Blog post

Are SHVD (VDI) desktops more secure than physical? – In a word: “yes”

By Gunnar Berger | August 08, 2012 | 5 Comments

Recently a journalist I speak to fairly often reached out and asked me to provide some insight into Shawn Bass’s blog series on how VDI isn’t secure. It took me a long time to write the reply because there was a lot to discuss, and after spending all that time I felt my reply should go up as a blog post, so here it is with very little edited.

I read Shawn Bass’s blog last night, and I do agree with him on his major point: VDI is no more secure than physical PCs. (I agree because in the end both are running the Windows OS, which is identically secure whether it runs on a virtual or a physical machine.)

I do disagree with some of the minor points, such as this one:

Whole disk encryption products have been out for years now and given that a majority of federal, state, local governments require disk encryption on endpoint systems this is becoming less and less likely as a vehicle for loss of data when an endpoint is lost/stolen.

I disagree that data can be secured at the endpoint device. If there is anything I learned in my college courses it’s that security is an illusion: no matter how hard you try to secure something, there is always something that makes it insecure. Encryption products only delay the inevitable; an encrypted disk is only as safe as the key that unlocks it, and a device that is lost while unlocked, or whose key is later recovered, gives up everything on it. That is why I believe there is a big difference between not having the data at the endpoint and having it there, regardless of encryption: data that never reached the device cannot be recovered from it. This means I believe verticals that are very data sensitive (health care with PHI) are better off with a SHVD or SBC solution that keeps the data off the endpoint device.

As far as Shawn’s point about securing the data in the datacenter and protecting it from things like Dropbox, I think he is spot on; this is very difficult. However, I do think he is missing something here too: this argument has nothing to do with physical versus virtual desktops. The data in the datacenter is difficult to protect, and that’s a problem in both worlds. The issue with physical PCs is that you not only have to protect the data in the datacenter, you also have to protect it at the endpoint. SHVD/SBC eliminates the need to protect it in two locations. But again, Shawn is right: it’s extremely difficult to protect this data.

I also think there is less risk in protecting the datacenter: these areas are under surveillance and in protected rooms, and the chance of something being stolen is very low compared to a desktop. So virtual desktops do provide better physical security than physical desktops, but that’s just layer 1.

The underlying issue Shawn is getting at is that it’s VERY difficult to secure yourself against users who rightfully have access to things and break the rules. In my background in health care, we couldn’t stop doctors/nurses from looking at records they had no business looking at, but we could track it. With employees, this is really your only defense: track and punish the offending user.
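One way to implement the tracking described above, as an added example that is not from the original post: the audit log lines and the care-team assignment table below are constructed, and a real deployment would draw the audit feed from the EHR or the session broker rather than from a string. The rule is simple but it is the one that catches the "looking at records they had no business looking at" case: flag every access where the user has no assignment covering the patient.

```python
"""Flag EHR record accesses where the user has no assignment to the patient.

Added example (not from the post). The log format and the care-team
assignment table are constructed assumptions; a real audit feed would
come from the EHR or the session broker.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample audit log: timestamp, user, role, patient_id, action
SAMPLE_LOG = """\
2012-08-08T09:02:11,nurse_a,nurse,P1001,view
2012-08-08T09:05:40,dr_b,physician,P1002,view
2012-08-08T09:07:02,nurse_a,nurse,P2045,view
2012-08-08T09:07:10,nurse_a,nurse,P2046,view
2012-08-08T12:30:00,dr_b,physician,P1001,update
"""

# Constructed assignments: the patients each user is responsible for today.
ASSIGNMENTS = {
    "nurse_a": {"P1001", "P1003"},
    "dr_b": {"P1001", "P1002"},
}


@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    role: str
    patient: str
    action: str


def parse_log(text: str) -> list[Access]:
    """Parse CSV audit lines into Access records, skipping blank lines."""
    return [Access(*row) for row in csv.reader(io.StringIO(text)) if row]


def flag_unassigned(accesses, assignments):
    """Return the accesses whose user has no assignment covering the patient.

    A user missing from the assignment table has no patients, so every
    access by that user is flagged; that is the intended fail-closed default.
    """
    return [a for a in accesses if a.patient not in assignments.get(a.user, set())]


def summarize(flagged) -> dict[str, int]:
    """Count flagged accesses per user so reviewers can prioritize follow-up."""
    return dict(Counter(a.user for a in flagged))


if __name__ == "__main__":
    hits = flag_unassigned(parse_log(SAMPLE_LOG), ASSIGNMENTS)
    for a in hits:
        print(f"{a.ts} {a.user} ({a.role}) {a.action} {a.patient}: no care relationship")
    print(summarize(hits))
```

Running this on the constructed log flags the two views by nurse_a of P2045 and P2046, which are outside that user's assignment, and nothing for dr_b. The same check applies whether the session came from a physical PC or a virtual desktop; the difference in the SHVD/SBC case is that the audit trail sits in the datacenter next to the data rather than on the endpoint.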

Live Data:
I also feel Shawn is missing part of the live data argument. In a SBC/SHVD world, the data doesn’t cross the network except inside the datacenter. What is sent to the endpoint is just screen updates, which could be argued contain data (but it’s going to be very limited) compared to, say, an ODBC query running across a VPN; in that scenario the data sent over the link is the full query response (i.e. real data). But to Shawn’s credit, he does say that SHVD/SBC “may” improve this; I would just go a step farther and say it “does” improve it.

Overall I very much agree with Shawn, I just pick at some of the finer points.

Now to answer your questions: (these are the questions I was asked in the journalist’s email to me)

How are VDI-based virtual desktops better than PCs?

  1. Management. They are easier to manage. This is what the vendors push, and this is what I talk about often. I can have thousands of desktops run off a single central image. Other products can do this, but SHVD works in more use cases.
  2. Performance. In many cases performance can be improved using a virtual desktop. Poorly written apps that send large amounts of data to a remote user over a VPN can see a significant boost in performance when they run on a gigabit network (on the back end) and are accessed remotely. This is true for both SBC and SHVD. Also, utilizing technologies like Atlantis ILIO makes it possible to have VMs that boot in seconds, not minutes. I have a health care client that cites poor desktop performance as a patient safety issue. I like how that client thinks.
  3. Follow-me desktop. This is one of the benefits of SBC/SHVD: the ability to have your desktop follow you anywhere, be it a tablet, a desktop, or a TV. You could argue that laptops do this too, and you’d be right, but with follow-me desktop technologies I don’t have to carry a particular device with me; any device is my access point.

I want to switch gears. You are casting me as the VDI protagonist, but I’d like to flip it around. There are a lot of reasons not to use SHVD.

  1. Cost. Need I say more? It’s expensive, and you tend to only see the benefits in OPEX, not CAPEX. A major change in storage architecture could change this story, so I tend to praise any vendor that brings storage into the hypervisor host.
  2. Other technologies that would do a better job. For instance, SBC would be better suited to delivering an application to a tablet than an SHVD desktop. Provisioning technologies like Citrix Provisioning Server, Wyse Streaming Manager, and VMware Wanova would be better suited to solving the management complexity of physical desktops without the need to build out a huge SHVD solution. This is especially true for environments that have already upgraded their physical PCs to Windows 7, so they have good hardware but still have major management complexities.
  3. Expertise. SHVD isn’t simple, and at scale it requires some pretty sharp IT staff to keep it running. Thankfully technologies like Citrix’s VDI-in-a-Box, Nutanix and others are working to simplify this complexity.

My stance is that you use whatever technology makes sense and try to ignore all the negativity that is out there. PCs still make a lot of sense, and so do SHVD, SBC, and disk streaming technologies. They each have their place, and they each solve a problem. No single technology is going to replace the need for all the others (at least not yet). I think VMware’s stance with Wanova further backs up this point, and what I just said could also be used to define what Citrix calls FlexCast, so they too stand by that philosophy.


  • Hate to nit pick but I disagree with a few of your points…

    Before I go any further I must state that I’m a strong believer in the benefits of VDI/SBC (as this may not be the impression you get from my comment)

    from the section:
    How are VDI-based virtual desktops better than PCs?

    1. Management: They are easier to manage? I disagree with you here, as successful management of virtual desktops requires a higher level of skill and also introduces more risk (for instance a screw-up in the management, instead of bringing down a single application / machine, can bring down all of the desktops used by your company / division – this can happen at the gateway, the broker, the disk image, etc). As an example I’ve seen 1000+ users come to a standstill due to a single setting on a web interface server (this affected multiple gateways and didn’t happen immediately, so no level of change control or testing could have saved this).

    2. Agree totally with you here, assuming correct use case and configuration.

    3. Agree here too; a laptop / tablet with native apps is more convenient offline though. Any means of delivering data outside of the organization introduces a security risk – a stolen laptop without remote access means you risk all local data on this laptop falling into the wrong hands, a stolen remote access session means risking all of the data the compromised account had access to – note I’m not stating it’s worse with VDI/SBC, it’s just the same as all remote access methods.

    There are a lot of reasons not to use SHVD.
    Only going to comment on 3. Expertise. Yes, you need sharper IT skills to manage VDI/SBC at scale, but for example VDI in a Box really doesn’t scale and is targeted more at the SMB market. I don’t see large scale VDI / SBC deployments coming into the realms of easy management by “generic” Windows admins for many years to come.

    Again, I totally support VDI/SBC in all use cases where it benefits the organization, and I have been working with the technology for more than 10 years and don’t foresee a time when I’ll stop using it; however, added security and ease of management aren’t the trump cards that they are made out to be.

  • Gunnar Berger says:

    Nit picking is good. I love comments, especially well thought out comments like yours.

    I will say again this was a response to a press inquiry and I wasn’t trying to make every point possible. My main point was that virtual desktops do offer “some” added security, specifically layer 1. The first part of the email was just meant to give enough support to backup that argument (not fill every gap in security). As I said, I agree with the overwhelming majority of Shawn’s post.

    Now to your points.
    1) Good point. You do need sharper IT staff, but I’d argue this is a benefit. I’d rather hire 1 or 2 very sharp IT staff than have 30 staff that only know how to ghost machines. We’ve talked to companies who have been able to do just this and reduce their overhead. So yes, it’s more complicated and you can really screw it up (I for one had a similar experience with a failed SQL service causing all desktops to stop), but it still reduces management (especially endpoint management). But to your point, it does increase risk (which is where good design comes into play).

    2) Use case is everything. I don’t advocate SHVD or SBC in every use case, in fact my research that will soon publish is all about where you use what technology. There is no perfect technology.

    3) This goes back to the point #1 above.

    As for my comments on VIIB and Nutanix, I have to point out the use of the present tense verb “working”. I have major concerns on how these solutions scale, and completely agree with you that for now it’s SMB only. But they are “working” on it and that gives me hope, because this stuff has to get simpler and cheaper and these approaches could be the key.

  • Mike Moore says:

    One area I don’t see mentioned is vulnerabilities in VDI clients, for example keyboard recording. One of the security issues I see with VDI is that it assumes that just because it itself is secure, the data is secure. One of the benefits of a platform that is protected from boot onwards is that trust is built on solid foundations. With VDI or any remote terminal you don’t know what is wrapped around the remote access and what it can do, and that also needs to be considered in the arguments on security. While tactics exist to limit risk, such as one-time passwords, you don’t mention these as additional attack vectors in a VDI situation. These vulnerabilities also exist outside of VDI, but solutions do exist, such as locking the BIOS and boot order, protecting USB ports, and removing physical access to machines as in an internet kiosk.

  • VM does not integrate well with cyber exercises or intelligence-led cyber risk programs. The scoring systems and databases do not lead well towards the patterns and practices used by power analysts in the cyber intelligence space.