Not everything that happens in Vegas stays in Vegas. My laptop picked up the Secure Shield Virus at VMware Partner Exchange, and I ended up sending it back to Corporate IT for reimaging.
A virtual desktop (vDT) does not prevent laptop malware infection – at least not if local browsing is permitted – but it does leave a user’s corporate desktop unimpaired. Notwithstanding this example of the type of security benefit vDTs can provide, a debate continues as to whether or not virtual desktops are, on the whole, more secure than their physical counterparts.
Gaps in Physical Desktop Security
Security requires both IT visibility and control, but these capabilities diminish once a corporate laptop leaves the building and is no longer on the network or Wi-Fi. The device becomes susceptible to malware, can become a gateway to the corporate network and can be lost or stolen along with sensitive organizational information.
Data breaches, whether on a stolen laptop or on a hacked remote office server or desktop, can be very costly for organizations to remediate, and they can create irreparable damage to corporate brands and reputations. Computer encryption is touted as the solution, but in practice only one-third of laptops are encrypted, according to a 2009 Ponemon Institute study. Encryption software costs money, must be managed and can make the user experience less productive.
BYOD exacerbates security challenges by making it difficult to monitor whether or not employees are complying with organizational policies and regulatory requirements. A jailbroken iPhone, for example, is particularly vulnerable to attack. Litigation can lead to discovery and forensic review, which then raises privacy issues as employers gain access to employee personal information and Web viewing habits.
By virtual desktops, I mean the centrally hosted variety as part of VDI (Virtual Desktop Infrastructure). The vDTs are housed, administered and backed up in data centers – regardless of access. This centralized model is more easily managed than a distributed environment where users can download applications and store corporate data on their local machines.
Technologies such as VMware OffLine or Citrix XenClient allow for local instances of virtual desktops, but centralized control is lessened as VMs and/or data now travel back and forth between local devices and the data center. Some users demand access to corporate information when data center connectivity is unavailable, such as when flying. But rather than make exceptions to a centralized desktop computing model, users can work on other tasks during the flight, or book flights on aircraft that provide Wi-Fi.
VDI enables desktop control similar to the mainframe and VAX days when applications were accessed via dumb terminals, except that users can create Excel reports in minutes rather than wait for months in an MIS queue. And, of course, users can securely access their vDTs from almost any type of device, whether PC, Mac, zero-client terminal, tablet or smartphone.
Virtual desktop session recording enhances IT visibility into user-level activities and can provide an audit trail showing both who is accessing sensitive corporate information and how it is being accessed. IT can prove, for example, that a stolen laptop never had access to sensitive information, thereby negating the onerous requirement to notify customers of a potential breach.
The VMware View and Citrix XenDesktop connection brokers provide useful information such as IP addresses, connection times, and whether or not a USB stick was plugged in and, if so, what type. Connection broker policies can be set to disable copy & paste and printing. They can also prevent mappings of USB devices or local drives to the virtual machine, thereby making it difficult to extract corporate data.
Additional tools enable further protection. VMware vShield, for example, can wrap around a VM to prevent malware from coming in. Varonis provides log-on information about files opened, Web sites hit, etc. Tools from RSA can scan the copy/paste buffer and then flush it if sensitive information is detected. RSA enVision produces a report of access to all sensitive information.
One of the most compelling VDI benefits is the elimination of common BYOD concerns surrounding security and privacy issues. As an example, IT no longer needs to be able to remote wipe a personal device in the event it is lost or stolen. The employee’s corporate desktop and data continue to reside securely in the data center; a simple password change prevents unauthorized access.
On the downside, VDI, as Brian Madden points out in an April 2010 SearchVirtualDesktop article, “moves your unpredictable users from out in the field into your data center.” The article goes on to provide some good practices for addressing this risk.
VDI can also mean increased susceptibility to a single point of attack, since all vDTs run on a data center hypervisor. Once past the perimeter, a skilled hacker can get access to the IP addresses of the other VMs. A product such as VMware vShield can mitigate this risk by creating a firewall that allows VMs in the same desktop pool to speak with designated resources, but not with each other. Today’s version of vShield requires substantial effort to set up the rules, though tighter integration at the VMware View level should be able to largely automate the process.
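The pool isolation just described, modeled as an added example: a first-match, default-deny flow policy that lets vDTs reach designated resources but blocks vDT-to-vDT traffic, plus an audit function that reports the denied flows. This is illustrative code written for this article, not vShield configuration or the author's own tooling; the subnets, hosts and sample flows are constructed.

```python
# Added example: a minimal model of the desktop-pool isolation rule set
# described in the text. Not vShield configuration; all addresses and
# names below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # source CIDR
    dst: str          # destination CIDR
    ports: frozenset  # destination TCP ports; empty means any port
    action: str       # "allow" or "deny"


# Constructed addressing: desktop pool in 10.10.0.0/24, designated
# resources (file server, directory service) in 10.20.0.0/24.
POOL = "10.10.0.0/24"

# Order matters: the first matching rule wins and the last rule is a
# catch-all deny, so anything not explicitly allowed is blocked.
POLICY = [
    Rule("pool-to-fileserver", POOL, "10.20.0.10/32", frozenset({445}), "allow"),
    Rule("pool-to-directory", POOL, "10.20.0.20/32", frozenset({88, 389, 636}), "allow"),
    Rule("deny-intra-pool", POOL, POOL, frozenset(), "deny"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", frozenset(), "deny"),
]


def evaluate(src: str, dst: str, port: int, policy=POLICY):
    """Return (action, rule_name) for the first rule matching the flow."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if (s in ip_network(rule.src) and d in ip_network(rule.dst)
                and (not rule.ports or port in rule.ports)):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def audit(flows, policy=POLICY):
    """Evaluate flows and return log-style records of the denied ones,
    the kind of evidence the forensic approach in the text relies on."""
    return [f"DENY {src}->{dst}:{port} ({name})"
            for src, dst, port in flows
            for action, name in [evaluate(src, dst, port, policy)]
            if action == "deny"]


if __name__ == "__main__":
    # Constructed sample flows: RDP between two vDTs, SMB to the file server.
    for line in audit([("10.10.0.5", "10.10.0.6", 3389),
                       ("10.10.0.5", "10.20.0.10", 445)]):
        print(line)
```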
So is a Virtual Desktop More Secure than the Physical Version?
Virtual desktops, out of the box, may not be more secure than a well-managed physical desktop environment; however, in my experience this type of environment is uncommon. Physical desktops demand significant IT resources for provisioning, image management, upgrades, patches and desk-side troubleshooting; security often lacks the attention it should have.
In not-so-well-managed environments, just the process of centralizing desktops and data is, on balance, going to be more secure. Virtual desktops, unlike the physical varieties, are not susceptible to loss, theft or physical attack. Hackers are limited to keylogging and screen scraping, and third-party tools can help minimize these risks. VDI can also potentially reduce risks of access/attack and regulatory noncompliance of remote office servers and desktops by virtualizing and consolidating them back to the data center as part of a VDI architecture.
Even well-managed physical desktops do not offer the control and visibility options available with VDI, and they lack the advantage of a much more flexible virtual environment. IT, for example, can address HR security concerns by providing each HR employee with two vDTs: The first prohibits access to a sensitive HR application while the second only allows access to the designated application and prevents Internet browsing.
VDI cannot guarantee data security – employees can perform malicious acts such as taking pictures of their screens. But VDI does enable IT to piece together the big picture with a forensic approach determining when the user was logged in, what was accessed and how long it was on the screen.
IT Staff Resources
Attempting to tighten down the physical desktop environment is not only costly, but can create user satisfaction and productivity issues as well. VDI eliminates the need for desktop upgrades while slashing administrative and troubleshooting requirements. IT has more resources to devote to security as well as to integrating vDTs into an overall IT-as-a-Service strategy for making their organizations more innovative, efficient and competitive.
Huge thanks to Mike Foley (@mikefoley) of RSA and to Andre Leibovici (@andreleibovici) of VMware for their assistance with this article. Please see some of Foley's direct thoughts on this topic below.
Securing Virtual Desktops. 02/09/2012. Mike Foley. The Cloudcast
Virtual Desktops and Security – Leverage, Control, Enable. 01/27/2012. Mike Foley. I’m Tellin’ Ya Now!
Why BYOD Isn’t a Trend. 12/05/2011. David Strom. ReadWrite Enterprise
How VDI Can Make Your Desktop Security Worse. 04/24/2010. Brian Madden. SearchVirtualDesktop