VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!

For almost 20 years now, I've been implementing Terminal Services and VDI solutions. During that time, I've spent a good deal of time speaking to people about the benefits of these solutions as well as implementing them for customers. There are numerous benefits to a centralized compute model, and I'm not going to go into all of them in this article. When presenting or consulting on TS/VDI, I often tell people that centralized compute (be it Terminal Services, VDI or even a PC farm) does not implicitly provide any higher level of security than a distributed compute model of standard desktops and laptops. This often puts me in the crosshairs of all sorts of TS/VDI related vendors who use security as one of the main selling points of their solution. Hopefully, after reading this series of articles, you will have a better understanding of where I'm coming from when I make these statements.

There are really only two forms of data

To start off, I will grossly oversimplify security and focus solely on data security. To me, data security is what we're ultimately concerned about. It doesn't matter how someone breaks into a system, because at the end of the day all we are concerned about is what that person (the hacker or thief) makes off with. Whether they acquire someone's bank account number, passwords, social security number, plans for the latest Air Force jet, etc., it's all data. Data is important to us and should be the primary thing we are most concerned with protecting. To that end, in my oversimplified version there are only two forms of data:

1. Data at rest

Data at rest refers to data stored on some form of medium where the system that would access that data is currently powered off. The best way to think of data at rest is a desktop or laptop with data contained on the C: drive of the system, but with the operating system powered off. Data at rest could also refer to data stored on removable media that is not inserted into a system, or to data stored on a centralized file server or SAN that is powered off.

NOTE: It is particularly important to focus on the fact that the system accessing this data is powered off, because if it is in a sleep/hibernate state then the disk encryption keys can potentially be compromised on that system, which ultimately provides access to the data at rest. Centralized compute solutions like Terminal Services and VDI can provide a model in which the endpoint system accessing the centralized compute has no data stored on its local disk. If this is the case, then there is no data at rest on the endpoint, and therefore VDI/TS improves data security at the endpoint by not having the data there in the first place. This is the main selling point that VDI/TS vendors make when promoting their solution. However, it's honestly the smallest piece of data security that one needs to be concerned with. It's a gross exaggeration for a few reasons:

  • Whole disk encryption products have been out for years now, and given that the majority of federal, state and local governments require disk encryption on endpoint systems, a lost or stolen endpoint is becoming less and less likely as a vehicle for loss of data.
  • The proponents of improved security through centralized data often ignore the fact that while they *think* the users do not have any data on their endpoint, users can leverage things like Client Drive Mapping through TS/VDI, email forwarding, Dropbox-like cloud storage solutions, Evernote/OneNote, etc. as a means of getting data out of the central secured corporate environment and onto a platform where the end user can access it. Therefore, by *assuming* you have data security because it's centralized, you're simply living a lie. Pundits would say "You could just use firewall/proxy blocking, web filtering software, Systems Management Agents, DLP agents, and this and that ad nauseam," and to those people I'll just say "Good luck with that and let me know how that works out for you" ;) Not surprisingly, the people advocating this approach probably work for one of the vendors of said "security" software/hardware.
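The three assumptions behind the "no data at rest on the endpoint" claim (the disk really is encrypted, the machine really is off rather than asleep, and client drive mapping really is blocked) can be checked rather than taken on faith. The following PowerShell audit is an added example, not code from the article or from any vendor; it assumes a Windows endpoint with the BitLocker module, the standard Group Policy registry locations for Terminal Services and power settings, and that the drive-redirection check is run on the session host where the policy is enforced.

```powershell
# Added example: audit the three "data at rest" assumptions from the article.
# Assumes a Windows 10/11 or Windows Server system and an elevated session.
# Registry/policy paths are the standard Group Policy locations (assumption,
# not something the article states).

function Get-DataAtRestPosture {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Whole disk encryption: is the OS volume actually protected right now?
    #    ProtectionStatus 'Off' means the keys are exposed even if encrypted.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $result.OsVolumeProtected = ($null -ne $os -and $os.ProtectionStatus -eq 'On')

    # 2. Sleep/hibernate: a suspended system keeps its keys in RAM or in
    #    hiberfil.sys, so its data is live, not at rest. HibernateEnabled=0
    #    means hibernation has been turned off (powercfg /h off).
    $powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hib = Get-ItemProperty -Path $powerKey -Name HibernateEnabled -ErrorAction SilentlyContinue
    $result.HibernationDisabled = ($null -ne $hib -and $hib.HibernateEnabled -eq 0)

    # 3. Client Drive Mapping: the policy "Do not allow drive redirection"
    #    writes fDisableCdm = 1 under the Terminal Services policy key.
    #    This check is meaningful on the TS/VDI session host.
    $tsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $cdm = Get-ItemProperty -Path $tsKey -Name fDisableCdm -ErrorAction SilentlyContinue
    $result.DriveRedirectionBlocked = ($null -ne $cdm -and $cdm.fDisableCdm -eq 1)

    # Only when all three hold does the "no data at rest on the endpoint"
    # argument actually apply to this machine.
    $result.AssumptionsHold = $result.OsVolumeProtected -and
                              $result.HibernationDisabled -and
                              $result.DriveRedirectionBlocked

    [pscustomobject]$result
}

# Usage: list each assumption and whether it holds on this system.
Get-DataAtRestPosture | Format-List
```

Any property reported as False is a place where data the model assumes is centralized can still end up on, or be read from, the endpoint.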

2. Live data

Live data refers to data stored on some form of medium where the system that would access that data is currently powered on. In the scenario where a VDI or TS desktop is powered on with a user connected to it, everything on the C: drive of that system, as well as anything that system has access to on the network, becomes live data. The data is called live because even if you have a whole disk encryption solution active on the disk volume that system is using, the data must be unencrypted in memory in order for the operating system to access it. There are ways of having separate data encryption that protects file systems after the operating system is booted, but again, once I decrypt the data volume to read or write data, the data becomes live data and can be compromised by anyone who controls my operating system. Compromise of live data is the biggest information security risk that we face today.

The data loss that happens in the "data at rest" scenario above is just due to people doing stupid things like not putting whole disk encryption on their laptops. Live data compromises are a much more difficult thing to protect against. Look at any of the high-profile compromises of recent years and they are all being identified as an "Advanced Persistent Threat" or APT. APT isn't necessarily a new concept; it's simply a new term to describe a high level of sophistication in attacks.

Years ago, the biggest threats that the virus/malware companies were protecting us against were things like Internet worms, mass mailers, trojans, etc. There's still tons of that going on today, but the A/V companies have a good handle on it for the most part. If, however, you are a financial services firm, a government defense contractor, etc., you have something more valuable than a bunch of zombie PCs. You have data that is worth a lot of money to thieves, competitors or even foreign nation states. Live data compromise is without a doubt the biggest information security risk we face today. Deploying VDI/TS in your own data center doesn't provide any innate benefit that addresses this particular threat. A Windows PC can be compromised in a data center just as easily as it can be compromised in the field.

At best, VDI/TS provides additional places where security *may* be improved. But again, centralizing the data doesn't bring those benefits by itself. Only after applying several defense in depth measures will you reach any higher level of detection/response capability. Let me be very clear, too, that all these measures do is provide detection/response. They don't prevent the security risk; they only help you assess and respond faster.

Check out part 2 of this article, where I'll discuss what benefits VDI/TS does provide.