Unfriendly software security risk for desktop virtualization

End-point security software are not built with desktop virtualization in mind and this is proving to be one of the biggest management challenges in virtual desktop infrastructure (VDI) environments today.

According to Richard Sheng, Trend Micro's Asia-Pacific regional director for business development and product marketing, because existing endpoint security tools are unable to recognize the presence of virtual machines, they contend for resources at the CPU, storage and network levels.

On physical machines, such utilization of resources would not be significant but in desktop virtualization, where multiple desktops are co-located on one physical server, the base load on that machine is considerably more strenuous.

Sheng explained in an e-mail: "Take the so-called '9 a.m. problem' when workers come to their desk in the morning and start up their virtual image. Immediately the images would reach out to download the latest security updates, like filters and scan-engine updates. This leads to serious contention on the CPU and the storage side."

Similarly, when a scheduled malware scan runs on a VDI system, it overloads the CPU and storage capacity, causing all task sessions to slow down. Sometimes, users are unable to even login and virtual sessions get dropped, he noted, adding that the entire VDI host may even come to a complete halt.

As a result, Sheng warned that customers may resort to removing security completely from their VDI installations, exposing their desktops to significant risk.

Trend Micro last month announced the OfficeScan 10.5, which the company touts can decrease scan-time as well as memory consumption and CPU utilization by up to 80 percent in a VDI environment. "Customers no longer have to choose between security and VDI returns on investment," said Sheng.

Security inherent, but still a must in desktop virtualization
Martin Duursma, vice president of Citrix Labs and chair of the CTO Office, noted that security is one of the inherent capabilities of a VDI offering as data and applications are under the control of the data center, not the endpoint.

"As soon as you can start to centralize information, it has to be a more secure solution than when you move files, presentations, content down to a laptop," Duursma said in an interview at the Citrix iForum 2010 held in Singapore earlier this month.

"Today when organizations have PCs or laptops, they lose control of their corporate information--people are downloading corporate spreadsheets and files onto machines," he noted. "There's a spread of information and the IT [department] has really little knowledge of where it's all going. When you use a VDI, that spread doesn't occur."

Neville Burdan, Datacraft Asia's general manager for Microsoft solutions, concurred. However, he pointed out that the enhanced security does not remove the "need for good security practices on the desktop", such as putting in place virus protection and encryption technologies.

"Many people think that because [management of] the desktop is now placed in the data center, they do not need to do this. However, this is not true," Burdan said.

"Secure your desktop just as you would with your laptop, then you will have new tools and benefits of backing data and managing the image in the data center but remember to secure those desktops," he said.

Trend Micro's Sheng also advised companies to, from a risk management perspective, treat a VDI desktop like any other desktop. "We acknowledge that VDI desktops are easier to revert to a clean state if infected, but the risk of getting infected is the same as with a physical desktop.

"[This means] the risk of spreading malware and exposing corporate or sensitive personal information is the same," he said.