There are no two ways about it: remote work is now just ‘work.’ That means organizations required by law to protect customers’ information — like banks, law firms, healthcare and insurance companies — must find ways to strike a balance between making remote workers more productive and making sure data stays secure.
Read on to see how using virtual desktop infrastructure (VDI) solutions facilitates remote access but requires targeted strategies such as passwordless authentication to strengthen security. We’ll explain how VDI works — and how it adds unexpected risk — and show how one leading mortgage company used passwordless MFA to bridge gaps in VDI security without having to rebuild remote work infrastructures from the ground up.

What is VDI?
Virtual desktop infrastructure uses software to create desktop environments for remote workers that look and work the same way they would if workers were using company PCs in the office. Virtual desktops can run on company-managed machines or ‘bring your own device’ (BYOD) laptops, which can cut down on hardware, shipping, and configuration costs while allowing IT to manage software, and remote access to company servers, from a central location. Instead of programs and files residing on individual user PCs, hybrid workers launch a Remote Desktop Protocol (RDP) client or open a web browser to access company resources on servers at centralized sites or hosted in the cloud.
The pros and cons of VDI for secure remote access
Virtual desktops look just like physical desktops, but the user’s own device never actually enters the company’s IT environment. That prevents malware running on a user’s PC from entering and infiltrating the company network — a definite plus for supporting work-from-home employees, contractors, partners, and other third parties.
On the other hand, VDI can create or increase the cyber risk associated with remote work. All a threat actor needs is a working set of user credentials to log in and reach the VDI desktop environments connected to company assets and data. This is where implementing Zero Trust cybersecurity strategies and best practices that start with high-assurance passwordless multifactor authentication (MFA) comes in.
Zero Trust Identity and passwordless authentication make VDI more secure
Many enterprises in heavily regulated industries face three types of risk: falling victim to cyberattacks like ransomware that lead to data breaches, loss of brand reputation from having been breached, and failure to demonstrate compliance during regulatory audits. Any and all of these can lead to devastating consequences for your business, like having to pay fines, do damage control, and in extreme cases, temporarily shut down.
To avoid these worst-case scenarios, many federal, state, and industry regulations now require companies to implement MFA for users logging into any system that contains customer data. Some only require MFA for Internet-facing applications, while more aggressive rules, like a mandate from the New York Department of Financial Services (NYDFS), say MFA should be used for all users’ desktops, including VDI instances used by hybrid workers on unmanaged BYOD computers.
These requirements may be open to some interpretation and how you implement MFA matters.
What is MFA?
MFA uses multiple factors to confirm the identity of workers before granting them access to company resources. The multiple factors traditionally begin with a password (something users know) and progress to one or more further steps users must complete to verify identity, like plugging in a hardware token or smart card (something users have) or supplying a unique thumbprint, facial scan, or voice sample (something users are).
MFA of any kind vastly improves security versus passwords alone, but for cases such as remote work and the use of VDI:
Traditional MFA doesn’t go far enough
MFA solutions that rely on passwords as the initial layer of authentication do not deliver sufficient protection against threat actors trying to impersonate legitimate workers or trusted third parties. MFA that starts with passwords also proves less effective against ransomware, supply chain attacks, and other breaches.
Last but certainly not least, traditional MFA isn’t phishing resistant. Attackers have numerous workarounds, including ‘man in the middle’ (MITM) attacks that dupe even well-educated users into entering credentials into bogus sites and login pages, from which the attacker relays them to the real one.
A passwordless approach stops 80% of attacks that involve user credentials
Passwordless MFA eliminates the risk of credentials being lost, leaked, shared, stolen, or purchased — and then abused by hackers to gain a foothold and traverse your network — because there are no more credential pairs. Getting rid of user passwords simply removes the bait.
Most cybersecurity experts — and many best-practice guidelines — wholeheartedly agree that a phishing resistant approach to authenticating users and verifying their identity is a must. Secret Double Octopus (SDO) believes, and most thought leaders agree, that phishing resistance starts with using passwordless login.
But, as one iconic mortgage provider discovered during due diligence, not all passwordless solutions are created equal when it comes to securing VDI.
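The phishing-resistance point made in the two sections above, shown as an added illustration that is not part of the original post and is not Secret Double Octopus code: a toy relying party and authenticator in Python. The assumption is the one behind FIDO2/WebAuthn-style passwordless login, where the client signs the origin it is actually talking to, so an assertion produced on a look-alike page fails verification at the genuine site even if a proxy forwards it unchanged, and a captured assertion cannot be replayed because the challenge is single use. An OTP check is included for contrast, since a one-time code carries nothing about where it was typed. HMAC stands in for the real public-key signature, and the origins, user name and keys are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed values for the demo; not from any real deployment.
RP_ORIGIN = "https://vdi.example.com"
LOOKALIKE_ORIGIN = "https://vdi-example.com"


class Authenticator:
    """Stand-in for a platform or roaming authenticator holding one user's key.

    A real authenticator signs with a private key; HMAC with a shared key is
    used here only so the toy runs without a crypto library.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key

    def assert_challenge(self, challenge: bytes, origin_seen: str) -> dict:
        # The client reports the origin it is actually connected to, and the
        # authenticator covers it with the signature. A relaying proxy can
        # forward the challenge but cannot alter the origin the client saw.
        msg = origin_seen.encode() + b"|" + challenge
        return {
            "origin": origin_seen,
            "challenge": challenge,
            "sig": hmac.new(self._key, msg, hashlib.sha256).digest(),
        }


class RelyingParty:
    """The site (or VDI gateway) being logged into."""

    def __init__(self, origin: str, user_keys: dict) -> None:
        self.origin = origin
        self._user_keys = user_keys
        self._pending = {}  # user -> outstanding challenge (single use)

    def new_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, assertion: dict) -> bool:
        # 1. The challenge must be the one we issued; it is consumed here, so a
        #    captured assertion cannot be replayed later.
        expected_challenge = self._pending.pop(user, None)
        if expected_challenge is None or not hmac.compare_digest(
            expected_challenge, assertion["challenge"]
        ):
            return False
        # 2. Origin binding: an assertion produced while the user was on a
        #    look-alike page names that page, not us, and is rejected.
        if assertion["origin"] != self.origin:
            return False
        # 3. Finally check the signature over (origin, challenge).
        key = self._user_keys.get(user)
        if key is None:
            return False
        msg = assertion["origin"].encode() + b"|" + assertion["challenge"]
        expected_sig = hmac.new(key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected_sig, assertion["sig"])


def login_via(rp: RelyingParty, auth: Authenticator, user: str, origin_seen: str) -> bool:
    """One login attempt in which the user's client is connected to origin_seen."""
    challenge = rp.new_challenge(user)
    return rp.verify(user, auth.assert_challenge(challenge, origin_seen))


def verify_otp(expected_code: str, submitted_code: str) -> bool:
    """Password-plus-OTP style check, for contrast: the code says nothing about
    where the user typed it, so the relying party cannot tell a code entered on
    its own login page from one entered elsewhere and forwarded while valid."""
    return hmac.compare_digest(expected_code.encode(), submitted_code.encode())


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    rp = RelyingParty(RP_ORIGIN, {"alice": key})
    auth = Authenticator(key)
    print("genuine site:", login_via(rp, auth, "alice", RP_ORIGIN))      # True
    print("look-alike site:", login_via(rp, auth, "alice", LOOKALIKE_ORIGIN))  # False
```

The check that does the work is the origin comparison in step 2 of `verify`: the relying party never has to detect the proxy, it only has to refuse any assertion that was not produced for its own origin. That is what "phishing resistant" means in practice, and it is exactly the property `verify_otp` lacks.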
Iconic financial firm chooses Octopus to secure privileged admins
Like other modern MFA solutions, the Secret Double Octopus passwordless authentication platform makes the process of logging in remotely more secure by removing passwords and taking people out of the business of managing secrets. SDO replaces passwords on the front end with a secure authenticator app, mobile push notifications, and the use of biometrics (facial, voice, fingerprint scanning).
Unlike other solutions, SDO replaces the passwords that Active Directory and other identity infrastructures expect to see on the back end with ephemeral, machine-generated tokens. Decoupling the user login workflow from backend authentication makes it possible to extend passwordless login to any application quickly.
That includes Windows, Macs, legacy, and custom apps that workers access on-prem or in hosted cloud/SaaS applications directly or through a VPN or VDI.
Octopus tokens enable passwordless VDI login down to the VM level
With other passwordless MFA and SSO solutions, users access a VDI environment by logging into a single sign-on (SSO) portal first. Competing solutions use X.509 certificate-based passwordless authentication; that is, a static certificate is issued to each user and tied to that user’s virtual machine identifier. This approach proves limited in VDI environments where, after logging into the SSO portal, the next step is to authenticate passwordlessly down to the level of the virtual machines (VMs) used to create virtual desktops.
The certificate-based approach doesn’t work because a new VM instance gets spun up (and destroyed) from a golden image every time any user logs in via VDI. Comparing certificates becomes impossible because there’s no one master certificate to verify every identity against.
Instead of comparing certificates, Octopus installs an agent directly onto the VDI master image that gets deployed as a VM whenever a remote worker logs in. Any user identity recognized by Octopus in the directory can authenticate to the VM instance.
SDO agents can be installed within master profiles used by various business groups so all users experience the same simple, secure login process, including hybrid workers and contractors leveraging BYOD.
Octopus delivers higher scale faster and with lower cost and risk
With static approaches that use certificates, the financial service company’s IT team would have had to convert their entire VDI infrastructure to public key infrastructure (PKI) before they could install a passwordless MFA agent within the virtual desktop. Octopus requires no change to the VDI environment or ecosystem to achieve high-assurance authentication. And, where other solutions would require individual licenses for individual users’ computers, one SDO license scales to support and secure hundreds or thousands of users as the rollout of passwordless MFA progresses.
Firm completes VDI PoC in days
The financial service company’s IT team put the Octopus to the test on its own by conducting a proof of concept (PoC) demonstration in just two days. The PoC proved SDO’s passwordless MFA solution would deliver the benefits needed and that the rollout would go quickly.
More importantly, the demonstration showed the team that the rollout could move forward with no fundamental changes to the network infrastructure. A team of Active Directory, security, and applications experts worked together to pull off the initial rollout of passwordless MFA to privileged IT admins within a month. Everything worked as expected out of the gate without the team having to redesign apps or convert directory infrastructures to PKI — a massive savings of time and money versus competing solutions that prove less secure.
The provider plans to continue rolling out MFA to thousands of users enterprise-wide to secure VDI access and critical business applications and data.