The Bring Your Own Device (BYOD) approach is highly embraced by organizations, connecting users to corporate networks to reduce costs or as an easy solution for remote workers.
The main beneficiaries of the trend are Virtual Desktop Infrastructure (VDI) such as Citrix, VMware and Microsoft, For many organizations and companies, Virtual Desktops provide an interesting option to connect their employees to their network. Administrators can deploy Virtual Desktop instance of client machines and make them available to their employees. These virtual desktops will have all the services and network configurations that their employees need to do their job, but convenience is not the only reason Virtual Desktops are so widely adopted.
Virtual Private Networks (VPN) Vs Virtual Desktop Infrastructure (VDI)
VPN’s are a great way for remote workforce to access a company network, benefiting companies who wish to reduce costs and monitor their network activity but they do not address a few major security concerns.
How do you prevent data leakage? How do you know the endpoint machine is updated and secured? How will I protect against Malware/Ransomware? If an IT issue like machine failure or lost occurred on the endpoint how will you troubleshoot it? How will you deal with backups?
Virtual Desktops solve these issues:
Data leakage – Data can not be saved into the endpoint, the machine and the VD are complete separated.
Updates and security patches – Local applications resources are not used (besides the VD client) giving IT complete control over application, centralizing updates and security patches.
Malware protection – The security measures implemented over the company network and machines remain in place to prevent an endpoint from being attacked.
Machine failure or lost – Virtual desktop are not affected by local hardware or software issues, if a machine is lost or malfunctioning the user only needs to add the VD agent to resume use of the VD on any machine.
Backups – Data is stored at the company servers, backups are assured according to the company policies.
Virtual Desktops bridge the security gap between local network security and the bring your own device (BYOD) approach, to summarize: Instead of using a VPN to enter a non-secured machine into the network, a virtualized environment allows the user access to company resources and applications, giving IT a way to reclaim workstation security, well as long as they know who access the Virtual Desktop Infrastructure (VDI).
The Importance of Identity Assurance in Virtual Desktops
The secured environment created by Virtual Desktops is only as effective as the level of assurance of the authentication process it uses.
If credentials are stolen or guessed you now have a hacker logged into your organization network, passing the DMZ and firewall straight into whichever privileges the breached user account may have.
Traditional security measures such as passwords are not sufficient to protect from today’s threats, Multi-Factor Authentication (MFA) is required to assure identities.
The main issue is that most companies use a single factor to protect their Virtual Desktop’s authentication.
“There is no doubt that over time, people are going to rely less and less on passwords,” adding that passwords “just don’t meet the challenge for anything you really want to secure.” Bill Gates, Microsoft founder
Second Authentication Factor to the Rescue
The need for additional authentication factor has been well establish and widely accepted among industry leaders, and Virtual Desktop vendors all support external authentication vendors, the issue with VD’s is that not all authentication factors fit the purpose of VD’s.
Talking to a few of our customers we found that there are three main concerns when choosing an authentication solution for Virtual Desktops:
Assurance – the importance of identity assurance is vital.
Employee Downtime – virtual desktop do not have an offline option, any authentication hiccup such as a forgotten password or lost Hardware tokens will lead to lost in productivity.
Total Cost of Ownership – as discussed above one of the reasons why VD are popular is cost, adding an authentication solution that has a high TCO might reduce the return of investment (ROI) making VD’s last lucrative to the organization.
Let’s review a few second-factor options for Virtual Desktops:
Hardware Tokens – Smart card and Universal 2nd Factor (U2F) are not an appropriate solution for remote or temporary workers, they initial cost is high and in case of lost or hardware failures the employee will be out of commission until he/she can get a replacement.
One Time Passwords (OTP) – besides the user experience issue of typing a new password each time, OTP device carry the same burdens of hardware tokens, software and hardware OTP’s are in addition to user password and username, memorized credentials when forgotten will lead to employee downtime.
Support BYOD with a BYOD Approach to Authentication
The answer to Virtual Desktop authentication comes from the same approach that made virtual desktops so popular at the first place, easy enrollment, high assurance supported by low TCO and maintenance; Push Notification Authentication.
Turning Virtual Desktop user’s mobile device into mobile authenticators allows an organization to enroll remote users easily, no additional devices (U2F, smart cards) reduce total cost of ownership and maintenance cost and mobile devices are maintained and secured by their operating system providers (Apple, Google).
Mobile devices are an Out of Band (OOB) authentication factor, they make credentials theft redundant even if user credentials are stolen the hacker will not be able to pass the mobile authenticator factor biometric capabilities not to mention that the actual mobile device is needed as well.
So now we solved two-thirds of the issues, high assurance: Checked, lower cost of ownership: Checked.
What remains is employee downtime, as long as passwords are still required the human element may and will lead to downtime.
Passwordless Push Notification Authentication – Best of breed
Removing passwords reduces password related costs and employee downtime while improving the user experience.
Secret Double Octopus has developed an authentication solution that harnesses push authentication and is passwordless, as far as the user is concerned, when they want to sign into their VD, they receive a push notification on their mobile device, a very convenient experience. But under the hood, several out-of-band authentication technologies are at work to prevent the man in the middle attacks or manipulation of the login process making it a perfect fit for Virtual Desktop users.