Many companies are looking into Virtual Desktop Infrastructure (VDI) environments and looking to overcome the security challenges posed by VDI environments (maximizing guest OS density, scheduled scan “storms” hammering servers, the 9 AM problem when lots of VDI images fire up at the same time and receive pattern file updates). Trying to figure out if they are going to be supporting persistent images, mobile images or both, and how to handle these environments.
These are some of the opportunities that need to be addressed before rolling out your VDI environment. I have read a White Paper from Trend Micro titled “When desktops go virtual, infrastructure security challenges” and below are some excerpts from that white paper I thought were worth reading.
One of the strengths of VDI is its ability to support a full range of desktop types. This is essential to adoption, since many users want all the benefits offered by a traditional desktop. VDI gives users the features they need, such as personal storage space, but without the failure issues. This approach creates opportunities for cost and resource optimization in several areas:
Deployment and Initial Provisioning of End Points: VDI streamlines deployment and speed time to functionality. Virtualized end points are typically all based on single base image (“Gold Image”). That image consists of the operating system, relevant patches, and standard applications. Deploying new virtualized desktops is as easy as creating a copy of that base image and starting it up as a new instance on the VDI host system.
Extended Desktop Hardware Lifecycle: Operating systems and applications have grown increasingly resource hungry. Running new programs on older hardware sometimes creates challenges, requiring enterprises to replace the systems with newer hardware. In VDI environments, all operating systems and applications run on powerful central servers. This minimizes the importance of the hardware performance on the actual desktop PC. Because this enables existing desktop hardware resources to be used for a prolonged period of time, enterprises are able to extend endpoint hardware refresh cycles.
Regulatory Compliance: Because with VDI all systems are centralized in the data center, complying with regulations is much easier. Controls mandated by regulations can be implemented and enforced to virtualized end points in a repeatable, streamlined fashion in the datacenter-much easier than in a traditional desktop environment, where endpoints are dispersed.
End Point Backup: Creating backup of dispersed desktop computers has always been a challenge for enterprises. In particular, increased mobility and ever growing storage capacities have made creating backups increasingly difficult. In a VDI environment desktops are centralized, making the backup of all desktops a much easy task. Because the backup data never leaves the high-performance infrastructure at the datacenter, the entire process of backing up becomes easy, fast, and painless.
Data Protection: Confidential or sensitive data on dispersed endpoints-especially mobile endpoints-is hard to control. Enterprises put a lot of effort in endpoint data loss prevention, hard-disk encryption, and other technologies designed to prevent data from being accessed-especially in cases where a laptop is lost or stolen. In a VDI environment, it is easier to protect data because it resides on a central server and never leaves the secure boundaries of the corporate datacenter.
Operations, Maintenance, and Support: Maintaining desktops in a VDI environment is much easier than in traditional environments. Rolling out patches, deploying new software, and even adding RAM or hard-disk capacity all happens at the central server level. This eliminates concerns about endpoints being switched off at the time of patching or software deployment. The ability to dynamically allocate hardware resources to virtualized desktops not only saves time, it also enables much more efficient use of hardware resources. For example, if a users calls in with a support issue, the support staff can access the virtualized desktop in the datacenter rather than having to access a physical machine that might be remote.
Security Considerations on Virtual Desktops
The risk profile of a desktop-whether physical or virtual-is very different from that of a server. Endpoints are more dynamic and interact within a wider range of potentially dangerous environments. Risks increase for desktop usage due to the difficulty of controlling users who frequently:
- Surf the web and might access malicious web content
- Might be lured into exposing confidential information
- Open potentially malicious email-attachments
- Install applications and “tools” on their desktops
In addition to behavioral differences, system-specific threats present significant security challenges.
Systems need to be continually up to date to protect from these threats. Protection should include:
- Shielding vulnerabilities from being exploited
- Preventing unauthorized access over the network
- Ensuring malware-free data storage
The dynamic nature of the desktop requires a combination of several technologies to effectively protect virtualized deployments:
- Preventing exposure to threats with cloud-based security
- Detecting malicious files at the endpoint in real-time while maintaining system performance and keeping a small footprint
- Shielding vulnerabilities before patches can be deployed
- Regular full-system scans (scheduled and/or on-demand) to detect and remove malware that might not have been detected earlier
When multiple virtualized desktops share a common hardware, even a powerful server can quickly become overwhelmed. For desktops in particular, there are certain resource-intensive operations that cause no issue when executed on individual PCs, but can quickly result in an extreme load on the VDI system.
Full System Scans
During a full system scan, the entire file system is scanned for malware. This introduces a notable amount of load on any individual system. Typically, full system scans are scheduled by the administrator to take place at a certain time (e.g. 3PM on Thursdays). If several-or all-virtualized desktops start a full scan at the same time, the underlying shared hardware of the VDI server will experience extreme load, causing a slowdown of all virtual systems on the server. To ensure smooth operation and normal load on the host system, a VDI-aware endpoint security solution must serialize full scans for systems on the same VDI host.
Larger client updates present many of the same challenges and must be treated in a similar fashion to system scans. Pushing out a major update to multiple virtualized desktops at the same time can saturate the host’s network connection and introduce high I/O load on the host. This can seriously impact the performance impact on the virtual desktops that are running at that time. This load balancing must also be addressed with VDI-aware endpoint security.
SERIALIZATION OF FULL SYSTEM SCANS PER VDI-SERVER
Trend Micro’s OfficeScan will allow only a given number of virtualized endpoints to perform a full system scan at the same time. With this serialized approach, the overall impact on performance is low, yet all systems will be scanned – one after the other.
SERIALIZATION OF CLIENT UPDATES PER VDI-SERVER
Similar to the serialization of full scans, Trend Micro’s OfficeScan management will only update a configurable number of virtualized desktops per VDI server at the same time.
PRE-SCANNING AND WHITELISTING OF BASE IMAGES
Most virtual desktops will be created using the same base image. Administrators can pre-scan and whitelist the elements of that base image. The result is that in each instance of virtual desktop, OfficeScan will only scan for deviations from the base image. This eliminates most extraneous scanning, resulting in much shorter scan times which ultimately contribute to lower performance impact and increased productivity.
INTEGRATION WITH VDI MANAGEMENT
The next release of Trend Micros OfficeScan will integrate with VDI management to retrieve information about the status and location of secured virtual desktops. This will help optimize resource utilization across the entire virtual desktop environment.
I hope that read was worth your while. As always make sure you engage a reliable partner to help you with your VDI assessment and roll out, and work with a company that represents you not the vendor community.