Network Computing is part of the Informa Tech Division of Informa PLC


Desktop Virtualization Drives Security, Not Just Dollar Savings: Page 5 of 7

Those familiar with network access control will recognize a key similarity with the next generation of desktop virtualization security: Moving authentication requests beyond a software-based mechanism to more robust, less user-reliant hardware. Imagine never having to issue network user names and passwords; rather, the machine that an employee uses to connect to the network is authenticated, and virtual machines follow suit. For now, VDI users will still need to log in with credentials and passwords, though a thin client with a connection broker offers single sign-on.

Hypervisor security problems are fairly well understood, but they're only part of the story. VDI provides the ability to run the most up-to-date security software automatically when the virtual desktop links to the network. There's real value here--no more out-of-date signatures. IT also gains intrahost threat detection and the ability to be notified if VMs begin attacking one another. We'll be watching development of desktop virtual security appliances, and you should be, too.

Diagram: Virtual Desktop Infrastructure

Microsoft-Kidaro's architecture is particularly interesting. The Kidaro end-user client provides a wrapper for encryption and firewall security, managed by a central software mechanism that also functions as a virtual desktop administration point. Stoneware's security offerings are strictly software-based and include SSL, two-factor authentication, and directory integration. Pano Logic's approach to VDI employs a device that has no software, no CPU, no memory, no operating system, and no drivers--otherwise known as a "zero client." Security is all in the back end. Pano's is a novel, unique approach--clean, simple, and true to the desktop replacement mantra. And the little silver box is pretty sexy, too.

A recent development is IBM Phantom, which is still more of a research project than a specific product initiative. IBM's objective is to greatly improve the security of the virtual environment, specifically the hypervisor, via the use of an intrusion-prevention system. Details are sketchy at present, and there's no definitive timeline for product development, but we'll keep an eye on whether Phantom evolves into a real product companies can use.

For now, SSL is the mainstay in secure communications. We tried VDI with SSL enabled, using VMware's Virtual Desktop, and did not notice much of a performance hit on server CPUs for SSL overhead. It's up to you whether all your intraenterprise traffic needs to be encrypted around the clock. If you're using VDI over a VPN, there's no need to encrypt twice.

SIGN ON THE DOTTED LINE

Given all this security goodness, you might wonder why companies aren't signing up for VDI in droves. Some are. In "How Merrill Lynch Plans To Virtualize Half Its Desktops", we explore how Merrill Lynch is building a virtual infrastructure, and we recently profiled Cincinnati Bell's client virtualization initiative (see "Cincinnati Bell Sees Desktop Virtualization As Cost Saver And Profit Maker").