What is Virtual Desktop Infrastructure (VDI)?
Virtual desktop infrastructure (VDI) is the hosting and management of desktop operating systems and applications as virtual machines on central servers, so that employees can reach the same desktop and the same services from the office, from home or from any other remote location.
In a VDI the user interacts with a desktop operating system that runs in the data center, not on their own endpoint device: the endpoint sends keyboard, mouse and other input over the network and receives the rendered screen in return. This lets users in many locations, on many kinds of device, run applications that execute on the central server as if they were installed locally. The endpoint may be another computer, a laptop, a tablet or even a mobile phone.
Virtual desktop infrastructures are most commonly based on the Windows operating system but VDIs can also be Linux-based.
Figure 1. What is Virtual Desktop Infrastructure (VDI)?
VDIs can be classified into two types based on persistence: Persistent VDI and Non-Persistent VDI.
In a Persistent VDI, the data and configuration of the virtual desktop remain intact after the user logs off. This gives the user a personalised desktop that they can customise to their own preferences, and the same desktop is handed back to them at their next logon.
In a Non-Persistent VDI, all data and settings are reverted to the original (golden) image once the user logs off. A user can still save data to a personal external storage device or to a network share, but not on the virtual desktop itself. Non-Persistent VDI costs less because it does not need storage for every individual user's data, and it has a security benefit as well: anything an attacker manages to drop on the desktop, malware included, is wiped at logoff.
Why is VDI Important?
Virtual desktop infrastructures have become increasingly popular and important. Since the outbreak of the COVID-19 pandemic, more and more companies have encouraged their employees to work remotely.
VDIs provide the tools that let employees work wherever they are: in the office, at home, or on a beach a hundred miles from the office. Virtual desktops improve productivity by giving employees access to company resources from any location.
What are the Benefits of VDI?
Virtual Desktop Infrastructures have many benefits that help an organization in various ways. Some of the most prominent advantages of having a VDI setup are as follows:
- Advanced Security: In a Virtual Desktop Infrastructure, data is kept on the central servers rather than on the individual endpoint devices. If an endpoint is stolen, corrupted or compromised, there is little of value to take from its local storage, which reduces the risk of losing confidential company data. Because every virtual desktop is controlled from the central data center, a stolen device's sessions can be terminated and its access revoked remotely. Two caveats apply in practice: the endpoint still runs a client and may cache credentials, so it must be treated as untrusted and paired with MFA and device posture checks; and data can still leave the session through clipboard, printer, drive and USB redirection unless those channels are disabled by policy.
- Better User Experience: The virtual desktop provides a uniform, standardised and familiar environment to users who are accustomed to their workplace computer. Whether the user opens the VDI on their computer, phone, tablet or any other compatible device, the interface stays the same. Central connectivity also gives users remote access to all the files, applications and services that they would otherwise only have on their office computer.
- Scalability: Cloud computing has made virtual desktop infrastructure even more accessible. If an organisation plans to expand its team or its operations, VDI can grow the desktop estate in minutes instead of the days or weeks that buying and building physical hardware would take. Consolidating the operating systems and data on the host servers also avoids a lot of endpoint hardware and networking purchases.
- Mobility: VDIs can be accessed remotely from anywhere in the world, so field workers can reach all the data and applications they need on their own devices.
- Cost Saving: Since processing happens on the central servers, the hardware requirements of the end-user devices are much lower. This reduces the cost of buying new, up-to-date computers for every member of staff who needs to run specific programs; any older computer, laptop or tablet that can run the VDI client will do.
- Centralised Management: A VDI's centralised servers let an organisation configure or update all of its virtual desktops from a single location. Administrators can apply security settings and policies to every desktop in the deployment at once. Managing the operating systems from a central server is cheaper and faster than managing individual laptops that each run their own local OS.
What are VDI Disadvantages?
Like any other technology, VDI has some drawbacks and challenges that the company needs to assess and evaluate before implementing a virtual desktop infrastructure. Some key challenges are:
- Poor training results in poor user experience: VDI requires proper training of its users. If VDI is rolled out without first educating the employees, confusion and inefficiency follow. Users now have two desktops (their local one and the virtual one) and may mistake one for the other or struggle to move between them. They may save files on the local PC instead of the virtual desktop, or search the local PC for files that are actually in the virtual desktop (or vice versa).
- Additional costs: VDI carries substantial additional costs, so any company planning to implement it should work through the financial aspects beforehand. VDI has cost benefits in the long term, but the initial outlay for data center hardware, specialised personnel, licensing and other setup costs can be significant. The operating system, applications, data and settings of every single user must also be stored and maintained in the central data center.
- Reliance on network connectivity: No network means no VDI. Users cannot reach their virtual desktops without an active connection, and a weak or high-latency link gives poor performance. For the best results, virtual desktops should be hosted close (in network terms) to the users who consume them, so a geographically dispersed workforce may see bandwidth and latency that vary with the user's location.
How does a VDI Work?
VDI provides a virtual workspace in which the user runs applications without installing or storing them on their own computer. It gives employees a controlled way to work remotely from wherever they are.
The first things a VDI needs are a hypervisor and virtualisation hosts. A hypervisor, also called a virtual machine monitor (VMM), is the software that creates and runs virtual machines (VMs). It partitions a physical server into many smaller virtual machines, which are then used to host the virtual desktops. Users access these desktops remotely from any of their devices, and all processing happens on the host server. The endpoint reaches its desktop through a connection broker, which is software that acts as a gateway between the user and the server.
VDI deployments come in many versions and models depending on the needs of the organisation, but some characteristics are common to all of them:
- Virtual desktops are installed, maintained and stored entirely on centralised servers.
- Each virtual desktop runs its own operating system, such as Windows or Linux, whose screen output is streamed to the user's device.
- VDI is host-based: the desktops run on hypervisor hosts in the central data center, and many users' desktops share the same physical host.
- End-user devices (PCs, tablets, laptops and so on) must stay connected to the central servers over a network (LAN, WAN or the internet) to keep using the virtual desktop.
- The connection broker is software that acts as a gateway between users and virtual resources. On an access request it finds a virtual desktop among the server's resources and links the user to it.
- A hypervisor. As mentioned before, it creates, runs and manages the virtual machines on the host that provide the individual desktop environments to the users.
Two software components therefore do the real work: the hypervisor and the connection broker. The hypervisor creates multiple desktop instances on the server hardware for use by individual end-user devices. The connection broker, as the name suggests, brokers each user device's connection to one of those instances. The broker also authenticates every user who requests access to the VDI and so acts as a security checkpoint.
How to Use VDI?
Using a virtual desktop is fairly simple. A user gains access to a VDI desktop through the following steps (Gateway and StoreFront are Citrix component names; other vendors use different names for the same roles):
- The user enters a username and password (and, where configured, an MFA token) at the Gateway URL or in the client application to start the connection.
- The Gateway, which is the entry point of the connection broker, forwards these credentials to the StoreFront, which validates them against the server-side directory of authorised users, normally Active Directory (AD).
- The Virtual Desktop Controller then looks up the user's entitlements in the centralised SQL database.
- The resources available to that user are returned to the StoreFront and displayed in the client on the user's device.
- The user selects the desired desktop or application from the pool of Windows or Linux resources and gets to work.
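The flow above, together with the persistent and non-persistent behaviour described earlier, as a small broker model. This is an added illustration and not code from any VDI product; the directory, the user records, the desktop pools and the salt are constructed for the example, and the group-to-pool entitlements are an assumption.

```python
"""Toy VDI connection broker: authenticate, enforce MFA and lockout, hand out a desktop.

Added illustration, not code from any VDI product. Directory, pools and salt are
constructed in-line; the entitlement mapping is an assumption for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

_SALT = b"constructed-salt"          # constructed; a real directory stores a per-user salt


def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


# Constructed "Active Directory": password hash, group membership, MFA requirement.
DIRECTORY = {
    "alice": {"hash": _hash("correct horse"), "groups": {"finance"}, "mfa": True},
    "bob":   {"hash": _hash("hunter2"),       "groups": {"callcenter"}, "mfa": True},
}
ENTITLEMENTS = {"finance": "finance", "callcenter": "callcenter"}   # AD group -> pool (assumed)
MAX_FAILURES = 3


@dataclass
class Desktop:
    name: str
    persistent: bool
    owner: Optional[str] = None
    state: dict = field(default_factory=dict)   # user data and settings on the desktop


# Finance gets persistent desktops; the call centre shares a non-persistent pool.
POOLS = {
    "finance":    [Desktop("fin-01", True), Desktop("fin-02", True)],
    "callcenter": [Desktop("cc-01", False), Desktop("cc-02", False)],
}


class Broker:
    def __init__(self):
        self.sessions = {}   # session token -> (user, Desktop)
        self.failures = {}   # user -> consecutive failed logons

    def authenticate(self, user, password, otp_ok):
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return None                                  # locked out
        rec = DIRECTORY.get(user)
        # Hash and compare even for unknown users so timing does not reveal valid names.
        expected = rec["hash"] if rec else _hash("")
        if not hmac.compare_digest(expected, _hash(password)) or rec is None:
            self.failures[user] = self.failures.get(user, 0) + 1
            return None
        if rec["mfa"] and not otp_ok:
            return None                                  # password alone is not enough
        self.failures.pop(user, None)
        return rec

    def connect(self, user, password, otp_ok=False):
        """Return (session token, desktop name) or None. Mirrors the logon steps above."""
        rec = self.authenticate(user, password, otp_ok)
        if rec is None:
            return None
        for pool in (ENTITLEMENTS[g] for g in rec["groups"] if g in ENTITLEMENTS):
            for d in POOLS[pool]:
                if d.owner in (None, user):              # persistent desktops stick to their owner
                    d.owner = user
                    token = secrets.token_hex(16)
                    self.sessions[token] = (user, d)
                    return token, d.name
        return None                                      # entitled but pool exhausted

    def logoff(self, token):
        _, d = self.sessions.pop(token)
        if not d.persistent:                             # revert to the golden image
            d.state.clear()
            d.owner = None

    def revoke(self, user):
        """Remote kill switch for a stolen device: end every session the user holds."""
        for tok in [t for t, (u, _) in self.sessions.items() if u == user]:
            self.logoff(tok)
        return len(self.sessions)
```

The two branches in `logoff` are the whole difference between persistent and non-persistent pools: one keeps the desktop's state and owner, the other discards both so the next user starts from a clean image.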
Who Uses VDI?
VDI has a diverse set of users. In general, any local or remote employee whose work is done on a desktop that can be hosted at a central site can benefit from VDI.
Some usual VDI use cases are as follows:
- Remote Workers: VDI lets employees and team members who are geographically apart use the same applications and resources.
- Regulatory Compliance: Many regulations demand strong internal controls over where confidential information is stored. Centralising storage and management with VDI reduces the risk of data leakage and theft from endpoints, though it does not remove the need for controls inside the data center.
- Third-party Access: When a company hires a contractor for a fixed period, it would otherwise have to provide a company-purchased system carrying the applications and data the contractor needs. VDI makes this much easier: the desktop can be provisioned and accessed on the contractor's own device, with the relevant data and applications delivered through the VDI, and withdrawn when the contract ends.
- Bring Your Own Device (BYOD): BYOD is a model in which an organisation does not provide company-owned equipment; employees and contractors bring their own devices. VDI suits this environment well, since it delivers the information and applications employees need to their own devices while keeping the data on centralised servers, which also improves security.
- Shift Workers: Non-persistent VDI is particularly useful for organisations such as call centres that have many employees with narrowly defined tasks who use the same software every day. These users need neither customised desktops nor locally saved data, so non-persistent desktops are ideal for them.
What are the VDI System Requirements?
There are many VDI products on the market with varying system requirements, but the basic requirements for any successful VDI implementation are listed below:
- A server rack in a local centralised data center.
- A virtualisation platform such as Hyper-V or VMware ESXi.
- A remote display protocol for connecting to the virtual OS. This protocol also handles device and printer redirection.
- A platform for managing the servers and provisioning virtual machines quickly and efficiently.
- A connection broker.
- An application virtualisation program.
- For a persistent VDI, profile and data redirection software so that users can customise their virtual environment and keep it after they log out.
- An end-user device that acts as the interface to the VDI.
What is VDI Used For?
VDI is used in almost every industry that relies on remote working and networks. Some industries that use VDI most commonly are:
- Call Centres: VDI lets call centres limit and monitor the information exposed to representatives. It also ensures that all the relevant tools and information are available to agents so that they can complete their tasks efficiently and without disruption.
- Healthcare: Doctors and medical professionals are often on the move and would rather treat patients than travel to a hospital workstation to log in. VDI lets them reach patient data from personal devices anytime and anywhere, including in emergencies, while the data itself stays in the data center rather than on the device.
- Manufacturing: Manufacturing often involves contracts with outsourced engineers, expert advisers, designers and builders. Through VDI, companies can offer virtual desktops to these third parties so they can work remotely and log in from their personal phones or laptops whenever required.
- Education: A VDI in a university makes it easy to give teachers and faculty access to institutional resources. Students do not need expensive computers or laptops either; even low-spec devices can reach the VDI's data and applications.
- Finance: Financial data is sensitive and confidential, and finance firms are frequent targets of cyber attacks, so they need a platform with bank-grade security. VDI lets the organisation apply controls such as multi-factor authentication and data encryption centrally. It also lets accounting and finance staff work remotely and efficiently wherever they are.
- Military: Organisations that must maintain the highest level of security, such as the military, are among the most prominent users of VDI. It gives them close control over user authentication and over the desktops themselves, which keeps unauthorised users out. VDI is used in these organisations to keep a high level of security over all confidential and sensitive data.
How is VDI Different?
The differences between VDI and some of the similar technologies are discussed below:
What are the Differences Between VDI and DaaS?
The main differences between VDI and Desktop as a Service (DaaS) are as follows:
- Cost: For VDI, the organisation must build servers or a data center to host and maintain the virtual desktops, which costs a lot up front. If the number of users stays consistent for the foreseeable future, most of the cost is that initial outlay and VDI can lead to long-term savings. DaaS has only small setup fees and a much lower deployment cost, but because it is billed per user, the running cost can exceed that of VDI in the long run. DaaS is therefore attractive for companies with temporary or fluctuating user numbers.
- Flexibility and Scalability: VDI configuration and deployment are tailored to the exact needs of an organisation. That configuration is comparatively rigid and hard to evolve, and VDI can slow the organisation down if its servers cannot keep up with a growing workforce. DaaS, with its per-user model, scales easily with an increasing workforce, although scaling it raises the subscription cost.
- Control and Management: With VDI, the organisation's IT department has complete control over the on-site servers, including daily maintenance, security and all software and hardware updates, which places a heavy workload on that department. DaaS removes the burden of maintaining and updating the servers, and the provider may offer data-protection features the organisation could not build itself, but the organisation has less direct control over the virtual desktops.
- Access to Resources: In VDI all resources live in the organisation's own data center, so no other tenant shares the hardware; the flip side is that when that data center is down, every desktop is unusable. DaaS is multi-tenant, meaning the provider hosts the desktops and data of multiple organisations on shared infrastructure, which adds some exposure to disruptions affecting other tenants. But because the provider runs multiple sites with backups, the risk of a complete outage is much lower.
What are the Differences Between VPN and VDI services?
The differences between VPN and VDI services are as follows:
- Hardware: A VPN depends on the user's hardware. All processing happens on the end-user device, so older hardware and outdated operating systems hurt performance. VDI has minimal hardware requirements on the endpoint: all processing is done on the servers that run the virtual desktop. It is common to use cheap or outdated devices, or thin clients, for VDI because they act only as front ends for the VDI servers.
- Data Storage and Security: A VPN protects data in transit but provides no control once the data is on the client machine, where it can be moved and copied wherever the user wants. Company files copied locally increase the risk of a breach of classified information. With VDI, applications and data remain on the virtual desktop running on the VDI servers.
- Performance: VDI sends only screen updates and input events over the link, so files and applications never have to traverse the user's connection and a modest link suffices, though a high-latency connection still makes the session feel sluggish. VPN performance depends entirely on the internet connection and the end-user hardware, and moving large files across a VPN is slow because every byte of the file crosses the link. (Both VDI sessions and VPN tunnels are encrypted, so encryption is not what sets them apart.)
- Management and Maintenance: VPN servers are easier to maintain, but managing the end-user devices behind a VPN is more complicated than managing VDI desktops, since any update or maintenance of a client device requires an active connection to that device. In VDI, the IT department maintains and updates the desktops centrally, can update many desktops at once, and has much broader control over the system.
- Cost: Maintaining a VDI is drastically more expensive than running a VPN. A VPN has minimal hardware requirements and the VPN gateway is a single, lightweight piece of infrastructure (or a hosted service), so there is no need for additional server hardware or maintenance staff. VDI adds a layer of cost for maintaining servers, purchasing hardware and hiring dedicated personnel for server maintenance.
What is the Difference Between VDI and Virtual Machines (VMs)?
A virtual machine (VM) is a software-defined computer that behaves like an independent physical machine with its own CPU, memory, storage and so on: a computer within a computer. For example, a Windows PC can run a VM that hosts a Linux OS independently. The VM is the core building block of VDI: each virtual desktop is a VM running on a server in the data center, and the VDI delivers that VM's desktop to the end-user device. VDI and VMs are therefore not alternatives; VDI is a way of using VMs.
What are the Differences Between VDI and RDS?
Remote Desktop Services (RDS) and Virtual Desktop Infrastructure (VDI) are both used to deliver remote access to desktops. The main differences between them are:
- Windows Limitation: RDS is a Microsoft product and runs only on Windows Server, so every user gets a Windows session (clients exist for many platforms, but the desktop itself is always Windows). VDI is not tied to a single OS and can deliver Windows, Linux or other desktops.
- Compliance and Security: With RDS, many users share sessions on a single server, which increases the impact of a security breach or data leak, and a single server outage affects every user on it. VDI is more resilient because each user is allocated a separate VM.
- Intensive Applications: VDI performs much better for demanding applications such as design and video editing software, and it is better suited to customised user experiences.
- Server: RDS desktops are sessions on a shared server that all users reach over the same network. VDI gives each user their own virtual machine, which adds a layer of isolation between users.
What are Security Risks in VDI?
Although VDI offers a different security posture from a fleet of physical desktops, a VDI environment is not risk-free. A VDI user is just as likely as a user on a physical desktop to click a malicious link in an email or on a website, and the same holds for malware downloads, phishing and other common attacks. Businesses should, and do, take precautions to secure virtual desktops: good system hygiene, including centralised patch distribution, robust configuration management and multi-factor authentication (MFA), should be in place.
A hijacked desktop session, unsecured equipment or a stolen password may readily expose an organisation to the following security risks:
- Network eavesdropping.
- Malware: VMs may be subject to malware if unauthorised programs are installed.
- Insider threats: internal actors may cause data loss.
- An incorrectly built image for key users will cause performance problems for those users.
- A misconfigured access control setting may elevate the privileges of a user, who may then install unauthorised software.
- VDI availability problems affect the whole company at once.
- If a single VM is compromised, the other VMs on the same virtual LAN become reachable from it and vulnerable to attack.
- Mistakes in the configuration of the standard image result in a less secure configuration being applied to every VM built from it.
- Insufficient security knowledge among users and VM administrators may undermine the hardening of the virtual machines.
Here are some major places that may have a weakness:
- Personnel: Employees, deliberately or through carelessness, may gain physical access to a server room and compromise a server directly, a vulnerability that is often neglected.
- Hypervisor: Attackers may use malware to compromise an operating system and then seize control of the hypervisor. This hard-to-detect attack, known as hyperjacking, gives the attacker access to everything on the host, from access rights to storage resources.
- Unpatched VMs: Patching, maintaining and securing virtual machines, each with its own operating system and configuration, takes time. Without automation, IT teams risk falling behind on enterprise-wide patch management and so increase the organisation's exposure.
- Network: All networks are subject to attack, but virtual networks add exposure because they share physical resources. If the shared host or virtual switch that carries several virtual networks is compromised, every virtual network on it is exposed at once.
What are the Best Practices in VDI security?
The following VDI security best practices help enterprises protect user identities, data and VDI access:
- Preparing for the worst: Endpoint devices that connect to the VDI will inevitably be compromised. With unsecured Wi-Fi, unhardened software and plain-text email everywhere, an attacker has a far easier target in the endpoint than in a protected corporate desktop, and should be assumed to already have a foothold on it. Even when a breach is found, determining how it happened and how far it spread can take time, so plan in advance how, depending on the size and complexity of the infrastructure, desktops and data will be recovered and restored.
- Managing user identities: Identity management follows the Zero Trust principle that users get access only to the resources their roles require and nothing else. Policies define user and group roles and monitor and govern each session individually. This keeps an attacker who has taken over one session from reaching sensitive data or moving laterally to the servers.
- Using a secure login method: Single Sign-On (SSO) lets one login reach all resources. It may look risky at first glance (if an attacker obtains the password, they get everything the user can reach), but the user has only one password to remember and is less likely to write it down. SSO is most useful when users must reach services outside their desktops, such as SaaS. SSO and multi-factor authentication are not alternatives: MFA adds a second factor to the login, and the strongest option is SSO with MFA enforced at the identity provider, so that one well-protected login covers every resource. IT should choose the combination that fits its users, taking into account user skill level, application needs, data sensitivity and system and network capabilities.
- Proactive incident response: It is a fallacy to believe that virtual desktops are immune to attack. Although they have fewer weaknesses than physical PCs, they remain exposed to keyloggers, malicious email links, Trojans and lateral movement. Even non-persistent desktops suffer antivirus boot storms (signature updates and scans that cause utilisation spikes), which is why VDI vendors recommend staggering updates or offloading scanning to the hypervisor rather than running a full agent in every desktop. The answer is a pragmatic incident response procedure that speeds up containment and recovery while minimising operational disruption: once an infected VM is identified, it must be isolated from the network, or shut down if necessary, with the goal of preserving and recovering user data.
- Application segmentation: Applications and workloads can be built so that they are isolated from other business-critical or sensitive applications in the VDI. Granular policies based on processes, resources or other assets are very effective at limiting exposure. Ring-fencing VDI segments stops attackers from moving laterally after a breach. Combined with identity management, this ensures that users reach only the services and parts of the application they need and do not leave their assigned environment.
- Continuous, automated management of endpoint security: IT teams must ensure that endpoint software and hardware always comply with the organisation's security rules. A secure VDI requires automated processes and checks for software installation and removal, patches and updates, anomaly detection and endpoint support.
- Comprehensive data protection: Modern attackers are more interested in stealing data and intellectual property than in causing damage by breaking into servers or networks. The IT team should exploit the stricter data management that VDI makes possible. Data should never leave the data center or central servers, whether on-premises or in the cloud; desktop data can be backed up and recovered using data center resources; and all data in transit should be encrypted.
- Full visibility: The security solution or VDI management platform should let administrators monitor the following in real time:
  - how processes are interacting;
  - whether each desktop or VM is updated and patched;
  - all the online nodes;
  - the processes and services running on each server and node;
  - every user who is logged in, with activity logging;
  - all the network flows being generated; and
  - which applications and services are in use, for what purpose, by which sessions.
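The identity, segmentation and visibility practices above only pay off if someone reviews the broker's logs. The following added example (not any vendor's tooling) runs a few such checks over constructed session log lines: a user holding concurrent sessions from two different source addresses, a logon outside business hours, a process launched from an untrusted path, and a desktop whose last patch is older than the allowed window. The field names (`event=`, `user=`, `src=`, `vm=`, `exe=`), the patch inventory, the business-hours window and the allowed executable paths are all assumptions for the example.

```python
"""Review constructed VDI broker logs for the conditions a VDI admin would want flagged.

Added example; not a product's own tooling. Log lines, patch inventory, business
hours and allowed paths are constructed assumptions for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log lines (key=value after an ISO-8601 timestamp).
LOG = """\
2024-03-04T08:02:11Z event=logon user=alice src=10.0.5.20 vm=fin-01
2024-03-04T08:05:40Z event=logon user=bob src=10.0.7.13 vm=cc-02
2024-03-04T08:06:02Z event=logon user=alice src=198.51.100.7 vm=fin-02
2024-03-04T08:09:55Z event=process user=bob vm=cc-02 exe=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe
2024-03-04T23:41:17Z event=logon user=carol src=10.0.5.44 vm=fin-03
2024-03-04T23:45:00Z event=logoff user=carol vm=fin-03
""".splitlines()

# Constructed inventory: last patch date per desktop, as a management platform would export it.
PATCH_INVENTORY = {"fin-01": "2024-02-28", "fin-02": "2024-01-03",
                   "cc-02": "2024-03-01", "fin-03": "2024-02-20"}
ALLOWED_EXE_PREFIXES = ("C:\\Program Files\\", "C:\\Windows\\")   # assumed allow-list
BUSINESS_HOURS = range(7, 20)          # 07:00 to 19:59 UTC, assumed for the example
MAX_PATCH_AGE_DAYS = 30
NOW = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)   # fixed "now" so the run is reproducible


def parse(line):
    """Turn one log line into a dict with an aware datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def review(lines=LOG, now=NOW):
    """Return (rule, subject, detail) tuples for every suspicious condition found."""
    alerts = []
    active = defaultdict(dict)   # user -> {vm: src} for sessions still open
    for e in map(parse, lines):
        kind, user = e["event"], e["user"]
        if kind == "logon":
            other_srcs = set(active[user].values())
            if other_srcs and e["src"] not in other_srcs:
                # Same identity, two source addresses at once: stolen credential or shared account.
                alerts.append(("concurrent-session", user,
                               f"{e['src']} while active from {sorted(other_srcs)}"))
            if e["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("off-hours-logon", user, e["ts"].isoformat()))
            active[user][e["vm"]] = e["src"]
        elif kind == "logoff":
            active[user].pop(e["vm"], None)
        elif kind == "process":
            # Executables outside the allow-list point at a user-writable drop location.
            if not e["exe"].startswith(ALLOWED_EXE_PREFIXES):
                alerts.append(("untrusted-exe", user, e["exe"]))
    # Patch-age check straight from the inventory, independent of session activity.
    for vm, last in PATCH_INVENTORY.items():
        age = (now - datetime.fromisoformat(last).replace(tzinfo=timezone.utc)).days
        if age > MAX_PATCH_AGE_DAYS:
            alerts.append(("stale-patch", vm, f"{age} days since last patch"))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in review():
        print(f"{rule:20} {subject:8} {detail}")
```

The concurrent-session rule deliberately keys on the source address rather than on the number of sessions: a user with two desktops from one workstation is normal, while the same account arriving from a second address while the first session is still open is the classic sign of a stolen credential, which is exactly the case a remote revocation (as in the broker's kill switch) should respond to.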