VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!

To preface my comments, my company is a Citrix Service Provider that specializes in the SMB market, so I'm biased.

Having said that, a typical SMB infrastructure consists of a consumer class firewall, dumb switches, an entry level server that sits in a poorly secured closet, inadequate environmental controls, no fire suppression systems, and no redundant power. The facility itself is likely a shared office space without 24x7 security monitoring or other theft deterents.

In short, SMBs typically have all of their proverbial eggs in one basket and lack the expertise and financial resources to properly safeguard their data.

By migrating their data to a cloud services provider that DOES have high availability infrastructure, adequate environmental controls, redundant power systems, 24x7 security, security card access, locked server cages, etc... they can mitigate many of the problems with DIY solutions.

Assuming that the cloud provider takes no additional measures to secure customer data, the above measures still represent a vast improvement.

Taking into account the likelyhood that the cloud provider has superior firewall and IPS/IDS systems, encrypted backups, two factor auth options, more frequent security patch rollouts, and NOC techs with superior skills (to name just a few), I would argue that an SMB that chooses to run apps and desktops from the cloud is in a much better position than if they choose the status quo and continue to run their own IT systems in-house.

I think a more pertinent question would be whether SMBs can better secure their data by migrating to the cloud VS physical desktops (or even VDI/SBC) residing in their own office.

My two cents worth...

@Alan - Spot on. However, I wouldn't restrict that philosophy to SMB, but rather expand it to include enterprise solutions that also meet this need.

When IT wants to control the data and infrastructure without providing business justification, the business loses.

I see bad IT decisions being made in SMB every week and see horrendous IT policies in enterprise companies every day.

@Shawn - thank you for continuing to poke and prod at your readers to think about change!

The old way of doing things is simply silly.

I know the study is a few years old now, but it would be crazy to ignore the fact that 12,000 laptops are lost per week at US airports with only 33% recovered.  

blogs.laweekly.com/.../airport_surprise_1200_laptops.php

If we take these numbers on face value of 8000 laptops lost (and not recovered) per week and extrapolate that out to a global footprint and beyond airports, it's a big number.  I have to believe that while some of the data on these laptops might have been shared on Dropbox and other cloud storage sites, it is highly unlikely that it all was.  

So far in 2012, there have been 36 reported incidents in the US for stolen (not lost) laptops: ten of these had an unknown number of data records and 26 of them comprised nearly 180,000 data records.

datalossdb.org/search[]=StolenLaptop&direction=desc&order=reported_date

Most of the incidents reported are government, healthcare and education which suggests that it was only reported for compliance reasons.  What I don't know obviously, is the total number of stolen laptops and what percentage of these have sensitive data, but still ... 30 weeks x 8000 laptops = 240,000 laptops so far in 2012

I wonder how many of the lost laptops had sensitive information and unencrypted hard drives?  I'd be willing to bet that it is more than 0.  Ignoring the

That said, I don't think that virtual desktops are inherently secure.  However, I do take a pragmatic approach that a) it does help with a real problem in end point security, and b) the centralized "always under IT control" model, offers the possibility for improved security that does not exist in a decentralized model.

Quoting my own tweet:

I don't think VDI is inherently more secure [than end-point computing]. I do think going VDI is an opportunity and facilitator for improved security

Also, I agree with @Alan that DaaS can be a good solution for improving security (and backups, and up-time, etc) by handing over that duty to someone who knows how to do it better, and has invested the appropriate resources in it.

@Shawn - Firstly, thanks for raising this important topic for discussion. I often refrain from posting back on BM blog articles because I run an CSP company and have biases accordingly. I took the bait late last night because I couldn't resist :) Great topic!

In a round about way, the point I was driving at is that by migrating desktops to VDI/SBC, companies often end up with better security even if that wasn't an explicit desired outcome.

Why?

