Employees today think of their workstations as their very own PCs because we've given them admin rights and free reign to do everything except conduct business in a secure manner. Now we are looking to VDI to reign in this IT nightmare.
I've been an IT consultant for over 30 years, so I remember installing and supporting a Xenix/Unix accounting systems. They used dirt cheap dumb terminals and networked Windows PCs running terminal emulation programs to interface to the Xenix/Unix accounting server. Only certain employees got access to the PCs, and they could only download files from the server to their PC (no uploading). Everyone else could enter or query information from cheap, recycled Wyse terminals, and they couldn't upload or download files, either.
Back then, report and form printers were located in well-trafficked office locations and were continuously monitored. There was no Internet, although users with the proper credentials could dial-in via modem and get admin shell for server maintenance.
As far as we could tell, there was never a security breach and we were perfectly able to handle all reasonable business transaction requests with near 100% reliability and security.
Fast forward to 2011, where everyone is running client/server networks and employees have admin rights to desktops, smart phones, USB thumb drives, malware-vulnerable browsers and email. The network defenses used by even the most secure corporations are routinely breached by highly skilled cybercriminals, and financial theft, intellectual property theft, identity theft, and APT spyware run rampant.
Network administrators are throwing every possible defense onto the network infrastructure, trying to lock down PC’s and remove admin privileges from over-empowered end users.
Using VDI for desktop security
Looking back, the original mainframe computing model was so secure because simple dumb terminal communications protocols facilitated user interactions with applications and data residing on the "mainframe" and file transfers in either direction were prohibited.
It makes no sense to provide a path of potential data leakage to employees who only need to enter, edit, delete and query individual transaction records that are stored in a database, but in many contemporary client/server networks, this capability lurks just beneath some fairly weak safeguards that are easily subverted by privilege escalation.
VDI may be a logical step in reclaiming data security, because it takes data and applications away from end user PCs and puts it all back on a secure server in the data center (similar to the mainframe computing model). VDI also gives administrators a way to tightly control the user experience and dissolve or distribute virtual desktops on demand.
Of course, you also have to secure those VDI servers while delivering an acceptable user experience.
Securing VDI in a virtualized data center begins with the sober observation that we must learn the architecture of unfamiliar VDI components to defend them along with the physical resources we are already struggling to secure.
Great! We can use all the free time we have on our hands to delve into the inner workings of VDI and divine some extensions to our layered security defenses that will include these new components. Should be a piece of cake…
The problem is, even companies with deep pockets such as RSA can't defend its digital fortress from professional hackers, so what makes us think that we can succeed? All we can do is put forth our best efforts and hunker down in front of our security workstations while watching anxiously for come what may.
Over the coming months, I will write VDI Security articles for SearchVirtualDesktop.com that explore all the layers of security you must deploy to have even the hope of robust virtualized network security defenses. I'll look at all of the components that make up a modern, virtualized client/server network, several classes of known vulnerabilities that must be continuously defended against, and specific security products and services that provide the necessary defenses.
ABOUT THE AUTHOR:
Alan J. McRae has been a self-employed IT professional for over 30 years. He has provided advanced application support services to independently owned computer franchisees, Fortune 1000, SMB, and SOHO clients. Uncovering an APT security breach at a client site awakened him to the importance of properly securing contemporary client/server networks from professional cybercriminals. As president of LANCOPS SecureNET Services, he is actively researching new security technologies and advising clients on security best practices.