Dark Reading is part of the Informa Tech Division of Informa PLC


Desktops-As-A-Service Boost Security, But Beware

At RSA session, panelists argue that companies can better protect sensitive data and systems by using virtual desktop infrastructure, but warn that everything relies on the quality of the hypervisor

SAN FRANCISCO -- RSA CONFERENCE 2013 -- While many companies see virtual desktop infrastructure as a way to make the management of their employees' systems easier or offer mobile-device access to sensitive data, many firms have taken an interest in desktops-as-a-service for another reason: security.

Speaking on a panel at the RSA Conference last week, four virtualization and security experts highlighted the security advantages of virtual desktop infrastructure (VDI), and many attendees confirmed that their companies used the technology to provide better security of their data. A chief information security officer for a large defense contractor said his company uses the technology to offer full-time telecommuters secure access to legacy systems using a one-time password. VDI allows access without the worries over the security of the workers' systems, said the contractor during the question-and-answer period.

"It's not a silver bullet, but we had the ability to add security to the system," he said.

VDI, sometimes referred to as desktops-as-a-service, allows workers to run their computer workspace on a virtual machine instance in a data center. Companies can run the systems as a private service for their employees or can use virtual machines spun up by a service provider. Typically, companies using VDI can create either persistent virtual machines, which save state after the user exits, or nonpersistent virtual machines, which are created fresh from a master instance each time a user logs in.

The systems allow companies to manage and update a single master virtual machine, thus reducing management costs. In addition, because the employee's device becomes merely the window into the desktop, workers can use any device to access their desktops in the cloud, although limited processing power and bandwidth can hinder access.

Yet for companies worried about security, VDI has another big benefit: It separates the security of the user's device from the data being accessed. Even a worker using a compromised system to access his virtual desktop should not be able to infect his company's network. Like a firebreak, the virtualization layer acts as a barrier to compromise.

"A lot of organizations are now -- for their very sensitive data -- using VDI," Punit Minocha, vice president of business development at Web security firm Zscaler and a panelist, told attendees. "You have a lot more security in-depth that you can adopt."

Virtual desktops do not just add a firebreak between the average user and a company's sensitive data; administrators can also benefit from having a virtual proxy -- or "jumpbox" -- that separates them from the sensitive systems they are managing, said Rob Randell, principal security and compliance solutions architect for virtualization firm VMware.

This configuration also prevents administrators from putting sensitive corporate data on their own systems, said Kurt Roemer, chief security strategist for virtualization software firm Citrix.

"We see people in high-security environments saying, 'Let's use virtualization to log into our admin portals, so that no one is logging into a laptop and having a key and certs -- the keys to the kingdom -- on a single device,'" Roemer said.

VDI also helps separate business space from personal space on the mobile devices that employees regularly bring into the workplace, protecting business data from leaking out since it's never moved to the user's device.

Not everyone agreed, however, that virtual desktops meant better security. While there are security benefits to turning desktops into a service, a number of challenges become evident as well, said Gerhard Eschelbeck, chief technology officer for Sophos. The availability of the systems could be a problem, and the shift to a service model does not change the biggest vulnerability: the user.

"VDI, fundamentally, does not fix the user," Eschelbeck said. "When the user goes to a website and clicks on the wrong link, they are still infected, just like if the desktop were sitting in front of them."

Nonpersistent desktop instances can solve this problem if they are deleted before the malware can spread.

Finally, the entire security of the virtual desktop environment depends on the hypervisor software on which the virtual machines run. An attacker who figures out how to compromise the hypervisor will have access to all of the virtual machines running on that system.

"That is one of the factors for VDI that everyone is worried about -- putting all your eggs in one basket," Roemer said. "Make sure that you can test the hypervisor to make sure it is valid, and also have measurement instrumentation to make sure the hypervisor has integrity."

While such a breach has not yet happened in the wild, it is a topic of active research.

"Knock on wood, we haven't seen it yet," VMware's Randell said. "But never say never."
