Top VDI security considerations in higher education
In recent years, and even more urgently during the COVID-19 pandemic, there has been a need for higher education organizations to provide access to technology and software both on and off-campus. To meet this demand, Virtual Desktop Infrastructure (VDI) has become a popular choice for these institutions.
This isn’t the first time virtual technology has been set to transform the student experience and, with lessons learned from MOOCs (massive open online courses), and the security issues faced, VDI is now being implemented but security is a key consideration.
Despite the numerous costs and operational benefits of deploying VDI technology, the common risks associated with security still apply.
Desktop virtualization is a technology that separates the desktop operating system and its applications from the actual physical client machine being used. The operating system and applications are hosted on a server infrastructure in a data center and served up on-demand to a user device.
In a higher education organization, this enables each student to have access to their own virtual desktop and access the software and resources they need. However, despite the benefits VDI solutions can offer, this shared resource environment can bring ransomware, malware, vulnerability exploits, and insider threats.
Whilst VDI offers better security than other remote desktop solutions such as RDP or VPN, it can still pose a few challenges that should be considered when implementing a VDI solution. The shared resource environment offered by VDI poses a number of its own security challenges that should be considered and catered for in any deployment and security policy.
On the other hand, organizations with BYOD policies in place have huge numbers of students accessing virtual desktops with very little control over the security of those devices or where and when they are being used to access a VDI environment.
With a drive to provide students with access to applications and software from anywhere on and off-campus, BYOD security protocols are essential to data security. VDI deployment should work alongside BYOD policies, ensuring students and staff can work from their own devices safely, without putting the organization or their own devices at risk. This requires up-to-date and consistent security policies and making students aware of these and implement security best practices when accessing their virtual desktops.
If students are using their own devices to access virtual desktops, they may also be storing data on their own physical desktops which can cause problems if individual machines are hacked or stolen. Any VDI security policy should consider the impact of having users with university data stored on their own devices.
Any security implemented should ensure that data is stored centrally where it can be adequately protected.
There are two ways to access a VDI environment: a persistent desktop and a non-persistent desktop. The type of desktop provided to end-users will carry some security implications.
A persistent desktop allows users to access a virtual session which allows them to save files, customize their desktop and save settings for the next session. However, this type of desktop requires more storage and can make deploying security patches more difficult.
On the other hand, non-persistent VDI does not allow this customization. A single disk image is shared among users. As they log on, a clone of the master desktop is created and customized on-demand with app virtualization software such as VMWare. Although patch management is easier in this configuration, it limits users to a single session and they cannot, for example, save files.
Many organizations choose a hybrid approach where non-persistent disk images are provided to the end-user, while also providing dedicated storage for certain applications.
Impact of security measures on VDI performance
VDI helps IT departments to cut down on hardware and operational costs but, security software or protection used within the environment can have a huge impact on the performance of the solution so the type used should be carefully considered.
Some anti-virus packages require resource allocation in the same way as a physical device and can slow down performance and mean more storage is required, which can cost.
It’s better to employ endpoint solutions that will not compromise on computer power or end-user experience.
In a remote learning environment, a VDI deployment requires a review of privacy policies. These include:
Testing remote connectivity and bandwidth: This should also verify whether your infrastructure and software licences can support increased users and remote learning.
Training the staff and students on remote access and reviewing role-based access: Many may not be familiar with remote working and may need to be educated on security best practices, accessing data from public networks, use of personal devices and approved technologies.
Testing redundancies and backups: Prepare for system failures and overloads.
Antivirus (AV) and Advanced End Point Protection (AEP) are still required
With VDI, the same data security challenges encountered in traditional desktop environments still apply:
- Phishing attacks – users are vulnerable to phishing attacks through emails or other ways of sharing data
- Fileless attacks – the risks from attacks such as credential stealing and keylogging remain present
- Data leaks – virtual desktops are always online so there is less control over the transfer of data
- Malware propagation – VDI solutions have external access storage (on a network drive for example), making it easier to propagate malware through a VDI
- Vulnerability patching – although vulnerability patching is managed centrally in a VDI installation, it is a slower process because the golden image needs to be updated, which is a “wide impact” operation done in a gradual manner.
It is harder to deploy traditional, cloud or signature-based antivirus in VDI environments due to the requirement to update the golden image frequently. This, in turn, requires frequent signature update downloads, meaning a high footprint onto a lightweight machine, somewhat defeating the purpose of VDI.
Performance and user numbers
In a traditional desktop environment, performance issues associated with memory, storage etc. are limited to each individual machine.
In a VDI environment, however, these resources are centralized. The VDI must be able to handle the requirements of individual end-users, who may all try to access the resources at the same time.
There's no doubt a Virtualised Desktop Infrastructure presents many cost and operational benefits to higher education institutions. However, it is essential that organizations understand the security implications of their VDI deployments to avoid costly mistakes.
Ensuring security for VDI solutions is implemented well and the needs of the organization and its staff and students is essential to finding an effective solution. When it comes to remote working solutions, security can be one of the biggest concerns so thinking about these considerations before, during and after implementation will help to keep the solution as secure as possible whilst still offering the best user experience.
To find out more about VDI and security, please contact our expert team today.