Desktop Virtualization Drives Security, Not Just Dollar Savings

Thin is back in, and you can thank server virtualization. We all know what happened last time IT tried to make business desktops smaller, leaner, and easier to manage: Users balked at being told they couldn't install their pet applications. IT realized that a data center-based operating system rendered on a diskless thin client yielded only marginal cost and manageability improvements. And security groups never took up the cause of terminal services because they worried about the implications of an attacker gaining access to the central server. But now, virtualization on the server side has paved the way for broader acceptance throughout the business. Today's virtual desktop infrastructure, or VDI, might not make your end users any happier than yesterday's thin clients did, but IT and information security pros are paying attention, and liking what they see.

In a VDI, server memory is divvied up among individual virtual machines, bringing significant manageability and security benefits. This is a new paradigm in desktop computing--secure, mobile, and platform independent. Clients are "thin" in the sense that the operating system isn't tied to hardware but centrally stored. A compact, specialized desktop hypervisor is the sole interaction point between client and network.

All the big names in server virtualization have desktop offerings. VMware provided the push that got VDI into IT's consciousness. Citrix Systems, long a leader in terminal services, acquired XenSource last year, and Microsoft announced in March that it would buy VDI vendor Kidaro. At present, virtual desktops need Windows licenses just like their fat kin, so Microsoft is in a win-win situation. And not all your applications will be supported in a virtual environment--AutoDesk, for example, doesn't recommend using ProductStream or Vault virtually--but most mainstream apps will run fine. As a bonus, with virtual desktop infrastructure, you can strictly manage licensing and ensure that any given application is accessed only when and by whom it's meant to be used. Support for legacy systems that need nonstandard operating systems will be eased.

Not to be outdone, hardware vendors are moving in with offerings geared to VDI. Architecturally, VDI shifts the repository of user desktops to a central server or servers and requires a large, fast storage system--most likely, a storage area network. For users to take advantage of the latest and greatest hardware-assisted virtualization, systems equipped with CPUs optimized for hypervisors will provide the best performance. Intel is supporting VDI in a big way with its vPro and Virtualization Technology-embedded CPUs, and so is Advanced Micro Devices.

DIG DEEPER

CHIPS AHOY

Intel and AMD offer new chip designs that will help IT make the most of desktop and server virtualization.

Download this
InformationWeek Report

>> See all our Reports <<

In terms of security, you've probably heard the lingo: hardware-assisted virtualization, unified threat management, adaptive security, Trusted Platform Modules. Symantec promises virtual security appliance Intel vPro desktops in about 18 months. A VDI station could run the user guest VM plus a security VM or virtual security appliance. Vendors know it's only a matter of time before security becomes a key decision point for organizations considering VDI, and they're taking two tacks to grab our interest: Some, including Intel and AMD, want to make the physical desktop smarter, more secure, and more manageable via intelligent, virtualization-aware processors. Others, including VMware, Pano Logic, and Stoneware, say we need to get rid of the client-server model altogether and invest in their revamped architectures.

We don't buy everything being pitched, and we don't believe that now is the time for ubiquitous VDI. But we do know that information security pros who aren't investigating the security advantages are missing out.RUN THE NUMBERSEspecially when budgets are tight, costs are weighed against competitive benefit, business alignment, and how well the new initiative aids security and compliance efforts. VDI is a good investment on these counts, assuming you have the data center wherewithal to support the extra servers required. The computing power has to come from somewhere, and sites with limited rack space or that are running out of amps or have overtaxed air conditioning or ventilation systems should run the numbers.

VDI's biggest benefit comes from centralization. Changes to the desktop image are greatly simplified by abstracting the operating system. Financially, we expect to see lower total cost of ownership from extended thin-client hardware life, fewer cycles spent on hardware-induced OS failure, and lightened deployment efforts. Business continuity is another win. If you've been forced to back up desktops because policies allow for local storage of data, VDI will make your life easier. Possibly sensitive information no longer will reside on vulnerable end-user machines, and there are a litany of data management options enabled when all your files reside in a centralized site.

But what happens when a mashup meets virtual desktop infrastructure, or you're deep into building a service-oriented architecture? VDI doesn't intrude on Web 2.0 trends. And buying software as a service plays right into the general argument for virtualization: SaaS is simply a virtualized application deployed from the Internet. VDI and SaaS complement each other for mainstream productivity applications.

