
VDI security supports active protection strategies

ISM November 2011 cover story: Eric Ogren on how virtual desktop infrastructure enhances compliance, data protection and malware protection.

Information Security magazine, November 2011

Organizations are embracing virtual desktop infrastructure (VDI) with the expectation of persistent security enhancements and reduced desktop operating costs across the enterprise. This strong coupling between desktop security and IT operations backs up the thinking among early VDI adopters that centrally controlled desktop configurations are more resistant to malware, and that keeping regulated data off distributed physical desktops reduces the business risk of a data loss incident. However, realizing these security benefits requires more than simply recreating traditional security in a virtual world; it requires a practical approach to inevitable breaches of desktop security.

While defense-in-depth prevention is still critically important to the business, a VDI security-based approach favors active strategies for continuous malware resistance and compliance, data protection and incident response. These approaches are based on the following desktop security observations:

  • It is inevitable that desktops will be breached in the coming year. The traditional approach to desktop security is to build a compliant desktop image and then deploy layers of security software to protect that image. However, experience shows that desktop applications are commonly breached, and the VDI security-based approach starts with the assumption that some desktops in the network are already infected.
  • It is very difficult to determine how long a desktop has been breached to gauge the exposure of regulated data. Once a traditional desktop breach has been detected, security teams embark on a labor-intensive investigation and recovery process. VDI offers security teams an automated mechanism for responding to security incidents that is focused on restoring business productivity.
  • The cost of continuous endpoint management is increasing, particularly with the increase in hard-to-maintain remote devices. While automated patch and software upgrade products have helped to reduce the time a vulnerability can be exploited, it remains costly to maintain a compliant infrastructure, and the problem gets worse as business complexity scales. Virtual desktops can always be reached for software maintenance activities such as patches, upgrades, and removal of unsupported software.

Security executives apply lessons learned from deploying virtual applications in the data center to solve desktop security problems and gain cost-saving efficiencies in continuous desktop compliance management. Improved security is consistently the primary business driver for VDI for most organizations, followed by ease of management, enabling strategic cloud initiatives, and enhancing remote access, especially via non-Windows devices such as tablets and smartphones. VDI not only saves significant operational expenses, increases resistance to advanced persistent threats, and removes obstacles to increased use of the cloud, but it also enables security executives to promote active desktop security strategies including:

  • Streamline a continuous desktop management security strategy. Maintaining a malware-resistant infrastructure is costly and time-consuming. Security executives are using VDI to fundamentally change approaches to software installation, patching and upgrades, fault detection, removal of unsupported software, and service desk activities. Security teams can deliver a more secure environment to the business while controlling operating costs.
  • Implement an automated data protection strategy. While the business requires the sharing of sensitive information, the loss of regulated data can result in costly and disruptive public disclosure events. Security teams that cannot practically enforce data protection policies on all physical endpoints are evaluating VDI to maintain visibility and control of critical data by restricting operations on that data to the protected data center.
  • Instill an active incident response strategy. Desktop infections and intrusions are inevitable: browsers in desktop virtual machines can be infected with malware just as easily as browsers operating in traditional physical machines. Security executives realize the potential of virtual desktop infrastructure to reduce the risk of serious security incidents by automating the return of desktop configurations to compliant states and using cloud-based services for high availability of desktops.

Traditionally, security executives focus on strategies for protecting desktops from malware and networks from intruders. The challenge today is to evolve the reactive, device-centric approach into active strategies for protecting data and users. The opportunities to drive security benefits through desktop virtualization are compelling, including the sophisticated evolution of incident response strategies, data protection approaches, and streamlined maintenance of compliant desktops.


Security executives cannot control when or where malware will strike, but they can control endpoint software configurations to keep the infrastructure compliant with security policies and as resistant as possible to infection. This is reflected in many of the security performance metrics that organizations use to drive security operations, such as the time required to patch a critical vulnerability in a percentage of corporate desktops, the number of calls to the service desk due to non-compliant endpoints (including disabled security software), the rate of discovery for critical vulnerabilities, the number of PC refreshes (with loss of user productivity) necessary to recover from a malware incident, and the total cost of security per desktop. However, it is becoming increasingly difficult in a physical desktop environment for security to improve on these performance metrics, since desktops can be powered down or disconnected from the network; there will always be endpoints that remain unpatched or desktop applications that have not been upgraded. The chart, based on Qualys’ Laws of Vulnerabilities in 2010, illustrates how long it takes to even approach 100 percent coverage of a critical software patch. In fact, 100 percent completion is often unattainable, as there are desktops unavailable for extended periods of time.

A strategy toward a malware-resistant compliant infrastructure relies upon virtual desktops to simplify desktop management, reducing the risk of security incidents and returning operating costs to the business. VDI has the attractive property of creating virtual desktops from centralized images, where it is easier for security operations to maintain compliant desktop configurations and to ensure that users operate under the most recent versions of authorized software. The ability to provision new desktops from pristine images, and to automatically re-provision desktops when users log out, gives security executives the chance to evolve toward the next generation infrastructure.

  • Centralized provisioning allows security to create virtual desktops from authorized images. Instead of chasing and assessing distributed endpoints, security operations in a next generation approach only have to patch, upgrade, and check vulnerabilities of desktop applications on the centralized servers. This has the potential to significantly improve security performance metrics, including those for patch coverage and time to remove critical desktop vulnerabilities.
  • Once security has built a compliant desktop, terminating idle virtual desktops during off hours and re-provisioning automates the delivery of compliant desktops to the user, effectively reducing the possibility of desktops drifting out of compliance. This not only allows IT to easily deploy new software agents and replace software that is not easily patched, such as obsolete versions of Adobe, Java, or custom-built applications, but it also means that malware is less likely to persist on the desktop, because the malware disappears when the virtual desktop is terminated. Organizations that allow virtual desktops to persist on the server are losing one of the key benefits of VDI.
  • Security software can be shifted from individual desktops to become a shared resource on the virtual server. For example: Antivirus that is designed for VDI shares signature pattern files and coordinates system scans across all virtual desktops resident on the server; transparent disk encryption can be enabled for sensitive data; virtual patching allows security to plug a critical vulnerability at low levels in the server without disrupting users’ desktops; and high performance application whitelisting is being utilized to ensure the integrity of the virtual desktop. This approach reduces the complexity and costs of managing desktop security – and antivirus will always be active with the most up-to-date patterns.
  • User virtualization technology removes user preferences from the desktop allowing users to move freely between virtual desktops, remote desktops, and mobile devices and tablets. As organizations evolve from physical to virtual desktop infrastructures, user virtualization can provide the consistent look and feel across devices to increase user satisfaction and increase the chances of a successful VDI roll-out.

The operational cost savings of a virtual desktop infrastructure can be significant. For example, Ogren Group research finds that it is not uncommon for roughly one percent of corporate desktops to require service each month from normal operations. Reducing that percentage, and reducing the cost of a desktop refresh, with a continuous desktop management strategy based on VDI promises to sharply reduce this operating expense and increase user productivity. Security teams are hitting the limits of improving key security performance metrics with physical infrastructures, where each distributed desktop needs to be accessible. The next generation approach based on VDI promises to reduce the burden of securing endpoints and delivering a compliant desktop infrastructure to the business.


Modern attackers are much more interested in avoiding discovery and stealing intellectual property than they are in damaging infected desktops. Security executives are responding to this trend by prioritizing data protection strategies along with creating a cost-effective automated desktop management infrastructure and an active incident response strategy. Virtual desktops allow security teams to more tightly control regulated data, and to respond to security incidents with actions including:

  • Simplify data leakage prevention (DLP) strategies by restricting sensitive data to the data center with virtual desktops. Since the data never leaves the data center, not only is there less risk of costly disclosure incidents due to data loss, there is also less demand to purchase and administer device control and DLP software on desktops.
  • Sensitive data can be transparently encrypted, and data center resources can be used for automatic backup and recovery of desktop data. The separation of data from the physical constructs of the PC also allows security executives to evaluate the cost savings of cloud-based storage.
  • Just as a single copy of antivirus can serve all virtual desktops hosted on a server, a single copy of a DLP product can block sensitive data from flowing to unauthorized locations. DLP can be expensive to operate, partly because it must reside on each individual PC to offer effective corporate coverage. Security teams are working with DLP vendors to reduce administration overhead by integrating DLP with the servers hosting virtual desktops.

The costs of compliance reporting are largely driven by the number of security products that must be checked: the more software products, the more time must be taken. Using virtual desktops to reduce the number of individual agents reduces the cost of security while protecting critical corporate information.


Unfortunately, it is not enough to operate a continuously compliant infrastructure that offers enhanced security with reduced operating costs. Attacks will still infect browsers and applications in virtual desktops just as they exploited vulnerabilities in physical desktops. Being virtualized does not change that. However, with VDI security executives can establish a pragmatic incident response strategy that expedites mitigation actions, is less disruptive to the users, and keeps the business running. Again, the keys are the ability of VDI to automate the provisioning and termination of virtual desktops with capabilities such as:

  • Isolate infected desktop VMs and easily block access to the network to reduce the risk of data loss and a malware conflagration that runs throughout the company. While it is very difficult to isolate a physical desktop, virtualization servers can rapidly isolate infected VMs in response to a security incident, such as an unauthorized change to a desktop virtual machine.
  • Apply virtual patches by correcting network flows in the server before the traffic reaches the virtual desktops. This allows security teams to implement a correction while waiting for a released patch from the affected vendor. Protecting desktops with patches on the virtual server allows security to shrink the window of vulnerability – the critical time between discovery of a vulnerability and application of a released patch.
  • Disable access to the network and applications by simply terminating the user’s virtual desktop when the user leaves the company or security suspects an intrusion. The termination action disconnects the user and removes any malware along with the desktop VM.
  • Reduce the costs of a disaster recovery plan by shifting virtual desktops to remote data centers. Rather than purchasing extra hardware in stand-by data centers, business continuity services maintain copies of the provisioning server to be able to recreate virtual desktops and reconnect users to the business.

Finding an effective incident response strategy that minimizes disruption to user productivity has bedeviled the security industry, vendors and enterprises alike, since the inception of ‘scan and hope’ antivirus software. The traditional approach of refreshing an infected desktop is time-consuming and costly. An active and pragmatic incident response strategy automates the termination and reconstruction of desktop VMs, flushes malware before it can spread, and gives security teams the flexibility to leverage off-premise services for disaster recovery.

Organizations are leveraging virtual desktop infrastructure to enhance security, reduce operating costs, and pave the way for cloud-based computing. Security executives were tasked with protecting the business even while VDI security was poorly understood. However, security executives are now turning to VDI security to drive the costs out of desktop management and improve corporate resilience against attacks. They are using the powers of virtualization to evolve toward a continuously compliant desktop management infrastructure, establish a rational and active incident response plan, and elevate the priority of protecting important information. Virtualization has been a game-changer in the data center, and the time is rapidly approaching when virtualization will also be a game-changer for desktop security.

Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Send comments on this article to [email protected]
