Virtualization of servers has long been a proven blessing for organizations, allowing them to deploy operating systems in rapid order and to recover these virtual systems from damage or failure using snapshots to easily restore critical applications and services.
Desktop virtualization and desktop as a service (DaaS) offer many advantages to end users as well, allowing faster delivery of resources to the user and less IT overhead involved with manual installations and rebuilds of operating systems. Virtual desktops provide a standard interface and set of applications or tools which can be easily protected against threats. However, they do require some work, at least in the initial deployment of this environment.
I spoke with Vadim Vladimirskiy, CEO of Azure cloud provider Nerdio, to learn more about its unique approach to risk management via virtual desktops, which allows the company to bypass many of the tedious manual steps involved with building and managing virtual desktops.
Vadim Vladimirskiy: There are many areas of potential cybersecurity vulnerabilities, but some are more common and likely than others. We’ll take a look at four of these common areas at a high level and explore how virtual desktops hosted in the cloud make it easier to reduce or eliminate these vulnerabilities.
Today, no cybersecurity discussion can overlook phishing attacks or other means of tricking the user into giving away their password that’s used for all types of internet-accessible cloud services containing company data. Multi-factor authentication (MFA) is the obvious first line of defense against phishing attacks, and even though it’s not perfect, it does protect the organization from the majority of attacks. MFA can be easily enabled for cloud services like Office 365, but making sure the user’s device is also MFA protected is not as simple. As a result, almost no physical laptops or desktops are protected with MFA. Virtual desktops allow the MFA technology used to protect Office 365 to also protect the user’s desktop environment. It makes it easy to implement and easy for the user to comply with basic security requirements.
Secondly, users’ local devices, like laptops and desktops, are rarely encrypted and almost always contain company data that cannot be exposed or lost. Unfortunately, because of tools like OneDrive and Dropbox many user devices store such data. If the device gets lost or stolen and it contains sensitive or private information, it can create a significant exposure for the organization whose data is exposed. Desktop virtualization allows the physical devices to become nothing more than internet-connected screens that log into a cloud-hosted desktop over the internet. This ensures that no data is stored on the local device, and if it was ever lost or stolen, no data breach would occur.
When it comes to security, complexity can be the enemy. The more complex an environment is, the more challenging it is to protect. There are no ways to get in and out. Different types of applications and data are stored in different ways. It’s a mess. Desktop virtualization offers the opportunity for the organization to standardize and centralize all of its data and application in a well-controlled “perimeter.” This virtual “perimeter” is easier to protect because there are well-known and a finite number of ways of getting to the data and applications. Reducing complexity makes security easier to implement and maintain.
Finally, protecting data from loss is a basic function of any IT system. Unfortunately, with decentralized computing, where each user is generating and modifying data on local devices, protecting this data from loss or corruption becomes nearly impossible. Virtual desktops help in this regard, too. Centralizing all data in a single cloud environment and allowing access to it via a virtual desktop makes it relatively easy to back up and secure all of the company’s data.
Scott Matteson: How quickly and easily can virtual desktops be provisioned in your environment?
Vadim Vladimirskiy: With Windows Virtual Desktop, a complete virtual desktop environment can be provisioned with 60 seconds of user input and two to four hours of run time. Once the virtual desktop environment is provisioned, applications can be installed, user accounts imported, and users can start testing and using the system the same day. It is nowhere near as complex as it used to be with legacy, on-premises virtual desktop technologies that took months to deploy.
Scott Matteson: Can you provide a summary of the process?
Vadim Vladimirskiy: We use automation to roll this out which allows us to skip having to manually implement these steps:
Learn Windows Virtual Desktop (WVD) architecture and commands using Microsoft’s documentation
Manually create a complete Azure environment with a network, Active Directory (AD) domain controller, and file server
Configure ADSync synchronization between AD domain controller and Azure AD
Register WVD app in Azure AD
Create WVD host pool and application group
Deploy a Windows VM from Azure library and install WVD agent
Assign Azure AD users to newly created application group
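The manual steps listed above, scripted as an added example using Microsoft's Az.DesktopVirtualization PowerShell cmdlets; this is not Nerdio's tooling or code from the article, and the resource group, region, resource names and user UPN are placeholders. It assumes the Azure network, AD domain controller and file server from the earlier steps already exist.

```powershell
# Added example: create a WVD host pool, a desktop application group and a
# least-privilege user assignment with the Az.DesktopVirtualization module.
# All names below are placeholders; adjust them for your own tenant.
Import-Module Az.DesktopVirtualization
Connect-AzAccount

$rg       = 'rg-wvd-example'      # assumed resource group (already exists)
$location = 'eastus'              # assumed region
$poolName = 'hp-pooled-example'
$agName   = "$poolName-dag"
$wsName   = 'ws-wvd-example'
$userUpn  = 'user@example.com'    # placeholder Azure AD user

# Pooled, non-persistent host pool with a per-host session cap
$pool = New-AzWvdHostPool -ResourceGroupName $rg -Name $poolName -Location $location `
    -HostPoolType Pooled -LoadBalancerType BreadthFirst -PreferredAppGroupType Desktop `
    -MaxSessionLimit 10

# Short-lived registration token; the WVD agent on each session host VM
# consumes it to join the pool, so keep its lifetime to what deployment needs
$token = New-AzWvdRegistrationInfo -ResourceGroupName $rg -HostPoolName $poolName `
    -ExpirationTime (Get-Date).AddHours(4).ToUniversalTime().ToString('o')

# Desktop application group bound to the pool
$ag = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name $agName -Location $location `
    -HostPoolArmPath $pool.Id -ApplicationGroupType Desktop

# Workspace that publishes the application group to users' feeds
New-AzWvdWorkspace -ResourceGroupName $rg -Name $wsName -Location $location `
    -ApplicationGroupReference $ag.Id

# Least privilege: grant only the WVD user role, scoped to this application group
New-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName 'Desktop Virtualization User' `
    -ResourceName $agName -ResourceGroupName $rg `
    -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'

# The token value ($token.Token) is what the session host's WVD agent needs;
# treat it as a secret and do not write it to logs
```

Conditional Access policies that require MFA for the Windows Virtual Desktop cloud app are configured separately in Azure AD, which is what lets the Office 365 MFA setup also gate the virtual desktop logon.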
Scott Matteson: How simple is it to wipe out or replace a compromised or failed virtual desktop?
Vadim Vladimirskiy: In our environment, model desktop VMs (session hosts) are non-persistent and are scaled in (destroyed) and scaled out (created) every day. They are all based on a single, pristine golden image template that is configured by the administrator. Destroying or updating a session host with Nerdio is a single click of a button.
Scott Matteson: Can snapshots be used to create “point in time” backups of virtual desktops?
Vadim Vladimirskiy: Each desktop VM (session host) is non-persistent. However, the template that it is based on (image) and the user data (FSLogix profile) that’s stored on the file server are persistent. Azure backup can be automatically enabled to back up the image and the user data. You can restore the image VM to a point-in-time.
Scott Matteson: Is it possible for users to engage in self-service operations (provisioning, restoring snapshots)?
Vadim Vladimirskiy: Yes. Users with “personal” (dedicated VM) desktops can power on and off their own desktop VM. Users can use automatically enabled VSS (volume shadow copy) snapshots (i.e., previous versions) to restore prior versions of their own data files. When using “pooled” (shared VM) desktops, the host pool scales out automatically based on user demand (as more users log in, more VM instances get added) and scales back in after work hours when users have logged off the system.
Scott Matteson: Are standard “gold images” used from which standard types of virtual desktops can be built?
Vadim Vladimirskiy: Yes. There is a master golden image, and there is a template VM associated with each desktop pool. All session hosts in a desktop pool can be automatically refreshed to the latest version of the template VM image with a few buttons.
Scott Matteson: How are these gold images maintained?
Vadim Vladimirskiy: We integrate host pools with Azure’s native VM Scale Sets, and that takes care of all the orchestration to add and remove VM instances to and from the host pool. This enables true, event-based auto-scaling for host pools and results in 75% savings in compute and storage costs. Integration of host pools with Azure VM Scale Sets enables fully automated host management and eliminates configuration drift over time.