VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data! - Shawn Bass - BrianMadden.com
Brian Madden Logo
Your independent source for desktop virtualization, consumerization, and enterprise mobility management.
Shawn Bass's Blog

Past Articles

VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!

Written on Aug 01 2012 14,297 views, 24 comments


by Shawn Bass

For almost 20 years now, I've been implementing Terminal Services and VDI solutions. During that time, I've spent a good deal of time speaking to people about the benefits of these solutions as well as implementing it for customers. There are numerous benefits of a centralized compute model and I'm not going to go into all of the benefits in this article. When presenting or consulting on TS/VDI I'm often telling people that centralized compute (be it Terminal Services, VDI or even a PC farm) does not implicitly provide any higher level of security than doing distributed compute model of standard desktops and laptops. This often puts me in the crosshairs of all sorts of TS/VDI related vendors who are using security as one of their main selling points of their solution. Hopefully after reading this series of articles, you will have a better understanding of where I'm coming from when I make these statements.

There's really only two forms of data

To start off, I will grossly over simplify security and focus solely on that of data security.  To me, data security is what we're ultimately concerned about. It doesn't matter how someone breaks into a system, because at the end of the day all we are concerned about is what that person (the hacker or thief) makes off with. Whether they acquire one's banking account number, passwords, social security numbers, plans to latest Air Force jet, etc it's all data. Data is important to us and should be the primary thing we are most concerned with protecting. To that end, in my oversimplified version there are only two forms of data:

1. Data at rest

Data at rest refers to data stored on some form of medium whereby the system that would access that data is currently powered off. The best way to think of data at rest is a desktop or laptop with data contained on the C: drive of the system, but that the operating system is powered off. Data at rest could also refer to data stored on removable media that is not inserted into a system, or it could refer to data stored on a centralized file server of SAN that is powered off.

NOTE: It is particularly important to focus on the fact that the system accessing this data is powered off because if it is in a sleep/hibernate state then this potentially means that disk encryption keys can be compromised on this system which ultimately will provide access to this data at rest. Centralized compute solution like Terminal Services and VDI can provide a model in which the endpoint system accessing the centralized compute has no data stored on it's local disk. If this is the case, then there is no data at rest on the endpoint and therefore VDI/TS improves data security at the endpoint by not having the data there in the first place. This is the main selling point that VDI/TS vendors make when promoting their solution. However, it's honestly the smallest piece of data security that one needs to be concerned with. It's a gross exaggeration for a few reasons:

  • Whole disk encryption products have been out for years now and given that a majority of federal, state, local governments require disk encryption on endpoint systems this is becoming less and less likely as a vehicle for loss of data when an endpoint is lost/stolen.
  • The proponents of improved security through centralized data often ignore the fact that while they *think* the users do not have any data on their endpoint, they can leverage things like Client Drive Mapping through TS/VDI, email forwarding, Dropbox like Cloud storage solutions, Evernote/OneNote, etc as a means of get data out of the central secured corporate environment and onto a platform where the end user can access it. Therefore, by *assuming* you have data security because it's centralized, you're simply living a lie. Pundits would say "You could just use firewall/proxy blocking, web filtering software, Systems Management Agents, DLP agents, and this and that ad naseum" and to those people I'll just say "Good luck with that and let me know how that works out for you" ;) Not surprisingly the people advocating this approach probably work for one of the vendors of said "security" software/hardware.

2. Live data

Live data refers to data stored on some form of medium whereby the system that would access that data is currently powered on. Given the scenario that we're talking about a VDI or TS desktop that is powered on with a user connected to it, then everything on the C: drive of that system as well as anything that system has access to on the network becomes Live Data. The data is called live because even if you have a whole disk encryption solution active on the disk volume that system is using, the data must be live unencrypted in order for the operating system to access it. There are ways of having separate data encryption that protects file systems after the operating system is booted, but again once I decrypt the data volume to read or write data to it, then the data becomes live data and can be compromised by anyone who controls my operating system.  Compromise of live data security is the biggest information security risk that we face today.

