2009 is expected to be a year when organisations of all sizes take a step back and reassess their IT priorities. As businesses attempt to reexamine costs, some may be tempted to make wholesale budget cuts and delay investment in new technology or IT strategy. However, forward-thinking organisations are taking the opportunity to look at the bigger picture and reexamine all the options to ensure they are prepared to capitalize on the resurgence of the market. They are likely to review emerging technologies, such as virtualization, to see how these can improve business efficiency, drive down hardware and power costs and, above all, enable their business to work smarter.
The benefits of virtualization have been much heralded over the last few years. Server virtualization has become increasingly popular over the last five years, and now desktop virtualization is quickly increasing in popularity by similarly reducing the need to have high-powered CPUs on every user’s desk. Virtual desktop infrastructure (VDI) can also help reduce the costs associated with desktop maintenance on user-managed systems, by allowing IT staff to provide and control the user desktop experience centrally, rather than at individual workstations. It also eliminates the need to constantly re-image machines that have degraded through common usage. Imagine how many fewer headaches users would experience if a new copy of the OS could be imaged on a daily basis. This would spare end users the productivity loss that often results from the 'plaque' build-up that slowly kills machine performance.
While the financial benefits are clear, as organisations shift to virtualization to improve efficiency and reduce costs, there are challenges that must first be addressed, especially around security. Coordinating and enforcing user access policies becomes far more complex, because identities are now relevant within multiple layers across the virtual desktop. The way in which IT departments manage user identities, authenticate systems and enforce access policies across the corporate network all needs to be thought through in the context of a new VDI environment. One of the key advantages of desktop virtualization is the ability to create on-demand dynamic desktops specific to the user’s role within the organisation, which are all deployed centrally once the user’s identity is established.
Therefore, having a centralised point of management for user identities, access rights, IT policies and auditing is vitally important. Within a virtual desktop infrastructure, users are authenticated and connected to sessions via a connection broker, which controls the access permissions to specific desktops and applications. The connection broker controls how users, IT policy and password rights are managed. This, however, by its very nature presents a security risk, as the broker now serves as the single point of access to the entire virtual infrastructure. If the connection broker is compromised, the whole VDI is also potentially placed at risk.
One way to secure this is by introducing an additional layer of security through appliance-based authentication. Utilising strong authentication factors, such as biometric authentication, password or token, the appliance acts as an agent that sits between the user and the connection broker, ensuring that the employee logging in has the rights and permissions to access the virtual desktop. Because, in many cases, VDI environments keep applications ‘hot’ through snapshots of all user sessions, the copying of a running virtual machine can potentially enable the same virtualized session to be recreated on another machine, and be hacked at leisure to gain access.
It is at this point that auditing and reporting become crucial: in many cases, reporting and auditing from the connection broker is not possible at a level granular enough to facilitate forensic investigations. IT staff have visibility of users accessing virtual machines from the main defined point of access, such as a server room, rather than at the local level through an IP address or other identifier. Organisations also need information on who is accessing which applications and from where.
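The audit gap described above can be narrowed by joining the authentication appliance's records (which see the user's local IP address and factor) to the connection broker's session records (which see the desktop and application). The following is an added example, not code from the article or from any product; the log fields, user names, addresses and the five-minute matching window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names and formats are assumptions,
# not the log schema of any real appliance or connection broker.
APPLIANCE_AUTH = [
    {"ts": "2009-02-03T08:59:40", "user": "asmith", "client_ip": "10.20.4.17", "factor": "token", "ok": True},
    {"ts": "2009-02-03T09:14:05", "user": "bjones", "client_ip": "10.20.7.88", "factor": "biometric", "ok": True},
    {"ts": "2009-02-03T09:30:12", "user": "cwu", "client_ip": "10.20.9.3", "factor": "password", "ok": False},
]
BROKER_SESSIONS = [
    {"ts": "2009-02-03T09:00:02", "user": "asmith", "desktop": "finance-vd-01", "app": "ledger"},
    {"ts": "2009-02-03T09:14:30", "user": "bjones", "desktop": "hr-vd-03", "app": "payroll"},
    {"ts": "2009-02-03T09:31:00", "user": "cwu", "desktop": "eng-vd-07", "app": "source-control"},
    {"ts": "2009-02-03T11:45:00", "user": "asmith", "desktop": "finance-vd-01", "app": "ledger"},
]

def build_audit_trail(auth_events, sessions, window=timedelta(minutes=5)):
    """Enrich each broker session with the client IP and factor of the latest
    successful appliance authentication by the same user within `window`
    before the session started. Sessions with no match stay unattributed."""
    by_user = {}
    for ev in auth_events:
        if ev["ok"]:  # failed logins must never vouch for a session
            by_user.setdefault(ev["user"], []).append((datetime.fromisoformat(ev["ts"]), ev))
    trail = []
    for s in sessions:
        start = datetime.fromisoformat(s["ts"])
        candidates = [(t, ev) for t, ev in by_user.get(s["user"], [])
                      if timedelta(0) <= start - t <= window]
        record = dict(s, client_ip=None, factor=None, attributed=False)
        if candidates:
            _, ev = max(candidates, key=lambda c: c[0])  # most recent match
            record.update(client_ip=ev["client_ip"], factor=ev["factor"], attributed=True)
        trail.append(record)
    return trail

def unattributed(trail):
    """Sessions the broker served without a matching appliance login:
    the ones an investigator should look at first."""
    return [(r["ts"], r["user"], r["desktop"]) for r in trail if not r["attributed"]]

if __name__ == "__main__":
    for row in build_audit_trail(APPLIANCE_AUTH, BROKER_SESSIONS):
        print(row)
```

A session that appears at the broker with no recent appliance login is either a reconnect outside the chosen window or a path to the broker that does not pass through the appliance, and the record alone cannot say which.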
The spread of virtual desktop resources requires new levels of understanding, and allowing users to access only tailored desktops with defined access can be immensely valuable in securing computing resources and data. Utilising a single location for the authentication of virtual resources, obtaining desktop access rights and auditing session-related information is arguably as important as within a conventional desktop environment, if not more so.
As organisations look for increased flexibility and ROI from IT investments, desktop virtualization will prove to be an increasingly popular solution. Fear, uncertainty and doubt (FUD) are often the barriers against embracing emerging technology, and security concerns are often central to FUD. There is still work to do, but the sooner these challenges are faced head on and we can replicate the user’s current experience and make it easier to enforce IT policy across the virtual desktop, the sooner both users and IT staff can enjoy a more flexible, reliable, green and secure IT infrastructure.