Because if you are building out a new VDI/SBC infrastructure today then chances are you going to virtualize those workloads. In the course of doing that, you will likely end up cleaning up data sprawl and centralizing everything on a SAN that's on a physically separate LAN - that adds some physical security via isolation (although it does nothing to secure remote SMB connections).

You will likely also migrate to Windows Server 2008 R2 and revisit NTFS permissions while doing so, which adds some additional security. So does leaving the Windows firewall turned on.

If you get the data off of endpoints too and centralize it on a SAN, then the operational scope of managing the data at rest and live data is drastically reduced. IT admins are more likely to stay on top of data security as a result, as there are fewer touch points.

Finally, after making a huge investment in new hardware to run the VDI/SBC stuff, you will hopefully find money in the budget to tighten up physical security in order to better protect from theft those shiny new servers you paid so much for.

You will likely also consider relocating everything to a colo and in essence create your own private cloud in the process. A typical colo will provide far better physical security than a typical office space.

So, while implementing VDI/SBC doesn't inherently provide better security, in a round about way it does because of the infrastructure and architecture changes that typically result from these types of projects.

With respect to hiring more skilled workers to tighten up physical desktop security, that's an unlikely scenario due to people's expectations around billing rates. For years, as an industry, we've had support tiers and people expect to pay "the going rate". It's a really hard sell to convince people to shell out more money for "desktop" support, but they will shell out more for a VDI/SBC/virtualization guru who will hopefully implement security more effectively.

Hopefully I've managed to steer my comments back on topic now :)

Yes, I absolutely agree Shawn (to a point), those benefits do come from leveraging someone with more expertise. Whether that's a cloud provider, MSP, or consultant is irrelevant.

Having said that, I would argue that anyone looking to build out a new VDI/SBC infrastructure would unavoidably gain those hidden security benefits because they will, by necessity, engage VDI/SBC experts to ensure success.

They will likewise, by necessity, be faced with hardware refresh, shared storage (SAN), and likely new OS rollouts too. Again, those additions typically add inherent security if executed properly.

In cases where in-house IT blunders into a VDI/SBC project without the expertise to execute it properly, I totally agree with your argument that security could end up being no better (or even worse) than with physical Desktops (which the in-house IT understood pretty well).

I'll stop ranting now :)

Shawn you are a tease. Part 1 of 5? Jeez..

Alan - Yours is the same argument vendors are making, that VDI is an opportunity to do everything over and do it right. That is a bunch of BS wrapped up in a SOW. VDI does not make a venn diagram out of protection and productivity. Shawn's Johnny Appleseed example should be regarded as the standard rather than the stand-out. The instant your solution stands in the way of productivity, the end-user will find a way around it and let the bad guys in (not by intent, it's collateral damage).

Specifically, Alan, let me ask you this question: If I am your customer and buy your services, do you provide me with insurance for financial loss I may incur through a security breach on your watch? (credits against some SLA don't count). Are you willing to put your wallet where your mouth is?

Very nice article Shawn.

However a "one size fits all analysis" can't apply because everyone's situation is different, the use cases dictate whether you are right or completely off on left field.

If you provide your users with everything that they need to be productive then it is unnecessary to break protocols.

Also, when thinking about the security of the data you must also think about the security of the application architecture that accesses the data. If the use case requires for remote access, do you spend the time and cost to re-architecture the application so it is web based, and how many applications do you do this for? where does it end? Now you have X number of web apps that need to be managed and secured in their own context.

"Whole is greater than the sum of its parts"

Either make the entire Desktop web based with legacy apps or make each legacy app web based with a legacy desktop. They each have their own positives and negatives.

Also, in many use cases offline access is such a small percentage because the useful data is centralized in databases and you have to be online to access them anyway.

Take this scenario as an example:

- Government SMB entity with a very small and lean IT department

- IT must focus on core services and let users do what they want

- Lots of Macs with local Windows VMs

- Remote access required

- multiple end-point form factors

- limited desk space

Securing data is a question about how you manage your IT system: Device management or Service management.

