In the first article in this VDI security series, the case is made for moving client/server network security back towards the mainframe model, with operating systems, applications, data and the host security suite all residing in the data center. In this article, we explore ways cybercriminals successfully breach enterprise security and why VDI may be a better approach.
Recent high-profile security breaches prove that cybercriminals target users on your client/server network. Even companies with top-notch IT security teams and antivirus software, RSA among them, can't protect their networks -- so chances are, your company isn't safe either.
But if you use VDI, you at least have a prayer.
Security measures fall short
Many companies install client security suites, filter end user Internet access and email, lower user access privileges, monitor LAN traffic, and lecture end users on acceptable use policies and best practices. But none of those security practices protect organizations from targeted attacks.
That's because the teams of people behind cybercrimes do a thorough recon of your layered defenses, and they strategize a stealth attack to penetrate all of your security layers unobserved. Cybercriminals buy crimeware construction packs with 24x7 support and guaranteed Fully Undetectable (FUD) service level agreements to breach your network. In fact, if your data is extremely valuable, they may even build a network similar to yours to simulate attacks so they can make sure their efforts succeed the very first time.
So, even with a state-of-the-art multilayered network defense system in place, a professionally provisioned cybercriminal team can breach your defenses like they don't even exist.
That's the hard truth that confronts the IT security industry today. Once we clearly understand the crimeware development and installation lifecycle, how droppers and downloaders actually work, and the state-of-the-art programming they use to create undetectable crimeware, we see that we are outclassed in this cat-and-mouse game.
Something has to radically change this paradigm -- and fast. So let's envision a model that is favorable to enterprise security.
The VDI fortress
While it is impossible to secure numerous uniquely configured desktop hosts that are continuously changed by users, it is possible to create, secure and monitor a small number of standardized golden virtual machine (VM) images that run entirely in the data center using Virtual Desktop Infrastructure (VDI).
Deploying golden VM images that are carefully engineered to do only what is absolutely necessary for business is ideal for a number of reasons. For one, if users can only access enterprise transactional systems via tightly secured VDI clients, IT pros can focus on maintaining the purity of their golden VM images and keeping their core infrastructure and database servers secure.
These golden VM images can be carefully monitored for unauthorized changes, and if an image is somehow compromised, IT can simply dissolve it and redeploy a fresh copy. This also eliminates concerns about lingering malware components that remain after disinfecting desktop images with antivirus software.
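The "monitor the golden image for unauthorized changes" step above can be made concrete with a file-integrity baseline: hash every file in the known-good image once, then compare a later snapshot against that manifest and treat any added, removed or altered file as drift that warrants discarding the instance and redeploying. The script below is an added illustration, not code from the article or from any VDI vendor; the paths and file contents in `GOLDEN` and `DRIFTED` are constructed sample data, and `snapshot_tree` is the same manifest builder pointed at a real mounted image volume.

```python
"""Golden-image drift detection (illustrative, not the article's own tooling).

Baseline a known-good image by hashing every file, then diff a later
snapshot against that baseline. Any difference is a reason to discard the
running instance and redeploy from the golden image.
"""
import hashlib
import os
from typing import Dict, List

# Manifest format: relative path -> SHA-256 hex digest of the file content.
Snapshot = Dict[str, str]


def snapshot_tree(root: str) -> Snapshot:
    """Walk a directory (e.g. a mounted golden-image volume) and hash each regular file."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            snap[rel] = digest.hexdigest()
    return snap


def snapshot_from_bytes(files: Dict[str, bytes]) -> Snapshot:
    """Build the same manifest from an in-memory {path: content} map (used by the sample data)."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def image_is_clean(baseline: Snapshot, current: Snapshot) -> bool:
    """True only when the current snapshot matches the golden baseline exactly."""
    d = diff_snapshots(baseline, current)
    return not (d["added"] or d["removed"] or d["modified"])


# Constructed sample data: a tiny "golden" image and a drifted copy of it.
GOLDEN: Dict[str, bytes] = {
    "Windows/System32/kernel32.dll": b"golden kernel32 bytes",
    "Program Files/App/app.exe": b"approved line-of-business app",
    "Users/Public/readme.txt": b"hello",
}
DRIFTED: Dict[str, bytes] = {
    "Windows/System32/kernel32.dll": b"golden kernel32 bytes",            # unchanged
    "Program Files/App/app.exe": b"approved line-of-business app\x00patched",  # altered
    "Windows/Temp/unexpected.exe": b"file not present in the golden image",    # added
    # Users/Public/readme.txt is missing -> removed
}

if __name__ == "__main__":
    baseline = snapshot_from_bytes(GOLDEN)
    current = snapshot_from_bytes(DRIFTED)
    report = diff_snapshots(baseline, current)
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:9s} {path}")
    print("clean" if image_is_clean(baseline, current) else "DRIFT DETECTED: redeploy from golden image")
```

In practice the baseline manifest is generated once from the golden image and stored outside the VM (the instance being checked must not be able to rewrite its own baseline), and the comparison is scheduled or triggered at logon; a non-empty report is the signal to dissolve the instance rather than attempt to clean it.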
IT can also use virtualization and standardization to create purpose-specific virtual workstations that do only what is operationally relevant, and move all other activities into wild-west, low-security Internet zones where potential damage to the enterprise is contained.
While VDI provides the level of security enterprises require, we also need to validate the integrity of virtual desktop technologies, such as client hypervisors. (Zero clients appear to be the most secure client device option, since these stateless devices minimize the attack surface. But zero clients don't help us with mobile users, and let's face it: mobile users are our biggest security threat.)
In the next VDI security article, we'll look at VDI golden image creation, deployment and monitoring, and explore two vital components of layered security: file system change monitoring and application whitelisting.
You will also learn how one company used these technologies to detect and thwart the very same attack that brought down RSA.
ABOUT THE AUTHOR:
Alan J. McRae has been a self-employed IT professional for over 30 years. He has provided advanced application support services to independently owned computer franchisees, Fortune 1000, SMB and SOHO clients. Uncovering an APT security breach at a client site awakened him to the importance of properly securing contemporary client/server networks from professional cybercriminals. As president of LANCOPS SecureNET Services, he is actively researching new security technologies and advising clients on security best practices.
This was first published in August 2011