This is a guest blog post by Sharon Besser, VP of Business Development, Guardicore

The growth of virtual desktop infrastructure (VDI), whether deployed on prem or in the cloud, continues across verticals from finance and healthcare to education and government.

According to the 2019 VDI like a Pro State of the Union Report, “Remote application and desktop as a service provided by a service provider using Citrix [and other] solutions are being considered by 23.36 percent of participants, which is an increase of 7.36 percent compared to 2018. Citrix Cloud will be introduced or is being used by 15.99 percent.”

The Cost/Benefit Equation of VDI

With VDI, the benefits are huge. Companies get centralized management and backups, seamless end-user support, improved endpoint compliance, and remote access across geographies, which enhances collaboration capabilities. They also see a measurable financial impact on their bottom line thanks to a reduction in the overall spend on software licenses and individual workstations and PCs.

In traditional data centers, servers can be monitored, managed, and isolated when necessary. When used for VDI, servers that host end-user apps and virtual desktops are installed in proximity and, sometimes, on the same infrastructure as critical apps that require higher levels of security.

When end users and critical servers share the same infrastructure, security must be carefully managed. Most virtual desktops are shared among many users and sit close to critical assets, so their traffic never crosses the security controls, such as traditional firewalls, installed at the data center’s entrance. And because most end-user app traffic is SSL or TLS encrypted, traffic inspection is complicated (not to mention the privacy requirements that limit it).

Humans are typically the weakest link in this digital chain, and it only takes one compromised VDI machine to give attackers an entry point. From there, they can move within the data center network, targeting any server, including critical assets or sensitive data.

A Strong Security Solution Leverages User Identity Access Management

In a VDI environment, your security solution should ensure that employees, partners, and remote users — in other words, all your users — can access only what they need and no more. It should establish the right level of access when the user makes the initial connection. However, relying only on initial authentication is a recipe for disaster. Going beyond initial authentication aligns with the principle of least privilege, a zero-trust model mandate. For this to work without gaps, policy control must be enforced even when multiple users are connected to the same system concurrently.

Organizations also need real-time visibility into these connections and active sessions that show what users are doing, which processes are running, how and where those processes are communicating, which flows are being generated, and which applications are being used. In case of a breach, your IT team needs accurate insights into the source of the problem and any lateral movement attempts from the VDI environment to the network at large, without needing additional physical or virtual taps.

Introducing Application Segmentation

When implemented along with strong micro-segmentation, user identity access management is taken to the next level. The smartest micro-segmentation technology can apply a policy at the virtual machine, application, and even the process level. This ensures that applications and users in the VDI environment are isolated from business-critical systems and that your infrastructure is protected from any attempts at lateral movement. Not only is each user limited to the applications they can access, they are also unable to move outside the relevant environments.

By adding another layer of defense that can be deployed on any infrastructure that is decoupled from networking and location constraints, you can dramatically reduce the risks to your VDI environment, demonstrate compliance, and enhance governance.

Guardicore Centra: An Overview

Guardicore Centra uses the overlay approach to enforce network and application security policies. There’s no need to change any topology or mandate downtime. It uses a lightweight agent installed on a VM or integrated into the VDI’s golden image to provide protection as soon as a new virtual desktop is spun up.

Centra creates policy rules based on the identity of the user who is logged in. Identities are pulled from the organizational Active Directory, and the policies are seamlessly created and take effect in real time, enabling control of new and active sessions. This provides a layer of protection before a user can even log in to an application. Security admins can also define policy action based on a process, label, or other asset information.
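The two points above (enforcement that holds when several users share one virtual desktop host, and rules keyed on user identity plus process rather than on addresses) can be illustrated with a small policy check. This is an added example, not Guardicore Centra's code or API; the directory groups, asset labels, host address and rule format are all constructed for the illustration.

```python
# Added illustration (not Guardicore Centra's code or API): an identity- and
# process-aware policy check for connections leaving a shared VDI host,
# contrasted with a source-IP firewall that cannot tell concurrent users apart.
from dataclasses import dataclass

VDI_HOST_IP = "10.0.1.50"  # constructed: one host, many concurrent sessions

# Constructed stand-in for Active Directory group membership (user -> groups).
AD_GROUPS = {
    "alice": {"finance-analysts"},
    "bob": {"contractors"},
}

# Constructed asset labels for destination servers (ip -> label).
ASSET_LABELS = {
    "10.0.5.20": "finance-db",
    "10.0.9.10": "intranet-web",
}

# Constructed rules: (required AD group, process, destination label, port).
# Anything not matched by a rule is denied (default-deny, least privilege).
RULES = [
    ("finance-analysts", "excel.exe", "finance-db", 1433),
    ("finance-analysts", "chrome.exe", "intranet-web", 443),
    ("contractors", "chrome.exe", "intranet-web", 443),
]


@dataclass(frozen=True)
class Flow:
    src_ip: str    # the shared VDI host; identical for every user on it
    user: str      # identity of the session that owns the process
    process: str   # executable that opened the connection
    dst_ip: str
    dst_port: int


def ip_firewall_decision(flow: Flow) -> str:
    """Perimeter-style rule: trusts the whole VDI host by its address."""
    return "allow" if flow.src_ip == VDI_HOST_IP else "deny"


def identity_policy_decision(flow: Flow) -> str:
    """Allow only if a rule matches the user's group, process, asset and port."""
    label = ASSET_LABELS.get(flow.dst_ip)
    groups = AD_GROUPS.get(flow.user, set())
    for group, proc, dst_label, port in RULES:
        if group in groups and proc == flow.process and label == dst_label and port == flow.dst_port:
            return "allow"
    return "deny"
```

Running both checks over flows from two users on the same host shows the difference: the address-based rule allows everything from the host, while the identity rule lets only the finance analyst's spreadsheet reach the finance database and denies the same connection from a contractor or from an unexpected process.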

Example of an identity log showing the granularity and level of detailed logging Guardicore provides.

Citrix and Guardicore Centra

In a VDI environment, Guardicore Centra provides micro-segmentation, breach detection and advanced monitoring, as well as visibility. It integrates with Citrix Virtual Apps and Desktops and Active Directory to help reduce the attack surface wherever the user is by restricting access from your VDI environment to unnecessary apps and blocking unauthorized access based on user identity.

Guardicore Centra has been validated with the latest versions of Citrix Virtual Apps and Desktops. Learn about Guardicore Centra in the Citrix Ready Marketplace to find compatible versions.