You're saying that Device Management is more secure, but I'm saying that you're wrong. It really depends on what use cases IT can handle with either approach. If IT doesn't have the resources for Device Management then I can guarantee that the devices are not secure.

Tal,

Your profile on BM states that you are (were) the Director of Technical Marketing in the Desktop Division at Citrix. You seem to be arguing that VDI/SBC offers nothing in the way of security improvements and that the tried and true traditional desktop is the better option. Interesting opinion given your background...

I don't know how you could infer from my comments that I was suggesting that VDI/SBC is some kind of security panacea. The article topic is "VDI and TS are not more secure than physical desktops" and I provided several examples of why implementing SBC/VDI could in fact provide better security than a typical office PC environment.

I'm pretty sure you now work for Bromium and if so it's pretty obvious why you would take aim at VDI/SBC. That's because Bromium appears to use "micro-virtualization" to isolate processes in their own execution bubble using a flavor of type-2, client based hypervisor.

So, your target market would seem to be enterprises who want to use client hypervisor technology on existing PCs to better isolate, secure, and manage them. In other words, your in direct competition with VDI/SBC advocates.

Why don't you disclose who you represent, like I did, and then state why you think traditional desktops can offer better security than SBC/VDI, rather than ranting that VDI/SBC is "a bunch of BS wrapped up in a SOW".

Also, your comment:

"The instant your solution stands in the way of productivity, the end-user will find a way around it and let the bad guys in (not by intent, it's collateral damage)"

There are a myriad of FUIT methods that Brian Madden and Gabe Knuth have discussed in a whole series of blog articles. Which of these, and other you have in mind, are specific to VDI/SBC environments?

Alan: I've tried to reset my profile here a billion times, I think this site just refuses to believe I left Citrix :) I did a whole session on this very topic at BriForum and I'm writing a blog that will reiterate the points I made there as well as discuss the points raised by the audience during our over 30 minutes of post-presentation discussion.

Bromium has nothing to sell, so you can't accuse me of making a vendor pitch. There's a reason I joined Bromium after spending so many years at Citrix. It's not the Citrix is doing anything wrong, mind, it's just that I kept seeing people implement VDI for the wrong reasons because of the sort of nonsense vendors like you are feeding them.

I am NOT in direct competition with TS/VDI vendors. We're going to be working with Citrix on building a Bromium plug-in for Receiver. We are in direct OPPOSITION to TS/VDI vendors making asinine claims about TS/VDI as a security solution. It is not.

1. Taking a Windows desktop and putting it in the datacenter does not make it more secure. Period.

2. Most end-users in VDI environments connect to their VDI desktops on Windows laptops. For each of those users IT now has two desktops to secure. You've now increased your attack surface.

3. I have yet to see a VDI desktop implementation where VM's that share a blade don't share the same subnet. This makes it easier for APT to propagate.

4. Putting your desktops in the datacenter brings them one OSI layer closer to your most sensitive assets. Most VDI implementations let the bad guys directly into the DMZ.

5. Even if you do VDI right, then there's a likelihood of application virtualization becoming the attack vector. Most APT's exploit zero day vulnerabilities on whitelisted apps.

6. I don't care how good your remoting protocol is, it's not as good as local, and it most certainly doesn't work offline, and..

7. I have yet to see a decent online/offline sync'd VDI solution actually implemented in the wild. Bad EUX drives FUIT which will let the bad guys in.

There's more, but I'll save it for the blog which I'll post once the BriForum sessions are online, I want to link to my session from it.

Pretty clear from your statements that you are not an advocate of either VDI or SBC. That really only leaves the traditional desktop model and/or client hypervisors as an alternative, given your arguments about offline use. Neither is an attractive option for any of my customers, given that having to deal with their in-house IT headaches was one of the reasons why they looked elsewhere in the first place.

