Desktop Virtualization Drives Security, Not Just Dollar Savings - InformationWeek


Infosec pros who don't take a stand on virtualizing their companies' desktops are missing a prime opportunity to boost safety while aiding manageability and compliance.

Especially when budgets are tight, costs are weighed against competitive benefit, business alignment, and how well the new initiative aids security and compliance efforts. VDI is a good investment on these counts, assuming you have the data center wherewithal to support the extra servers required. The computing power has to come from somewhere, and sites that have limited rack space, are running out of amps, or have overtaxed air conditioning or ventilation systems should run the numbers.

VDI's biggest benefit comes from centralization. Changes to the desktop image are greatly simplified by abstracting the operating system. Financially, we expect to see lower total cost of ownership from extended thin-client hardware life, fewer cycles spent on hardware-induced OS failure, and lightened deployment efforts. Business continuity is another win. If you've been forced to back up desktops because policies allow for local storage of data, VDI will make your life easier. Possibly sensitive information no longer will reside on vulnerable end-user machines, and there is a litany of data management options enabled when all your files reside in a centralized site.

But what happens when a mashup meets virtual desktop infrastructure, or you're deep into building a service-oriented architecture? VDI doesn't intrude on Web 2.0 trends. And buying software as a service plays right into the general argument for virtualization: SaaS is simply a virtualized application deployed from the Internet. VDI and SaaS complement each other for mainstream productivity applications.

In the diagram on p. 48, we illustrate how virtual desktop components are delivered. A typical enterprise deployment begins with a server cluster in the data center. End users can connect with current hardware; simply remove Windows and install a hypervisor. When an employee fires up her desktop, she's immediately asked to log in and is issued a virtual desktop image. True IT control freaks will like the new dumb terminals, but with full desktops often in the $300 to $600 range, and good "thin" VDI clients in the $250 to $700 range, we're not yet convinced of the economics. With a legacy desktop, sure, an employee could bring in an OS on a flash drive and do mischief, but nothing is bulletproof. You will want to keep some fat desktop clients around to deliver access to apps that run only natively on Windows. Once an employee is connected, the desktop machine is simply a conduit. SSL protects traffic as it traverses the wire.

As current systems are phased out, look at what's available for VDI-optimized clients. The term "dumb terminal" evokes some bad memories, but today's thin VDI systems dodge two significant limitations of thin clients--limited memory and small CPUs. Desk-side hardware is modular, with few moving parts. No spinning hard disks or complicated driver sets.

The client-host operating system--an ultrasmall, embedded desktop hypervisor--doesn't dictate the applications that can run on the system. Users can make calls to one or more virtualized operating systems at the same time, run localized versions of those VMs, benefit from a physical desktop's horsepower, and gain added security via a hypervisor's intelligence and reliance on underlying hardware engineered specifically to provide solid virtualization.

Hypervisors are what make virtualization possible, and that's just as true on the desktop as on the server. Because the hypervisor enforces virtual machine boundaries and resource requests, it's also the linchpin in the security stack and should be treated as such.

So it stands to reason that if the desktop hypervisor has a small footprint, is hardware-embedded, or functions as a virtual appliance itself, security is much improved. VMware is stepping down its hypervisor and service console from a sizable, and potentially more vulnerable, 2 GB to an entire platform baked into a 32-MB footprint, bootable from an embedded location, a USB key, or a CD-ROM. Once the hypervisor is on board at the desktop level, users can ask it to perform the work they need and the negotiation they require of it--including network authentication and machine isolation.

Chip manufacturers are at work here as well. Consider the Trusted Platform Module. Think of a TPM chip as a hardware-based lockbox where users can store credentials and certificates, manage keys, and encrypt e-mail and files. The VDI hypervisor can make use of this security mechanism, making calls to hardware instead of storing important information in software.

CPU enhancements, though, are where Intel and AMD earn their keep, by providing a trusted processing platform that can accommodate all virtualization software. Call it universal extensibility--just like we want the ability to swap out hardware without impacting the software, so, too, do we want to future-proof our virtualization software investments. This movement is centered on the CPU now, but peripherals are in play for future capability.

[Figure: Impact Assessment: Desktop Virtualization]