ARCHITECTURAL WONDER
In the diagram on p. 48, we illustrate how virtual desktop components are delivered. A typical enterprise deployment begins with a server cluster in the data center. End users can connect with current hardware; simply remove Windows and install a hypervisor. When an employee fires up her desktop, she's immediately asked to log in and is issued a virtual desktop image. True IT control freaks will like the new dumb terminals, but with full desktops often in the $300 to $600 range, and good "thin" VDI clients in the $250 to $700 range, we're not yet convinced of the economics. With a legacy desktop, sure, an employee could bring in an OS on a flash drive and do mischief, but nothing is bulletproof. You will want to keep some fat desktop clients around to deliver access to apps that run only natively on Windows. Once an employee is connected, the desktop machine is simply a conduit. SSL protects traffic as it traverses the wire.As current systems are phased out, look at what's available for VDI-optimized clients. The term "dumb terminal" evokes some bad memories, but today's thin VDI systems dodge two significant limitations of thin clients--limited memory and small CPUs. Desk-side hardware is modular, with few moving parts. No spinning hard disks or complicated driver sets.

The client-host operating system--an ultrasmall, embedded desktop hypervisor--doesn't dictate the applications that can run on the system. Users can make calls to one or more virtualized operating systems at the same time, run localized versions of those VMs, benefit from a physical desktop's horsepower, and gain added security via a hypervisor's intelligence and reliance on underlying hardware engineered specifically to provide solid virtualization.

Hypervisors are what makes virtualization possible, and that's just as true on the desktop as on the server. Because the hypervisor enforces virtual machine boundaries and resource requests, it's also the linchpin in the security stack and should be treated as such.

So it stands to reason that if the desktop hypervisor has a small footprint, is hardware-embedded, or functions as a virtual appliance itself, security is much improved. VMware is stepping down its hypervisor and service console from a sizable, and potentially more vulnerable, 2 GB to an entire platform baked into a 32-MB footprint, bootable from an embedded location, a USB key, or a CD-ROM. Once the hypervisor is on board at the desktop level, users can ask it to perform the work they need and the negotiation they require of it--including network authentication and machine isolation.

Chip manufacturers are at work here as well. Consider the Trusted Platform Module. Think of a TPM chip as a hardware-based lockbox where users can store credentials and certificates, manage keys, and encrypt e-mail and files. The VDI hypervisor can make use of this security mechanism, making calls to hardware instead of storing important information in software.CPU enhancements, though, are where Intel and AMD earn their keep, by providing a trusted processing platform that can accommodate all virtualization software. Call it universal extensibility--just like we want the ability to swap out hardware without impacting the software, so, too, do we want to future-proof our virtualization software investments. This movement is centered on the CPU now, but peripherals are in play for future capability.

(click image for larger view)

SECURITY VIA SOFTWARE
VMware is securing its flagship VDI product's traffic with SSL, and with its ACE desktop virtualization management offering, VMware uses Virtual Rights Management to manage security policies and access controls of offline VMs. And yes, you can encrypt a virtual disk.

VDI products from VMware and Citrix control access and secure traffic in roughly the same manner. Both deliver desktop access via a centralized authentication mechanism that syncs with Active Directory and imposes provisioning rules so only people who are permitted to use given virtual desktops have access.

Provisioning and reclamation of user rights happens via a central console. Companies such as Sun Microsystems and Ericom, which offers an array of VDI and emulation products, are back-end-vendor agnostic; Sun provides client hardware via its Sun Ray line. What's consistent is that all these options use software as the primary method of lockdown: Virtual machines are still stored in the data center and delivered elsewhere.

So how much added security does VDI really buy you right now, and is this type of implementation worth the cost when other enterprise security initiatives are also on the table?Those familiar with network access control will recognize a key similarity with the next generation of desktop virtualization security: Moving authentication requests beyond a software-based mechanism to more robust, less user-reliant hardware. Imagine never having to issue network user names and passwords; rather, the machine that an employee uses to connect to the network is authenticated, and virtual machines follow suit. For now, VDI users will still need to log in with credentials and passwords, though a thin client with a connection broker offers single sign-on.

Hypervisor security problems are fairly well understood, but they're only part of the story. VDI provides the ability to run the most up-to-date security software automatically when the virtual desktop links to the network. There's real value here--no more out-of-date signatures. IT also gains intrahost threat detection and the ability to be notified if VMs begin attacking one another. We'll be watching development of desktop virtual security appliances, and you should be, too.