You said:

"... it's just that I kept seeing people implement VDI for the wrong reasons because of the sort of nonsense vendors like you are feeding them..."

For the record, we don't provide VDI desktops, we use Citrix Xenapp only. I'm not a proponent of VDI and never have been. I've read "The VDI Delusion" and agree with almost all of it.

Neither do we upsell customers with a ton of hardware and software they don't need to justify the cost of a VDI/SBC implementation - we offer hosted Cloud Desktops and Apps as a subscription service.

Economies of scale allow us to offer this service to SMBs as they wouldn't otherwise be able to afford any of it. I'm confident that in every case, the security and reliability we offer our customers is far better than what they had before.

Like Shawn said: "...It doesn't matter how many security walls you put into place, where there is a will there is a way..." No security solution is perfect, but I'm confident our data center is far more secure than a typical SMB office deployment.

So, let's agree to disagree as I don't think our continued arguing is adding value to the discussion...

Alan - I've been thinking about this and I'm not comfortable agreeing to disagree. Your point is that you are better at securing IT infrastructure than your customers' IT teams, and because you choose to implement SBC rather than physical desktops then that makes it secure. My point is the same could be accomplished with Microsoft's Intune service on physical hosts without bothering with the hosted component. In no way have you spelled out how SBC is more any more secure than physical desktops.

Can we as a community NOT simplify data security on such important topics?  Especially when they're critical to making or breaking the very blog posting in which it's being referenced?  Why are we trying to simplify 'data security'?  It's not difficult to understand.

For that matter, data at rest is far more than you describe. Any file sitting on PC regardless of whether or not it's powered on is 'data at rest'.  To be more specific, there are 3 types of data.  Data at rest, data in motion, and data in use.  With how ingrained regulatory compliance is now, 'as you see it' doesn't cut it when you're speaking to efforts around better securing information.

By not speaking to these 3 areas independently, you cannot account for all areas of data access and thus how can you truly understand data security in the first place?  You're also breaking this up into 5 parts.  Certainly you don't need to simplify anything.  When looking at VDI from a security standpoint, your assessment should start with CIA which fully encompasses the three types of data and much more.    

VDI does not belong in every company or even in every single location of a single company.  That being said, VDI has its place and it can bring with it a more secure environment provided you understand your own security challenges  

I''ll give you one example.  Tell me how this VDI environment is no more secure than a PC environment with the same amount of support staff.  I'll even cut you some slack and just ask the question from a data security point of view even there there's a whole lot more to data security from a user access standpoint.

A call center with 1,000 agents and 4 IT techs across the entire USA.  This environment used to be a PC environment with the same 4 IT techs.

*1,000 virtual desktops all centrally located in two data centers (production and DR).  

*Agents machines rebuild themselves from gold image upon logout

*Agents machines rebuild themselves from gold image after 30 minutes of inactivity

*All end user agents use zero clients

*Network isolation is implemented based on project, client, or contract both at the server and end user level.

As I see it, I just did the following:

*I now only manage 20 gold images instead of 1,000 PC's

*Patching just became less complicated

*Removable media is of little or no concern

*99% of the most common infections are a reboot/rebuild away from being vaporized

*Machines at long distance locations now have ALL data in motion and data in use fully encrypted over the wire

*The security footprint of a branch office just became a lot smaller.

*Manageability of assets just became a lot easier.

Do you see differently?

Meko_Siluka  - you've got an environment that can be changed quickly & manage centrally for sure - but it is not inherently more secure.

End of.

*I now only manage 20 gold images instead of 1,000 PC's

>> Yes - but they are not "more secure" - there are just fewer of them.

*Patching just became less complicated

>> but that process still needs to be done - a well managed desktop environment would operate in the same way.

