3 Tips for Better Virtual Desktop Infrastructure Security

Posted by Daniel Petrillo on August 12, 2020

The recent rise in remote working has upended the corporate IT landscape. In a matter of days, remote working went from a nice-to-have perk to a necessity for millions of companies globally as countries continue to battle the COVID-19 pandemic. To keep pace with changing business needs, organizations have embraced virtual desktop infrastructure (VDI), which can help keep distributed workforces safe, flexible, and connected.

VDI uptake is happening at a record-breaking pace. According to VMware, a leading provider of VDI services, revenue from new virtual desktop licenses in the quarter ending May 1, 2020, increased to $660 million from $646 million in 2019. This increased VDI uptake isn't likely to go away when the COVID-19 pandemic ends, either.

A recent Gartner report on CFO forward planning has shown that over 70 percent of companies will be permanently transitioning substantial numbers of their employees into full-time remote positions. With remote being the new direction of growth for so many organizations, VDI is fast becoming an essential navigational tool for companies seeking to maintain operational flexibility and mitigate cyber threats.

However, virtual environments are still subject to many of the same cybersecurity threats as physical ones. The security needs of a virtual environment differ from those of a physical one, though, which is why we’re providing three critical tips for improving the security of your virtual desktop infrastructure.

Turn Off Automatic Software Updates

Keeping systems updated is one of the core tenets of good cybersecurity. In fact, the slowness of deploying patches is a persistent problem in security; unpatched, un-updated software is a significant risk. While you should always keep virtual systems up to date in line with best practice, the way you do it needs to change.

If an application tries to automatically fetch an update when a non-persistent desktop is spun up, there’s a very real risk of causing an activity storm (often called a “boot storm”). An activity storm happens when multiple child desktops try to fetch the appropriate update simultaneously and overload the network with traffic trying to update their applications.

By using up system I/O, automatic updates that come from child desktops (often from antivirus programs) can drain the resources of your entire VDI system. For companies with thousands of virtual instances, a sequence of simultaneous updates can lead to network-disabling activity storms. Independently updating child desktops can also reduce the performance of your VDI network and create significant lag across the entire virtual desktop infrastructure.

Restricting I/O-intensive tasks, like automatic updates, at the management level can help keep your network running smoothly. Instead of letting child desktops update themselves, admins should run all application updates on the master image before child desktops are created. This proactive step ensures that all applications on child desktops are patched, and there is minimal chance of an activity storm.

Give Virtual Endpoints the Same Protection as Physical Endpoints

Companies sometimes look at desktop virtualization as the golden ticket for distributed network security. This is a dangerous attitude to have. Even though they come from a server, virtual desktops share many of the same endpoint security risks as their hardware-based counterparts.

From zero-day threats and ransomware to phishing attacks, many of the same endpoint risks apply to both virtual and physical desktop environments. Protecting against threats in a virtual environment is actually often more complicated due to the limited memory within each virtual desktop. The key to mitigating this increased endpoint risk is to integrate your physical and virtual desktop security processes.

Tie together your administrative procedures for both virtual and physical desktops by managing your security reporting with a standard interface. Also, keep your VDI users up to date on the endpoint threats they face by integrating VDI awareness into your security training for all likely users. Secure the access points to your VDI as well. As on physical desktops, insisting on two-factor authentication for user network access can go a long way in protecting your virtualized endpoints.

Pay Close Attention to the Impact of Your Virtual Desktop Protection Agents

While some proponents of VDI systems cite cost savings as a benefit of virtual desktops, this is not always the case. To be truly cost-effective, you need to roll out VDI at scale with as many child desktops as possible deployed on each server. Cost-efficient virtual desktop systems often have little room for the extra memory demand that traditional antivirus software, including many virtualization-friendly next-generation antivirus systems, places on servers.

The more network resources your security solution uses, the fewer desktops you can run, and the less cost-effective your VDI becomes. To balance safety, cost, and performance, the resource weight of your VDI security agent needs to be as light as possible. Even with endpoint detection and response tools, weight is still an issue due to the increased network activity that results from adding different agents. Using a lightweight, moving target security solution is key to getting this delicate balance right.


Virtual desktop infrastructure is not a new technology, but as it becomes increasingly ubiquitous, understanding and managing its position in the cyber threat landscape is critical. As companies integrate remote working into their long-term operational plans, VDI security needs to become a priority for IT teams. To that end, IT teams need to treat their virtual endpoints with the same caution as physical ones, keep automatic updates turned off, and use security agents that don't overwhelm their networks.