Are HTML5 VDI Solutions Secure Enough for Financial Institutions?

Many Virtual Desktop Infrastructure (VDI) solutions offer both a native client and an HTML5 alternative, the latter of course having the advantage of not requiring anything installed on the user’s computer and the ability to work from any device.

HTML5 clients are not new; however, until recently they underperformed significantly compared to the native alternative.

Now that HTML5 is delivering what many see as a good-enough user experience, the question remains whether the facilities of the browser alone can address security and privacy concerns. In many regulated industries, security should, within reason, outweigh usability, so the question of whether HTML5 VDI is secure enough is critical.

Does the isolation provided by the HTML5 client provide sufficient security that even an unmanaged, personal device can be used to safely access critical applications, for example, banking applications?

Putting it to the Test

We simulated malware that captured the screen of the host device while connecting to different sites. The “attack” was successful, and we were able to extract information from the ongoing HTML5 session. With MetaAccess, we then implemented a profile to prevent screen capture, and the hacker got black screens similar to the example here:

What a hacker will see if they try to capture the screen with MetaAccess screen capture protection enabled.

So, Are HTML5 VDI Solutions Secure Enough for Financial Institutions?

In short, no.

Any device connecting to company resources still carries significant inherent privacy and security risks, especially in a regulated industry.

As part of a zero-trust methodology, it is critical to ensure the device implements good hygiene before allowing a connection, such as an up-to-date and fully configured antimalware solution, encrypted drive, screen lock enabled, and so on. It is also very important to get an overview of the compliance status of the organization for audits.
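The device-hygiene gate described above, written out as an added illustration rather than MetaAccess or Horizon code: a small policy evaluator that checks a posture report (antimalware enabled, actively scanning and recently updated; disk encrypted; screen lock on; session protections present; no blocked messaging apps running) before a session is allowed, and a fleet summary that gives the audit overview. The report fields, the two-day signature-freshness threshold, the blocked-app list and the sample reports are all assumptions constructed for the example.

```python
"""Device-posture gate for HTML5 VDI access.

Added example, not OPSWAT MetaAccess or VMware Horizon code. Field names,
thresholds and the sample reports are assumptions chosen for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_SIGNATURE_AGE = timedelta(days=2)      # assumed freshness requirement for AV signatures
BLOCKED_APPS = {"whatsapp", "telegram"}    # assumed messaging apps blocked during a session


@dataclass
class PostureReport:
    """What a hypothetical endpoint agent would report before a session."""
    device_id: str
    antimalware_enabled: bool
    realtime_protection: bool
    signatures_updated_at: datetime
    disk_encrypted: bool
    screen_lock_enabled: bool
    screen_capture_protection: bool
    anti_keylogger: bool
    running_apps: list = field(default_factory=list)


def evaluate_posture(report, now=None):
    """Return (allowed, reasons). Every failed control is collected, not just
    the first one, so the same result feeds the access decision and the
    compliance overview."""
    now = now or datetime.now(timezone.utc)
    reasons = []

    # Antimalware must be on, actively scanning, and recently updated.
    if not report.antimalware_enabled:
        reasons.append("antimalware disabled")
    elif not report.realtime_protection:
        reasons.append("antimalware real-time protection off")
    elif now - report.signatures_updated_at > MAX_SIGNATURE_AGE:
        reasons.append("antimalware signatures stale")

    if not report.disk_encrypted:
        reasons.append("disk not encrypted")
    if not report.screen_lock_enabled:
        reasons.append("screen lock disabled")

    # Session-time protections against a RAT on the endpoint. An agent that
    # was tampered with or disabled reports False here and the session is refused.
    if not report.screen_capture_protection:
        reasons.append("screen capture protection off")
    if not report.anti_keylogger:
        reasons.append("anti-keylogger off")

    blocked = sorted(a for a in report.running_apps if a.lower() in BLOCKED_APPS)
    if blocked:
        reasons.append("blocked apps running: " + ", ".join(blocked))

    return (not reasons, reasons)


def compliance_summary(reports, now=None):
    """Fleet view for audits: how many devices pass, and which controls fail."""
    failures = Counter()
    compliant = 0
    for r in reports:
        ok, reasons = evaluate_posture(r, now)
        compliant += int(ok)
        failures.update(reasons)
    return {"total": len(reports), "compliant": compliant, "failures": dict(failures)}


# Constructed sample reports (not real telemetry).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_REPORTS = [
    PostureReport("laptop-01", True, True, NOW - timedelta(hours=6), True, True, True, True),
    PostureReport("byod-02", True, True, NOW - timedelta(days=9), False, True, True, False, ["WhatsApp"]),
    PostureReport("byod-03", False, False, NOW - timedelta(days=30), True, False, False, True),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        print(r.device_id, evaluate_posture(r, NOW))
    print(compliance_summary(SAMPLE_REPORTS, NOW))
```

The evaluator deliberately reports all failing controls rather than stopping at the first, because the access decision and the audit overview want different things from the same check: the gate only needs a yes or no, while the compliance view needs to know which control is most often missing across the fleet.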

Let’s say your organization has decided to allow any device to connect to company resources over HTML5. Malware protection may not be enabled on the device, and even if it is, a malicious remote access trojan (RAT) may evade detection.

If So, What is the Risk? 

The risk is that the attacker remotely harvests data through screen captures and keylogging, without the device owner or the company knowing.

The result is sensitive data, displayed in and typed into the HTML5 session, being leaked to the attacker.

To protect from this not-so-unlikely attack, it is important to use screen capture protection and anti-keylogger technology that can stymie the attacker.

No Doubt About it. Compliance and Privacy Regulations Need to be Taken Seriously.

Companies such as Morgan Stanley and JP Morgan both learned this expensive lesson recently. As such, it is worth having a defense-in-depth approach. OPSWAT offers such technology as part of its MetaAccess solution.

  • With MetaAccess’ screen capture prevention enabled, the captured image is replaced with a blank image, as depicted here:
  • MetaAccess’ Application Control blocks the use of messaging apps, such as WhatsApp, while the device is connected to the corporate VDI system
  • With MetaAccess’ anti-keylogging enabled, hackers see random text rather than what users type, as depicted here:

Real Power for Real Protection

MetaAccess provides the necessary protection to prevent leaking data and avoid fines, but the real power for VDI protection comes in the integration offered with VMware Horizon.

OPSWAT has partnered with VMware to provide a tightly integrated joint solution that can ensure these protections are in place, in a zero-trust fashion, before and while the user is accessing applications through Horizon.

For example, if a user tampers with the OPSWAT Client to disable the screen capture protection, the user will be blocked from accessing the VDI session.

For the HTML5 Horizon client, MetaAccess leverages your organization’s existing Identity Access Management solution, such as Ping Identity or Okta, to check compliance as part of the SAML authentication process before the user gains access to any applications.

This works well to ensure compliance — even for BYOD.

Circling back to the main question, as to whether HTML5 VDI session isolation is sufficient to secure untrusted devices, the answer is still no.

To comply with regulations and protect sensitive corporate data, it is important to maintain defense-in-depth tools on the enclave host with capabilities such as those MetaAccess provides.

For more information, please contact one of our cybersecurity experts.
