A member of the Gartner Blog Network

Gunnar Berger
Research Director
1 year at Gartner
14 years IT industry

Gunnar Berger is a research director for Gartner's IT Professionals service. He covers desktop, application and server virtualization ...

Are SHVD (VDI) desktops more secure than physical? – In a word: “yes”

by Gunnar Berger  |  August 8, 2012  |  6 Comments

Recently a journalist whom I speak to fairly often reached out to me and asked me to provide some insight into Shawn Bass's blog series on how VDI isn't secure. It took me a long time to write the reply because there was a lot to discuss, and after spending all that time I felt my reply should go up as a blog post. So here is my reply, with very little information edited.

Security:
I read Shawn Bass's blog last night, and I do agree with him on his major point: VDI is no more secure than physical PCs. (I agree because in the end they are both running the Windows OS, which would be identically secure whether virtual or physical.)

I do disagree with some of the minor points, such as this one:

Whole disk encryption products have been out for years now and given that a majority of federal, state, local governments require disk encryption on endpoint systems this is becoming less and less likely as a vehicle for loss of data when an endpoint is lost/stolen.

I disagree that data can be secure at the endpoint device. If there is anything I learned in my college courses, it's that security is an illusion. No matter how hard you try to secure something, there is always something that makes it insecure. Encryption products only delay the inevitable. It's this belief that makes me say I believe there is a big difference between not having the data at the endpoint versus having it, regardless of encryption. This means I believe verticals that are very data sensitive (health care with PHI) are better off with a SHVD or SBC solution that keeps the data off the endpoint device.

As far as Shawn's point about securing the data in the datacenter, and protecting it from things like Dropbox, I think he is spot on; this is very difficult. However, I do think he is missing something here too: this argument has nothing to do with physical versus virtual desktops. The data in the datacenter is difficult to protect; that's a problem in both worlds. The issue with physical PCs is that not only do you have to protect it in the datacenter, you also have to protect it at the endpoint. SHVD/SBC eliminates the need to protect it in two locations. But again, Shawn is right, it's extremely difficult to protect this data.

I also think there is less risk in protecting the datacenter: these areas are under surveillance, in protected rooms, and the chances of something being stolen are very low compared to a desktop. So virtual desktops do provide better physical security than physical desktops, but that's just layer 1.

The underlying issue Shawn is getting at is that it's VERY difficult to secure yourself against users who rightfully have access to things and break the rules. In my background in health care, we couldn't stop doctors/nurses from looking at records they had no business looking at, but we could track it. With employees, this is really your only defense: track and punish the offending user.
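As an added illustration of the "track" side of that approach (example code written for this page, not code from the post or from any product the author mentions): the detection logic below runs over a chart-access audit log and flags two patterns, an access by someone with no treatment relationship to the patient, and a user opening an unusual number of distinct charts in a short window. Everything in it is constructed: the audit log lines, the CARE_TEAM relationship table, the column names and the thresholds are assumptions, not data or rules from any real EHR system.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample EHR access audit log (not real data). Each row is one
# chart access; the CSV layout and column names are an assumption.
AUDIT_LOG = """timestamp,user,role,patient_id,action
2012-08-08T09:01:00,dr_smith,physician,P1001,view
2012-08-08T09:05:00,dr_smith,physician,P1002,view
2012-08-08T09:20:00,nurse_jones,nurse,P1001,view
2012-08-08T09:22:00,nurse_jones,nurse,P2040,view
2012-08-08T10:00:00,clerk_lee,clerk,P3001,view
2012-08-08T10:03:00,clerk_lee,clerk,P3002,view
2012-08-08T10:05:00,clerk_lee,clerk,P3003,view
2012-08-08T10:09:00,clerk_lee,clerk,P3004,view
2012-08-08T10:12:00,clerk_lee,clerk,P3005,view
2012-08-08T13:00:00,dr_smith,physician,P1001,update
"""

# Constructed treatment-relationship table: (user, patient) pairs that the
# scheduling/admission system would vouch for. Also an assumption.
CARE_TEAM = {
    ("dr_smith", "P1001"), ("dr_smith", "P1002"),
    ("nurse_jones", "P1001"), ("clerk_lee", "P3001"),
}


def parse_log(text):
    """Parse the CSV audit log into dicts with a datetime timestamp, oldest first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return sorted(rows, key=lambda r: r["timestamp"])


def find_no_care_relationship(records, care_team):
    """Rule 1: a chart opened by a user with no treatment relationship to the patient."""
    return [r for r in records if (r["user"], r["patient_id"]) not in care_team]


def find_bursts(records, max_patients=3, window=timedelta(hours=1)):
    """Rule 2: a user touching more than max_patients distinct charts inside one
    sliding window. Catches browsing/snooping even when each single access could
    be argued to be plausible. Returns {user: peak distinct-chart count}."""
    by_user = defaultdict(list)
    for r in records:                      # records are already time-ordered
        by_user[r["user"]].append(r)
    flagged = {}
    for user, rows in by_user.items():
        peak = 0
        for i, start in enumerate(rows):   # window anchored at each access
            seen = set()
            for r in rows[i:]:
                if r["timestamp"] - start["timestamp"] > window:
                    break
                seen.add(r["patient_id"])
            peak = max(peak, len(seen))
        if peak > max_patients:
            flagged[user] = peak
    return flagged


def audit(log_text, care_team, max_patients=3):
    """Run both rules and return the findings for review."""
    records = parse_log(log_text)
    return {
        "no_care_relationship": find_no_care_relationship(records, care_team),
        "bursts": find_bursts(records, max_patients=max_patients),
    }


if __name__ == "__main__":
    findings = audit(AUDIT_LOG, CARE_TEAM)
    for f in findings["no_care_relationship"]:
        print(f"{f['timestamp']} {f['user']} opened {f['patient_id']} with no care relationship")
    for user, n in findings["bursts"].items():
        print(f"{user} opened {n} distinct charts inside one hour")
```

On the sample data, rule 1 flags the nurse's single out-of-scope lookup and every chart the clerk opened beyond the one patient they are assigned to, while rule 2 flags only the clerk, whose five charts in twelve minutes look like browsing. Both rules produce a review queue, not a block; that is exactly the "track, then act" model the paragraph describes, and it works the same whether the chart was opened from a physical PC or a hosted desktop, since the audit trail lives in the datacenter either way.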

Live Data:
I also feel Shawn is missing part of the live data argument. In a SBC/SHVD world, the data doesn't cross the network except in the datacenter. What is sent to the endpoint is just screen updates, which could be argued to contain data (but very limited data) compared to, say, an ODBC query running across a VPN; in that scenario the data sent over the link is a full query response (i.e., real data). But to Shawn's credit he does say that SHVD/SBC "may" improve this; I would just go a step further and say it "does" improve it.

Overall I very much agree with Shawn, I just pick at some of the finer points.

Now to answer your questions (these are the questions I was asked in the journalist's email to me):

How are VDI-based virtual desktops better than PCs?

  1. Management. They are easier to manage. This is what the vendors push, and it is what I talk about often. I can have thousands of desktops run off a single central image. Other products can do this too, but SHVD works in more use cases.
  2. Performance. In many cases performance can be improved using a virtual desktop. Poorly written apps that send large amounts of data to a remote user over a VPN can see a significant boost in performance when running on a gigabit network (on the back end) and then remotely accessed. This is true for both SBC and SHVD. Also, utilizing technologies like Atlantis ILIO makes it possible to have VMs that boot in seconds, not minutes. I have a health care client that cites poor desktop performance as a patient safety issue. I like how that client thinks.
  3. Follow-me desktop. This is one of those benefits of SBC/SHVD: the ability to have your desktop follow you anywhere, be it a tablet, desktop, or TV. You could argue that laptops do this too, and you'd be right, but the ability to do this with follow-me desktop technologies means I don't have to carry one device with me; any device is my access point.

I want to switch gears. You are casting me as the VDI protagonist, but I'd like to flip it around. There are a lot of reasons not to use SHVD.

  1. Cost. Need I say more? It's expensive, and you tend to only see the benefits in OPEX, not CAPEX. A major change in storage architecture could change this story, so I tend to praise any vendor that brings storage into the hypervisor host.
  2. Other technologies that would do a better job. For instance, SBC would be better suited to deliver an application to a tablet than an SHVD desktop. Provisioning technologies like Citrix Provisioning Server, Wyse Streaming Manager, VMware Wanova, would be better suited to solve the management complexity of physical desktops without the need to build out a huge SHVD solution. This is especially true for environments that have already upgraded their physical PCs to Windows 7 so they have good hardware but still have major management complexities.
  3. Expertise. SHVD isn’t simple and at scale requires some pretty sharp IT staff to keep it running. Thankfully technologies like Citrix’s VDI-in-a-box, Nutanix and others are working to simplify this complexity.

My stance is that you use whatever technology makes sense, and try to ignore all the negativity that is out there. PCs still make a lot of sense; so do SHVD, SBC, and disk streaming technologies. They each have their place, and they each solve a problem. No single technology is going to replace the need for all other technologies (at least not yet). I think VMware's stance with Wanova further backs up this point, and what I just said could be used to define what Citrix calls FlexCast, so they too stand by that philosophy.

 


6 responses so far

  • 1 Solis Consulting   August 9, 2012 at 7:13 am

    Hate to nit pick but I disagree with a few of your points…

    Before I go any further I must state that I’m a strong believer in the benefits of VDI/SBC (as this may not be the impression you get from my comment)

    from the section:
    How are VDI-based virtual desktops better than PCs?

    1. Management: They are easier to manage? I disagree with you here, as successful management of virtual desktops requires a higher level of skill and also introduces more risk. For instance, a screw-up in the management, instead of bringing down a single application / machine, can bring down all of the desktops used by your company / division (this can happen at the gateway, the broker, the disk image, etc.). As an example, I've seen 1000+ users come to a standstill due to a single setting on a web interface server (this affected multiple gateways and didn't happen immediately, so no level of change control or testing could have saved this).

    2. Agree totally with you here, assuming correct use case and configuration.

    3. Agree here too, though a laptop / tablet with native apps is more convenient offline. Any means of delivering data outside of the organization introduces a security risk: a stolen laptop without remote access means you risk all local data on this laptop falling into the wrong hands, and a stolen remote access session means risking all of the data the compromised account had access to. Note I'm not stating it's worse with VDI/SBC; it's just the same as all remote access methods.

    There are a lot of reasons not to use SHVD.
    Only going to comment on 3. Expertise. Yes, you need sharper IT skills to manage VDI/SBC at scale, but for example VDI-in-a-Box really doesn't scale and is targeted more at the SMB market. I don't see large-scale VDI / SBC deployments coming into the realms of easy management by "generic" Windows admins for many years to come.

    Again, I totally support VDI/SBC in all use cases where it benefits the organization. I have been working with the technology for more than 10 years and don't foresee a time when I'll stop using it; however, added security and ease of management aren't the trump cards that they are made out to be.

  • 2 Gunnar Berger   August 9, 2012 at 12:22 pm

    Nit picking is good. I love comments, especially well thought out comments like yours.

    I will say again this was a response to a press inquiry and I wasn’t trying to make every point possible. My main point was that virtual desktops do offer “some” added security, specifically layer 1. The first part of the email was just meant to give enough support to backup that argument (not fill every gap in security). As I said, I agree with the overwhelming majority of Shawn’s post.

    Now to your points.
    1) Good point. You do need sharper IT staff, but I'd argue this is a benefit. I'd rather hire 1 or 2 very sharp IT staff than have 30 staff that only know how to ghost machines. We've talked to companies who have been able to do just this and reduce their overhead. So yes, it's more complicated and you can really screw it up (I for one had a similar experience with a failed SQL service causing all desktops to stop), but it still reduces management (especially endpoint management). But to your point, it does increase risk (which is where good design comes into play).

    2) Use case is everything. I don't advocate SHVD or SBC in every use case; in fact my research that will soon be published is all about where you use what technology. There is no perfect technology.

    3) This goes back to the point #1 above.

    As for my comments on VIIB and Nutanix, I have to point out the use of the present-tense verb "working". I have major concerns about how these solutions scale, and I completely agree with you that for now it's SMB only. But they are "working" on it, and that gives me hope, because this stuff has to get simpler and cheaper and these approaches could be the key.

  • 3 Mike Moore   August 16, 2012 at 8:14 pm

    One area I don't see mentioned is vulnerabilities in VDI clients, for example keyboard recording. One of the security issues I see with VDI is that it assumes that just because it itself is secure, the data is secure. One of the benefits of a platform that is protected from boot onwards is that trust is built on solid foundations. With VDI or any remote terminal you don't know what is wrapped around the remote access and what it can do, and that also needs to be considered in the arguments on security. While tactics exist to limit risk, such as one-time passwords, you don't mention these as additional attack vectors in the VDI situation. These vulnerabilities also exist outside of VDI, but solutions do exist, such as locking the BIOS and boot order, protecting USB ports, and removing physical access to machines as in an internet kiosk.

  • 6 vSentry and the Art of VDI Security | A Collection of Bromides on Infrastructure   April 26, 2013 at 4:59 pm

    [...] about whether VDI itself is inherently “secure”. This blog will not attempt to answer that question. Instead I want to focus on how we, at Bromium, view VDI security, and how we can help protect [...]
