Securing Virtual Desktops
Virtual desktops are by definition, more secure than traditional desktops or laptops, right? Corporate data and applications now reside inside a security-hardened facility that’s architected for resiliency and always-on availability. Sensitive data stays within the data center, instead of sitting on a laptop hard-drive, prone to damage, loss, or theft. So in many ways, yes, virtual desktops are more secure, but some important security implications still need to be considered. As we’ll discuss in this post, and a couple that follow, a robust security architecture for virtual desktops requires a holistic approach. We’ll examine where and how various security solutions and technologies provide value to virtual desktops as we move from physical endpoints to network to data center to virtual machine.
So let’s start with endpoints – security practices don’t evaporate when moving from physical to virtual. Endpoint assessment continues to be important, but the emphasis shifts away from the importance of complex endpoint security software suites that often run on traditional Windows PCs and instead towards authentication and device risk with zero-client, thin-client, tablet and unmanaged device access. In both physical and virtual desktop environments, strong authentication solutions (ex: RSA SecurID or client certificates) are still needed for risk mitigation of unauthorized access. The importance of data loss prevention (DLP) is brought into focus when you consider that enterprises are increasingly supporting a more mobile than ever user population – one that’s choosing from a wide spectrum of PCs/tablets/smartphones/etc. to conduct business on, enabled by desktop virtualization.
From a network perspective, physical-world solutions still play an important role especially as the virtual desktop remote display protocol traverses the WAN. These traffic flows must be encrypted, and solutions like Cisco Adaptive Security Appliance (ASA) as well as clientless endpoint solutions like Cisco AnyConnect Secure Mobility Solution that address the rapidly expanding use of smartphones and tablets, help to complete the overall virtual desktop security architecture.
As Brian Madden points out, some problems can arise as you consolidate desktops virtually inside the data center, and bring your users’ computing environment into that trusted, hardened environment. Certainly with user desktops now sitting within the data center, on a trusted network, amidst corporate web and application servers, storage arrays and networking infrastructure, this presents a much larger attack surface for when things go awry with an individual user’s machine. This specific aspect of virtual desktop security brings us to an important assertion we made in an earlier post – desktop workloads are not your typical enterprise workload, and by definition need a distinct infrastructure that recognizes the unique requirements associated with end-user computing. However, virtualized desktops residing within the data center can in fact benefit from some of the same architectural features that serve an important role on the enterprise web and app workload side.
As a proof point, consider hypervisor-based networking and security services as delivered by Cisco Nexus 1000v, and Cisco’s Virtual Security Gateway (VSG). These solutions work in tandem to provide context-aware security policies at the VM/virtual-desktop level, enforcing secure segmentation and isolation with zone based access control. In this model, we can ensure that enterprise web and application zones are isolated, secured, and managed separately from virtual desktops, and vice-versa. This VM-aware networking and security architecture also enables administrators to ensure that a virtual desktop’s membership to a specific logical zone (ex: Finance Dept. Virtual Desktop Zone) is dynamically updated as a desktop moves between physical hosts, due to VM’s being added, deleted or redeployed. We’ll discuss Cisco VSG and its critical role in securing virtual desktops more in an upcoming post.
Also at the hypervisor level, we have VMware’s vShield Endpoint as implemented in conjunction with vSphere and View 4.5. With this solution, anti-virus and anti-malware functions are offloaded from the individual desktop and implemented within a security-hardened VM, that’s co-resident on the same physical host. This approach takes the security agent off the desktop, and instead provides a centralized point for monitoring and management, (making it easier to ensure compliance) as well as updating the AV engine and security file, without having to hit each individual VM on a host. It can also help prevent performance impacting bottlenecks from multiple concurrent AV and malware scans. If we think about the end-user perspective, now they don’t have to focus on AV agents since the primary security value of them has been offloaded to a virtual security appliance optimized and designed for virtual desktop environments. vShield Endpoint leverages an ecosystem approach, providing an API to which solution partners such as Trend Micro, Symantec, Sophos, McAfee and others are able to plug-in.
Clearly, a robust security architecture necessitates an end-to-end approach, that employs multiple technologies working in concert to protect users, data, applications and infrastructure. We’ll be discussing security in more detail in a number of upcoming posts, so please stay tuned, and as always, I’d welcome your thoughts on any of this.
On a final note, RSA 2011 is coming up February 14-18. If you happen to be there, please stop by booth #1717. In addition to a number of speaking sessions we’ll be delivering, you can check out our solution demonstrations including the Cisco ASA, AnyConnect, and Virtual Security Gateway solutions mentioned earlier.
Related Cisco Desktop Virtualization Resources: