An Overview of the Security Benefits Offered by Desktop Virtualization

by David Morgan

Desktop virtualization is a new and exciting topic in the computer industry.

I want to give a brief overview of the benefits that desktop virtualization can provide in comparison to more traditional methods.  The physical security of the desktop virtualization arrangement, compared to the traditional workstation setup, will also be covered.

I will provide an overview of the benefits and detriments that come with migrating to the desktop virtualization model as this relates to the security of the client and network.  Social engineering will also be covered for both desktop virtualization and more traditional implementations.

Profits gained from migrating to desktop virtualization will also be analyzed.  Providing applications, operating systems, and user data as services is a secure and more efficient way to utilize server hardware and network resources.

Desktop virtualization has many advantages over the typical workstation with a local operating system and local program installations.  Using desktop virtualization software such as Citrix XenDesktop and XenApp, virtualization of applications and operating systems becomes possible.  Desktop virtualization results in less software maintenance, lower hardware cost, and less time spent updating and supporting clients.  A few more advantages of desktop virtualization include less administrative and program support, smaller and cheaper workstations, and improved scalability.  Along with monetary advantages, desktop virtualization also offers numerous security advantages.

Desktop virtualization is a technology that allows multiple users to remotely access operating systems, applications, and data as if they were local to the client.  This technology is similar to the terminals hosted on mainframes back in the 1980s.  Back then, a user would access a terminal and work on the mainframe from their workstation in a command line interface.  Desktop virtualization provides a GUI that is identical to the desktop that users are used to seeing.  Desktop virtualization relies on three elements: a program to virtualize the desktop, a client or "thin client," and a server to run the virtualization program on.

Thin clients come in all different shapes and sizes.

An average thin client is about one quarter the size of the traditional desktop workstation using the ATX standard.  The small build of the clients allows for more room on the user's workspace as well as more users per workspace if space is an issue.  Thin clients carry minimal hardware, whereas the traditional quad-core desktop may have $350 of hardware or more depending on the needs of the user.  Less hardware means less risk if a workstation is stolen or lost.  Most thin clients include a slot for a Kensington lock to secure the workstation to a table or desk, making it nearly impossible to remove.  The thin client also stores no user data locally, so no data can be compromised if the client is stolen; unlike on the traditional desktop, user data resides safely in the user's virtual desktop.  The level of physical theft prevention depends on the furniture the client is mounted on, as well as the type of locks used to secure the client, monitor, and peripherals.

In a white paper regarding security concerns that arise when users use mobile devices for work, Microsoft said, "Wherever possible, data should reside within protected clouds or data centers.  In this way, data should not be exposed on the local device."

Microsoft brings up an interesting point regarding data security.  When valuable data is taken from the premises, how can it be protected?  Possibly one of the most beneficial aspects of desktop virtualization is having a mobile workforce.  This enables workers to access their computer away from work and improves efficiency and accessibility, but at the same time it creates a security problem for IT personnel: how to make mobile connections to the virtual desktop secure.  The solution is for a user to access their desktop through a Virtual Private Network (VPN), a private and secure network connection between systems.  This VPN may be accessed with any device that meets the requirements specified by the terminal server.  As for the problem of data being moved in and out of the organization, this can be remedied by a strict policy that users store sensitive data only on their virtual desktop (also referred to as the cloud).  If a user must have sensitive information on a mobile device, then remote wiping of the device must be properly configured.

As with any new technology, desktop virtualization requires changes to be made to the network, client systems, and peripherals.  Switching from traditional computing to computing as a service requires extensive network changes, client changes, and qualified personnel trained to implement these systems and services.  These personnel must have an in-depth knowledge of how desktop virtualization works in addition to the skills to set up and maintain the infrastructure.  Desktop virtualization relies solely on the network being functional.  Network support and setup is a crucial aspect of the migration.  The client migration is dependent on the users in the organization.

For example, if there are only 30 users, there would be no need to migrate to thin clients.  Instead of migrating, the virtualization client program could be installed on the existing computers.  Encryption inside and outside of the network will depend on how the data is being transported.

Access control is a very important part of information security.

The traditional approach to limiting user access to installed applications, as well as the permission to install applications, involves using a local security policy or a group policy to essentially "lock down" features that are sometimes useful or needed.  This is often an annoyance to users, sometimes leading them to attempt to work around the policy, which leads to lost productivity among other things.  Using desktop virtualization gives administrators the ability to centralize all user data, programs, and operating system images separately on servers.

While this may result in a single point of failure if not implemented correctly (i.e., no backup in place and no failover servers), this is an excellent way to ensure that access to sensitive data, programs, and operating systems is available to users everywhere.  Administrative control over access to operating systems and applications allows administrators to limit or give access to any user or group.  This feature can be useful for a number of reasons.  Using the permissions offered with the virtualization software, you may select which applications and operating systems the user has permissions to access.

Updating programs, installing security patches, and updating operating systems are some of the most security-critical and time-consuming tasks for support technicians.  Applying fixes in a non-virtualized environment may take days, weeks, or months, depending on how many clients there are in the organization.  Using the desktop virtualization model, patches and updates can be applied to a pool of virtual images, even while the images are being used.  Applications are updated similarly.  With XenApp, Citrix's application virtualization software, updating applications is as simple as running the update package that comes with the software in need of the update, and XenApp does the rest (i.e., configuring the user profile with the program's run-once).

As anyone who has worked in a technology support position knows, the user is oftentimes the weakest link in the information security structure.  Aside from education of the user, which is, of course, a good policy, desktop virtualization can be configured to restrict functions per application if necessary.  Requiring each user to have a domain account creates a wall barring access to any user without an account and password.

These usernames and passwords are very important since they give access to the LAN as well as the users' data.  Since user accounts are managed using Active Directory or a Linux equivalent such as Samba, a technician can deactivate an account or change its password if necessary.  With logging enabled on the cloud, any social engineer or dumb user accessing or changing sensitive files would be logged by the system.

Therefore, if they had physical access to a client with an active account and password, their activity would be logged by the server running their virtualized desktop.  Of course, a contingency plan should be in place if an event like this arises.  Quotas for RAM usage, hard disk space, CPU usage, network bandwidth, etc. can also be set so a single user does not consume an excessive amount of resources.  In a standalone computer setup, there would have to be a monitoring service installed on the computer in communication with a server or an SNMP service.

Unfortunately, this is not a good method since the attacker could disable logging in the operating system and stop the process logging their actions.  This is the reason many companies have their workstations "locked down," disabling features such as the Task Manager.  With desktop virtualization, this can be avoided.
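The review that server-side logging makes possible, sketched as an added example that is not part of the original article: given the file-access log kept by the virtual desktop servers, list what one account touched during a suspected compromise window and which thin clients it came from.  The log line format, the account and client names, and the sensitive-path policy are all assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample records; the line format is an assumption for this example:
# timestamp  account  thin-client  action  path
AUDIT_LOG = """\
2024-03-04T09:12:05 alice TC-014 READ /shares/projects/plan.docx
2024-03-04T09:40:41 bob TC-022 READ /shares/finance/payroll.xlsx
2024-03-04T22:03:17 alice TC-031 READ /shares/finance/payroll.xlsx
2024-03-04T22:05:52 alice TC-031 WRITE /shares/finance/vendor list.xlsx
2024-03-04T22:09:30 alice TC-031 DELETE /shares/hr/reviews/2023.pdf
malformed line without enough fields
2024-03-05T08:58:10 alice TC-014 READ /shares/projects/plan.docx
"""

SENSITIVE_PREFIXES = ("/shares/finance/", "/shares/hr/")  # hypothetical policy


def parse_audit(text):
    """Yield one dict per well-formed record; skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split(None, 4)  # path is last and may contain spaces
        if len(parts) != 5:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # first field is not a timestamp, so not a record
        yield {"time": when, "account": parts[1], "client": parts[2],
               "action": parts[3], "path": parts[4]}


def activity_report(text, account, start, end):
    """Everything `account` touched in [start, end], with sensitive hits marked."""
    report = []
    for rec in parse_audit(text):
        if rec["account"] == account and start <= rec["time"] <= end:
            rec["sensitive"] = rec["path"].startswith(SENSITIVE_PREFIXES)
            report.append(rec)
    return report


def clients_used(report):
    """Thin clients the account logged in from during the window."""
    return sorted({rec["client"] for rec in report})


if __name__ == "__main__":
    window = (datetime(2024, 3, 4, 18, 0), datetime(2024, 3, 5, 6, 0))
    for rec in activity_report(AUDIT_LOG, "alice", *window):
        flag = "SENSITIVE" if rec["sensitive"] else "-"
        print(rec["time"], rec["client"], rec["action"], rec["path"], flag)
```

Because the records are written by the server hosting the session, stopping a process on the client does not remove them from this report.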

The typical setup of standalone workstations simply does not compare with the thin client virtual desktop setup.  Desktop virtualization uses thin clients valued at an average of $150, which includes keyboard, monitor, and mouse.  These systems are far less costly than fully built systems that have more hardware components, utilize more power, and require more maintenance.

Of course, these workstations would not work if not for a server hosting the virtual desktop.  Instead of having a separate license for 3,250 computers, the organization would have to buy one virtual installation license (provided the organization providing the program has a virtual license option).  Power consumption is another reason to switch to virtual desktops, since the thin client workstations take less than half the power of commonly used workstations.  This would lower electricity consumption and reduce the carbon footprint of the organization using virtual desktops.

In conclusion, desktop virtualization provides much broader control over client and network security.

Physical security of thin clients is simple to implement with proper locks and proper furniture to mount the clients on.  If a client is stolen, the impact will be minimal on the business.  The support of secure mobile devices will increase productivity and ensure data security with a VPN and strict data handling policies.  Migrating to a virtualized desktop environment requires trained personnel and a well-monitored network.  User password compromise can be prevented with user training.

If a user's password is compromised, a log of files accessed will be available to the cloud administrator.  Locking down systems is no longer necessary.  This eliminates the trouble of employees seeking to bypass security locks in place and increases productivity.

Program updates are a cinch and require no downtime.
