• 05/03/2008
    4:01 AM
  • Network Computing

Desktop Virtualization Drives Security, Not Just Dollar Savings

Infosec pros who don't take a stand on virtualizing their companies' desktops are missing a prime opportunity to boost safety while aiding manageability and compliance.
Intel and AMD offer new chip designs that will help IT make the most of desktop and server virtualization.
In terms of security, you've probably heard the lingo: hardware-assisted virtualization, unified threat management, adaptive security, Trusted Platform Modules. Symantec promises a virtual security appliance for Intel vPro desktops in about 18 months. A VDI station could run the user guest VM plus a security VM or virtual security appliance. Vendors know it's only a matter of time before security becomes a key decision point for organizations considering VDI, and they're taking two tacks to grab our interest: Some, including Intel and AMD, want to make the physical desktop smarter, more secure, and more manageable via intelligent, virtualization-aware processors. Others, including VMware, Pano Logic, and Stoneware, say we need to get rid of the client-server model altogether and invest in their revamped architectures.

We don't buy everything being pitched, and we don't believe that now is the time for ubiquitous VDI. But we do know that information security pros who aren't investigating the security advantages are missing out.

RUN THE NUMBERS

Especially when budgets are tight, costs are weighed against competitive benefit, business alignment, and how well the new initiative aids security and compliance efforts. VDI is a good investment on these counts, assuming you have the data center wherewithal to support the extra servers required. The computing power has to come from somewhere, and sites with limited rack space or that are running out of amps or have overtaxed air conditioning or ventilation systems should run the numbers.

VDI's biggest benefit comes from centralization. Changes to the desktop image are greatly simplified by abstracting the operating system. Financially, we expect to see lower total cost of ownership from extended thin-client hardware life, fewer cycles spent on hardware-induced OS failure, and lightened deployment efforts. Business continuity is another win. If you've been forced to back up desktops because policies allow for local storage of data, VDI will make your life easier. Possibly sensitive information no longer will reside on vulnerable end-user machines, and there is a litany of data management options enabled when all your files reside in a centralized site.

But what happens when a mashup meets virtual desktop infrastructure, or you're deep into building a service-oriented architecture? VDI doesn't intrude on Web 2.0 trends. And buying software as a service plays right into the general argument for virtualization: SaaS is simply a virtualized application deployed from the Internet. VDI and SaaS complement each other for mainstream productivity applications.

In the diagram on p. 48, we illustrate how virtual desktop components are delivered. A typical enterprise deployment begins with a server cluster in the data center. End users can connect with current hardware; simply remove Windows and install a hypervisor. When an employee fires up her desktop, she's immediately asked to log in and is issued a virtual desktop image. True IT control freaks will like the new dumb terminals, but with full desktops often in the $300 to $600 range, and good "thin" VDI clients in the $250 to $700 range, we're not yet convinced of the economics. With a legacy desktop, sure, an employee could bring in an OS on a flash drive and do mischief, but nothing is bulletproof. You will want to keep some fat desktop clients around to deliver access to apps that run only natively on Windows. Once an employee is connected, the desktop machine is simply a conduit. SSL protects traffic as it traverses the wire.
