Our very own Texiwill hosts a weekly Virtualization Security Round Table podcast. This round table provides an open forum to discuss all things related to Virtualization, Virtual Environment and cloud computing security. We’ve questioned before the benefits of a virtual desktop infrastructure with respect to security. Is VDI secure? Is VDI inherently more secure than “traditional desktops”? The article Virtual Desktop Security? Are They Secure? considered the VDI vendor claims that there are several big virtual desktop security wins such as
- Centralized Management
- Centralized Patching
- Improved Availability
- and importantly, data never leaves the data center
The article and the associated Bright talk presentation generated a good deal of interweb discussion, which in turn led to #73 in the Virtualization Security Round Table VDI desktops – are they really secure? The regular podcast team were joined by Simon Crosby (CTO @ Bromium), Tal Klein (Director Technical Marketing @ Citrix ) and Andrew Wood (Analyst @ TVP).
The discussion meandered in a lively fashion to answer the question – can VDI make your environment more secure than standard desktops?
While this was a security focused podcast – there was healthy debate on whether VDI was a good solution in itself. For purpose of this summary we’re only going to consider “VDI” i.e. hosted desktop sessions running on a hypervisor – be they persistent or non-persistent.
However, in moving from a distributed end-point environment (like with traditional PCs/laptops) to a centralised one (with access via VDI desktops), rather than “solve” security issues, the new architecture poses additional security issues. For example:
- Are your virtual desktops designed with segregation in mind? or is everything a flat network? Do you treat virtual desktops as a new trust zone?
- These are juicy targets that were moved into your data centre, can your data centre survive an attack that happens to be within your virtual environment?
- Is your virtual environment following best practices with the use of virtual desktops?
Core issues that can be attributed to the inconsistencies with VDI security claims are in themselves common security misunderstandings:
- Security is easy: implement VDI rather than standard desktops and you will be secure. No. Security is not easy and is a complex thing to deliver and you are not magically more secure than before.
- Find and patch is sufficient While regular testing is necessary to look for and patch flaws, it’s not a replacement for having security by design. All penetration testing is doing is finding holes to harden a broken product, which forces the organization to always be reactive. True security is making sure the common issues are not there in the first place. However, with the caveat that no security solution will ever be perfect.
- One tool can defend everything: There is no single technology that will secure your network. It doesn’t exist. While there are excellent anti-virus, intrusion prevention, network monitoring and forensics tools available, none of them can do everything. Security tools are specialized, there is no silver bullet. Importantly, VDI inherently contains none of these tools.
In this light, the round table discussion arrived at the following considerations:
VDI’s centralisation offers little additional security over well managed standard desktops
If you have in place a well managed, locked down desktop environment (be that using desktop management tools from vendors such as Dell, Microsoft or Symantec) moving from your distributed environment to VDI will offer little in terms of additional security.
There is an advantage in the fact that – within a VDI environment the ability to deliver updates can be faster. However, with a non-VDI solution you can still achieve centralized management and centralised patching with far less infrastructure, and less complexity.
VDI can expose additional security risks
VDI is meant to be more secure: how can this be? There was a valid point made that introducing a VDI means that data does not need to be stored on the end-point. If the end-point is lost or stolen, there will be no data loss. Indeed, given the processing power is transferred from the end-point to the centre, having a VDI means that end points can be replaced with simple thin client devices which are easier to manage, require no local data storage, reduce peripheral functionality and are less likely to be lost due to theft.
The corollary; this is of the benefit if you can, and only, deploy thin-client devices. There are functions and features of VDI that are beyond thin clients, you may have decided not to use thin clients, but have users access from their own PCs, or re-provisioned PCs. Most importantly, VDI requires access via a remoting protocol. If the user’s experience of using the VDI service is degraded from what they had before, it is very likely that those users will attempt to circumvent processes in order to get on with their job. For example, if your laptop builds are replaced with a BYOC/BYOD service using VDI and it is slow and cumbersome, users will look to email/download the data to work locally. A poor VDI implementation can actively encouraging data to be exported outside of your network to devices you have no control over.
Yes, such issues are solvable by introducing additional technologies to monitor and control the environment. However, these are additional technologies: they are not inherent within existing VDI solutions.
Can VDI make your environment more secure than standard desktops?
If you have a poorly managed “traditional” desktop environment – and you virtualize it by implementing VDI – you new environment, with its hypervisors, its storage networks, it brokers – will not be more secure than what you had before in relation to the cost of implementing that environment.
To be considered secure, your VDI needs to be complemented with additional security layers: just like a traditional desktop environment. VDI out-of-the-box is in itself not more inherently secure than traditional desktops.
So, will VDI die as a desktop technology?
This question was raised for sure, but it’s not a security question and this is was a security focused podcast. There was a good deal of discussion on whether VDI was the most appropriate technology to deliver a good user experience, the most appropriate technology to deliver to users in a mixed on-line/off-line environment. These are important considerations when you are designing a secure environment. There is definitely scope for further discussion on topics such as ‘is presentation virtualisation more secure than VDI”, and “layering additional technologies to secure virtual desktops”
VDI is not a useless technology: however, to consider it as a technology that will solve security issues on its own, to consider it as a technology to make a poorly managed environment more secure – is misguided.
By all means listen to the podcast to hear more and feel free to feedback your own thoughts.
* The travelogue video was produced by Lars Troen
In addition to the and points that you highlighted above, there is one additional factor that should be given consideration. Deploying a new desktop infrastructure brings with it the opportunity to revisit security policy in a way that is often difficult to achieve when attempting to improve an existing system. Of course this is not unique to VDI, it applies equally to any new desktop infrastructure system, and as you rightly say
A poor VDI implementation can actively encouraging data to be exported outside of your network to devices you have no control over.
Nevertheless the opportunity to use VDI to fix a broken desktop security environment is valid and should not be overlooked.
True, rethinking / redesigning your application delivery model is a good time to reassess security. It shouldn’t be overlooked,especially if vdi is being used to extend the workplace to roaming/home/external users
However.. as you point out – this isn’t unique to vdi and I’d suggest doesn’t make vdi more secure than tradional desktops
100% Locking down a Desktop is easier and pretty much solves the security issue.
Hello Dennis,
This depends on how you lock down the desktop, if you are just talking the desktop and not the underlying hardware (regardless of virtual or not), then there is an underlying security issue. What really is the issue with desktop lockdown is that a user may not stay on the desktop but move around an internal or external network to get data, the desktop is just one component of an overall security practice. The flipside is that if you make security too difficult, users will find a way around it to “do their job”. In either case, there are security issues that need to be considered.
Best regards,
Edward L. Haletky