VMworld: Desktop virtualization drives security skepticism

By Dennis Fisher, Executive Editor 13 Sep 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

A big part of that push is predicated on the idea, advanced by a number of VMware executives, that virtualized desktops provide better security than traditional PCs. VMware officials and others in the industry say that the market for desktop virtualization could eventually grow larger than the server virtualization market. However, security experts say that while there are some benefits to desktop virtualization, there are also a number of security drawbacks.

"Virtualization by its nature adds complexity and the idea that a virtualized desktop is more secure doesn't take into account the enterprise view… I have to document that I'm compliant with a number of different things here, like regulations and corporate guidelines," said Dennis Moreau, CTO of security vendor Configuresoft Inc., of Colorado Springs. "It's a very tactical view. But if you're an enterprise that's deploying desktop virtualization, that enterprise is going to have to invest in describing that desired state much more heavily. That doesn't say virtualization is bad, it just says it adds complexity."

Virtualization security In this feature for Information Security magazine, Dennis Fisher writes about the security implications of data center virtualization. Read how VMware touts the security benefits of virtualization. See all of our news, tips and advice on virtualization security. Check out more news coverage of VMWorld 2007 at SearchServerVirtualization.com.

At its VMworld conference this week, VMware is touting its various desktop virtualization products as key tools for locking down enterprise networks. Desktop virtualization comes in a couple of different forms: the application streaming model, and the managed desktop model. VMware's Virtual Desktop Infrastructure (VDI) uses an application-streaming architecture in which users access their desktop images through a virtual machine that is running on a back-end server. The company's ACE 2 product takes the managed desktop approach, which gives each user a complete operating system and application image running in a virtual machine on the desktop.

ACE allows administrators to deploy standardized desktop images to laptops, desktops and some mobile devices remotely. ACE also includes some security capabilities, such as a NAC-like ability to quarantine out-of-compliance virtual machines and force them to update their patch levels. The product can also prevent a host machine from accessing the network while still allowing the virtual machine to get on the network. ACE 2, VMWare officials say, is what the future of desktop security will look like.

Having the ability to centrally manage all corporate desktops on a low level can be quite useful, but Moreau said that the architecture itself can cause some thorny problems for IT security staffs.

"All those levels of abstraction hide traffic from me. There is more information to pay attention to, and the flexibility of the virtual environment hides detail," he said. "IT compliance and incident management just got a lot more complex."

Also, controlling the virtual machine on the desktop does not eliminate the threat posed by low-level malware on the host machine, such as keyloggers or rootkits, Moreau said. Such malware sits below the level of the virtual machine and would not be affected by changes or policies governing the virtual machine image.

Tags: Virtualization Security Issues and Threats,  Information Security Policies, Procedures and Guidelines,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Virtualization Security Issues and Threats Cloud computing data security starts with internal strategy, experts say PCI virtualization SIG closer to proposing changes to standard Security challenges with cloud computing services Secure virtual desktop software enables remote client security Security threats to virtual environments less theoretical, more practical At VMworld 2009, companies focus on virtual desktops for security Security fundamentals remain focus of virtualization deployments How to implement virtual firewalls in a complex network infrastructure How to find virtual machines for greater virtualization compliance Quiz: Virtualization and compliance Information Security Policies, Procedures and Guidelines Health Net breach failure of security policy, technology How to protect distributed information flows Essential guide: Pandemic planning for H1N1 Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats Should enterprises be concerned with Twitter in the workplace? Information security management hype: Debunking best practices Data breach avoidance begins with security basics, panel says

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary