COLUMN

At VMworld 2009, companies focus on virtual desktops for security

By Eric Ogren 03 Sep 2009 | SearchSecurity.com Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

While security and compliance is a major driver of virtual desktop infrastructure projects, security is taking an otherwise decidedly low profile here at VMworld this week. Clearly customers are moving ahead with virtualization projects within the context of traditional security architectures. This is also reflected in the trend that attached costs for professional services, incremental storage, networking, and business applications are all greater in virtualization projects than security expenses. Virtualization projects are going ahead in the data center where application service configurations are relatively static and security can be placed in the physical infrastructure.

However, there is some noteworthy security activity happening at VMworld that is a far healthier discussion than the fear, uncertainty, and doubt of attacks jumping through hypervisors. There is tangible excitement about being able to control data and applications in the data center and the prospect of virtual desktop infrastructures may help IT focus on users and data while getting out of the endpoint device management business. The privately held security companies that stand out at VMworld are offering unique approaches to secure remote access, increase visibility in virtual environments and building in the flexibility for security to be paired with business VMs.

Listen to the VMworld 2009 interview with Eric Ogren: VMworld 2009: Virtualization security: Eric Ogren of The Ogren Group talks about the focus on security fundamentals and some virtualization technologies that increase security including virtual desktops. Ogren is attending VMworld this week in San Francisco.

• Security and compliance drives VDI. Highly regulated industries with a largely non-mobile workforce, such as financial enterprises, are piloting virtual desktops to reduce the risk of data loss or malware at the endpoint. With VDI, the application executes on shared servers in the data center and confidential data remains within the protection of the data center. The IT tasks of managing security such as AV, DLP agents, or USB device control are significantly simplified if the endpoint is a thin client as there is no disk to protect or moving parts to break; if the endpoint is a zero client there is not even a cpu to manage. While CAPEX and OPEX savings of VDI infrastructures are often debatable, the security and compliance VDI benefits resulting from restricting applications to the data center are very clear.

• Traditional security vendors start with virtual appliances. Deploying security software as virtual appliances provides IT flexibility in placing security in the infrastructure. For instance, the provisioning of an Exchange VM on a new server may also result in the dynamic launching of firewall and DLP VMs to protect the new mail server. Virtual Appliance implementations do not add security capability, but VAs do give IT more options in where security is deployed.

• I'm not frequently hearing about new security requirements for virtualization. The good news is that there is almost no FUD discussion of attacks jumping through infected hypervisors to infect VMs on multi-tenant virtualization servers. Surprisingly, there is not much conversation from security vendors on detecting when a VM is infected and needs to be refreshed. It looks like it will take a security reaction to the first wave of hypervisor attacks to measure the value of VMsafe. There is also room for innovation in VM lifecycle security functions including scanning, patching, and upgrading of operating systems and applications as VMs are built and provisioned so IT can be confident that VMs are as pristine as possible.

For now, organizations are placing security at the boundaries between virtual and physical environments, partly for common administration, partly to always know where security exists in the infrastructure and partly because there are few new threats against the virtual environment to respond to. However, virtualization is fundamentally changing the way IT dynamically manages applications and desktops which will force security to adapt.

Tags: Virtualization Security Issues and Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Virtualization Security Issues and Threats Cloud computing data security starts with internal strategy, experts say PCI virtualization SIG closer to proposing changes to standard Security challenges with cloud computing services Secure virtual desktop software enables remote client security Security threats to virtual environments less theoretical, more practical Security fundamentals remain focus of virtualization deployments How to implement virtual firewalls in a complex network infrastructure How to find virtual machines for greater virtualization compliance Quiz: Virtualization and compliance Virtual appliances boost flexibility, improve security

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary