How Secure is Your VDI Solution?
“What Keeps You Awake at Night?”
According to a recent survey1 of State CIO Priorities for 2012, “Virtualization” ranked number #1 in the CIO list of priority technologies, applications and tools. As for their 2012 top strategies, management processes, and solutions, “Governance”, “Cloud Computing” and “Security” were ranked as #3, #5, and #6. So now that we have visibility into some of the issues that keep the State CIOs up at night, I’d like to get a little up-close-and-personal and ask you this, “How comfortable are you with the security of your VDI solution?”
In this blog, I’ll discuss some of the inherent security that is built-in to the average virtual desktop solution. In subsequent blogs, I’ll present the most important best practices and guidelines that should be followed, to ensure the highest level of security available for your virtual desktop solution. Later, I’ll provide my opinions on emerging security technologies in the area of VDI solutions.
Below are three of the most valuable security advantages that the virtual desktop infrastructure offers, in my opinion. These points should help you sleep well at night:
Sensitive Data Stays in the Data Center: Your Company’s sensitive data remains in the data center, whether that data center is internal to the enterprise, or remotely located in a third-party data center. Incidentally, Managed Service Providers (MSPs) are one of the largest users of this method to deliver desktops as “software-as-a-service” (SaaS). Third-party hosting allows the data to be easily secured, backed up and centrally managed.
Because only a “rendering” of your data, rather than the data itself, is delivered to the virtual desktops, even if endpoint devices are lost or stolen the source data remains securely warehoused in the data center. This is important, considering the average cost to a company for a lost laptop or desktop, including lost data, is conservatively estimated at $49,2462 and can even reach into the millions of dollars. Of course, lost or stolen devices must be protected against unauthorized access, using safeguard measures such as strong authentication via username/password, optional second-factor authentication, whole-disk encryption, and enforced session timeouts. Lastly, the back-end storage infrastructure, whether local or shared, must be securely protected from unauthorized access as well. The main point is that data which is critical to the business operations of the enterprise is housed and secured in the data center.
Virtual Desktop Software, Configurations, Upgrades and Patches can be Securely Controlled: Because user machines are delivered only copies of a master desktop image, virtual desktops can be administratively locked down so users are unable to change or tamper with the software and its configurations. This means users can be prevented from downloading their favorite (and potentially malware-infected) applications to their virtual machine, or downloading alternate versions of productivity tools that may not meet corporate guidelines. In addition, product upgrades and software patches can be centrally managed, tested and automatically distributed via updated virtual desktop images, ensuring timely and system-wide compliance.
There is No Cross-Transmission of Malware from Physical Desktop to Virtual Desktop: There is no execution traversal path between the physical desktop operating system and the “guest” operating system of the virtual desktop. This means that any malware that infects the physical desktop cannot “jump” to the virtual desktop. However, malware on the physical machine can be used to compromise the access credentials to the virtual desktop, and how to prevent that will be discussed in another blog on best practices.
In my next blog, I’ll introduce you to key best practices that you would be wise to follow, unless you want to join the CIOs who lay awake, worrying about the security of their VDI solution! One sheep, two sheep, three sheep…
1 The 2012 CIO survey was conducted by the National Association of State Chief Information Officers (NASCIO).
2 According to a 2009 Poneman Institute study, this figure includes the value of the lost data on the machine, replacement cost, forensics, lost productivity, and legal, consulting and regulatory expenses, and others.