Let’s Talk Virtual Desktop Security


Product Marketing Manager

You’ve heard the term DaaS, or Desktop-as-a-Service, before but perhaps didn’t buy into it. Since the release of Microsoft’s virtualized desktop service, however, it has grown into a serious discussion for many businesses. You may be starting to understand the benefits businesses can achieve by virtualizing their desktop machines and moving them to the cloud: a central point of management, a significant reduction in IT hardware costs for workstations, and high-performing desktops delivered to users from any device. DaaS also eases the IT management burden and the total cost of ownership (TCO), from servers, storage, and network connectivity to desktop applications.

However, one of the major topics of concern regarding DaaS is security. Since customers’ corporate infrastructure is moved from on-premises into the cloud, there is a tendency to worry about losing control of private data. Let’s demystify these security concerns so that you can rest assured your customers are safe and protected.

In-House IT vs. DaaS Service Provider IT

While a business may have trusted and reliable in-house IT staff for its local infrastructure, that doesn’t compare to the far greater security resources of a cloud service provider. With a DaaS service provider, businesses can leverage that expertise to improve their security policies and compliance. Security is not a one-time ‘set it and forget it’ process; it requires constant attention, with frequent software updates at every entry point to the network. All it takes is one exposed area, such as a security patch not installed on a device, to let hackers in. Businesses tend to forget this when things are going well, so making sure there are resources permanently dedicated to this work is a must. Allowing the DaaS provider to take it over lets in-house IT focus on company strategy and forward thinking.

Remote Working

With the onset of the pandemic, remote working has risen and become a significant challenge for IT departments to secure and manage. Users need to access corporate and confidential information from outside the corporate network, from any remote location, which can be complex. Local routers, firewalls, or environmental factors can prevent a remote user’s PC from connecting to services at headquarters. It becomes a balance of flexibility vs. security: the easier it is for users to connect to the corporate network, the more a business exposes itself to threats.

A virtual private network (VPN) connection has been the typical way to address this need; however, it is not the best answer! While a user is connected to the VPN, any threat that reaches the user’s PC can travel through the connection and infect the entire corporate network, spreading viruses, malware, ransomware, and so on. If a user checks their personal email, for example, and downloads a file that unknowingly contains ransomware, it can now travel to headquarters. Anti-malware and anti-virus protection on each user’s PC helps, but it is not perfect and becomes a burden for IT to manage. Furthermore, the requirement to maintain VPN servers and software updates, plus the huge cost of intrusion detection and prevention (IDS/IPS) services, becomes problematic: the cost can be overlooked, creating another hole in the security posture of the business.

DaaS platforms take care of all this without requiring VPNs or relying on user PC malware protection, and they allow users the flexibility to connect to the corporate network over any internet connection, from anywhere.

User Credential Protection

While it is true that businesses are more exposed to hackers when out in the cloud, they are at less risk of credential-based attacks when using a decent DaaS platform than with in-house infrastructure. DaaS services typically have one secured entry point for access to all of a business’ tools and applications, with single sign-on (SSO) from a web portal, whereas on-premises infrastructures have many, giving hackers many possibly unsecured areas of a network in which to attempt to steal user credentials. A DaaS platform should have at least two-factor authentication, but one with multi-factor authentication (MFA) is best, as it makes it impossible for hackers to steal credentials.

BYOD

DaaS enables users to access all their tools and apps from any device, anywhere, using any internet connection, which is one of its major benefits. Security is handled on the user’s connection to their DaaS account, not on the hardware they are using. This isolation also prevents users from copying and pasting, downloading, or dragging and dropping between their virtual desktop and the local machine. In other words, what happens in the cloud stays in the cloud. And if a user loses their device, there is no risk, since no data is stored on the device and the user’s account can be remotely disabled, immediately.

Malware, Ransomware & Viruses

We hear about these threats every day, and they are growing in scale too. In fact, check out this report of the world’s largest ransomware attack, which includes businesses in the USA. Hackers are taking advantage of infrastructure that is not properly protected and has out-of-date security policies and procedures. They are skilled at getting into networks via exposed servers with weak credentials and via end-user activity.

All it takes is a user opening an email and unknowingly downloading a malicious file for a hacker to begin developing a ransomware attack. This can also happen in a DaaS environment that isn’t properly secured. In fact, in a recent event, one title company in Grand Rapids, Michigan, which will remain nameless for confidentiality reasons, was one of many in the area hit with ransomware, locked out of all their DaaS user accounts and crippled for days. On a positive note, Star2Star ended up saving this business by migrating them over to our Connected Workspace DaaS platform. This is why checking the built-in protocols for mitigating risk is critical when choosing a DaaS platform; you need to know the work-arounds and restoration procedures in the unfortunate event of a successful attack.


Connected Workspace by Star2Star, A Sangoma Company

Connected Workspace is a DaaS service by Star2Star, A Sangoma Company. The service is bundled with voice and video collaboration tools, giving businesses the complete ‘office’ experience, wherever they are, from any device.

Security protection is a key aspect of Connected Workspace, from multi-factor authentication (MFA) for our SSO web portal, to our fully dedicated platform engineers taking care of migration, monitoring, and maintaining of your customer’s service.

To help mitigate the risk of malware, such as ransomware and viruses, all files opened on each user’s virtual desktop are scanned, and virus definitions are checked every two hours and automatically applied when an update is available. Email threat protection is also applied to all Star2Star Managed Office 365 accounts. We have proprietary policies, procedures, and processes in place that alert us when a user attempts to access unauthorized files. Additionally, we do not allow any third party to access the platform outside of the Citrix Workspace connection (part of the Connected Workspace infrastructure), and no tunnelling, direct connection, etc. is allowed into our multi-tenant environment. All of these measures ensure that every connection routes through a single fabric, so the platform can be monitored for any anomaly that represents a threat and we can respond in kind to mitigate it.

In the unfortunate event of a data breach or a ransomware attack, any files in your customer’s Connected Workspace storage that become compromised are isolated in order to remove the threat of further corruption. A restoration to known safe media is performed in an isolated environment. All virtual delivery agents (VDAs) are shut down and forced to restart from the gold image. The isolated environment is migrated back only after file remediation is completed there. We work diligently at all of this and can get customers back online quickly, thanks to our dedicated platform engineers. For instance, based on a standard data size of 1 terabyte, the mean time to recover is estimated at 4 hours. This is something to consider when customers choose a DaaS provider: is there support available when it’s needed the most? This is one reason why the previously mentioned title company moved away from their previous DaaS provider to Star2Star’s Connected Workspace.

Can I bundle my security services with Connected Workspace?

You sure can! As a channel partner, you can implement a third-party email security solution, and for our private cloud offering (a single-tenant service for customers looking for a more isolated set-up) you can offer your existing ransomware, malware, and/or endpoint monitoring add-ons.

Now that we’ve secured your understanding, connect with us to learn more about Connected Workspace and how it can help you communicate securely in the cloud!
