
Cloud-based virtual desktop infrastructure, or VDI, is now commonplace in the enterprise sector. Improved security is consistently the key business driver for VDI at most companies, followed by ease of overall management, strategic application or cloud SaaS/PaaS deployments, and enhanced remote access, especially via non-Windows or consumer devices such as tablets and smartphones. Furthermore, desktop virtualisation has removed physical assets from the network by moving isolated workstations and applications that were once separated at the hardware and network levels onto a single server; in theory, at least.
Rising to meet this shifting environment are newer, alternative solutions, including the classic virtual desktop infrastructure and, more recently, desktop or user virtualisation. These alternatives are not, however, viable replacements for traditional desktop security management: the changes they advocate are not accompanied by adequately broad or maintainable gains.
Instead, Intel proposes an evolutionary framework called Intelligent Desktop Virtualization, or IDV, in which the overall system for managing user computing is made significantly more intelligent. IDV embodies an approach to desktop management that ensures the user experience is always maximised while also giving security engineers all the control they require within an economically viable framework.
By migrating to a VDI service, we security folk can fundamentally deliver a more secure working environment to our users: streamlining desktop management for patching, improving the security strategy for incidents, mitigating the data risks that come with typical physical endpoints and ensuring operational user continuity. For example, from SearchSecurity at TechTarget, we can clearly see the benefits in terms of security for a VDI environment:
Centralised provisioning allows security engineers to create virtual desktops from authorised images. Instead of chasing and assessing distributed endpoints, security operations in a VDI approach only have to patch, upgrade and check vulnerabilities of desktop applications on the centralised farm. This has the potential to significantly improve security performance metrics, including those for patch coverage and time to remove critical desktop vulnerabilities.
Once a compliant desktop image has been created, terminating idle virtual desktops during off hours and re-provisioning them automates the delivery of compliant desktops to users, effectively reducing the possibility of desktops drifting out of compliance. This not only allows IT to easily deploy new software agents and replace software that is not easily patched, such as obsolete versions of Adobe, Java or custom-built applications, but it also means that malware is less likely to persist on the desktop, because it disappears when the virtual desktop is terminated.
Security software can be shifted from individual desktops to become a shared resource on the virtual server host. For example: antivirus designed for VDI shares signature pattern files and coordinates system scans across all virtual desktops resident on the server; transparent disk encryption can be enabled for sensitive data; virtual patching allows security to plug a critical vulnerability at a low level in the server without disrupting users' desktops; and high-performance application whitelisting is being used to ensure the integrity of the virtual desktop. This approach reduces the complexity and cost of managing desktop security, and antivirus will always be active with the most up-to-date patterns. Hypervisor-aware AV is now the de facto standard for virtual farms.
User virtualisation technology removes user preferences from the desktop allowing users to move freely between virtual desktops, remote desktops, and mobile devices and tablets. As organisations evolve from physical to virtual desktop infrastructures, user virtualisation can provide the consistent look and feel across devices to increase user satisfaction and increase the chances of a successful VDI roll-out.
Simplify data leakage prevention (DLP) strategies by restricting sensitive data to the data center with virtual desktops. Since the data never leaves the data center, not only is there less risk of costly disclosure incidents due to data loss, there is also less need to purchase and administer device-control and DLP software on desktops.
Sensitive data can be transparently encrypted, and data center resources can be used for automatic backup and recovery of desktop data. The separation of data from the physical constructs of the PC also allows security executives to evaluate the cost savings of cloud-based storage.
Reduce the costs of a disaster recovery plan by shifting virtual desktops to remote data centers. Rather than purchasing extra hardware in stand-by data centers, business continuity services maintain copies of the provisioning server to be able to recreate virtual desktops and reconnect users to the business.
All sounds great, but like all things nice and shiny, it comes with some concerns. VDI has its own set of associated risks, which unfortunately most people are not aware of.
Before virtual machines, a compromised system gave attackers access to the internal network. With virtual machines, not only do they get access to the network, but also to any attached virtualisation infrastructure, putting all virtualised systems and the data they contain at risk.
With the various virtualisation platforms, the attack surface (the area through which systems are exposed to attack) increases from multiple physical machines to standalone hosts containing numerous virtual machines. So why does the attack surface widen despite your efforts at server consolidation? Because every VM is still a host in its own right, and the physical server beneath them becomes one more target. To address this, treat each VM as a standalone host and also consider the physical servers on which they reside.
For example, at the most basic level a virtual machine is just a set of configuration files and a virtual disk file. An attacker can easily gain access to the storage network or SAN, or intercept storage traffic, and grab the virtual machine files, resulting in the actual machines and any data they hold being stolen. I have seen proof-of-concept rogue deployments in which the attacker replaces the virtual machine files with modified, compromised versions, again resulting in an internal breach; we can protect against this to a certain degree, but VDI opens up security risks that previously would not have been feasible within physical desktop constraints.
For instance, malware scanning tools will need to look specifically for emerging malware that targets virtual platforms, and will themselves need to be built with a virtual platform in mind.
Look at storage: NFS, iSCSI and SAN storage pass data in clear text, which means disk data can be read by anyone on that network. If a VM has mounted an iSCSI target from the same storage network that is used to hold the virtual disks, then that VM is a possible attack point. Take HP LeftHand network storage boxes: have you changed the default SNMP community string? A known vulnerability can be exploited to gain root access to the storage array.
Finally, I have also seen poorly configured hypervisors with default SSH access credentials, console NICs inside DMZ networks, unencrypted replication traffic sent over the WAN…
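As an added example (not from the original post), here is a small Python audit over a constructed inventory that flags the storage and hypervisor conditions raised above: desktop VMs with an interface on the iSCSI/NFS storage network, arrays still on a default SNMP community string, and hypervisors with default SSH credentials, a console NIC in the DMZ or unencrypted replication. The inventory layout and field names are assumptions; a real run would feed it from hypervisor and SAN management exports.

```python
import ipaddress

# Constructed inventory (assumption: real data would come from the hypervisor
# and SAN management interfaces); field names are hypothetical.
STORAGE_NETWORKS = ["10.50.0.0/24"]  # iSCSI/NFS segment holding the virtual disks
DMZ_NETWORKS = ["192.0.2.0/24"]      # externally reachable segment
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}

INVENTORY = {
    "hypervisors": [
        {"name": "esx01", "console_ip": "10.10.0.5",
         "ssh_default_creds": False, "replication_encrypted": True},
        {"name": "esx02", "console_ip": "192.0.2.20",
         "ssh_default_creds": True, "replication_encrypted": False},
    ],
    "storage_arrays": [
        {"name": "san01", "snmp_community": "public"},
        {"name": "san02", "snmp_community": "rotated-Qx7"},
    ],
    "vms": [
        {"name": "desk-001", "ips": ["10.20.0.11"]},
        # second interface lands on the storage LAN, so it can reach the iSCSI targets
        {"name": "desk-002", "ips": ["10.20.0.12", "10.50.0.77"]},
    ],
}


def in_any(ip, networks):
    """True if ip falls inside any of the given CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def audit(inventory):
    """Return (asset, issue) pairs for every misconfiguration found."""
    findings = []
    for hv in inventory["hypervisors"]:
        if in_any(hv["console_ip"], DMZ_NETWORKS):
            findings.append((hv["name"], "management console NIC sits in a DMZ"))
        if hv["ssh_default_creds"]:
            findings.append((hv["name"], "SSH still accepts default credentials"))
        if not hv["replication_encrypted"]:
            findings.append((hv["name"], "replication traffic is sent unencrypted"))
    for array in inventory["storage_arrays"]:
        if array["snmp_community"].lower() in DEFAULT_SNMP_COMMUNITIES:
            findings.append((array["name"], "default SNMP community string"))
    for vm in inventory["vms"]:
        if any(in_any(ip, STORAGE_NETWORKS) for ip in vm["ips"]):
            findings.append((vm["name"], "desktop VM has an interface on the storage network"))
    return findings
```

Run against the constructed inventory it reports five findings, all on esx02, san01 and desk-002; the clean hypervisor esx01 and array san02 produce none.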
Food for thought?
Dan
This post is brought to you in partnership with Intel(R) as part of the “Technology in tomorrow’s cloud & virtual desktop” series.
Thanks to Intel, VMware & TechTarget for some of the material above