The data loss that happens from the "data at rest" scenario above is just due to people doing stupid things like not putting whole disk encryption on their laptops. When it comes to live data security compromises, it becomes a much more difficult thing to protect against.  Look at any of the recent high profile compromises in recent years and they are all being identified as an "Advanced Persistent Threat" or APT. APT isn't a new concept necessarily, it's simply a new term to describe a high level of sophistication of attacks.

Years ago, the biggest threat that the virus/malware companies were protecting us against were things like Internet worms, mass mailers, trojans, etc. There's still tons of that going on today, but the A/V companies have a good handle on this for the most part. If, however, you are a financial services firm, a Government Defense contractor, etc you have something more valuable than a bunch of zombie PCs. You have data that worth a lot of money to thieves, competitors or even foreign nation states. Live data compromise is without a doubt the biggest information security risk we face today. Deploying VDI/TS in your own data center, doesn't provide any innate benefit that addresses this particular threat. A Windows PC can be compromised in a data center just as easily as it can be compromised in the field.

At best, VDI/TS provides additional places where security *may* be able to be improved. But again, centralizing the data doesn't bring those benefits. Only after applying several defense in depth measures will you reach any higher level of detection/response capabilities. Let me very clear too that all these measures do is provide detection/response. They don't prevent the security risk, they only help you assess and respond faster.

Check out part 2 of this article where I'll discuss what benefits VDI/TS does provide

 
 




Our Books


Comments

Alan Osborne wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Wed, Aug 1 2012 1:35 AM Link To This Comment

To preface my comments, my company is a Citrix Service Provider that specializes in the SMB market, so I'm biased.

Having said that, a typical SMB infrastructure consists of a consumer class firewall, dumb switches, an entry level server that sits in a poorly secured closet, inadequate environmental controls, no fire suppression systems, and no redundant power. The facility itself is likely a shared office space without 24x7 security monitoring or other theft deterents.

In short, SMBs typically have all of their proverbial eggs in one basket and lack the expertise and financial resources to properly safeguard their data.

By migrating their data to a cloud services provider that DOES have high availability infrastructure, adequate environmental controls, redundant power systems, 24x7 security, security card access, locked server cages, etc... they can mitigate many of the problems with DIY solutions.

Assuming that the cloud provider takes no additional measures to secure customer data, the above measures still represent a vast improvement.

Taking into account the likelyhood that the cloud provider has superior firewall and IPS/IDS systems, encrypted backups, two factor auth options, more frequent security patch rollouts, and NOC techs with superior skills (to name just a few), I would argue that an SMB that chooses to run apps and desktops from the cloud is in a much better position than if they choose the status quo and continue to run their own IT systems in-house.

I think a more pertinent question would be whether SMBs can better secure their data by migrating to the cloud VS physical desktops (or even VDI/SBC) residing in their own office.

My two cents worth...

SillyRabbit wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Wed, Aug 1 2012 7:17 AM Link To This Comment

@Alan - Spot on. However, I wouldn't restrict that philosophy to SMB, but rather expand it to include enterprise solutions that also meet this need.

When IT wants to control the data and infrastructure without providing business justification, the business loses.

I see bad IT decisions being made in SMB every week and see horrendous IT policies in enterprise companies every day.

@Shawn - thank you for continuing to poke and prod at your readers to think about change!

The old way of doing things is simply silly.

Danny Allan wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Wed, Aug 1 2012 9:08 AM Link To This Comment

I know the study is a few years old now, but it would be crazy to ignore the fact that 12,000 laptops are lost per week at US airports with only 33% recovered.  

blogs.laweekly.com/.../airport_surprise_1200_laptops.php

If we take these numbers on face value of 8000 laptops lost (and not recovered) per week and extrapolate that out to a global footprint and beyond airports, it's a big number.  I have to believe that while some of the data on these laptops might have been shared on Dropbox and other cloud storage sites, it is highly unlikely that it all was.  

So far in 2012, there have been 36 reported incidents in the US for stolen (not lost) laptops: ten of these had an unknown number of data records and 26 of them comprised nearly 180,000 data records.

datalossdb.org/search[]=StolenLaptop&direction=desc&order=reported_date

Most of the incidents reported are government, healthcare and education which suggests that it was only reported for compliance reasons.  What I don't know obviously, is the total number of stolen laptops and what percentage of these have sensitive data, but still ... 30 weeks x 8000 laptops = 240,000 laptops so far in 2012

I wonder how many of the lost laptops had sensitive information and unencrypted hard drives?  I'd be willing to bet that it is more than 0.  Ignoring the

That said, I don't think that virtual desktops are inherently secure.  However, I do take a pragmatic approach that a) it does help with a real problem in end point security, and b) the centralized "always under IT control" model, offers the possibility for improved security that does not exist in a decentralized model.

