Many organizations are deploying virtual desktop infrastructures (VDI) with traditional physical security defense concepts, not realizing there are new capabilities available that can bring immediate security benefits to a VDI environment.
It is no surprise that virtual security lags behind VDI adoption. According to a worldwide survey conducted earlier in 2011 by Trend Micro, 67% of enterprises when asked, “How long has your organization been using VDI?” replied they have been doing so for fewer than two years, with 9% having more than four years of VDI experience. For security teams, best practices for virtual environments are still evolving, and the opportunities to improve on existing security models are yet to be widely adopted.
There are exciting new advances that can help secure your virtualdesktop infrastructure; the following concepts should be part of each VDI deployment. (Note: The vendors listed below are intended to help identify categories and is by no means exclusive).
Deploy only antivirus products designed to support VDI security. Physical security products bundled into desktop virtual machines create resource contention problems that can significantly restrict VM density. Specifically, multiple desktop VMs that concurrently update pattern files and conduct system scans can bring a virtual server to its knees. The best approaches are:
- Run a single security VM that handles antivirus for all hosted desktops on the virtual server – assuring only a single pattern file update and coordinated system scans (e.g. Trend Micro, VMware);
- Include AV in each desktop VM, but use advanced shared scan caches and statistical back-off algorithms to smooth out AV operations when the virtual server is under heavy performance stress (e.g. Symantec);
- Use application whitelisting within each desktop VM (e.g. CoreTrace).
Be sure to use endpoint security that is specifically designed for the needs of VDI and will not create AV storms.
Use provisioning software or apply NAC principles to keep virtual desktops compliant. There are many ways a virtual desktop can fall out of compliance – the VM may contain an obsolete version of application software or perhaps security policy has changed. One approach is to re-provision desktops each day to ensure only the latest supported versions of software are used (e.g. Citrix, DynamicOps), with the additional benefit that any malware will be flushed when the desktop VM expires. Organizations that prefer persistent desktop VMs should independently assess their compliance to allow security teams to remediate (e.g. ForeScout).
Evaluate user virtualization to facilitate a smooth evolution from physical to virtual and the cloud. Differences in user profiles between virtual and physical endpoints – including tablets and smartphones – can lead to security holes. User virtualization products, which decouple desktop components related to a user, ensure users get a consistent look and feel for their applications and computing environment, while providing security teams an element of visibility and control (e.g. AppSense, RES Software, RingCube).
Extend the concept of virtual desktops to remote access. Most organizations rely on VPNs for secure remote access to the business, but a secure pipe to a malware-infected endpoint can create a trusted path to the network for attackers. Virtual desktops with an IT-configured browser , VPN agent virtual desktop deployment and security software provides a more secure remote access environment against malware enabling enterprises to more confidently extend their network (e.g. Check Point, IronKey, MokaFive).
About the author:
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor.
This was first published in November 2011