VMworld: Desktop virtualization drives security skepticism |
 |
By Dennis Fisher, Executive Editor
13 Sep 2007 | SearchSecurity.com |
|
|
SAN FRANCISCO -- Virtualization has made a lot of inroads in the data center and in some enterprise environments, but VMware Inc. is pushing hard to move the technology onto corporate desktops.
A big part of that push is predicated on the idea, advanced by a number of VMware executives, that virtualized desktops provide better security than traditional PCs. VMware officials and others in the industry say that the market for desktop virtualization could eventually grow larger than the server virtualization market. However, security experts say that while there are some benefits to desktop virtualization, there are also a number of security drawbacks.
"Virtualization by its nature adds complexity and the idea that a virtualized desktop is more secure doesn't take into account the enterprise view… I have to document that I'm compliant with a number of different things here, like regulations and corporate guidelines," said Dennis Moreau, CTO of security vendor Configuresoft Inc., of Colorado Springs. "It's a very tactical view. But if you're an enterprise that's deploying desktop virtualization, that enterprise is going to have to invest in describing that desired state much more heavily. That doesn't say virtualization is bad, it just says it adds complexity."
At its VMworld conference this week, VMware is touting its various desktop virtualization products as key tools for locking down enterprise networks. Desktop virtualization comes in a couple of different forms: the application streaming model, and the managed desktop model. VMware's Virtual Desktop Infrastructure (VDI) uses an application-streaming architecture in which users access their desktop images through a virtual machine that is running on a back-end server. The company's ACE 2 product takes the managed desktop approach, which gives each user a complete operating system and application image running in a virtual machine on the desktop.
ACE allows administrators to deploy standardized desktop images to laptops, desktops and some mobile devices remotely. ACE also includes some security capabilities, such as a NAC-like ability to quarantine out-of-compliance virtual machines and force them to update their patch levels. The product can also prevent a host machine from accessing the network while still allowing the virtual machine to get on the network. ACE 2, VMWare officials say, is what the future of desktop security will look like.
Having the ability to centrally manage all corporate desktops on a low level can be quite useful, but Moreau said that the architecture itself can cause some thorny problems for IT security staffs.
"All those levels of abstraction hide traffic from me. There is more information to pay attention to, and the flexibility of the virtual environment hides detail," he said. "IT compliance and incident management just got a lot more complex."
Also, controlling the virtual machine on the desktop does not eliminate the threat posed by low-level malware on the host machine, such as keyloggers or rootkits, Moreau said. Such malware sits below the level of the virtual machine and would not be affected by changes or policies governing the virtual machine image.
|
|
|
|
