Does VDI eliminate the need for antivirus software?

The combination of VDI and antivirus software for virtual desktops provides significant security benefits compared to traditional PCs.

What do you and a Bank of America executive have in common? It may not be the number of zeros in your salary. But you both use laptops for business, and if you aren’t using desktop virtualization, you could also become a data theft victim like one Bank of America executive.

You may remember reading about the bank executive whose unencrypted laptop with customer information and sensitive corporate data was stolen a few years back. The contents of his hard drive were later extracted and made available on the WikiLeaks website. It was a leading story in the evening news.

And more recently, the Massachusetts labor department had to apologize for a computer virus that may have compromised sensitive data from as many as 210,000 unemployed workers. The virus reportedly came from “criminal hackers” who collected confidential job claimant and employer information from 1,500 state computers.

Looking at those events, I wonder if Virtual Desktop Infrastructure (VDI) could have prevented these incidents and countless other data theft and virus cases.

Let thieves have the shell, you keep the pearl
Pearl divers love the hunt for the treasures inside the shelled homes of an ocean creature called the mollusk. As with a computer information thief, the thrill of the steal is only the beginning. The real prize is what’s contained inside: information that, in the wrong hands, could harm a company's reputation and potentially impact its finances.

With VDI, you can turn the devices into simple shells and hold the real treasure -- the company information -- in the data center, with policies around access.

This means the virtual desktop access devices -- thin clients, PCs, iPads and other types of client hardware -- become little more than empty shells.

Does VDI eliminate the need for antivirus software?
Some IT admins have suggested antivirus software isn’t necessary for virtual desktops because of the inherent security virtual desktops provide. Concern about resource overload further encourages the removal of antivirus software.

But the merits of antivirus software are still valid in a VDI environment. Image restoration and centralized control are excellent methods of preventing or slowing the spread of a virus, but they do nothing to prevent the initial infestation. Even if you enforce strict policies for data transfer, the numerous ways of transferring files (including email viruses that get past the email scanner) mean that even a virtual desktop has risk exposures.

McAfee and Symantec recently announced that their software will operate more intelligently in VDI environments, and Symantec published a whitepaper showing how Symantec Endpoint Protection (SEP) version 11 includes enhancements for virtual desktop environments. Additionally, at the recent Symantec Vision Conference, they announced that SEP version 12 will have further enhancements, including awareness of cloned images and a reduction of over 90% in IOPS in VDI environments.

With the combination of VDI and antivirus software enhancements, it’s clear that virtual desktops offer significant security benefits compared to traditional PCs.

Data encryption on local drives is not enough
Of course, some say that encryption for traditional PCs is sufficient. There are excellent products on the market, such as Symantec's PGP Whole Disk Encryption (WDE), that create a security "force field" around local hard drives.

The problem comes when the data on a device is no longer in the physical control of the employee or the IT department. To trigger the "poison pill" built into the PGP-compliant chipset, the device needs to reconnect to the public network and receive the command to “swallow the pill” to disable itself.

The PGP security administrator could set a policy forcing systems to rendezvous with the security controller within a predefined time period. If the system misses the rendezvous, it commits hara-kiri. It sounds like a James Bond spy movie, and that’s the problem; it’s closer to make-believe than reality.

Those of us in the real IT world know how impractical this feature is in most enterprises. I liken it to a loud car alarm that goes off for 15 minutes before the neighbor calls the police, who arrive 10 minutes later. A professional car thief breaks into a car and hot-wires it in under one minute. Similarly, a savvy data thief can extract data from storage media before the next scheduled rendezvous.

If you keep all the data in the data center and present that data via virtual desktops, implement data extraction policies and monitor/control/protect data in transit out of the data center, you preserve the most valuable asset a company has -- information.

VDI is not the answer to all desktop security problems, but together with antivirus software, it is a strategy that should be considered for today’s toughest security challenges.

Eugene Alfaro leads IT Engineering for Cornerstone Technologies, an IT engineering services firm in San Jose, CA. He has architected, managed and operated corporate IT environments for multi-national companies since 1998. He has been a speaker on topics such as virtualization, WAN optimization, enterprise storage, Voice-over-IP and others.