VDI Access Control in the Age of BYOD
By Don MacVittie
Virtual desktop infrastructure (VDI) is a powerful tool to manage operating expenses while minimizing software licenses and offering users access to their desktop from anywhere. Most organizations pursuing VDI to date have not done so to enable tablets and phones as clients to the desktop, and yet users immediately tried to access their applications or desktop via mobile devices. Often those devices are not IT-issued or even necessarily IT-approved.
Although such access can increase productivity, it also requires a secure external authentication, authorization, and accounting (AAA) presence for access to the desktop from outside of the corporate network. Users must be authenticated, and the proper place to authenticate them is at the edge, which keeps potential attackers from reaching the internal network to gather information for future attacks. Anything that keeps information out of the hands of ne'er-do-wells is good for the organization in general and the stability of the VDI architecture in particular.
This edge access must support a wide array of clients, and for the sake of security should include mobile-specific options such as routing users away from core servers if they suddenly attempt to log in from a location geographically removed from their normal one, or if the user has reported a device as lost or stolen. If the edge device can parse it, an incoming connection carries a wealth of information (particularly at layer four of the OSI stack) that can drive intelligent decisions about traffic and be used for VDI edge protection.
There are several methods of performing edge authentication for VDI access, though working within an overall enterprise architecture means that more issues than just the project at hand should be considered. For example, most organizations keep two vendors available for VDI solutions if for no other reason than contract negotiations. Mergers and acquisitions can leave an enterprise with two VDI solutions and four (or even more) virtualization solutions overall.
Although implementing access control separately for each of these solutions (and possibly others intended more for access to virtualized servers) is certainly an option, it creates a redundant architecture -- one that requires operational and maintenance man-hours in addition to licensing -- for the exact same job. Implementing a solution at the edge that can take advantage of an organization's AAA architecture in a virtualization vendor-agnostic manner is necessary for a robust solution with minimal overhead.
The optimal solution to keeping VDI deployments secure and available is to implement a form of authentication at the edge that can validate credentials against existing AAA services such as LDAP or Active Directory, and make decisions about what to do with the client. The decision about what to do with a connection can be more than just "allow/deny"; using the information a connection reveals about the client type adds another dimension to the authorization system. Being able to say "access to everything for user X from their laptop, access to Web apps only for user X from a tablet, and access to only job-specific apps for user X from a phone" offers increased granularity to the access mechanism and provides a measure of protection against a lost or stolen device. Should a user report a device missing, "access to nothing from mobile devices for user X" can be enabled; if the user stored passwords locally, the device would not be a gateway for attackers.
Setting controls on certain items can also be helpful -- requiring that anti-virus be up to date before access is granted, for example -- and can protect the network from inadvertent infection by well-meaning employees in a bring-your-own-device (BYOD) environment. As anti-virus and cross-platform infections catch up with the mobile wave, this will become increasingly important for the protection of the enterprise network. Even today, the infection of a single home PC logging into the network can cause weeks of headaches within an organization, though in such cases most organizations simply terminate access or redirect users to a remediation subnet to keep them away from production servers.
If the chosen implementation can support geolocation, then another information source is available to make certain that the user is valid. Determining where the user is located can lock out those masquerading as valid users. If user X lives in Cleveland and is logging in from Romania, clearly the connection needs to be quarantined at a minimum, and outright denied if user X is currently sitting at his desk, oblivious to the login attempt. Although geolocation is not a panacea, it is yet another tool that can be used to protect corporate resources.
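As an added example (not code from the article or from any vendor's product), the following Python sketch combines the edge decisions described in the preceding paragraphs: a per-device-class access ceiling, a lost-device and mobile-lockout list, an anti-virus posture check that diverts to a remediation tier, and a geolocation check that quarantines or denies. All names, the in-memory directory standing in for LDAP/AD, and the access tiers are assumptions made for illustration.

```python
# Added example: a minimal edge authorization policy for VDI access that
# combines identity, client device class, lost/stolen reports, endpoint
# anti-virus posture and geolocation. Structures and names are assumptions
# for illustration, not any vendor's API.
from dataclasses import dataclass, field

# Access tiers, from most to least permissive.
FULL, WEB_ONLY, JOB_APPS, QUARANTINE, DENY = (
    "full", "web_only", "job_apps", "quarantine", "deny")

# Per-device-class ceiling: everything from a laptop, Web apps from a
# tablet, job-specific apps from a phone.
DEVICE_CEILING = {"laptop": FULL, "tablet": WEB_ONLY, "phone": JOB_APPS}

@dataclass
class Session:
    user: str
    device_class: str     # "laptop", "tablet" or "phone"
    device_id: str
    av_current: bool      # endpoint reported up-to-date anti-virus
    geo_country: str      # country resolved from the client's source address

@dataclass
class Directory:
    # Constructed stand-in for the AAA back end (LDAP/AD) plus policy state.
    home_country: dict
    lost_devices: set = field(default_factory=set)
    mobile_locked: set = field(default_factory=set)  # mobile access revoked
    at_desk: set = field(default_factory=set)        # active on-site session

def authorize(s: Session, d: Directory) -> str:
    """Return the access tier the edge should grant this connection."""
    if s.device_id in d.lost_devices:
        return DENY
    if s.device_class != "laptop" and s.user in d.mobile_locked:
        return DENY
    ceiling = DEVICE_CEILING.get(s.device_class)
    if ceiling is None:
        return DENY                      # unknown client type: fail closed
    if s.geo_country != d.home_country.get(s.user):
        # Login from an unexpected country: deny outright if the user is
        # already at their desk, otherwise quarantine for review.
        return DENY if s.user in d.at_desk else QUARANTINE
    if not s.av_current:
        return QUARANTINE                # remediation subnet, not production
    return ceiling
```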
Most organizations perform a phased rollout of VDI to accommodate the most suitable pool of employees first and then widen the implementation over time. The solution used for access control must be able to scale along with the VDI deployment or the user experience will suffer while users wait at a login prompt. In fact, if the access control point can also perform optimizations on the network traffic, use it. Otherwise, an optimization tool will likely be required as people log on from networks with higher latency and less bandwidth than the corporate internal network offers. If user experience from outside the organization is painful, users will not utilize it, and the benefits of VDI, although not going away, will be diminished.
VDI deployments offer benefits beyond simply managing the software installed base and lowering operations costs. Given the correct architecture, employees will log in during the train ride home, from the beach, or in the middle of the night when they have an inspired idea. Building an architecture that offers maximum device flexibility and performance for authorized users while taking concrete steps to keep unauthorized users from gaining access is essential to success. Building an architecture that works beyond the bounds of one given VDI deployment to protect other VDI implementations -- and even other corporate applications -- brings value beyond a single project.
Don MacVittie is a technical marketing manager at F5 Networks, where he supports outbound marketing, education, and evangelism efforts around development, storage, and IT management topics related to F5 solutions. An industry veteran, MacVittie has extensive experience and expertise in programming, project management, IT management, and systems/network administration.
Prior to joining F5, MacVittie was a senior technology editor at Network Computing, where he conducted product research and evaluated storage and server systems, as well as development and outsourcing solutions. He has authored numerous articles on a variety of topics aimed at IT professionals. MacVittie holds a B.S. in Computer Science from Northern Michigan University, and an M.S. in Computer Science from Nova Southeastern University. You can contact the author at firstname.lastname@example.org.