
VDI Q&A: weighing risk and reward

Posted at 2:21 PM by ISACA News | Category: Risk Management

Today’s mobile device users are demanding to access data from anywhere at any time. In fact, according to an annual ISACA survey on BYOD security, the use of mobile applications has nearly tripled since last year’s survey, and two-thirds of employees aged 18 to 34 have a personal device they use for work purposes. Meanwhile, businesses are trying to reduce costs and simplify desktop management.

Virtualized desktop infrastructure (VDI) allows users to access applications and data securely from remote locations with minimal risk of data loss, while simplifying desktop management within the traditional boundaries of the enterprise.

To help enterprises realize the benefits of VDI adoption and understand the security concerns associated with it, ISACA today issued a white paper, Virtualized Desktop Infrastructure, available as a free download. The paper provides strategies to manage VDI threats and actions that can help with its adoption.

“A new, virtual way of working is shaping the world and affecting IT environments,” said Nikolaos Zacharopoulos, CISA, CISSP, IT auditor for Geniki Bank, Greece, and chair of ISACA’s project-development team for the white paper. “VDI can help increase productivity and reduce costs, but enterprises need to carefully consider the risk involved with it and plan accordingly. This white paper is a road map for that.”

Here Nikolaos addresses a few topics related to the white paper:

What are the benefits from VDI?
VDI reduces downtime, speeds the resolution of problems, improves manageability and control, and helps IT maintain security and data protection.

Are there any threats associated with the introduction of VDI?
There are a number of threats: 

Visibility—Fast provisioning is both a benefit and a risk. Faster desktop deployment may cause the enterprise to lose visibility of every asset that must be protected.

IT governance complexity—Effective governance requires the establishment of new policies and procedures to account for all virtual assets and ensure their compliance with security practices.

Single point of failure—Having one server host multiple virtual desktops represents a single point of failure for the user community that is depending on that server.

Shielding critical desktops—Critical virtual desktops must be segregated from the regular pool to prevent unauthorized access and exposure to malicious software.

How can the risks be controlled?
Although use of VDI simplifies desktop management, it also introduces new risk. Assurance professionals should ensure that there are at least the same security controls in place for virtualized operating systems as there are for those same operating systems when they run directly on hardware.

The assurance professional should ensure that the virtual environment is secure and in compliance with all relevant regulations. Furthermore, the assurance professional should ensure that appropriate controls and infrastructure are in place to ensure continuity of service as the desktops are centralized and move away from the end users. Centralization, along with dependence on the connection to the data center/cloud, creates the risk of a single point of failure.

Nikolaos Zacharopoulos, CISA, CISSP
IT auditor for Geniki Bank, Greece
