Security perimeters return for VDI
- Tags: DLP, enterprise, IPS, VDI, virtualization
- IT Topics: Cloud Computing, Emerging Technology, Security Hardware & Software, Virtualization
Security, compliance and long-term cost savings are driving a few large virtual desktop infrastructure (VDI) projects, especially in regulated industries. With desktops running on protected servers in the data center, IT can use VM provisioning systems to centrally control software configurations against unauthorized changes and use storage management systems to tightly administer confidential data. One side effect of VDI is that IT has well-defined communications paths out of the data center and can re-establish a security perimeter for endpoints, which favors appliance deployments. In many cases, a virtual security center concept, made up of corporately hosted software and hardware appliances, can independently inspect, detect, scrub, and audit activity while shifting the security burden away from distributed endpoints for businesses moving to virtual desktops.
A virtual security center approach may host DLP appliances that are easier to manage for VDI architectures. The usual downside of security appliances is the cost of distributing and managing hardware on every affected network segment. However, since virtual desktops are hosted, a high-speed DLP appliance can inspect content-in-motion for a broader range of users and, since remote display protocols keep computable data off of endpoints, there is less need for agent software to control USB devices or to provide local disk encryption. Vendors will be announcing high-performance capabilities for discovery and usage monitoring of regulated data between now and the RSA Conference. Security teams should look at these DLP appliances as an easy-to-manage addition to virtual desktop infrastructures.
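The two paragraphs above describe one inspection point that sees every flow leaving the data center: an egress allow-list over the well-defined communications paths, followed by content-in-motion discovery of regulated data, with each verdict audited. The following is an added Python example of that choke-point logic; it is not code from the article or from any vendor it names. The flow records, destination names and the regulated-data pattern (card-number-shaped digit runs confirmed with a Luhn check) are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample flows (not from the article): traffic leaving the data
# center from hosted desktops, as seen at the single inspection point that VDI
# gives the security team. Field names are this example's own assumptions.
SAMPLE_FLOWS = [
    {"vm": "vdi-desktop-017", "dst": "crm.example.internal",
     "payload": "Order 4412 for customer 4111 1111 1111 1111 shipped"},
    {"vm": "vdi-desktop-042", "dst": "paste.example.net",
     "payload": "card 5500 0000 0000 0004 exp 09/27"},
    {"vm": "vdi-desktop-042", "dst": "mail.example.com",
     "payload": "Invoice total 1234 5678 9012 3456 is not a card number"},
    {"vm": "vdi-desktop-003", "dst": "intranet.example.internal",
     "payload": "Meeting notes, nothing sensitive"},
]

# Hypothetical egress allow-list: the well-defined paths out of the data center.
ALLOWED_DESTINATIONS = {
    "crm.example.internal",
    "intranet.example.internal",
    "mail.example.com",
}

# Candidate primary account numbers: 13 to 19 digits, optional space/dash separators.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; it filters out arbitrary digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit strings that match the card pattern and pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


@dataclass
class Verdict:
    vm: str
    dst: str
    egress_allowed: bool
    pan_count: int

    @property
    def action(self) -> str:
        # Perimeter check first, then content inspection: the order an
        # appliance chain at the choke point would apply them.
        if not self.egress_allowed:
            return "block:egress"
        if self.pan_count:
            return "block:regulated-data"
        return "allow"

    def audit_line(self) -> str:
        # Log the count of matches, never the matched numbers themselves.
        detail = f" pans={self.pan_count}" if self.pan_count else ""
        return f"{self.action} vm={self.vm} dst={self.dst}{detail}"


def inspect(flow: dict) -> Verdict:
    """Apply the egress allow-list and content-in-motion check to one flow."""
    return Verdict(
        vm=flow["vm"],
        dst=flow["dst"],
        egress_allowed=flow["dst"] in ALLOWED_DESTINATIONS,
        pan_count=len(find_pans(flow["payload"])),
    )


def inspect_all(flows=SAMPLE_FLOWS) -> list[Verdict]:
    return [inspect(f) for f in flows]


if __name__ == "__main__":
    for v in inspect_all():
        print(v.audit_line())
```

Two design points carry over to a real appliance: the Luhn check is what keeps a regulated-data rule from firing on every invoice number or ticket ID, and the audit record deliberately carries only a match count so the DLP log does not become a second copy of the data it exists to protect.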
IPS appliances can also work within a VDI deployment to monitor inbound and outbound traffic between VMs and both internally and externally hosted applications. For example, Sourcefire's 20 Gb IPS performance, which supports both real-time user and network awareness, is well suited to security teams that need to monitor a larger number of end-users efficiently on high-speed processors. A tuned IPS appliance can be an effective means of monitoring and auditing users and applications for behavior indicative of a malware infection. The appliance approach also preserves valuable compute cycles on the virtual servers that execute the desktops.
An important job of a virtual security center is to detect and scrub malicious code from Web and messaging traffic before malware can reach a virtual desktop. Even with virtual desktops, browsers will be pulling in data from the web. Cisco and Trend Micro are two vendors providing customer-hosted anti-malware capabilities for enterprises not yet ready to trust cloud-based services. By placing anti-malware processing in a virtual security center, IT security can reduce administration costs while gaining the flexibility to deploy complementary, lighter-weight endpoint security within the virtual desktops.
Shifting the burden of security processing and administration from endpoints to scalable appliances makes sense in VDI architectures. While vendor researchers sort out what features hypervisor security APIs really need to deliver, IT should re-examine traditional assumptions about security deployments. IT security may find that mimicking cloud-based services in an IT-controlled virtual security center yields a security practice that is easier to maintain, upgrade, and evolve for virtual desktop infrastructures.