Tip

Four VDI security concepts for every virtual desktop deployment

Many organizations are deploying virtual desktop infrastructures (VDI) with traditional physical security defense concepts, not realizing there are new capabilities available that can bring immediate security benefits to a VDI environment.

It is no surprise that virtual security lags behind VDI adoption. According to a worldwide survey conducted earlier in 2011 by Trend Micro, 67% of enterprises asked, “How long has your organization been using VDI?” replied that they had been doing so for fewer than two years, with 9% having more than four years of VDI experience. For security teams, best practices for virtual environments are still evolving, and the opportunities to improve on existing security models have yet to be widely adopted.

There are exciting new advances that can help secure your virtual desktop infrastructure; the following concepts should be part of each VDI deployment. (Note: The vendors listed below are intended to help identify categories, and the list is by no means exclusive.)

Deploy only antivirus products designed to support VDI security. Physical security products bundled into desktop virtual machines create resource contention problems that can significantly restrict VM density. Specifically, multiple desktop VMs that concurrently update pattern files and conduct system scans can bring a virtual server to its knees. The best approaches are:

  • Run a single security VM that handles antivirus for all hosted desktops on the virtual server – assuring only a single pattern file update and coordinated system scans (e.g. Trend Micro, VMware);
  • Include AV in each desktop VM, but use advanced shared scan caches and statistical back-off algorithms to smooth out AV operations when the virtual server is under heavy performance stress (e.g. Symantec);
  • Use application whitelisting within each desktop VM (e.g. CoreTrace).

Be sure to use endpoint security that is specifically designed for the needs of VDI and will not create AV storms.
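To make the second approach concrete, the following added example (not from the original tip and not any vendor's implementation) models a host-wide shared scan cache and a load-aware back-off for desktop VMs cloned from one golden image. The class and function names, the toy engine, the load threshold and the timing constants are all assumptions chosen for illustration.

```python
import hashlib
import random

class SharedScanCache:
    """Host-wide verdict cache shared by every desktop VM on one virtual server."""

    def __init__(self, engine):
        self.engine = engine          # callable(bytes) -> True if malicious
        self.engine_scans = 0         # how many times the costly engine really ran
        self._verdicts = {}

    def scan(self, content: bytes, pattern_version: int) -> bool:
        # Key on content hash, not path, so a modified file is always rescanned.
        # Include the pattern-file version so a signature update invalidates
        # every verdict produced by older patterns.
        key = (hashlib.sha256(content).hexdigest(), pattern_version)
        if key not in self._verdicts:
            self.engine_scans += 1
            self._verdicts[key] = self.engine(content)
        return self._verdicts[key]

def toy_engine(content: bytes) -> bool:
    """Stand-in for a real AV engine; flags a constructed marker string."""
    return b"CONSTRUCTED-TEST-MARKER" in content

def backoff_delay(host_load, attempt, rng, threshold=0.75, base=30.0, cap=900.0):
    """Seconds a desktop VM defers its scan: 0 when the host is below the load
    threshold, otherwise capped exponential back-off with full random jitter so
    deferred VMs do not all retry at the same moment."""
    if host_load < threshold:
        return 0.0
    return rng.uniform(0.0, min(cap, base * 2 ** attempt))

def simulate(desktops=50, image_files=200, user_files=3, pattern_version=1):
    """Return (engine scans without cache, engine scans with shared cache)."""
    cache = SharedScanCache(toy_engine)
    naive = 0
    for vm in range(desktops):
        # Constructed workload: identical golden-image files plus per-user files.
        files = [f"golden-image-file-{i}".encode() for i in range(image_files)]
        files += [f"vm{vm}-user-file-{u}".encode() for u in range(user_files)]
        for content in files:
            naive += 1                       # a per-VM agent scans everything
            cache.scan(content, pattern_version)
    return naive, cache.engine_scans

if __name__ == "__main__":
    print(simulate())
    rng = random.Random(2011)
    print([round(backoff_delay(0.9, a, rng)) for a in range(4)])
```

Leaving the pattern-file version out of the cache key would let a verdict produced by old signatures survive an update, which is the failure to check for when evaluating any shared-cache design.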

Use provisioning software or apply NAC principles to keep virtual desktops compliant. There are many ways a virtual desktop can fall out of compliance – the VM may contain an obsolete version of application software or perhaps security policy has changed. One approach is to re-provision desktops each day to ensure only the latest supported versions of software are used (e.g. Citrix, DynamicOps), with the additional benefit that any malware will be flushed when the desktop VM expires. Organizations that prefer persistent desktop VMs should independently assess their compliance to allow security teams to remediate (e.g. ForeScout).

Evaluate user virtualization to facilitate a smooth evolution from physical to virtual and the cloud. Differences in user profiles between virtual and physical endpoints – including tablets and smartphones – can lead to security holes. User virtualization products, which decouple desktop components related to a user, ensure users get a consistent look and feel for their applications and computing environment, while providing security teams an element of visibility and control (e.g. AppSense, RES Software, RingCube).

Extend the concept of virtual desktops to remote access. Most organizations rely on VPNs for secure remote access to the business, but a secure pipe to a malware-infected endpoint can create a trusted path to the network for attackers. Virtual desktops with an IT-configured browser, VPN agent and security software provide a more secure remote access environment against malware, enabling enterprises to more confidently extend their network (e.g. Check Point, IronKey, MokaFive).

About the author:
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. 

This was first published in November 2011