*Removable media is of little or no concern

>> configure your pcs properly and it was of no concern to start with

*99% of the most common infections are a reboot/rebuild away from being vaporized

>> that's hiding a problem, not solving a problem. You were infected and the business impacted. Indeed there is a wider risk to be considered now the devices are in the datacentre

*Machines at long distance locations now have ALL data in motion and data in use fully encrypted over the wire

> there is indeed no data at rest at the end point: but you could have encrypted the endpoint relatively painlessly and reduced the risk accordingly.

*The security footprint of a branch office just became a lot smaller.

> it is smaller if you replaced unencypted, unsecured enpoints for sure. But that's not an attribute solely of VDI

*Manageability of assets just became a lot easier.

> could have done the same with SCCM, or KACE and got to a similar place.

Just because it is "easier to manage" does not make it "more secure". As Shawn rightly points out "at best, VDI/TS provides additional places where security *may* be able to be improved."

Can you see differently?

@Andy_Wood

Yes you can make a PC just as secure and provide a $h1t set of capabilities for your business with static blocks that are hard to access, centrally manage etc. How many people manage f'ing PC's properly. Most idiots still give give admin rights, EOM. PC management is a pile of $hit business that is not improving, it's just getting slower. By having a better model to manage you become more secure and the chances of that happening on a PC are next to zero because there is no driver to change for the most part.

and how many people manage VDI properly? Those desktop admin idiots are the ones in charge of the VDI environment. You think a migration to the datacentre is going to give them some Damascus moment of security understanding?

And stil.. "manage..manage...manage" - we're talking about  security. You can tell there is a difference in the spelling.

"because it is easier to manage" will not, does not, make an environment inherently more secure. You have to do some other stuff.

I've seen, worked on, many secure environments: desktop pc based and RDS. Good management, build revision, OS patching, rigorous change control are all part of a whole host of procedures and measures that go into delivering a secure environment.

You can counter - if we only have 1 image then it will be easier to keep secure. True - *easier to keep* - how was it secure in the first place? That is just the OS environment. What Shawn is rightly talking about is the data itself: what have you done there? You might also say "well, all the data is in the centre, it is more secure" - it is now no longer on the end point for sure, but what is the impact on the business of you only allowing data access when you are connected to a VM?  "Ah..we'll allow them to upload download information..USB transfers.." ..and you're back to square 1.  

Swapping out desktops for VDI offers no additional security benefit in itself. By having a different model you don't suddenly fix a whole host of poor procedures, bad practices and loose configurations no matter how fast you drive.  

You should take that mask off every now and then, the lack of fresh air appears to be clouding your judgement.  

@ Shawn: thanks for the good read and catalyst for a lively debate.

However, re: Whole disk encryption, you may wish to reconsider some additional information. The issue is not encryption per se, but that users turn it off, or under BYOC, do not turn it on to begin with. A 2010 report from Ponemon Group highlighted that more than 80% of users turn off encryption.

Cisco recently released their 2011 Connected World Technology Report and found that IT policies do not work, and that users do not feel responsible for safeguarding corporate data.

Through this year (and the last three years) lost laptops are still the number reason for significant data breaches under the terms of HIPAA. And these are usually found to be un-encrypted devices owned by medical professionals, not surprisingly, Macs. The largest was 2.4 million public patient records. Ouch.

And I agree with your point on mobile users. VDI is not much use unless you are connected by a wire, and most mobile users work off-line. Any potential security benefit proposed by VDI is academic for off-line use.

Just something to think about.

@Andy Wood,

We're actually in more agreement that you think. Agree on idiot PC people won't just auto fix it. However those are so often the failed the VDi implementations and they deserve it.

Where we disagree is that I believe security is part of better management. VDI is a catalysts in many projects to rethink where in the desktop it is the same old way and no reasons to change. When that happens combined with the right reasons to do VDI which are about business enablement and done right, you end up with better security. Of course the argument can be made for PCs if you focus on that part, but my point is people won't in practice.

I'll reserve my Sunderland comments :-)