Wales

Introduction to Desktop as a Service (DaaS) Security

Desktop as a Service (DaaS) has seen growing popularity, but with this popularity comes unique risks that have to be taken seriously.

DaaS is a unique cloud computing service that allows you to access a cloud-based virtual desktop from anywhere in the world, on any device. A DaaS platform allows you to use a fully functioning hosted desktop for any applications that you would normally be able to run on a typical desktop. They are easy to use and purchase and require no maintenance, IT, or dedicated cybersecurity to run.

DaaS services are typically offered on a subscription basis and have multiple different users leasing the service. A third-party cloud provider hosts the back end systems that make the DaaS platform run – such as backend virtual desktop infrastructure. From this, the DaaS provider streams the desktop to your device, in the same way, Netflix of GeForce Now streams television and video game content to your computer.

Because of this, the DaaS provider manages all of the security, maintenance, data backup, upgrades, and storage, while also ensuring that the virtual desktop infrastructure deployment is smooth and stable. On the customer side, there is simply the management of what the DaaS platform is being used for – such as which applications. This is why, amongst other reasons, DaaS is such a strong choice for businesses looking to avoid investing in expensive hardware or maintenance costs.

Why would you use a Desktop as a Service (DaaS)?

With remote working and flexible working on the rise, employees now wish to assess their company's network and desktop from anywhere, at any time, on any device. For companies requiring a low-cost solution to this problem, then DaaS is a strong option that avoids all the weaknesses of traditional PCs – such as a fixed location or IT management.

Like other “as a service” platforms, DaaS can be used to run a variety of businesses online. Many of these are disruptive. An easy example would be Netflix competing with traditional cinema, but newer examples would be people doing their accounting over the cloud or using a virtual service to play high spec video games on low spec devices.

There are several key benefits to using DaaS:

Reduced costs: You only pay for the subscription, reducing cost on capital and maintenance fees.

Security: Generally speaking DaaS is a secure access point to a desktop where the security is managed by the DaaS provider. As they have a reputation to maintain, they have to invest huge amounts of money into maintaining the security of their service.

Flexibility: Employees can connect to their workplace desktop from any location, anytime, anywhere, allowing them to be more productive and more in control of their work-life balance.

Is DaaS secure?

DaaS has gained even more popularity since Microsoft has introduced its Windows Virtual Desktop – a platform they’re making widely available and are continuing to push investment in. Windows Virtual Desktop allows companies to run a full Windows desktop over the cloud, on multiple devices, and at a relatively minimal cost. 

Having a big industry player like Microsoft embrace DaaS has helped give many businesses the push needed to start moving their company onto the cloud, and start allowing their employees to do their jobs using DaaS platforms. It is likely that DaaS will enjoy the same level of exponential growth that its predecessor, SaaS, has enjoyed

But this popularity and growth isn’t without its risks, as it turns the platform into a target for hackers. Security concerns over SaaS platforms like Dropbox have led many to seek more secure alternatives. But with any service, most of the security risks come down to basic errors on the user or provider side. I will discuss three of them now.

First, you have to understand that DaaS makes the entire OS more vulnerable. Because all users share the same OS, if one user is infected by any attack vector on Windows (i.e. websites, apps, plugins, malicious attachments), then the entire OS can get affected as well. This will expose the credential, data, apps of all other users to the same bad agent.

This could be enacted by an insider that is using their knowledge of the system to leverage vulnerabilities, or it could be an external attacker. This is actually far easier than you’d imagine. If the attacker can find software that hasn’t been patched and take advantage of its vulnerabilities, the attacker can invade the OS and start stealing valuable data. 

Second, as a DaaS platform is provided across the internet to any user, then an attacker can access the platform and analyze it to find vulnerabilities that they can exploit. If you are using the DaaS platform without two-factor or multi-factor authentication then this becomes a real danger. If they can intercept your login credentials then they can immediately gain access to your entire virtual desktop. With multi-factor authentication, this would be impossible.

Perhaps the easiest way for a hacker to intercept important information is to intercept it over an unsecured network or to find flaws in the protocol that connects the user to the virtual desktop. While protocol networks are becoming more and more advanced, this brings with it an expanded code base and thus an expanded attack surface. You might think these vulnerabilities are rare, but they are far more common than you think.

Finally, as the main desire behind adopting DaaS is to access a virtual desktop from any device, these same devices are extremely vulnerable. Many of these devices are unmanaged, with extremely low levels of cybersecurity, used by individuals with a poor level of cybersecurity level. 

Once infected with forms of cyberattack such as malware or ransomware, data from the remote desktop can be easily stolen, or any level of damage can be undertaken. Because this kind of attack capitalizes on the user and the user’s device, there is very little that can be done to stop it on the DaaS provider size.

Conclusion

If you use a DaaS service, you must make sure that you are using multi-factor authentication and using a service that is regularly patched and protected by a dedicated cyber-security team. You also have to make sure your devices are secure so that both attack vectors a hacker can use are protected.

Sam Bocetta is a freelance journalist specialising in US diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefence, and cryptography.

 

In partnership with