Desktops-As-A-Service Boost Security, But Beware

At RSA session, panelists argue that companies can better protect sensitive data and systems by using virtual desktop infrastructure, but warn that everything relies on the quality of the hypervisor
SAN FRANCISCO -- RSA CONFERENCE 2013 -- While many companies see virtual desktop infrastructure as a way to make the management of their employees' systems easier or offer mobile-device access to sensitive data, many firms have taken an interest in desktops-as-a-service for another reason: security.


Speaking on a panel at the RSA Conference last week, four virtualization and security experts highlighted the security advantages of virtual desktop infrastructure (VDI), and many attendees confirmed that their companies used the technology to provide better security of their data. A chief information security officer for a large defense contractor said his company uses the technology to offer full-time telecommuters secure access to legacy systems using a one-time password. VDI allows access without the worries over the security of the workers' systems, said the contractor during the question-and-answer period.

"It's not a silver bullet, but we had the ability to add security to the system," he said.

VDI, sometimes referred to as desktops-as-a-service, allows workers to run their computer workspace on a virtual machine instance in a data center. Companies can run the systems as a private service for their employees or can use virtual machines spun up by a service provider. Typically, companies using VDI can create either persistent virtual machines, which save state after the user exits, or nonpersistent virtual machines, which are created fresh from a master instance each time a user logs in.

The systems allow companies to manage and update a single virtual machine, thus easing management costs. In addition, because the employee's device becomes the window into the desktop, workers can use any device to access their desktops in the cloud, although processing power and bandwidth can hinder access.


Yet for companies worried about security, VDI has another big benefit: It separates the security of the user's device from the data being accessed. Even a worker using a compromised system to access his virtual desktop should not be able to infect his company's network. Like a firebreak, the virtualization layer puts a barrier between the user's device and the data behind it.

"A lot of organizations are now -- for their very sensitive data -- using VDI," Punit Minocha, vice president of business development at Web security firm Zscaler and a panelist, told attendees. "You have a lot more security in-depth that you can adopt."

Virtual desktops do not just add a firebreak between the average user and a company's sensitive data; administrators can also benefit from having a virtual proxy -- or "jumpbox" -- that separates them from the sensitive systems they are managing, said Rob Randell, principal security and compliance solutions architect for virtualization firm VMware.

This configuration also prevents administrators from putting sensitive corporate data on their own systems, said Kurt Roemer, chief security strategist for virtualization software firm Citrix.

"We see people in high-security environments saying, 'Let's use virtualization to log into our admin portals, so that no one is logging into a laptop and having a key and certs -- the keys to the kingdom -- on a single device,'" Roemer said.

VDI also helps separate business space from personal space on the mobile devices that employees regularly bring into the workplace, protecting business data from leaking out since it's never moved to the user's device.

Not everyone agreed, however, that virtual desktops meant better security. While there are security benefits to turning desktops into a service, a number of challenges become evident as well, said Gerhard Eschelbeck, chief technology officer for Sophos. The availability of the systems could be a problem, and the shift to a service model does not change the biggest vulnerability: the user.

"VDI, fundamentally, does not fix the user," Eschelbeck said. "When the user goes to a website and clicks on the wrong link, they are still infected, just like if the desktop were sitting in front of them."

Nonpersistent desktop instances can limit this problem: Because each instance is discarded when the session ends, an infection is wiped out along with it, provided the instance is deleted before the malware can spread.

Finally, the entire security of the virtual desktop environment depends on the hypervisor software on which the virtual machines run. An attacker who figures out how to compromise the hypervisor will have access to all of the virtual machines running on that system.

"That is one of the factors for VDI that everyone is worried about -- putting all your eggs in one basket," Roemer said. "Make sure that you can test the hypervisor to make sure it is valid, and also have measurement instrumentation to make sure the hypervisor has integrity."
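One way to implement the "measurement instrumentation" Roemer calls for is a measured-boot chain: each boot component of the VDI host is hashed and folded into a register, and the final value is compared with a known-good value recorded from a trusted build. This is an added illustration, not code from the panel or any vendor; it assumes a TPM-style extend rule (new = SHA256(old || SHA256(component))) and uses constructed byte strings in place of real firmware, bootloader and hypervisor binaries.

```python
"""Simulated measured-boot integrity check for a VDI hypervisor host.

Assumption (not from the article): the host measures its boot chain the
way a TPM extends a PCR: pcr = SHA256(pcr || SHA256(component)). Any
change to any component, or to their order, changes the final value, so a
golden value taken from a trusted host detects a tampered hypervisor.
"""
import hashlib


def measure(component: bytes) -> bytes:
    """Hash of one boot component (firmware, bootloader, hypervisor)."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """Fold a component digest into the register, TPM-style."""
    return hashlib.sha256(pcr + digest).digest()


def boot_chain_value(components: list) -> str:
    """Replay the measurement chain and return the final register as hex."""
    pcr = bytes(32)  # register starts at all zeros at power-on
    for comp in components:
        pcr = extend(pcr, measure(comp))
    return pcr.hex()


def hypervisor_is_trusted(components: list, golden: str) -> bool:
    """True only if the replayed chain matches the recorded golden value."""
    return boot_chain_value(components) == golden


# Constructed sample chains standing in for real host binaries.
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v2", b"hypervisor-v5.1"]
GOLDEN = boot_chain_value(GOOD_CHAIN)  # recorded once from a trusted host
TAMPERED_CHAIN = [b"firmware-v1", b"bootloader-v2", b"hypervisor-v5.1-modified"]

if __name__ == "__main__":
    print("good host trusted:    ", hypervisor_is_trusted(GOOD_CHAIN, GOLDEN))
    print("tampered host trusted:", hypervisor_is_trusted(TAMPERED_CHAIN, GOLDEN))
```

A real deployment would read the register from the host's TPM rather than replaying the chain in software, but the comparison logic is the same.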

While such a hypervisor breach has not happened to date, it is a topic of active research.

"Knock on wood, we haven't seen it yet," VMware's Randell said. "But never say never."
