By Dave Waterson, CEO, SentryBay

As banks, financial services companies and other large enterprises accelerate their digital transformation efforts, many are migrating workloads onto virtual desktop infrastructure. Among the myriad benefits are greater agility and efficiency and, if solutions are deployed in the right way, there are considerable financial savings to be made.

Organisations in the sector regard their core competency to be in the provision of first-class financial solutions and products. This is made easier if their cloud-based desktop solutions meet the needs of users across multiple departments and functions without it being necessary to configure devices if they are working remotely, or on the move, as well as in company offices.

While many of these solutions deliver elements of security and privacy, and even the monitoring of access to virtual resources, they are not risk-free. More importantly, the supposed protection afforded by VDI can render users complacent, and this is making organisations vulnerable to cyberattacks. It is a misconception that an attack can’t be launched on a virtual session without local storage, for example. In fact, VDIs provide multiple entry points to cloud servers, and all that a hacker needs, is one unprotected endpoint or device to make their way in.

VDI vulnerabilities

Virtualisation company VMware issued a security advisory earlier this year after discovering a vulnerability that allowed a bad actor with local non-administrative access to escalate privileges as a root user in a virtual machine. The company patched the issue. Meanwhile, vulnerabilities in Microsoft’s Azure Virtual Desktop (AVD) came to light in 2021 when a cybersecurity company was able to gain complete and unrestricted access to the accounts and databases of several thousand AVD customers. Again, the problem was fixed quickly.

Given the high incidence of data breaches – which according to Statista exposed 15 million data records worldwide in the third quarter of 2022, a rise of 37% over the previous quarter – getting an understanding of the flaws and vulnerabilities in VDI security is crucial.

The threats

One of the main dangers comes from trojans and malware that steal keystrokes or take screen captures to gain the log-in details of users. They do this by looking for vulnerabilities in the devices that are connecting to applications such as Azure or VMWare, or even w365, one of the most commonly used cloud PC subscription platforms available. The dangers are exacerbated by the number of organisations adopting Bring Your Own Device (BYOD) models, allowing employees to use their own laptops, tablets, home PCs and smartphones to access corporate data and applications. If these devices are unsecured, they present not only a threat to the user, but to all others they are working collaboratively with, the data that passes through their device and into the network, and risk non-compliance with the regulations that govern financial services customer security.

Protecting users against spyware can be especially difficult when they are conducting video calls using Zoom or Teams, for example. Now so ubiquitously used, Teams has presented a new attack vector allowing cyber criminals to deploy malicious GIFs to capture user data without even needing to be shared – viewing the GIF is enough.

The solution

The question then, is what can be done to mitigate the risk so financial services companies can fully embrace all the benefits of virtual desktop infrastructure? Of course, companies often opt to manage their devices using anti-malware software and endpoint defence solutions, but these can fall down when it comes to enforcing their usage.  This is important because in a hybrid environment, it is a much greater challenge for security managers to ensure protection is being deployed on remote endpoints.

The other difficulty is to find a security solution that works with all the virtual applications and platforms that the organisation is using, and that they provide a level of protection that ensures regulations such as PCI-DSS, GDPR and HIPAA can be met.

Our advice is to assess enterprise-grade anti-keylogging and screen capture protection for solutions such as Azure Virtual Desktop and w365 at the endpoint. VDI sessions need to be secure from start to finish and include an enforcement agent to facilitate employee onboarding and provide security managers with clear oversight regarding levels of engagement.

Organisations using VDI need security solutions that create a container inside which all data and applications are wrapped so they cannot be infiltrated before they reach the cloud server. This not only provides an unprecedented level of protection to financial services companies and banks but fits well into zero trust environments. And on top of this, the right solution will also preserve the fully enriched VDI-optimised Teams experience, making sure that video collaboration remains a key touchpoint for the workforce.