(click image for larger view)

Microsoft-Kidaro's architecture is particularly interesting. The Kidaro end-user client provides a wrapper for encryption and firewall security, managed by a central software mechanism that also functions as a virtual desktop administration point. Stoneware's security offerings are strictly software-based and include SSL, two-factor authentication, and directory integration. Pano Logic's approach to VDI employs a device that has no software, no CPU, no memory, no operating system, and no drivers--otherwise known as a "zero client." Security is all in the back end. Pano's is a novel, unique approach--clean, simple, and true to the desktop replacement mantra. And the little silver box is pretty sexy, too.

A recent development is IBM Phantom, which is still more of a research project than a specific product initiative. IBM's objective is to greatly improve the security of the virtual environment, specifically the hypervisor, via the use of an intrusion-prevention system. Details are sketchy at present, and there's no definitive timeline for product development, but we'll keep an eye on whether Phantom evolves into a real product companies can use.

For now, SSL is the mainstay in secure communications. We tried VDI with SSL enabled, using VMware's Virtual Desktop, and did not notice much of a performance hit on server CPUs for SSL overhead. It's up to you whether all your intraenterprise traffic needs to be encrypted around the clock. If you're using VDI over a VPN, there's no need to encrypt twice.SIGN ON THE DOTTED LINE

Given all this security goodness, you might wonder why companies aren't signing up for VDI in droves. Some are. In "How Merrill Lynch Plans To Virtualize Half Its Desktops", we explore how Merrill Lynch is building a virtual infrastructure, and we recently profiled Cincinnati Bell's client virtualization initiative (see "Cincinnati Bell Sees Desktop Virtualization As Cost Saver And Profit Maker").The success of a VDI pitch depends largely on how well the IT team tailors it to business priorities; how much you've spent on technologies, including disk encryption, to stave off the security risks inherent in your existing desktop infrastructure; and how much application disruption you're willing to endure.

Companies need to examine whether virtual desktop infrastructure will buy them enough benefit in terms of management, flexibility, and decreased risk that it's worth using now. VDI is just now making headlines, but this isn't bleeding-edge technology so much as a twist on a proven platform. The sticking point is that the typical enterprise has so much invested in the physical desktop infrastructure and the processes that surround this manner of deployment, it's hard to change course.

Going forward, the way to answer the question of how to justify the expense is to ask how you can justify continuing to deploy security-challenged physical desktops. At some point, this technology will reach critical mass, and you'll lose your competitive edge because of time spent continuing inefficient practices. The ability to preserve the application environment, provision users faster, increase security, and extend the hardware life cycle make for a pretty persuasive argument for VDI.

We've operated for too long in the "security or manageability, pick one" mentality. If you adopt VDI right now, with existing hardware, you'll gain manageability, lower your total cost of ownership, and benefit from a more secure desktop environment, even without hardware-assisted virtualization. Intel says that its vPro embedded hardware management technology will reduce desk-side visits for software and hardware issues by as much as 56%. But the catch is, vPro must be pervasive across the company.

Certainly your developers will benefit from running multiple isolated virtual machines. Highly secure environments that have typically required separate networks and desktops for secure vs. nonsecure work will derive tremendous value as well. However, the concept of issuing offline VMs, particularly for mobile users, will require a fair amount of work to bring to fruition; we don't yet see a commensurate return. First, deal with the most painful and expensive problem--sprawling, unsecure, unmanaged desktops--before making the foray into complicated offline VDI.Not quite ready? You won't go wrong letting this technology bake a bit longer. It's just a matter of time until Intel's vPro and AMD's Execute Disabled and No Execute memory protection schemes become standards in hardware instead of enhancements, and pricing for the software leaders falls.

But make no mistake: VDI--and virtualization in general--is the future. In 18 to 24 months, a full-on explosion of virtualization options will sweep through the market. The question is, will you be flying high on top of the curve, or grounded under the weight of securing fat desktops?

Jonathan Berdyck is an InformationWeek contributor. He manages a team of IT analysts for a health care provider in western Pennsylvania and holds a master's degree from Carnegie Mellon University. Write to him at [email protected].

Continue to the story:

How Merrill Lynch Plans To Virtualize Half Its Desktops