Shawn Bass wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Wed, Aug 1 2012 11:43 AM Link To This Comment

@Alan - I completely agree with what you are saying, but it's somewhat off topic for this part of the discussion.  Your argument could equally apply for any project comparing a DIY to a managed service provider, outside consulting firm, cloud provider discussion.  For some SMB organizations you could easily argue the same thing vs running entirely in Google Apps.  That's not the point of this discussion though.  The point of this discussion is if an organization uses VDI vs using Physical Desktops, does VDI offer any better level of data protection.  And for that conversation, you need to ignore the fact that the client may end up higher better skilled workers in the VDI scenario, because they could easily higher better skilled workers to implement improvements on the physical desktop security side that would equal the improvements that your managed VDI model is advocating.

Shawn

Dan Shappir wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Wed, Aug 1 2012 11:49 AM Link To This Comment

Quoting my own tweet:

I don't think VDI is inherently more secure [than end-point computing]. I do think going VDI is an opportunity and facilitator for improved security

Also, I agree with @Alan that DaaS can be a good solution for improving security (and backups, and up-time, etc) by handing over that duty to someone who knows how to do it better, and has invested the appropriate resources in it.

Shawn Bass wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Wed, Aug 1 2012 11:50 AM Link To This Comment

@Danny - I think we are in violent agreement here.  Yes, laptops that are lost/stolen is a huge data breach issue.  However, for those systems that continue to be lost/stolen that do not have whole disk encryption are simply customers that are asleep at the wheel.  If you are deploying ANY endpoint device for your employees (Laptops, Ultrabooks, tablets, smartphones, etc) without encryption then you run this risk.  Given that over 40 US states have consumer data protection laws there are some severe reputation (and in some cases financial) impact of continuing to do so.  For example the FSA-UK organization has levied a few 7 figure fines for data breaches in the last few years.  Having the discussion around whether or not to do disk encryption was valid 5 years ago.  Today it's not up for discussion.  It's a must.

Separately while I completely agree with you that VDI/TS does eliminate the data at rest problem at the endpoint (assuming the user hasn't played Johnny Appleseed with your data everywhere else) then you and I are in agreement.  But as usual, there are two sides to this coin.  The question that needs to be asked is "Why does the user have a laptop in the first place?"  If they have a laptop because they require the ability to work offline (such as on an airplane, etc) then there is no discussion since VDI is a non-starter for these people.  Even if you go off claiming that some airplanes have WiFi so I could use a thin client laptop, I'd be hard presssed to recommend this to anyone unless I really hated them.  I mean a Virtual Desktop over satellite latency?  No thanks.  Remoting Protocols have improved leaps and bounds over the last few years, but using one over Airplane WiFi does not make a user experience.

Shawn

Alan Osborne wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Wed, Aug 1 2012 1:10 PM Link To This Comment

@Shawn - Firstly, thanks for raising this important topic for discussion. I often refrain from posting back on BM blog articles because I run an CSP company and have biases accordingly. I took the bait late last night because I couldn't resist :) Great topic!

In a round about way, the point I was driving at is that by migrating desktops to VDI/SBC, companies often end up with better security even if that wasn't an explicit desired outcome.

Why?

Because if you are building out a new VDI/SBC infrastructure today then chances are you going to virtualize those workloads. In the course of doing that, you will likely end up cleaning up data sprawl and centralizing everything on a SAN that's on a physically separate LAN - that adds some physical security via isolation (although it does nothing to secure remote SMB connections).

You will likely also migrate to Windows Server 2008 R2 and revisit NTFS permissions while doing so, which adds some additional security. So does leaving the Windows firewall turned on.

If you get the data off of endpoints too and centralize it on a SAN, then the operational scope of managing the data at rest and live data is drastically reduced. IT admins are more likely to stay on top of data security as a result, as there are fewer touch points.

