Desktops in the Data Center: Establishing ground rules for VDI

Since the earliest days of computing, we’ve endeavored to provide users with efficient, secure access to the critical applications that power the business.

From those early mainframe applications accessed from hard-wired dumb terminals to today’s cloud-based application architectures, accessible to any user, from anywhere, on any device, we’ve watched the changing technology landscape deliver monumental gains in user flexibility and productivity. With today’s workforce increasingly remote, the delivery of secure remote access to corporate IT resources and applications is more important than ever.

Although the remote access VPN has been providing secure remote access for many years, the benefits of centrally administering and securing an individual desktop through Virtual Desktop Infrastructure (VDI) are driving rapid growth in adoption. With options that include hosting the virtual desktop directly in the data center as VDI or in the public cloud as Desktop-as-a-Service (DaaS), organizations can easily scale the environment to meet business demand in a rapidly changing world.

Allowing users to access a managed desktop instance from any personal laptop or mobile device, with direct access to their applications, provides cost efficiencies and great flexibility with lower bandwidth consumption… and it’s better, right? Well, not so fast!

Considering the Risks

While it addresses some of the key challenges of enabling a remote workforce, VDI introduces a whole new set of considerations for IT security. After all, we’ve spent years keeping users OUT of the data center… and now, with VDI, the user desktop itself resides on a virtual machine hosted directly in the data center or cloud, right inside the perimeter security that is there to protect the business’s most important asset. The data!

This raises some important questions about how we can secure these environments and address some of these new risks.

  • Who is connecting remotely to the virtual desktop?
  • Which applications are being accessed from the virtual desktops?
  • Can virtual desktops talk to each other?
  • What else can the virtual desktop access beyond traditional applications?
  • Can the virtual desktop in any way open a reverse tunnel or proxy out to the internet?
  • What is the security posture of the remote user device?
  • If the remote device is infected by malware or a virus, is there any possible way it could infect the virtual desktop?
  • If the virtual desktop itself is infected by malware or a virus, could an attacker infect or access other desktops, application servers, databases, etc.? Are you sure?

With VDI solutions today ranging from traditional on-premises solutions from Citrix and VMware to cloud-delivered services such as Windows Virtual Desktop from Azure and Amazon WorkSpaces from AWS, there are differing approaches to delivering a common foundation for secure authentication, endpoint and transport control. What’s missing, however, is the ability to address some of the key fundamentals of a Zero Trust approach to user and application security across the multiple environments and vendors that make up most IT landscapes today.

How can Cisco Secure Workload (Tetration) help?

Cisco Secure Workload (Tetration) provides zero trust segmentation for VDI endpoints AND applications. Built on a least-privilege access model, it enables the administrator to centrally define and enforce a dynamic segmentation policy on every single desktop instance and application workload. Requiring no infrastructure changes and supporting any data center or cloud environment, this allows for a more flexible, scalable approach to addressing critical security concerns, today!

Establishing Control for Virtual Desktops

With Secure Workload, administrators can enforce a dynamic allow-list policy that permits users to access a defined set of applications and resources while restricting all other connectivity. Virtual desktops are typically attached to a shared virtual network, leaving a wide-open attack surface for lateral movement or malware propagation, so this policy provides an immediate benefit by restricting desktop-to-desktop communication.

This flexible policy allows rules to be defined based on context, whether that identifies a particular desktop group/pool, application workloads or vulnerable machines, providing simplicity in administration and the flexibility to adapt to a changing environment without further modification.

  • Do your VDI instances really need to communicate with each other?

With a single policy rule, Secure Workload can enforce a desktop isolation policy that restricts communication between desktop instances without impacting critical services and application access. This simple action immediately blocks malware propagation and restricts visibility and lateral movement between desktops.

Figure 1: Deny policy for virtual desktop isolation

Figure 2: Lateral communication between desktops blocked (inbound and outbound)

  • Need to permit only a specific user group access to your highly sensitive HR application?

Secure Workload identifies the desktop instances and application workloads by context, continuously refreshing the allow-list policy rules that permit this communication as users sign in and out of their virtual desktops and as the application workloads evolve.

Figure 3: Context-based application access control

  • Need full visibility of which applications are being accessed, how and when?

Tetration not only enforces the allow-list policy to protect your assets, but also records flow data from every communication, providing continuous, near-real-time compliance monitoring of traffic to identify anomalous or even malicious behaviors.

  • Need to meet segmentation requirements for regulatory compliance?

Natural-language policy definition based on dynamic labels and annotations ensures traffic complies with regulatory policy constraints within a single, well-defined policy intent.

  • Need the ability to immediately quarantine vulnerable virtual desktops or application workloads to protect against exploitation?

Tetration natively detects vulnerable software packages and applies automated policy controls that remain in effect only until remediation.

All delivered from SaaS, this can be achieved without any noticeable change to existing infrastructure, with distributed enforcement at scale from virtual desktops to application workloads for end-to-end protection.
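To make the behaviours described above concrete (default deny, desktop isolation, context-based application access that follows the user session, quarantine that lifts at remediation, and a flow record for every decision), here is an added example of a minimal label-based allow-list policy engine. It is constructed illustration code written for this page; it is not Cisco Secure Workload’s policy language or API, and the workload names, labels, ports and rule ordering are all assumptions made for the demonstration.

```python
# Added illustration: a minimal label-based allow-list segmentation engine.
# Constructed example code, NOT Secure Workload's policy language or API; it
# only models the behaviour the post describes. All names/labels are assumed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Workload:
    """A desktop instance or application workload, identified by labels."""
    name: str
    labels: dict = field(default_factory=dict)


@dataclass
class Rule:
    """First-match rule: label selectors on source/destination plus optional ports."""
    action: str                        # "allow" or "deny"
    src: dict                          # label selector; {} matches any workload
    dst: dict
    ports: Optional[frozenset] = None  # None means any port
    note: str = ""


def selector_matches(selector: dict, labels: dict) -> bool:
    """Every key/value in the selector must be present on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())


class Policy:
    """Ordered rule list with an implicit default deny at the end."""

    def __init__(self, rules: list):
        self.rules = rules
        self.flow_log = []  # every decision is recorded, allowed or denied

    def evaluate(self, src: Workload, dst: Workload, port: int) -> str:
        verdict, reason = "deny", "default deny (no matching allow rule)"
        for rule in self.rules:
            if (selector_matches(rule.src, src.labels)
                    and selector_matches(rule.dst, dst.labels)
                    and (rule.ports is None or port in rule.ports)):
                verdict, reason = rule.action, rule.note
                break
        self.flow_log.append((src.name, dst.name, port, verdict, reason))
        return verdict


def build_policy() -> Policy:
    """Rules in priority order; earlier rules win."""
    return Policy([
        # Quarantine: a workload flagged vulnerable is cut off in both
        # directions until the label is removed at remediation time.
        Rule("deny", {"vulnerable": "true"}, {}, note="quarantine (source)"),
        Rule("deny", {}, {"vulnerable": "true"}, note="quarantine (destination)"),
        # Desktop isolation: no desktop-to-desktop traffic at all.
        Rule("deny", {"role": "vdi-desktop"}, {"role": "vdi-desktop"},
             note="desktop isolation"),
        # Context-based access: only desktops with an HR user signed in may
        # reach the HR portal, and only over HTTPS.
        Rule("allow", {"role": "vdi-desktop", "user_group": "hr"},
             {"app": "hr-portal"}, frozenset({443}), note="HR users to HR portal"),
        # Shared services every desktop needs.
        Rule("allow", {"role": "vdi-desktop"}, {"app": "dns"}, frozenset({53}),
             note="DNS for all desktops"),
    ])


def login(desktop: Workload, user_group: str) -> None:
    """Session context: the user's group is attached to the desktop at sign-in."""
    desktop.labels["user_group"] = user_group


def logout(desktop: Workload) -> None:
    """...and withdrawn at sign-out, so the contextual access goes with it."""
    desktop.labels.pop("user_group", None)


def run_scenario() -> dict:
    """Walk through the post's cases and return the verdicts for inspection."""
    policy = build_policy()
    desk_a = Workload("vdi-desk-01", {"role": "vdi-desktop", "pool": "finance"})
    desk_b = Workload("vdi-desk-02", {"role": "vdi-desktop", "pool": "finance"})
    hr_app = Workload("hr-portal-01", {"app": "hr-portal"})
    dns = Workload("dns-01", {"app": "dns"})

    login(desk_a, "hr")
    login(desk_b, "engineering")
    results = {
        "hr_user_to_hr_app": policy.evaluate(desk_a, hr_app, 443),
        "hr_user_to_hr_app_ssh": policy.evaluate(desk_a, hr_app, 22),
        "eng_user_to_hr_app": policy.evaluate(desk_b, hr_app, 443),
        "desktop_to_desktop": policy.evaluate(desk_a, desk_b, 445),
        "desktop_to_dns": policy.evaluate(desk_b, dns, 53),
    }
    hr_app.labels["vulnerable"] = "true"   # vulnerability detected: quarantine
    results["hr_app_quarantined"] = policy.evaluate(desk_a, hr_app, 443)
    del hr_app.labels["vulnerable"]        # remediated: quarantine lifts
    results["hr_app_remediated"] = policy.evaluate(desk_a, hr_app, 443)
    logout(desk_a)                         # session ends: access ends with it
    results["after_logout"] = policy.evaluate(desk_a, hr_app, 443)
    results["flow_records"] = len(policy.flow_log)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the ordering is that the deny rules (quarantine, desktop isolation) sit above every allow, so a later, broader allow can never reopen a path the isolation rule closed, and every evaluation lands in `flow_log` whether or not it was permitted, which is what gives the compliance review something to look at.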

Ready to get started? Learn more about Cisco Secure Workload
