Are virtual desktops more secure?

Desktop virtualisation separates the desktop device from the underlying hardware and the applications from the operating system, while still giving users a full PC desktop experience.

According to Citrix senior director of product marketing, John Humphreys, advances in desktop virtualisation software are now allowing the delivery of full-featured, customisable desktop images (Virtual Desktop Infrastructure or VDI) at lower prices than regular PCs, and with equivalent performance.

VMware A/NZ director of partners, David Blackman, also sees desktop virtual machines – commonly hosted inside the datacentre – as simplifying and reducing costs while maintaining centralised control and security.

“With hosted desktops, only mouse clicks and screen updates leave the datacentre with all documents and applications staying inside the datacentre. No data is stored on the end-user device, providing far greater security and control,” he said.

But Gartner Asia-Pacific research director for information security practices, Andrew Walls, predicted that by 2010, more than 50 per cent of virtualisation implementations will be less secure than non-virtual ones.

“It’s simply a matter of configuration management. [Security shortcomings] are not inherent in the technology, it can be secured beautifully,” he said.

“The issue is more in terms of how well configured it is and how well that configuration is managed – that’s where we will see most of the errors. You have to know what you’re doing, and have the skills and toolsets to help you…it’s still early days but give it a couple of years and it will get stronger.”

Walls warned attack strategies will eventually target the hypervisor – the underlying platform that allows multiple operating systems to run – and charged companies building hypervisors with the responsibility to ensure they are self-defending and self-repairing.

“Defending the hypervisor is a bit different to defending a regular OS. VMware has been putting a lot of emphasis on this, the Xen people under Citrix are doing excellent work in that space, and Microsoft still has a long way to go but they are getting a clue and starting to pursue it,” he said.

IBRS advisor, Dr Kevin McIsaac, has researched VDI for the past 18 months and authored several papers on the subject. After extensive talks with enterprise clients, he believes VARs considering VDI must be very cautious as it “has the potential to turn into a tar pit for sales and technical pre-sales resources with little or no return”.

One of the selling propositions of a virtual desktop is people can use it from home or a public Internet access point. But how do you know who they really are, McIsaac asked.

“While you’ve moved the image to a secure location, you’ve now exposed the problem of ‘how do I know who is really accessing that terminal?’ So you need to have an appropriate authentication infrastructure in place,” he said.

“The thing around data loss prevention [DLP] is VDI only solves one particular problem – the security of the endpoint device. The question to ask regarding DLP is: How does any of that stop me from grabbing data, copying it into another program and emailing it somewhere else? It doesn’t.”

McIsaac argued there were security benefits to implementing VDI in certain cases, but claimed the idea that it generally improved security was a gross overstatement.

“What you need to do is realise that it secures one specific thing – the physical security of the desktop image and the data on the desktop – but at the same time you’ve now got an access control problem if people can access it from outside your corporate LAN,” he said.