Securing Virtual Desktop Infrastructures with Strong Authentication



Contents

VDI Access Security Loopholes ... 2

Secure Access to Virtual Desktop Infrastructures ... 3

Assessing Strong Authentication Solutions for VDIs ... 4

Authentication Management and Administration ... 4

Authentication Methods ... 5

Fitting the Authentication Method to the Endpoint Device ... 6

SafeNet Strong Authentication Solutions for VDI ... 7

Conclusion ... 8


VDI Access Security Loopholes

VDIs can be deployed inside the firewall. However, they are increasingly accessed over the Internet. Often, the only barrier that stands between them and sensitive corporate resources is a simple password, which cannot prevent the sophisticated level of attacks that have become increasingly prevalent, and which result in compromised identities, wide-scale credential theft, and data breaches. Organizations also need to be vigilant about internal threats that can result from lax security around sharing endpoints or data theft resulting from internal sources, such as disgruntled employees.

Access Vulnerabilities

Password and Credential Theft

In today’s escalated risk environment, static passwords are the weakest link in remote access. Data breaches carried out for the purpose of criminal harvesting of user credentials have become rampant. In June 2012, hackers attacked LinkedIn’s password database and published millions of passwords online. And in April 2011, Sony suffered an attack that resulted in the theft of 77 million accounts, as well as credit card data. These breaches highlight the unsafe – but common – practice of using the same password to access several online resources. Cybercriminals take advantage of this by hacking into vast databases in order to harvest passwords and sell them, resulting in the illegal use of the stolen passwords to gain unauthorized access to VDIs from thin clients, laptops, and mobile devices.

Brute Force Attacks

The use of password guessing and brute force attacks is another risk to VDI access. These attacks are designed to breach online resources by using dictionary attacks and password guessing, in which automated tools systematically try candidate passwords against the user account in order to gain access.
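Because brute-force and dictionary attacks leave a distinctive trail of failed logons, the gateway or authentication server logs are the place to detect them. The following added example (not from the white paper or from SafeNet) runs a sliding-window count over constructed VDI gateway log lines; the log format is an assumption. It flags two patterns a defender wants to see separately: many failures against one account (classic guessing) and many failures from one source address spread across many accounts (password spraying), which a per-account lockout alone would miss.

```python
"""Detect password-guessing bursts in VDI gateway authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real gateway). Assumed format:
# "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2012-06-01T08:00:01 FAIL user=alice src=203.0.113.5
2012-06-01T08:00:03 FAIL user=alice src=203.0.113.5
2012-06-01T08:00:04 FAIL user=alice src=203.0.113.5
2012-06-01T08:00:06 FAIL user=alice src=203.0.113.5
2012-06-01T08:00:07 FAIL user=alice src=203.0.113.5
2012-06-01T08:00:09 FAIL user=alice src=203.0.113.5
2012-06-01T08:00:15 OK   user=bob   src=198.51.100.7
2012-06-01T08:02:00 FAIL user=carol src=198.51.100.7
2012-06-01T08:20:00 FAIL user=carol src=198.51.100.7
2012-06-01T08:40:00 FAIL user=carol src=198.51.100.7
2012-06-01T08:41:00 FAIL user=dave  src=203.0.113.9
2012-06-01T08:41:01 FAIL user=erin  src=203.0.113.9
2012-06-01T08:41:02 FAIL user=frank src=203.0.113.9
2012-06-01T08:41:03 FAIL user=grace src=203.0.113.9
2012-06-01T08:41:04 FAIL user=heidi src=203.0.113.9
2012-06-01T08:41:05 FAIL user=ivan  src=203.0.113.9
"""


def parse_events(text):
    """Return (timestamp, result, user, src) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append((datetime.fromisoformat(ts), result,
                       user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]))
    events.sort(key=lambda e: e[0])
    return events


def _burst_keys(failures_by_key, threshold, window):
    """Keys with at least `threshold` failures inside any `window`."""
    flagged = set()
    for key, times in failures_by_key.items():
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits the time span.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(key)
                break
    return flagged


def find_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Flag accounts under guessing and sources doing spraying."""
    by_user = defaultdict(list)
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result != "FAIL":
            continue
        by_user[user].append(ts)
        by_src[src].append(ts)
    return {
        "users": _burst_keys(by_user, threshold, window),
        "sources": _burst_keys(by_src, threshold, window),
    }


if __name__ == "__main__":
    print(find_bursts(parse_events(SAMPLE_LOG)))
```

In the constructed sample, `alice` is flagged both as an account and through her source address, while `203.0.113.9` is flagged only as a source: six different accounts, one failure each, inside five seconds. Carol's three slow failures over forty minutes stay below the threshold, which is the trade-off a window length encodes.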

Malware

Malicious software embedded on a laptop or mobile device has the ability to steal passwords and other forms of user credentials. This allows access by unauthorized users to VDIs, and, depending on the sophistication of the malware, to the corporate network as well.

Identity Spoofing

Identity spoofing is a hacking method designed to hide the identity of the sender or impersonate another computing system. Email spoofing is used by hackers to fraudulently send email messages in which the sender’s address and other parts of the email header are

Users are increasingly dominant in determining the adoption of new computing environments, especially around the use of mobile devices.

Static passwords cannot adequately validate or protect the identities of users accessing virtual desktops and other remote resources.

Flexibility, user-centric computing, and mobility are strong trends that are driving growth in the Virtual Desktop Interface (VDI) market. These factors are pushing IT teams to find solutions that will offer the flexibility employees expect while allowing them to maintain controls over the various endpoints used to access corporate resources. IT teams are also seeking to centralize security policies and data controls away from endpoints. As a result, companies need the means to implement consistent security processes and comply with regulations without increasing the burden on IT staff or inconveniencing their users.


The common purpose of these spoofing attacks is to trick users into providing personal and confidential information that is subsequently used for identity theft. The credentials can be reused later by the attacker to impersonate the user and gain access the corporate network and VDI.

Session Hijacking

Session hijacking – also known as Man-in-the-Middle – is an attack in which the attacker can actively inject messages into the traffic between the user’s computer and the authenticating server.

In this type of attack, the attacker can eavesdrop on the communications between the legitimate user and the server, or manipulate the communications in such a way that transactions and operations are performed on behalf of the user but without the user’s control.

Secure Access to Virtual Desktop Infrastructures

VDIs offer considerable benefits to organizations by allowing them to improve employee productivity through Bring-Your-Own-Device policies, while still maintaining isolation, separation, and security between a user’s work and personal environments. But organizations could undermine these efforts and expose themselves to data breaches if they ignore vulnerabilities around VDI access points.

One way of overcoming these risks is through the use of a strong authentication solution that provides a second factor of authentication beyond simple passwords when the user logs on to the VDI and other remote access points.

With the expansion in user access scenarios in the enterprise, implementing security authentication for VDI calls for a versatile authentication solution that can support numerous and diverse use cases that are common to most organizations, and also allow them to meet privacy and security regulations. By adopting an overall strategy for secure access that is enabled by a comprehensive authentication platform, organizations can secure access to VDIs from different endpoints and tailor the level of authentication to suit diverse groups of users without burdening IT teams.

The Need to Accommodate Mobility

A growing impetus for implementing VDIs is the need to provide employees with mobility and flexibility. This goal has led to a rise in the number and type of endpoints that employees are using. Diverse endpoints are exposed to different attack vectors and cannot be lumped together in a single risk category.

Consequently, the authentication method used by the end user needs to factor in usability and risk. For example, it may be appropriate to require that a sales rep on the road use a certificate-based hardware token for VPN and remote access but suffice with OTP or out-of-band authentication when using a computer at home.

Optimally, an organization should strive to implement secure access for all endpoints with a single versatile authentication solution that offers central administration and supports numerous authentication methods. In this way, organizations can implement unified secure access policies for all users regardless of the endpoint and provide a better user experience. At the same time, they can reduce the administrative burden on their IT teams and significantly increase security.

Organizations could undermine the benefits provided by VDIs if they don’t protect themselves from data breaches and ignore vulnerabilities around VDI access points.

The Need to Accommodate Usability

The desire to balance the need for secure access, the ability to support multiple endpoints, and facilitate usability around security mechanisms can be achieved by implementing different authentication methods for groups of users with different usability needs and risk profiles. The optimal way to achieve this is by deploying a versatile authentication solution that supports different authentication methods and endpoints.

The Need to Achieve Compliance

In many cases, a reason for implementing strong authentication is driven by the requirement to comply with industry- or country-specific regulations. There are numerous regulations, including PCI DSS, HIPAA, and FFIEC, that recommend strong authentication as a “best practices” measure for validating the identities of people accessing online resources. In addition, SP 800-63 (NIST Electronic Authentication Guideline) was updated and revised in 2011. This publication from the National Institute of Standards and Technology (NIST) expands the options for government agencies that need to verify the identity of users of their Web-based services and defines different assurance levels. The NIST Guideline offers a 5-step process to help companies map identified risks to the defined assurance levels, and then select an appropriate authentication technology based on NIST’s e-authentication technical guidance.

Assessing Strong Authentication Solutions for VDIs

There are many different methods of strong authentication available for VDIs. For IT professionals, the challenge lies in avoiding the trap of taking a piecemeal approach and instead implementing an authentication solution that is able to provide access security for all VDI endpoints, facilitate usability for employees, and achieve cost efficiencies in terms of management and administration. In the following paragraphs, we’ll take a look at the management requirements and most commonly used strong authentication methods, and how these can contribute to securing access to VDIs.

Authentication Management and Administration

All authentication solutions are managed by a corresponding authentication back end. The management platform is a crucial element in any authentication solution since it directly impacts an organization’s ability to optimize identity and access processes. The authentication management platform deals with:

Authentication and validation: There are numerous authentication methods and technologies. An authentication management platform that supports a wide range of methods provides a greater degree of flexibility and allows organizations to take a risk-based approach to authentication by allowing them to deploy different methods of authentication according to the risk level of different types of users.

Provisioning and enrollment: Provisioning and enrollment is an admin-intensive task that can be highly time-consuming. Management platforms that allow for the automation of these tasks can significantly reduce IT administration overhead and streamline processes.

Compliance is not just about meeting regulations. Organizations need to manage risk around security, ensure best practices, and pass security audits with flying colors.

The authentication back end is a crucial part of any authentication solution since it is the foundation of efficient administration and determines the ability to implement consistent secure access policies for all resources.

Lifecycle and ongoing administration issues: A management platform should offer the ability to automate processes associated with ongoing usage scenarios. These include automatic token and password recovery in case the token or end device is lost or stolen; the ability to easily revoke or unblock certificates; the ability to offer self-service portals to users and reduce calls to the help desk, and the ability to automatically provision new certificates when old ones expire.

Broad endpoint support: Selecting an authentication management solution that is able to address different groups of users and roles, integrate easily with a variety of access endpoints (thin clients, mobile devices, laptops, etc.), and support numerous applications (VPNs, VDIs, SaaS applications, Web-based applications, etc.) is fundamental to an organization’s ability to implement an effective authentication strategy.

Authentication Methods

There are several authentication methods appropriate for securing access to VDI. These include:

SMS Out-of-Band Authentication

In SMS authentication, a dynamic passcode is sent via SMS to a user’s mobile phone. Since people carry their phones with them at all times, this is a convenient and easy way to deliver dynamic passcodes.

One-time Passcodes (OTP)

One way to overcome security risks related to static passwords is to use a randomly-generated one-time passcode (OTP) when logging into a VDI. The passcodes are generated by a hardware token or software token. When the user enters the OTP, the login client communicates with a back-end OTP authentication server that validates the value of the OTP based on a mathematical secret shared between the OTP client device and the OTP authentication server.

Certificate-based Authentication Solutions

Certificate-based authentication (CBA) uses digital certificates as a means of identifying one or both parties in a transaction. A certificate contains the name of its subject (the person identified by the certificate) and the name of a Certificate Authority (CA), who vouches for the identity of the subject. Additionally, each certificate contains the subject’s “public key,” which is associated with a corresponding “private key” that is kept secret. Only someone in physical possession of the private key can use the certificate to identify himself.

Certificate-based hardware authenticators: The most secure way of using certificates is embedding them in the protected environs of a smartcard chip on a portable hardware token. In this manner, the certificate’s private key is generated within the confines of the smartcard chip. Since the smartcard is stored on a tamper-evident hardware device, it is not exposed to the vulnerable PC environment, which can be infected by malware. Certificate-based hardware authenticators are available in USB or credit card form factor.

Software-based certificate authentication solutions: Software-based certificate authentication solutions can offer comparable advantages to certificate-based smartcard form factors and USB authenticators. By storing the certificate’s private key within a virtual smartcard that is installed on the endpoint, software certificate-based solutions prevent unauthorized network access and overcome traditional password security weaknesses.

Embedded certificates: Some endpoints – particularly mobile devices – do not support the use of smartcard form factors and USB authenticators. In these cases, it is possible to overcome password weaknesses by provisioning a certificate to the device and using it to authenticate the user at login.

Endpoint Compatibility

SMS Out-of-Band Authentication: Laptops, Desktops

One-time Passcodes (OTP): Thin clients, Laptops, Desktops

Certificate-based Authentication Solutions: Thin clients, Laptops, Desktops, Mobile Devices

Fitting the Authentication Method to the Endpoint Device

One of the key drivers for adopting VDI environments is the desire to enable uniform access to corporate computing environments from diverse endpoints. In the following section, we’ll discuss the types of strong authentication methods that can be applied to different endpoints.

Thin Clients

Certificate-based Hardware Authentication

The use of certificate-based authentication offers a very high level of security for thin clients. When this solution is implemented, authentication takes place before the actual VDI session is launched. When booting the thin client, the user inserts a certificate-based USB token and enters the token password. The beauty of this solution is that since the USB token can contain several certificates, the same token can be used to securely access other resources, such as Web-based portals and local network resources.

OTP Authentication

Thin clients can be configured to support OTP hardware and software authentication via standard RADIUS, integration agents, or Web services API.
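RADIUS is the integration path most thin clients already speak, and over it the OTP simply travels in the User-Password attribute of an Access-Request; the RADIUS server then hands it to the OTP back end and answers Access-Accept or Access-Reject. The following added example (not from the white paper or from SafeNet) implements that exchange from RFC 2865 in standard-library Python on both sides: the client hides the password with the MD5 keystream RFC 2865 prescribes, the server recovers it, checks it against the expected OTP and signs the reply with a Response Authenticator, and the client verifies that signature and the packet identifier before trusting the verdict. The shared secret, user name, NAS identifier and OTP value are constructed. RFC 2865's password hiding rests on MD5 and the shared secret alone, so in deployment the RADIUS leg is normally confined to a management network or wrapped in IPsec or RadSec (RFC 6614).

```python
"""RADIUS (RFC 2865) Access-Request / Access-Accept exchange carrying an OTP over PAP."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; length counts the two header bytes."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding (RFC 2865 5.2): pad to 16, XOR with chained MD5 blocks."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                      # next block keyed on previous ciphertext
    return out


def decrypt_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, nas_id: bytes, authenticator: bytes = None) -> bytes:
    """Client (NAS) side. The Request Authenticator must be fresh and unpredictable."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_attributes(data: bytes) -> dict:
    attrs = {}
    while data:
        attr_type, length = data[0], data[1]
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs


def handle_access_request(packet: bytes, secret: bytes, expected_otps: dict) -> bytes:
    """Server side: recover the submitted OTP, decide, and sign the reply."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:HEADER_LEN]
    attrs = parse_attributes(packet[HEADER_LEN:length])
    user = attrs[ATTR_USER_NAME]
    submitted = decrypt_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = user in expected_otps and hmac.compare_digest(submitted, expected_otps[user])
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""
    header = struct.pack("!BBH", reply_code, identifier, HEADER_LEN + len(reply_attrs))
    # Response Authenticator (RFC 2865 3): MD5 over header, request authenticator, attrs, secret.
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def verify_response(response: bytes, request: bytes, secret: bytes):
    """Client side: return the reply code only if the reply is authentic, else None."""
    if response[1] != request[1]:                    # identifier must match our request
        return None
    header, response_auth, attrs = response[:4], response[4:HEADER_LEN], response[HEADER_LEN:]
    expected = hashlib.md5(header + request[4:HEADER_LEN] + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return None                                  # forged or corrupted reply
    return response[0]


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request(7, b"alice", b"287082", secret, b"thin-client-01")
    resp = handle_access_request(req, secret, {b"alice": b"287082"})
    print("verdict:", verify_response(resp, req, secret))   # 2 == ACCESS_ACCEPT
```

The verification step on the client is the part most often skipped in ad-hoc integrations: without it, anyone who can inject a UDP datagram toward the thin client can hand it an Access-Accept.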

Out-of-Band (OOB)

A passcode sent via SMS to a user’s mobile phone is another way of avoiding the use of static passwords.

Mobile Devices

A user-friendly way of overcoming password vulnerabilities on mobile devices, and facilitating Bring-your-own-Device (BYOD) policies, is by provisioning a certificate to the mobile device. Unlike the use of OTP authentication, the use of a certificate does not require the user to type in an OTP and is therefore more convenient and less error-prone. If the device is lost or stolen, the IT administrator revokes the certificate and thus blocks access from the VDI client. The PIN on the mobile device serves as another authentication factor if the device is lost or stolen.

Laptops/Desktops

One aspect of growth in the BYOD trend is a desire on the part of IT departments to enable secure use of laptops and desktops that are not issued by the corporate IT department. For example, an organization might want to provide flexibility to employees by enabling them to access the VDI from their home computers. Secure access in this case could be achieved through the use of OTP or hardware- and certificate-based strong authentication. There are other use-case scenarios that benefit from different forms of certificate-based authentication. These are discussed below.

Mobile VDI Client Combined with CBA Authenticator

This solution consists of a VDI client stored on the encrypted Flash memory of a certificate-based USB authentication device. The device combines certificate-based strong authentication and encrypted Flash storage, which allows for secure storage of the VDI client on the USB token.

This solution offers a high level of security and a high degree of mobility since it enables users to connect the USB token to any laptop or desktop. Users benefit from this solution because it offers them the convenience and flexibility of total mobility. IT professionals benefit from the fact that they don’t have to concern themselves with installing VDI clients on non-corporate

Authentication Solutions for Diverse Endpoints

Laptops / Desktops: Certificate-based Authentication (CBA); CBA combined with VDI client installed on a portable USB authentication device; One-time Passcode (OTP); Out-of-Band (OOB)

Mobile Devices: CBA (embedded certificate); OTP; OOB

Thin Clients: CBA (smartcard); OTP

The ability to implement different authentication methods for different endpoint devices and centrally manage them with a single authentication server is key to achieving a consistent and uniform secure access strategy.

Hardened VDI Client

The solution described above is available in an even more secure format for organizations that want to reduce risk to a minimum. In this case, it is possible to harden the VDI client with anti-malware components. So, not only would the VDI client be stored in encrypted Flash memory, it would also provide active protection against malware.

Dynamically Downloadable Hardened VDI Client

In this variation, a hardened or regular VDI client is dynamically downloaded from a secure website after the user authenticates with their certificate-based USB authentication device. This variation offers IT teams a greater level of control over the VDI client in use since it is managed on the server side and not distributed on the actual USB authentication device.

SafeNet Strong Authentication Solutions for VDI

SafeNet’s award-winning solutions provide an extensible, comprehensive foundation for securing an organization’s VDI environment. SafeNet offers on-premise or cloud-based management platforms that support secure access to VDI clients from multiple endpoints with a broad range of authentication methods and form factors. This versatile approach allows organizations to choose the delivery model that best suits them and centrally manage their entire authentication environment while implementing unified strong authentication policies for all resources.

Benefits

• Lower TCO: Organizations need only deploy one management server that serves as a single infrastructure for a range of secure access solutions. This approach enables IT departments to seamlessly extend access security to as many applications as needed as user requirements and threat landscapes change, without having to invest in additional software or hardware.

• Greater flexibility and scalability: Support for a wide range of authentication methods and form factors creates a versatile authentication solution that allows organizations to use a single platform to address numerous user needs and risk levels by deploying different authentication methods, or adding them, side by side, as required.

• Pro-active security preparedness: SafeNet’s extensible approach, together with ongoing investment in technological innovation, provides organizations with the assurance that the solution they are deploying meets their present needs, while also providing them a solid basis to meet the challenges of a rapidly evolving security landscape.

Management platforms

SafeNet Authentication Manager

SafeNet Authentication Manager supports SafeNet’s entire range of OTP, certificate-based, and software authentication solutions, allowing organizations to secure access to VDIs, as well as numerous other resources. SafeNet Authentication Manager offers extensive authentication lifecycle management and reporting capabilities, which reduce IT administration and help desk calls, and facilitate security auditing.

[Diagram: On-Premise deployment – VDI Server, RADIUS Server and SafeNet Authentication Manager, with Mobile, Laptop/Desktop and Thin Client endpoints]

SafeNet Authentication Service

SafeNet Authentication Service is a cloud-based service that delivers fully automated OTP strong Authentication-as-a-Service. With no infrastructure required, SafeNet Authentication Service protects a wide range of access points, including VDIs, SaaS applications, and Web-based portals.

Encouraging business in the cloud, SafeNet Authentication Service offers an OPEX subscription model for its fully automated, highly secure, simple, and intuitive Authentication-as-a-Service solution.

Authentication Devices

SafeNet offers a wide range of authentication devices. These include OTP hardware and software authenticators; CBA authenticators in USB, smartcard, and software form factors; OOB solutions; and hybrid solutions, which combine certificate-based authentication with OTP or encrypted Flash memory.

Conclusion

Virtual desktop solutions offer a way for IT departments to consolidate and streamline their computing environments and improve processes around distributing updated software patches and upgrades, as well as licensing issues. Moreover, as mobile devices are increasingly used as an extension to traditional computing environments, VDI solutions are also seen as a way to extend corporate controls to mobile environments and as a way of accommodating the need to facilitate user access from multiple endpoints.

These benefits should not be undermined by lax security around access points. The use of a versatile strong authentication platform that can keep pace with escalating threats, ensure compliance with regulations, offer IT efficiencies in terms of management and administration, and address the diverse computing environments that are evolving in most organizations is a critical factor in an organization’s overall information security strategy.

By ensuring that strong authentication is a key part of their VDI strategy, along with other data protection measures such as encryption, organizations can protect their data centers, secure access to VDIs, and comply with privacy regulations.

About SafeNet

Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers’ most valuable assets, including identities, transactions, communications, data, and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies, and in over 100 countries, trust their information security needs to SafeNet.

For more information, go to www.safenet-inc.com/authentication

[Diagram: As-a-Service deployment – VMware View Connection Server, VDI Server, RADIUS Server and SafeNet Authentication Service, with Laptop and Thin Client endpoints]
