Banks, investment firms, and other financial services providers go to great lengths to secure customer data and to verify the identity of everyone who comes in contact with it. Many rely on virtual desktop infrastructure (VDI) and multifactor authentication (MFA) to protect remote workers, but struggle with the gaps between the two.
Read on to see how passwordless MFA can bridge the gaps to secure VDI environments—quickly and affordably—without requiring IT teams to reconfigure infrastructures from the ground up.
What you’ll learn:
- The benefits and risks of using VDI in financial services infrastructures
- How passwordless MFA helps overcome these risks
- How Octopus MFA and single sign-on (SSO) helped one leading mortgage company secure VDI to protect customer data
Let’s begin at the beginning.
What is VDI?
A virtual desktop infrastructure uses software to create desktop instances, usually for remote workers, on servers hosted in a central data center or in the cloud. Instead of applications and files residing on each user's PC, workers launch a Remote Desktop Protocol (RDP) or similar remote display client, or in some cases a web browser, log in, and work inside the hosted desktop.
The virtual desktop looks just like a physical one, but the user's own device never joins the company's IT environment; only screen, keyboard, and mouse traffic cross the connection. That limits what malware residing on, or dropped onto, a user's PC can do to the company network, a definite plus for supporting work-from-home employees, contractors, partners, and other third parties. It does not remove endpoint risk entirely: a compromised endpoint can still capture keystrokes, screen contents, or the session itself, which is one more reason the login into the virtual desktop needs strong authentication.
That is, provided it can be done safely, which is where MFA comes in.
How does VDI pose risk to financial corporations?
Financial services organizations face constant risk on two fronts: cyberattacks and failed regulatory compliance audits. Due to the nature of the business, these institutions face some of the world's most stringent industry, state, and federal mandates for protecting customer data.
Some regulators require MFA for logging into any system that contains customer data. Some regulations require MFA only for Internet-facing applications, while others, including the New York Department of Financial Services (NYDFS) cybersecurity regulation, require MFA for all privileged users' desktops as well.
That requirement led one iconic financial services provider to evaluate MFA solutions that would secure workers using VDI. The team quickly concluded:
Traditional MFA doesn’t go far enough
MFA that keeps a password as the first factor does not offer sufficient protection against impersonation and is not phishing resistant: the password can still be harvested by a phishing page or a keylogger, and a one-time code or push approval can be relayed in real time by the same attacker. It is also less effective against ransomware, supply-chain attacks, and other breaches that begin with a stolen login. Removing the password entirely takes away the credential behind the roughly 80% of breaches that industry reports attribute to compromised credentials, credentials that threat actors acquire through phishing, social engineering, or the black market.
Industry experts broadly agree that passwordless is a must, but, as the mortgage provider discovered during due diligence, not all passwordless solutions can secure VDI without a significant redesign of the identity infrastructure.
Iconic provider first chooses Octopus to secure privileged admins
Like other modern MFA solutions, the Octopus passwordless authentication platform makes remote login more secure by removing passwords, and the human risk that comes with managing secrets, from the authentication process. Also like other approaches, it replaces the password on the front end with a secure authenticator app, mobile push notifications, and biometrics (face, voice, fingerprint).
The difference, and the reason Octopus can secure VDI environments where others struggle, is on the back end of authentication. There, Octopus replaces the password that Active Directory and other identity infrastructures expect to see with an ephemeral, machine-generated token. Decoupling the user-facing login workflow from back-end authentication makes it possible to extend passwordless login quickly to any application: Windows, Macs, legacy and custom apps that workers reach on-prem or in hosted cloud/SaaS environments, directly or through a VPN or VDI.
Octopus tokens enable passwordless down to the VM level
With other passwordless MFA and SSO solutions, users reach a VDI environment by first logging into an SSO portal. Competing solutions then rely on X.509 certificate-based authentication: a static certificate is issued to each user and bound to the identity of that user's virtual machine.
This approach runs into trouble in VDI, where the step after the SSO portal is to authenticate, still passwordlessly, into the VM itself. In a non-persistent pool a new virtual machine (VM) instance is cloned from the golden image every time a user logs in and destroyed again at logoff, so a certificate bound to a specific machine identity has nothing stable to bind to.
Octopus's approach goes beyond the SSO portal to cover login all the way down to the VM. Instead of relying on per-machine certificates, an Octopus agent is installed directly in the VDI master image, so it is present in every VM cloned from that image when someone initiates a login. Any user managed by Octopus and recognized in the directory can then authenticate to the VM instance.
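To make the distinction concrete, here is an added illustrative model in Python. It is not Secret Double Octopus code, and this page does not describe the product's actual protocol, so the broker, the agent, the token format and the sample data (users alice, bob and mallory, a golden image named win11-finance-golden) are all assumptions made for the example. It contrasts a static credential bound to a machine identity, which stops working as soon as a non-persistent pool clones a new VM, with a broker-minted, short-lived, single-use credential that an agent present in every clone forwards for verification.

```python
"""Illustrative model of two ways to bind a VDI login to an identity.
Added example, not Secret Double Octopus code: the page does not describe the
product's protocol, so Broker/agent_login below are a generic model of a
broker-minted, short-lived, single-use credential that an agent in the golden
image forwards for verification.  All names and data are constructed.
"""
import base64, hashlib, hmac, itertools, json, secrets, time

_vm_counter = itertools.count(1)


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def provision_vm(golden_image: dict) -> dict:
    """Clone a VM from the golden image. Non-persistent pools do this at every
    login, so the machine identity is new every session."""
    vm = dict(golden_image)
    vm["machine_id"] = f"vm-{next(_vm_counter):04d}"
    return vm


# Approach 1: a static credential bound to one machine identity.
def static_cert_login(cert: dict, vm: dict) -> bool:
    return cert["machine_id"] == vm["machine_id"]


# Approach 2: a broker mints a per-session credential; the agent in the image
# forwards it for verification and holds no secret of its own.
class Broker:
    """Identity-side service. The MAC key never leaves it, and redeemed nonces
    are tracked pool-wide so a credential cannot be replayed on a new clone."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.redeemed = set()

    def issue(self, user: str, ttl_s: int = 60, now=None) -> str:
        now = time.time() if now is None else now
        claims = {"sub": user, "nonce": secrets.token_hex(8), "exp": now + ttl_s}
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return b64(body) + "." + b64(tag)

    def verify_and_redeem(self, token: str, expected_user: str, now=None) -> bool:
        now = time.time() if now is None else now
        try:
            body_b64, tag_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except ValueError:  # malformed token or bad base64
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # integrity first, before any claim is parsed
        claims = json.loads(body)
        if claims["sub"] != expected_user or claims["exp"] < now:
            return False  # wrong user or expired
        if claims["nonce"] in self.redeemed:
            return False  # single use: replay refused
        self.redeemed.add(claims["nonce"])
        return True


def agent_login(broker: Broker, token: str, user: str, now=None) -> bool:
    """What the agent baked into every clone does: forward, do not decide."""
    return broker.verify_and_redeem(token, user, now)


def run_demo(now: float = 1_700_000_000.0) -> dict:
    """Runs both approaches across two consecutive non-persistent logins."""
    golden = {"image": "win11-finance-golden", "agent_installed": True}
    results = {}

    vm_day1 = provision_vm(golden)  # credential issued for day one's VM ...
    cert = {"sub": "alice", "machine_id": vm_day1["machine_id"]}
    results["static_cert_day1"] = static_cert_login(cert, vm_day1)
    vm_day2 = provision_vm(golden)  # ... is useless on day two's fresh clone
    results["static_cert_day2"] = static_cert_login(cert, vm_day2)

    broker = Broker()
    tok = broker.issue("alice", now=now)
    results["ephemeral_first_use"] = agent_login(broker, tok, "alice", now=now)
    results["ephemeral_replay"] = agent_login(broker, tok, "alice", now=now)
    results["ephemeral_wrong_user"] = agent_login(
        broker, broker.issue("alice", now=now), "bob", now=now)
    results["ephemeral_expired"] = agent_login(
        broker, broker.issue("alice", now=now), "alice", now=now + 120)

    # Forged subject reusing the original tag: the MAC check rejects it.
    body_b64, tag_b64 = tok.split(".")
    claims = json.loads(base64.urlsafe_b64decode(body_b64))
    claims["sub"] = "mallory"
    forged = b64(json.dumps(claims, sort_keys=True).encode()) + "." + tag_b64
    results["ephemeral_forged_subject"] = agent_login(broker, forged, "mallory", now=now)
    return results
```

Calling run_demo() returns a dictionary of accept/reject outcomes: the machine-bound credential is accepted on the first VM and rejected on the next clone, while the broker-minted credential is accepted once and then refused on replay, for the wrong user, after expiry, and when its subject is forged. The design point worth noting is that the agent in the golden image holds no secret and makes no decision of its own; integrity, expiry and single-use are enforced on the identity side, which is what allows the same image to be cloned freely without per-machine provisioning.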
Secret Double Octopus (SDO) agents can be installed in the master images used by different business groups, so all users get the same simple, secure login, including remote workers and contractors on a bring-your-own-device (BYOD) model.
Octopus delivers higher scale faster and with lower cost and risk
With static certificate-based approaches, the financial services company's IT team would have had to roll out a public key infrastructure (PKI) across the entire VDI estate, issuing and managing certificates for it, before a passwordless MFA agent could be installed in the virtual desktops. Octopus requires no change to the VDI environment or its ecosystem to achieve high-assurance authentication.
And where other solutions would require a separate license for each user's computer, one SDO license scales to support and secure hundreds or thousands of users as the passwordless MFA rollout progresses. For the firm in question, that meant one license to start with instead of 500 initially, and another four to six thousand over time.
Customer completes VDI POC in two days, moves to enterprise-wide production within a month
The financial services company put the Octopus approach to the test itself, completing a proof of concept (PoC) in two days. The PoC convinced the team that the SDO passwordless MFA solution would deliver the benefits needed and that the rollout would go quickly, with no fundamental changes to the infrastructure.
A team of Active Directory, security, and application experts worked together to complete the initial rollout of Octopus passwordless MFA to privileged IT admins within a month. Everything worked as expected out of the gate, without the team having to redesign applications or convert the directory infrastructure to PKI, a substantial saving of time and money versus the competing solutions evaluated.
What’s next?
The financial services provider plans to continue rolling out MFA to thousands of users to secure VDI and critical business applications enterprise-wide.