT team has accurate visibility into the source of the attack, and can see in seconds (and without any physical or virtual taps) any lateral movement attempts from the original VDI environment to the main data center.

Lose the Fear of a VDI Environment

First, restrict the access from your VDI environment. Secondly, block access by user identity. In two steps, you’re done.

Guardicore Centra makes it simple to say yes to the benefits of a VDI environment. It integrates with Citrix Virtual Apps and Desktops, and Active Directory to reduce the attack surface and improve visibility, even when considering the complex security reality of Virtual Desktop Infrastructure.

3 Game-Changing Reasons to Deploy User Identity Access Management

Segmenting critical applications is nothing new. We’ve long since established the benefits of isolating sensitive data or essential assets in the enterprise data center, preventing potential breaches from escalating, and stopping lateral movement in its tracks. User Identity Access Management is the next essential layer of control, establishing with fine-grained policy exactly which users can access various applications in the first place, and how.

Here are our top three use cases, all of which are revolutionary for today’s enterprise data center.

Control User Access Anywhere

Many enterprise networks currently grant broad permissions to business-critical systems: dangerously coarse controls that can be taken advantage of by attackers, or undermined by simple human error. Not only is this bad practice for any enterprise security posture, but it also makes it increasingly difficult for organizations to remain compliant with the latest regulatory mandates.

In contrast, strong user access management policies allow specific users to be either given access or denied entry, with granular options such as permissions over specific servers, ports and processes.

Even in cases where your organization started out with a network design that allowed all users equal access, user access can be segmented to only the applications, servers and processes to which each individual user or group is entitled. Not only will your organization keep the infrastructure of a single data center, there will be no physical changes, downtime, or additional overhead as there would be with network segmentation projects, and you will be massively simplifying the road to compliance. Take PCI-DSS for example. With strong access management, you can ensure that only those users who are allowed to view cardholder data can physically access your CDE (Cardholder Data Environment).

Just as Guardicore Centra’s segmentation follows the workload rather than any particular underlying infrastructure, our User Identity Access Management follows the individual user, enforcing user governance across any environment, from legacy and bare-metal, physical desktops and laptops, to VDI and hybrid cloud platforms.

Figure: follow the user with identity access management

Manage Multiple Users, Even When Logged in at the Same Time to the Same System

Think about users who are connected to the same servers at the same time, but who have different access requirements. Perhaps one employee works for HR, and needs access to sensitive personnel files stored in HR management servers, while another works for the Finance team, and is working on an accounting application. They are both administrators, and are working within the same data center.

Without User Identity Access Management policies, the traditional way to secure their access would be with multiple jumpboxes, setting up one for each, with its own network connectivity. This gets expensive and complicated, fast.

A smart access management tool removes the complexity, and streamlines the route to secure user access, even for simultaneous logins to the same server. Each admin can connect from the same jumpbox, at the same time, and yet only have access to their own application, and be blocked from any applications outside of their purview.

Figure: user identity access management, same jumpbox, no problem

Handle Third-Party or Administrator Access

It’s more important than ever to manage access for third-party vendors and partners, who may be connected to your network through SaaS, IoT devices, or as contractors working on your own systems. Third-party access management needs to be able to seamlessly define and handle user groups for these cases and more. Traditional solutions that are based on IP addresses are complex to manage, especially when multiple users are logging on simultaneously to the same server. By creating policy based on user identity rather than IP, each user group can have its own policies defined for entry, giving specific access to every group or even individual user, and blocking them from moving any further.

As no centralized firewall is needed, and access is controlled at the endpoint, your organization can enforce control of users between workloads, even within the same segmented section of the network. Policies take effect immediately, for both new and active sessions, allowing you to act quickly and incisively in case of a security gap.
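The shared-jumpbox scenario above (two administrators on the same server, each allowed only their own application) and the identity-rather-than-IP policy model can be illustrated with a small default-deny policy evaluator. This is an added example written for this page, not Guardicore Centra code; the user names, group names, addresses, ports and process names are constructed, and the group lookup stands in for an Active Directory query.

```python
"""Identity-based access policy for a shared jumpbox (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed directory lookup standing in for an Active Directory group query.
USER_GROUPS = {
    "alice": {"hr-admins"},
    "bob": {"finance-admins"},
}

# Policy is keyed on the user's group, destination, port and process,
# never on the source IP, so two users on one jumpbox get different answers.
RULES = [
    {"group": "hr-admins", "dst": "10.20.0.0/24", "port": 443, "process": "hr-client.exe"},
    {"group": "finance-admins", "dst": "10.30.0.0/24", "port": 1521, "process": "sqlplus.exe"},
]


@dataclass
class Flow:
    user: str      # session owner of the process that opened the connection
    src: str       # source IP (shared by every session on the jumpbox)
    dst: str
    port: int
    process: str


def evaluate(flow: Flow) -> bool:
    """Default deny: allow only if a rule matches group, destination, port and process."""
    groups = USER_GROUPS.get(flow.user, set())
    for rule in RULES:
        if (rule["group"] in groups
                and ip_address(flow.dst) in ip_network(rule["dst"])
                and rule["port"] == flow.port
                and rule["process"] == flow.process):
            return True
    return False


def audit(flows):
    """Return denied flows as (user, src, dst, port) tuples for a defender's dashboard."""
    return [(f.user, f.src, f.dst, f.port) for f in flows if not evaluate(f)]
```
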

Solving Three Problems with One Tool

In conjunction with the benefits of application segmentation, User Identity Access Management is an obvious step to enhance your data center security. Not only can you keep critical assets away from an attack, you can now enforce exactly who should be accessing these applications in the first place, wherever they reside.

Want to read more about how micro-segmentation can enhance your data center security? Download our white paper on how to choose the right segmentation solution.