Finally, after making a huge investment in new hardware to run the VDI/SBC stuff, you will hopefully find money in the budget to tighten up physical security in order to better protect from theft those shiny new servers you paid so much for.

You will likely also consider relocating everything to a colo and in essence create your own private cloud in the process. A typical colo will provide far better physical security than a typical office space.

So, while implementing VDI/SBC doesn't inherently provide better security, in a round about way it does because of the infrastructure and architecture changes that typically result from these types of projects.

With respect to hiring more skilled workers to tighten up physical desktop security, that's an unlikely scenario due to people's expectations around billing rates. For years, as an industry, we've had support tiers and people expect to pay "the going rate". It's a really hard sell to convince people to shell out more money for "desktop" support, but they will shell out more for a VDI/SBC/virtualization guru who will hopefully implement security more effectively.

Hopefully I've managed to steer my comments back on topic now :)

Shawn Bass wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Wed, Aug 1 2012 3:56 PM Link To This Comment

Alan,

I hear exactly what you're saying and I would generally agree with you that when you take a greenfield approach to implementing any new IT project you can take opportunities to improve the security of that operating model.  But in this circumstance I still think you're bluring the lines between security differences between VDI and Physical systems and someone spending the money for someone else to do a better job at architecting their infrastructure than what they were previously capable of.  Again, simply making the move to a managed services provider you could turn around NTFS security permissions and software patching intervals and locking down firewall rules, etc etc.  You could even leverage the MSP to host your servers in their data center or colo or whatever.  But all of those benefits simply come from paying someone to do something better than what you would otherwise do a poorer job at yourself.  Again, I think the improvements here are coming from leveraging someone with more expertise than they are coming from inherent improvements in the use case.

Shawn

Alan Osborne wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Wed, Aug 1 2012 6:43 PM Link To This Comment

Yes, I absolutely agree Shawn (to a point), those benefits do come from leveraging someone with more expertise. Whether that's a cloud provider, MSP, or consultant is irrelevant.

Having said that, I would argue that anyone looking to build out a new VDI/SBC infrastructure would unavoidably gain those hidden security benefits because they will, by necessity, engage VDI/SBC experts to ensure success.

They will likewise, by necessity, be faced with hardware refresh, shared storage (SAN), and likely new OS rollouts too. Again, those additions typically add inherent security if executed properly.

In cases where in-house IT blunders into a VDI/SBC project without the expertise to execute it properly, I totally agree with your argument that security could end up being no better (or even worse) than with physical Desktops (which the in-house IT understood pretty well).

I'll stop ranting now :)

Tal Klein wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Thu, Aug 2 2012 9:34 AM Link To This Comment

Shawn you are a tease. Part 1 of 5? Jeez..

Alan - Yours is the same argument vendors are making, that VDI is an opportunity to do everything over and do it right. That is a bunch of BS wrapped up in a SOW. VDI does not make a venn diagram out of protection and productivity. Shawn's Johnny Appleseed example should be regarded as the standard rather than the stand-out. The instant your solution stands in the way of productivity, the end-user will find a way around it and let the bad guys in (not by intent, it's collateral damage).

Specifically, Alan, let me ask you this question: If I am your customer and buy your services, do you provide me with insurance for financial loss I may incur through a security breach on your watch? (credits against some SLA don't count). Are you willing to put your wallet where your mouth is?

Shawn Bass wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Thu, Aug 2 2012 10:07 AM Link To This Comment

@Tal - I had to put the article in 5 parts.  No one in their right mind would sit down to read an 8k word blog.  That's too much at one time.  The other parts are already written, they are just awaiting editorial scheduling and such.

Regarding your comment to Alan with regards to insurance for financial loss, etc. I doubt Alan or any other company in their right mind would provide such insurance.  There's absolutely no way you can guarantee against such things.  It doesn't matter how many security walls you put into place, where there is a will there is a way.

Shawn

Shawn Bass wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Thu, Aug 2 2012 10:08 AM Link To This Comment

Oh and thanks for commenting Tal.  Commencing Guise Bule's comment war in 3....2....1..... ;)

Icelus wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Thu, Aug 2 2012 1:24 PM Link To This Comment

Very nice article Shawn.

