While security and compliance are major drivers of virtual desktop infrastructure projects, security is otherwise keeping a decidedly low profile here at VMworld this week. Clearly customers are moving ahead with virtualization projects within the context of traditional security architectures. This is also reflected in the trend that the attached costs for professional services, incremental storage, networking, and business applications all exceed security spending in virtualization projects. Virtualization projects are going ahead in the data center, where application service configurations are relatively static and security can be placed in the physical infrastructure.
However, there is some noteworthy security activity happening at VMworld, and it is a far healthier discussion than the fear, uncertainty, and doubt about attacks jumping through hypervisors. There is tangible excitement about being able to control data and applications in the data center, and the prospect of virtual desktop infrastructure may help IT focus on users and data while getting out of the endpoint device management business. The privately held security companies that stand out at VMworld are offering unique approaches to securing remote access, increasing visibility in virtual environments, and building in the flexibility for security to be paired with business VMs.
- Security and compliance drive VDI. Highly regulated industries with a largely non-mobile workforce, such as financial enterprises, are piloting virtual desktops to reduce the risk of data loss or malware at the endpoint. With VDI, the application executes on shared servers in the data center and confidential data remains within the protection of the data center. The IT tasks of managing security such as AV, DLP agents, or USB device control are significantly simplified if the endpoint is a thin client, as there is no disk to protect or moving parts to break; if the endpoint is a zero client there is not even a CPU to manage. While the CAPEX and OPEX savings of VDI infrastructures are often debatable, the security and compliance benefits of restricting applications to the data center are very clear.
- Traditional security vendors start with virtual appliances. Deploying security software as virtual appliances gives IT flexibility in placing security in the infrastructure. For instance, provisioning an Exchange VM on a new server may also trigger the dynamic launch of firewall and DLP VMs to protect the new mail server. Virtual appliance implementations do not add security capability, but they do give IT more options in where security is deployed.
- I'm not frequently hearing about new security requirements for virtualization. The good news is that there is almost no FUD discussion of attacks jumping through infected hypervisors to infect VMs on multi-tenant virtualization servers. Surprisingly, there is not much conversation from security vendors on detecting when a VM is infected and needs to be refreshed. It looks like it will take a security reaction to the first wave of hypervisor attacks to measure the value of VMsafe. There is also room for innovation in VM lifecycle security functions, including scanning, patching, and upgrading of operating systems and applications as VMs are built and provisioned, so IT can be confident that VMs are as pristine as possible.
For now, organizations are placing security at the boundaries between virtual and physical environments, partly for common administration, partly to always know where security exists in the infrastructure, and partly because there are few new threats against the virtual environment to respond to. However, virtualization is fundamentally changing the way IT dynamically manages applications and desktops, which will force security to adapt.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.