VDI and BYOD: Enterprise mobile security solution or security faux pas?

Employees want to use their own mobile devices at work. Enterprises need to ensure the safety of their corporate data. Can VDI solve BYOD security issues? Expert Michael Cobb discusses why VDI may not hold all the answers.

Employees today want to access corporate networks, applications and information at any time, from anywhere, with any device. While this sort of ubiquitous access can be beneficial for the modern workplace, keeping information safe and maintaining enterprise mobile security in such a borderless environment isn't easy.

The biggest risk with this sort of environment is enterprise data being stored on a wide assortment of employees' personal devices. One mobile security solution gaining popularity to solve this and other bring your own device (BYOD)-related headaches is desktop virtualization, as administrators can deliver desktops and corporate-approved applications straight from a central server to a broad range of devices. However, desktop virtualization may not hold all the answers.

In this tip, I will discuss why a virtual desktop infrastructure (VDI) may or may not be an effective security control for BYOD, focusing on how the technology works, the pros and cons of using it, and how it serves to support an enterprise's broader set of technology and policies to secure BYOD.

Top VDI benefits for enterprise mobile security

VDI is sometimes referred to as hosted virtual desktop, desktop as a service, or server-based computing. It makes the type or model of client device largely irrelevant, which can help simplify device management in a BYOD environment. Corporate resources are not stored on the device but instead remain on the premises or in the cloud, effectively removing the operating system and its data from the end user's control. Administrators can centrally manage user sessions to enforce access policy, while all users need is a client on their device to open the connection to the VDI server, which sends them secure, compliant apps and the data they need to work.

VDI and BYOD: Potential drawbacks

Having no enterprise data floating around on users' devices greatly reduces the threat of lost or stolen devices, but unless a device truly has zero storage space, there is always the risk a user will find a way to load corporate data onto the device. Occasionally, there are legitimate reasons why employees will need to download corporate data onto their own devices to work offline instead of having to fire up an online virtual machine (VM) session.

This brings up another problem: user frustration when having to access everything over a VM session. Virtualizing a Windows session on an Android or iOS smartphone or tablet doesn't replicate the native experience, particularly when working with mouse- and keyboard-based desktop software on a small touch-screen device. In-house Windows desktop software may well have to be ported to touch-friendly Windows 8 so that it can be served up in a virtualized environment to smartphone and tablet users. Even then, it's often not practical for heavy-duty productivity.

While VDI is useful for on-demand access to record-level data such as a customer's order information, apps that are not user-friendly can lead to employees circumventing policies to work the way they want to, opening up security holes elsewhere. Auditors will want to see proof that security policies are being enforced for users accessing data via a virtualization session. Even though VDI is secure, users' devices aren't, and it's possible for infected phones to expose user login credentials for VDI sessions, leading to a wider compromise.

VDI products and services also have a number of infrastructure costs and come with a bewildering variety of licensing options. On top of that, not all devices will meet the requirements needed to run virtual desktops.

BYOD security, virtualization alternatives for enterprise mobile security

While using VDI can free administrators from the burden of supporting multiple BYOD hardware devices and reduce the risk of lost or stolen data, it's important to note that the technology is not a one-stop solution for solving enterprise mobile security challenges.

VDI still forces administrators to heavily rely on acceptable usage agreements, mobile antimalware and some form of mobile application management (MAM) product. Many MAM technologies offer a granular approach at the app and data level, as well as user efficiency and convenience that many virtualization products today just cannot match.

However, VDI isn't something to completely take off an enterprise's security strategy radar. As an additional layer of defense it can be a worthwhile option for certain users and scenarios, especially when IT departments are struggling to cope with BYOD and other security duties. Administrators can install applications, patches and drivers all at once, and every user relying on that image will benefit from the update. Additionally, any software problems that arise can generally be resolved from within the data center, which is great for employees who are out on the road or working from home.

Yet, it's also important to note that VDI requires a big upfront investment in server hardware and possibly in storage, redundant servers and network infrastructure as well. Administrators will also need to learn the VDI software's capabilities and limitations. While using this virtual desktop infrastructure, admins can deliver a desktop to most of the various personal devices that employees choose to use. This provides users with both a sense of freedom and control while administrators are able to put an all-important layer of security around enterprise data.

About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. His website offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices. He co-authored the book IIS Security and has written many technical articles for leading IT publications. Mike has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS).

This was last published in September 2014
