
by Ian MacRae
President and CEO, E-N Computers
25+ years experience solving business IT problems in Virginia and Washington, D.C.
Azure Virtual Desktop enclaves — secure, isolated computing environments in the cloud — have become a popular option for meeting compliance requirements, but they’re far from a silver bullet. While Azure VDI has good security features, it falls short of fulfilling compliance standards on its own. There are other elements of compliance, like policies and training, that you need to consider.
QUICK ANSWER:
Why aren’t Azure Virtual Desktop enclaves a simple solution for compliance?
While Azure Virtual Desktops provide enhanced security features and centralized management, they do not address all compliance requirements. You still need to implement access controls, audit trails, and policies—including for mobile device use—and consider your overall data security to meet compliance standards.
Isn’t Azure Virtual Desktop secure and self-contained?
Azure Virtual Desktop is popular for a reason: it provides a modern desktop solution that is centrally managed, enhances your security posture, and improves device security.
- Centralized Management: It provides a centralized platform for managing and securing virtual desktops and applications, simplifying administration and reducing the burden on IT teams.
- Enhanced Security Posture: It incorporates security features like multi-factor authentication, micro-segmentation, and threat detection to protect sensitive data. Most of these are Azure platform controls (for example, MFA enforced through a Conditional Access policy in Microsoft Entra ID) that you must configure; they are not on by default.
- Improved Device Security: When everything important is contained inside the virtual desktop, the impact of malware and other security threats on the user’s device is minimized, improving the overall security of the endpoint devices.
There are clear benefits to using Azure Virtual Desktop, but it can give people a false sense of security. You cannot spin up a set of virtual desktops, have everyone start using them, and expect to be secure or compliant. There are a few reasons why.
Limitations of Azure Virtual Desktop
Even though Azure Virtual Desktop provides a solid security foundation, it has limitations you need to consider. Here are a few.
- High performance applications: Virtual desktops are not ideal for software with higher-than-normal system requirements, such as computer-aided drafting (CAD) or computer-aided manufacturing (CAM) programs.
- Sensitive information: Whether you are in healthcare, law, accounting, or manufacturing, your compliance requirements include access control, encryption, and an audit trail. A virtual desktop does not configure, document, or prove any of these for you.
- Use of mobile devices: If you allow employees to access email or virtual desktops from mobile devices, you’ll need to plan on how to secure those, too. More on this below.
Generally, we find that these limitations don’t make it very practical to rely solely on a virtual desktop enclave. There’s still a lot of work that needs to be done, both in developing policy and technical implementation, to meet most compliance standards.
Whether you use a virtual desktop enclave or not, you will need to implement access controls, audit trails, and likely a mobile device policy.
Access control and audit trails
Granular access controls are an essential part of security and compliance. Administrators must control who can access resources, applications, and data even in a virtual desktop enclave.
Integrated identity and access management (IAM) enables consistent enforcement of policies across your organization. It allows for centralized management of user identities, roles, and permissions, streamlining the administration of access controls and reducing the risk of unauthorized access.
Audit trails are records that show who accessed a system and what actions they performed. The system logs behind them support security analysis, incident response, compliance reporting, and investigations. Auditors want to see that you can pull up information about specific events on your systems as well as overall trends, so it is important to establish procedures for collecting, storing, and analyzing logs, including how long they are retained.
Audit trails support security and compliance by maintaining a record of:
- Login events: Tracking when users log in and out of the VDI environment provides visibility into user activity and can be used to detect suspicious behavior, such as multiple failed login attempts or logins from unusual locations.
- File access: Monitoring which files users access and the actions they perform (e.g., read, write, delete) helps to identify unauthorized access or data exfiltration attempts.
- App usage: Logging which applications users launch and how they interact with them can be used to detect suspicious activity, such as the use of unauthorized applications or the attempted exploitation of vulnerabilities.
- Resource usage: Tracking the resources that users consume (e.g., CPU, memory, storage) can help reveal unusual activity, such as resource exhaustion attacks or the unauthorized use of resources.
- Admin actions: Logging administrative actions, such as changes to user permissions or system configurations, provides accountability and can be used to track down the source of problems or security incidents.
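The login-event bullet above talks about detecting repeated failures and sign-ins from unusual locations. The following Python is an added example, not code from this article or from Microsoft, that runs those checks over a small set of constructed records shaped like Microsoft Entra ID sign-in log entries. The field names mirror that schema, but the thresholds, the allowed-country list, the user names and the IP addresses are assumptions chosen for illustration.

```python
"""Added example: detection logic run over constructed sign-in records.

Not code from the original article or from Microsoft. The records below only
mimic the shape of Microsoft Entra ID sign-in log entries (userPrincipalName,
createdDateTime, status.errorCode, location, ipAddress); error code 0 is a
successful sign-in and 50126 is "invalid username or password". Thresholds,
the allowed-country list and all sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_THRESHOLD = 5                  # failures per user inside one window (assumed)
FAILED_WINDOW = timedelta(minutes=10)  # sliding window for the failure count (assumed)
ALLOWED_COUNTRIES = {"US"}            # where this hypothetical workforce signs in from
TRAVEL_WINDOW = timedelta(hours=1)    # two countries inside this window is suspicious


def _rec(upn, ts, code, country, ip):
    """Build one constructed sign-in record in an Entra-like shape."""
    return {"userPrincipalName": upn, "createdDateTime": ts,
            "status": {"errorCode": code},
            "location": {"countryOrRegion": country}, "ipAddress": ip}


# Constructed sample: alice is brute-forced, bob "travels" US -> RO in 30 minutes,
# carol is a normal user with a single typo. IPs are from documentation ranges.
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "2024-03-04T08:00:00Z", 50126, "US", "203.0.113.7"),
    _rec("alice@example.com", "2024-03-04T08:01:00Z", 50126, "US", "203.0.113.7"),
    _rec("alice@example.com", "2024-03-04T08:02:00Z", 50126, "US", "203.0.113.7"),
    _rec("alice@example.com", "2024-03-04T08:03:00Z", 50126, "US", "203.0.113.7"),
    _rec("alice@example.com", "2024-03-04T08:04:00Z", 50126, "US", "203.0.113.7"),
    _rec("alice@example.com", "2024-03-04T08:05:00Z", 50126, "US", "203.0.113.7"),
    _rec("alice@example.com", "2024-03-04T08:07:00Z", 0, "US", "203.0.113.7"),
    _rec("bob@example.com", "2024-03-04T09:00:00Z", 0, "US", "198.51.100.20"),
    _rec("bob@example.com", "2024-03-04T09:30:00Z", 0, "RO", "203.0.113.50"),
    _rec("carol@example.com", "2024-03-04T10:00:00Z", 0, "US", "198.51.100.31"),
    _rec("carol@example.com", "2024-03-04T10:05:00Z", 50126, "US", "198.51.100.31"),
    _rec("carol@example.com", "2024-03-04T10:06:00Z", 0, "US", "198.51.100.31"),
]


def _ts(record):
    """Parse the ISO-8601 timestamp ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def _succeeded(record):
    return record["status"]["errorCode"] == 0


def detect_failed_login_bursts(records, threshold=FAILED_THRESHOLD, window=FAILED_WINDOW):
    """Flag users with at least `threshold` failures inside any sliding window."""
    failures = defaultdict(list)
    for r in records:
        if not _succeeded(r):
            failures[r["userPrincipalName"]].append(_ts(r))
    alerts = []
    for upn, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop failures that fell out of the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"rule": "failed_login_burst", "user": upn, "count": best})
    return alerts


def detect_unusual_locations(records, allowed=ALLOWED_COUNTRIES):
    """Flag successful sign-ins from countries outside the allow-list."""
    return [{"rule": "unusual_location", "user": r["userPrincipalName"],
             "country": r["location"]["countryOrRegion"], "ip": r["ipAddress"]}
            for r in records
            if _succeeded(r) and r["location"]["countryOrRegion"] not in allowed]


def detect_impossible_travel(records, window=TRAVEL_WINDOW):
    """Flag consecutive successful sign-ins from different countries too close together."""
    by_user = defaultdict(list)
    for r in records:
        if _succeeded(r):
            by_user[r["userPrincipalName"]].append((_ts(r), r["location"]["countryOrRegion"]))
    alerts = []
    for upn, events in by_user.items():
        events.sort()
        for (t1, c1), (t2, c2) in zip(events, events[1:]):
            if c1 != c2 and t2 - t1 <= window:
                alerts.append({"rule": "impossible_travel", "user": upn, "from": c1,
                               "to": c2, "minutes": int((t2 - t1).total_seconds() // 60)})
    return alerts


def run_detections(records):
    """Run every rule and return the combined alert list."""
    return (detect_failed_login_bursts(records)
            + detect_unusual_locations(records)
            + detect_impossible_travel(records))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_SIGNINS):
        print(alert)
```

In production the records would come from the sign-in logs exported to a Log Analytics workspace or a SIEM rather than an inline list. The point of the example is that the rules, the thresholds, and the evidence an auditor will ask for are decisions you have to make and write down; the virtual desktop platform only supplies the raw log.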
Mobile devices
If you plan to allow access to email or other company data from mobile devices, you will need policies and a mobile device management solution in place. Factors you may need to consider include:
- Which devices and operating systems can access company email
- Which apps can access company email
- Which apps can be installed on company-owned devices
- Enforcing a lockscreen passcode
- Preventing jailbroken and rooted devices from accessing company resources
- How you will remote wipe a device when it is lost or stolen, or the employee is terminated
After making these decisions, you need a way to implement them. Mobile device management (MDM) solutions like Microsoft Intune allow comprehensive management of endpoints running Windows, macOS, Android, and iOS. In this way, a seemingly small decision like allowing company email to be accessed on mobile devices opens a much larger discussion around compliance.
When might Azure Virtual Desktop make sense to use?
While we don’t recommend virtual desktops as a primary compliance solution, there are some situations where it might make sense to use them.
- Remote work and bring-your-own-device (BYOD): Virtual desktops are one of the better options for giving remote workers secure access to company resources. You still need strong controls on the identity and the endpoint: strong passwords, multi-factor authentication (MFA), OS patching, and endpoint detection and response (EDR). To keep data from leaking out of the virtual desktop, also disable clipboard redirection and local drive redirection in the host pool's RDP settings (in Azure Virtual Desktop's custom RDP properties, redirectclipboard:i:0 and drivestoredirect:s: with an empty value).
- Contractors and partners: Virtual desktops can be used to provide contractors and partners with secure access to company resources without giving them direct access to the corporate network. For example, you might assign a contractor a virtual desktop to access a project folder without giving them access to anything else.
- Legacy apps: Some legacy apps can no longer be run safely, or at all, on modern Windows operating systems. Virtualizing older applications in a controlled and isolated environment can allow you to keep using them while meeting security and compliance standards. However, we recommend modernizing whenever possible.
Technology is only one part of compliance
Technology is a tool for work. Like any tool, you still need policies, procedures, and training to make sure the technology you implement is used correctly and safely.
- Know what’s in scope: Document what data you have, what systems it touches, who should have access to it, and what security controls you need to implement. This helps you avoid wasted effort and your compliance auditor is going to be looking for this type of information.
- Know your gaps: Compare where you’re at with where you want to be. Assessing your current state against regulatory standards or recommendations will identify vulnerabilities so you can prioritize remediation efforts.
- Perform regular audits: Check your data security controls to make sure they are working effectively and look for any areas for improvement.
- Provide regular user awareness training: Educate employees on their responsibilities for data security and provide them with the tools and knowledge they need to protect sensitive information. This should include topics such as password hygiene, phishing awareness, and safe data handling practices.
- Implement data protection, retention, and disposal: Establish policies and procedures for protecting data throughout its lifecycle, including encryption, access controls, and data backup. Also, implement data retention policies so data is not kept longer than necessary and dispose of data securely when it is no longer needed.
- Create an Incident Response Plan: Despite best efforts, breaches may still happen. Have a well-defined incident response plan in place to quickly and effectively respond to security incidents, minimizing damage and downtime.
Next Steps
When you have the right people working together, you can implement systems and processes that actively help you reach your business goals. We sometimes call this IT maturity. But for many organizations, something is off when it comes to their partnerships, strategy, systems, and settings. How can you know what’s working well and where you have room for improvement? Start by taking our free IT Maturity Self-Assessment. You’ll walk away with some pointers and, if you want, a free appointment to discuss your results.