Five Azure Virtual Desktop Considerations in Risk Management


Risk management and asset protection in a distributed workforce environment need to include fully leveraging the identity and access control features offered by Azure and Azure Virtual Desktop (AVD). Amol Dalvi, vice president of product at Nerdio, shares key considerations to keep in mind for better risk management.

Risk management centers on assessing an enterprise's overall level of risk, notably determining which data and assets are both of high value and under high threat of attack, and formulating a risk mitigation strategy to protect these high-value assets. Risk management has become a more complex challenge in the current cloud-based, hybrid, and virtualized environment. With a distributed workforce, it is critical to determine which remotely shared applications and data carry the highest risk, and how IT and security teams can protect them against attack without disturbing employee productivity. It is also imperative to examine access security controls in external, third-party collaborative environments to ensure those controls support risk management objectives.

For teams administering public cloud and virtualization environments such as Azure and Azure Virtual Desktop, protecting high-value assets will include leveraging the various Azure security features to further improve risk mitigation, and practicing continued vigilance in threat defense practices such as patching and updates.

Reduced Risk with Azure and AVD

While running a desktop in the cloud inherently reduces risk, Azure and AVD can reduce risks further. Here are five aspects to consider:

1. Reverse connect:

In the past, the open ports required for RDS (Remote Desktop Services) based virtual desktops were often a major security concern. A TCP (Transmission Control Protocol) listener on these open ports exposes the host to malicious inbound connections. In contrast, AVD uses reverse connect transport to establish a remote session and to carry RDP (Remote Desktop Protocol) traffic. Because the session host connects outbound to the AVD service over HTTPS, no inbound ports need to be opened, which reduces risk.
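One practical check that follows from this: once session hosts use reverse connect, no network security group (NSG) rule should allow inbound 3389 from the Internet, while an outbound rule to TCP 443 must exist. The script below is an added example (not from the article or from Nerdio) that audits a set of NSG rules the way Azure evaluates them, lowest priority number first, first match wins. The rule records are constructed, though their fields follow the shape Azure returns for NSG security rules (for example from `az network nsg rule list`); the `WindowsVirtualDesktop` service tag is the real tag for the AVD service endpoints.

```python
"""Audit Azure NSG rules for inbound RDP exposure and for the outbound path
reverse connect needs. Hypothetical example code; the rules are constructed."""
import ipaddress
import json

RDP_PORT = 3389
# Source prefixes that cover any Internet client.
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}

# Constructed sample rules (not from any real subscription).
_SAMPLE_RULES = [
    {"name": "allow-rdp-from-internet", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "priority": 100, "sourceAddressPrefix": "Internet",
     "destinationPortRange": "3389"},
    {"name": "allow-corp-mgmt", "direction": "Inbound", "access": "Allow",
     "protocol": "*", "priority": 110, "sourceAddressPrefix": "10.0.0.0/8",
     "destinationPortRanges": ["22", "3000-4000"]},
    {"name": "allow-avd-outbound", "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "priority": 100, "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "WindowsVirtualDesktop",
     "destinationPortRange": "443"},
]
SAMPLE_RULES_JSON = json.dumps(_SAMPLE_RULES)
# The same NSG with the inbound RDP rule removed: all that reverse connect needs.
HARDENED_RULES_JSON = json.dumps(
    [r for r in _SAMPLE_RULES if r["name"] != "allow-rdp-from-internet"])


def _rule_ports(rule):
    """Every destination port spec a rule carries (singular or plural field)."""
    ports = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ports.append(rule["destinationPortRange"])
    return ports


def _port_matches(port, spec):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def _source_matches(src_ip, rule):
    """True if the rule's source prefix covers src_ip. Non-public service tags
    (for example 'VirtualNetwork') are treated as not covering an Internet client."""
    prefix = rule.get("sourceAddressPrefix", "*")
    if prefix in ANY_SOURCE:
        return True
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False


def deciding_rule(rules, src_ip, port, protocol="Tcp"):
    """Walk inbound rules in priority order and return the first that matches the
    flow, mirroring Azure's first-match evaluation. None means the default rules
    apply, which for an Internet source is DenyAllInbound."""
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    for rule in inbound:
        if rule["protocol"] not in ("*", protocol):
            continue
        if not any(_port_matches(port, p) for p in _rule_ports(rule)):
            continue
        if _source_matches(src_ip, rule):
            return rule
    return None


def flow_allowed(rules_json, src_ip, port, protocol="Tcp"):
    """Return (allowed, deciding_rule_name) for one inbound flow."""
    rule = deciding_rule(json.loads(rules_json), src_ip, port, protocol)
    if rule is None:
        return False, "DenyAllInbound (default)"
    return rule["access"] == "Allow", rule["name"]


def rdp_exposed_from(rules_json, src_ip="203.0.113.7"):
    """RDP reachability from a (constructed, TEST-NET-3) Internet address."""
    return flow_allowed(rules_json, src_ip, RDP_PORT)


def avd_outbound_allowed(rules_json):
    """Reverse connect needs outbound TCP 443 to the WindowsVirtualDesktop tag."""
    for r in json.loads(rules_json):
        if (r["direction"] == "Outbound" and r["access"] == "Allow"
                and r["protocol"] in ("*", "Tcp")
                and r.get("destinationAddressPrefix") == "WindowsVirtualDesktop"
                and any(_port_matches(443, p) for p in _rule_ports(r))):
            return True
    return False


if __name__ == "__main__":
    for label, rules in (("sample", SAMPLE_RULES_JSON), ("hardened", HARDENED_RULES_JSON)):
        exposed, by = rdp_exposed_from(rules)
        print(f"{label}: RDP reachable from Internet={exposed} (rule: {by}), "
              f"outbound 443 to AVD allowed={avd_outbound_allowed(rules)}")
```

Running it against an exported rule list shows whether any rule still opens RDP to the Internet (and which one decides), and whether the outbound 443 path the reverse connect transport relies on is present; a finding of both is the expected state for an AVD session host subnet.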

2. Desktop images:

All AVD host pools that serve up virtual desktops to end-users are based on a desktop image that IT administrators and security teams can control. They can vet applications their end-users are getting access to and ensure the right applications are installed on images. Rather than trying to manage the myriad endpoint devices in use or the various host pools, IT can oversee security by focusing on desktop images.

3. Remote application controls:

While not new to AVD, the ability to publish individual applications to end-users instead of a full desktop is often overlooked as an excellent way to reduce security risk. By controlling which applications end-users can reach, IT admins limit which data they can reach. A remote worker, for example, can have access to an application they need for their workflow without having access to data that is not relevant to their job function.

Indiscriminate access to data and lax controls can result in incidents like the Cash App Investing brokerage data breach. According to its parent company, Block, a former employee was involved in the breach, which affected over 8 million U.S. users. The former employee could even access a customer's trading activity for the day and portfolio value, according to a published report by The Ascent.

Other reports revealed that the former employee had held legitimate access to reports and customer information in order to do their job. After they ceased to work for the company, however, they could still access the data, and that retained access caused the breach.
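The failure mode described here is access that outlives employment. A recurring control that catches it is to reconcile the HR roster against the directory and the sign-in log. The script below is an added example (not from the article, Block or Nerdio) with constructed data: an HR roster with termination dates, directory accounts carrying hypothetical application roles, and a few sign-in events. It flags terminated employees whose accounts are still enabled, who still hold application roles, or who signed in after their termination date.

```python
"""Reconcile an HR roster with directory accounts and sign-in events to find
access that survived offboarding. Hypothetical example; all data is constructed."""
from datetime import date, datetime

# Constructed HR roster (employee ids, statuses and dates are invented).
HR_ROSTER = [
    {"employee_id": "E100", "status": "active", "termination_date": None},
    {"employee_id": "E101", "status": "terminated", "termination_date": "2022-03-01"},
    {"employee_id": "E102", "status": "terminated", "termination_date": "2022-03-15"},
]

# Constructed directory accounts; app_roles are hypothetical role names.
DIRECTORY_ACCOUNTS = [
    {"upn": "alice@contoso.example", "employee_id": "E100", "enabled": True,
     "app_roles": ["BrokerageReports.Read"]},
    {"upn": "bob@contoso.example", "employee_id": "E101", "enabled": True,
     "app_roles": ["BrokerageReports.Read", "CustomerPortfolio.Read"]},
    {"upn": "carol@contoso.example", "employee_id": "E102", "enabled": False,
     "app_roles": []},
]

# Constructed sign-in events (ISO 8601 timestamps).
SIGN_INS = [
    {"upn": "bob@contoso.example", "time": "2022-04-02T09:14:00", "app": "BrokerageReports"},
    {"upn": "alice@contoso.example", "time": "2022-04-02T09:20:00", "app": "BrokerageReports"},
    {"upn": "carol@contoso.example", "time": "2022-03-10T08:00:00", "app": "HRPortal"},
]


def orphaned_access_findings(roster, accounts, sign_ins):
    """Return a sorted list of findings, one per (account, issue) pair."""
    terminated = {e["employee_id"]: date.fromisoformat(e["termination_date"])
                  for e in roster if e["status"] == "terminated"}
    findings = []
    term_by_upn = {}

    for acct in accounts:
        term = terminated.get(acct["employee_id"])
        if term is None:
            continue  # still employed, nothing to check here
        term_by_upn[acct["upn"]] = term
        if acct["enabled"]:
            findings.append({"upn": acct["upn"], "issue": "account still enabled",
                             "detail": f"terminated {term.isoformat()}"})
        if acct["app_roles"]:
            findings.append({"upn": acct["upn"], "issue": "app roles still assigned",
                             "detail": ", ".join(sorted(acct["app_roles"]))})

    # A sign-in after the termination date is the pattern to alert on immediately.
    for event in sign_ins:
        term = term_by_upn.get(event["upn"])
        if term and datetime.fromisoformat(event["time"]).date() > term:
            findings.append({"upn": event["upn"], "issue": "sign-in after termination",
                             "detail": f"{event['app']} at {event['time']}"})

    return sorted(findings, key=lambda f: (f["upn"], f["issue"]))


if __name__ == "__main__":
    for f in orphaned_access_findings(HR_ROSTER, DIRECTORY_ACCOUNTS, SIGN_INS):
        print(f"{f['upn']}: {f['issue']} ({f['detail']})")
```

In the constructed data only one account trips all three checks; the disabled, role-less account of the other leaver produces nothing, which is the state an offboarding process should leave behind. The "sign-in after termination" finding is the one worth routing to incident response rather than to a periodic access review.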


4. Identity management:

AVD relies on Azure AD (Azure Active Directory) for identity management. Authentication is offloaded to Azure AD, allowing IT admins to leverage the security features inherent in Azure AD. Microsoft terms its current approach the 'new identity-driven control plane,' which uses Azure AD Conditional Access to analyze a number of signals in order to decide on application access. Signals include user or group membership, IP location, device, application, and real-time risk detection. Conditional Access controls kick in after first-factor authentication is completed.

Microsoft also offers a "hybrid identity" with Azure AD to manage user access for on-premises and cloud applications. It creates a common user identity for authentication and authorization of all resources, regardless of location. This extends to sign-in: users can sign into both on-premises and cloud-based applications using the same password, which reduces help desk calls. Azure AD validates their passwords.

Microsoft has also improved how communication with external Azure AD organizations is managed. In July, it said its cross-tenant access settings now give IT granular inbound and outbound access control settings that work on a per-organization, per-user, per-group, and per-application basis. The settings also enable IT to trust security claims, such as multi-factor authentication, from external Azure AD organizations.
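To make the two preceding points concrete, the script below is an added example (not from the article, Nerdio or Microsoft) of a simplified policy evaluator in the style of Conditional Access: it runs after the first factor has succeeded, combines the signals the text lists (group or tenant membership, IP location, device state, sign-in risk), and decides whether to grant, interrupt for a further control, or block. It also models the cross-tenant setting that decides whether an MFA claim asserted by an external user's home tenant is trusted. The named location, the partner tenant names, and the three policies are all constructed, and the evaluation logic is a hypothetical simplification, not Microsoft's engine.

```python
"""Simplified, hypothetical model of Conditional Access style evaluation after
first-factor authentication, including cross-tenant trust of MFA claims."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed named location: the office egress range (TEST-NET-2 addresses).
NAMED_LOCATIONS = {"corp-hq": ["198.51.100.0/24"]}

# Constructed cross-tenant access settings, keyed by external tenant name.
CROSS_TENANT = {
    "partner-tenant-a": {"inbound_allowed": True, "trust_mfa": True},
    "partner-tenant-b": {"inbound_allowed": True, "trust_mfa": False},
}

# Constructed policies targeting the AVD application. "grant" is the control enforced.
POLICIES = [
    {"name": "Block high-risk sign-ins to AVD", "apps": {"AVD"},
     "sign_in_risk": {"high"}, "grant": "block"},
    {"name": "Require MFA for AVD", "apps": {"AVD"}, "grant": "mfa"},
    {"name": "Require compliant device for AVD off-network", "apps": {"AVD"},
     "exclude_locations": {"corp-hq"}, "grant": "compliant_device"},
]


@dataclass
class SignIn:
    """Signals available once the first factor has succeeded."""
    user: str
    app: str
    ip: str
    home_tenant: Optional[str] = None   # None means a member of this tenant
    sign_in_risk: str = "none"          # none | low | medium | high
    mfa_done_here: bool = False         # MFA completed in this tenant
    mfa_claim_from_home: bool = False   # home tenant asserts MFA in the token
    device_compliant: bool = False


def in_named_location(ip: str, name: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in NAMED_LOCATIONS.get(name, []))


def mfa_satisfied(s: SignIn) -> bool:
    """MFA counts if done here, or if an external claim comes from a trusted tenant."""
    if s.mfa_done_here:
        return True
    if s.home_tenant and s.mfa_claim_from_home:
        return CROSS_TENANT.get(s.home_tenant, {}).get("trust_mfa", False)
    return False


def evaluate(s: SignIn, policies=POLICIES) -> Tuple[str, List[str]]:
    """Return (decision, details): 'block' with the reason, 'interrupt' with the
    controls the user still has to satisfy, or 'grant' with an empty list."""
    if s.home_tenant and not CROSS_TENANT.get(s.home_tenant, {}).get("inbound_allowed", False):
        return "block", [f"inbound access from {s.home_tenant} not allowed"]
    controls = []
    for p in policies:
        if s.app not in p["apps"]:
            continue
        if "sign_in_risk" in p and s.sign_in_risk not in p["sign_in_risk"]:
            continue
        if any(in_named_location(s.ip, loc) for loc in p.get("exclude_locations", ())):
            continue
        if p["grant"] == "block":
            return "block", [p["name"]]   # a block control always wins
        controls.append(p["grant"])
    unmet = [c for c in controls
             if (c == "mfa" and not mfa_satisfied(s))
             or (c == "compliant_device" and not s.device_compliant)]
    return ("interrupt", unmet) if unmet else ("grant", [])


if __name__ == "__main__":
    cases = [
        SignIn("alice", "AVD", "198.51.100.5", mfa_done_here=True),
        SignIn("alice", "AVD", "203.0.113.9"),
        SignIn("guest", "AVD", "203.0.113.9", home_tenant="partner-tenant-a",
               mfa_claim_from_home=True, device_compliant=True),
        SignIn("guest", "AVD", "203.0.113.9", home_tenant="partner-tenant-b",
               mfa_claim_from_home=True, device_compliant=True),
    ]
    for c in cases:
        print(c.user, c.home_tenant or "member", evaluate(c))
```

The two guest cases differ only in which tenant asserted MFA: the claim from the tenant marked `trust_mfa` satisfies the MFA control, while the same claim from the other tenant is ignored and the user is prompted again in this tenant. That is the practical effect of the cross-tenant trust setting the text describes.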

5. Patching and updates:

Since AVD is image-based, the process of patching and keeping applications up to date is far more consistent, reliable and rigorous. IT admins can apply patches to images on a regular schedule of their own choosing. They can then test that image, from both a security and a functional perspective, without disturbing end-users' workflow. Once IT is ready, they can deploy the image to live session hosts with minimal disruption to the workforce.

AVD Security in Third-party Collaboration

These practices (tighter access and application controls, rigorous identity management, and vigilant patching) form the foundation of day-to-day risk mitigation at the end-user level. It is also prudent to examine how IT and security control third-party access to sensitive data, and how AVD organizations collaborate with external AVD organizations. Making sure IT takes advantage of these controls adds another layer of threat defense, particularly for high-value assets such as sensitive financial data or intellectual property. As the use of the cloud continues to expand, governing external identities' communication with employees needs to be as rigorous as internal access control.

How are you improving risk management in an era of virtual work? Let us know on Facebook, Twitter, and LinkedIn.
