Securing virtual desktop infrastructure
Virtualisation-specific security optimises the shared resource environment that virtual desktops offer.
Businesses today, particularly those that handle sensitive customer data and must address regulatory compliance and risk mitigation, are aware of the increasing number of breaches affecting all organisations. Virtual desktop infrastructure can help businesses simplify provisioning and administration, and can extend the life of their endpoint hardware investments, making it easier to support BYO endpoint devices.
However, implementing virtual desktops means implementing security controls that address the environment's unique challenges. Companies understand that the security of mission-critical data is crucial when implementing desktop and application virtualisation, and security that was designed with physical desktops in mind will be ineffective here: it degrades performance and lowers VM densities.
What is needed is virtualisation-specific security designed to optimise the shared resource environment that virtual desktops offer. Essentially, desktop machines are delivered as a service from the data centre, and are deployed through the cloud to where they are needed, whether local, satellite or branch offices. At the same time, applications are delivered far quicker and more consistently.
In this model, many desktops share the host's hardware resources, creating a high level of density. In such an environment, running resource-heavy operations simultaneously across those desktops, such as full system scans or major security updates, results in a significant loss of desktop performance and can even cut off session connections altogether.
Although virtual desktops can be provisioned, cloned and reverted to previous instances fairly quickly, the flip side is that a vulnerability or configuration error in the source image may be unwittingly replicated to every clone. In addition, there is a perception that virtual desktops are, by their nature, more secure than traditional desktops or laptops.
This is often thought to be the case because sensitive company data and applications now live inside a secure facility that's designed for resiliency and always-on availability. Confidential information resides within the data centre, as opposed to sitting on a laptop hard-drive that is vulnerable to damage, loss or theft.
It is important to remember that security requirements do not miraculously disappear when moving from a physical to a virtual environment. Starting with the endpoints, regular assessments must remain an important element of the company's security practices. However, businesses should shift emphasis away from endpoint security software designed for physical machines and towards authentication and device risk, covering device access from thin-client, tablet, no-client and unmanaged devices as well.
In physical and virtual desktop environments, solid authentication tools are a must for risk mitigation of unauthorised access. Data loss prevention solutions are also important, particularly with the rise of the mobile enterprise, where employees are working on a plethora of different personal devices.
In terms of networking, physical tools remain a vital part of the security chain, because the virtual desktop's remote display protocol traverses the WAN. Hence, all traffic flows need to be encrypted, and solutions must be implemented that address the ever-increasing use of mobile devices in the enterprise.
Issues can also arise when desktops are consolidated virtually within the data centre, even though this brings them into a highly secure environment. With desktops now sitting inside the data centre, alongside Web and application servers, storage arrays and networking infrastructure, an incident on a user's machine exposes a far wider attack surface than it would on an isolated physical endpoint.
Ultimately, today's threats require a robust security chain built on an end-to-end approach, using the many tools and technologies that work together to protect the infrastructure, users, data and applications. Companies need to consider every weakness in their virtual environments and deploy the necessary security tools to build a thick layer of protection against any impropriety.
Richard Vester has been in the ICT industry since 1997, intimately involved in product development, operations and product marketing. He has worked for some of the top ICT companies in SA and joined EOH as the divisional director of Cloud Services in 2012. He has a detailed knowledge and understanding of cloud computing and has developed one of the leading cloud businesses in Africa.