However a "one size fits all analysis" can't apply because everyone's situation is different, the use cases dictate whether you are right or completely off on left field.

If you provide your users with everything that they need to be productive then it is unnecessary to break protocols.

Also, when thinking about the security of the data you must also think about the security of the application architecture that accesses the data. If the use case requires for remote access, do you spend the time and cost to re-architecture the application so it is web based, and how many applications do you do this for? where does it end? Now you have X number of web apps that need to be managed and secured in their own context.

"Whole is greater than the sum of its parts"

Either make the entire Desktop web based with legacy apps or make each legacy app web based with a legacy desktop. They each have their own positives and negatives.

Also, in many use cases offline access is such a small percentage because the useful data is centralized in databases and you have to be online to access them anyway.

Take this scenario as an example:

- Government SMB entity with a very small and lean IT department

- IT must focus on core services and let users do what they want

- Lots of Macs with local Windows VMs

- Remote access required

- multiple end-point form factors

- limited desk space

Securing data is a question about how you manage your IT system: Device management or Service management.

You're saying that Device Management is more secure, but I'm saying that you're wrong. It really depends on what use cases IT can handle with either approach. If IT doesn't have the resources for Device Management then I can guarantee that the devices are not secure.

Shawn Bass wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Thu, Aug 2 2012 2:26 PM Link To This Comment

@Icelus,

Thanks for your comments, but I think you may have misunderstood the article.  I am not suggesting that you should use Physical distributed desktops instead of central VSI/TS.  If you have a use case that dictates central compute then you should absolutely use it.  The purpose of this series of articles is to dispel the myths that centralization of data automically implies improved security.  I have started the explanation of why this isn't true by focusing on the data at rest vs live data discussion.  Subsequent articles will discuss additional topics related to what things VDI / TS does bring as benefits and the different security models that can be used to make the security situation better.  Hang tight before drawing too many conclusions here.  

Just to reiterate, I am NOT saying physical device security is better than central TS/VDI.  I'm merely saying that TS/VDI central compute/data is not inherently more secure than distributed compute.

Also I would not discount the need for offline access to resources.  I hear what you're saying about back end databases and such, but offline is a real big need to lots of organizations.  It is not marginal by any stretch.

Shawn

Alan Osborne wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Thu, Aug 2 2012 2:35 PM Link To This Comment

Tal,

Your profile on BM states that you are (were) the Director of Technical Marketing in the Desktop Division at Citrix. You seem to be arguing that VDI/SBC offers nothing in the way of security improvements and that the tried and true traditional desktop is the better option. Interesting opinion given your background...

I don't know how you could infer from my comments that I was suggesting that VDI/SBC is some kind of security panacea. The article topic is "VDI and TS are not more secure than physical desktops" and I provided several examples of why implementing SBC/VDI could in fact provide better security than a typical office PC environment.

I'm pretty sure you now work for Bromium and if so it's pretty obvious why you would take aim at VDI/SBC. That's because Bromium appears to use "micro-virtualization" to isolate processes in their own execution bubble using a flavor of type-2, client based hypervisor.

So, your target market would seem to be enterprises who want to use client hypervisor technology on existing PCs to better isolate, secure, and manage them. In other words, your in direct competition with VDI/SBC advocates.

Why don't you disclose who you represent, like I did, and then state why you think traditional desktops can offer better security than SBC/VDI, rather than ranting that VDI/SBC is "a bunch of BS wrapped up in a SOW".

Also, your comment:

"The instant your solution stands in the way of productivity, the end-user will find a way around it and let the bad guys in (not by intent, it's collateral damage)"

There are a myriad of FUIT methods that Brian Madden and Gabe Knuth have discussed in a whole series of blog articles. Which of these, and other you have in mind, are specific to VDI/SBC environments?

Tal Klein wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Thu, Aug 2 2012 5:07 PM Link To This Comment

Alan: I've tried to reset my profile here a billion times, I think this site just refuses to believe I left Citrix :) I did a whole session on this very topic at BriForum and I'm writing a blog that will reiterate the points I made there as well as discuss the points raised by the audience during our over 30 minutes of post-presentation discussion.

Bromium has nothing to sell, so you can't accuse me of making a vendor pitch. There's a reason I joined Bromium after spending so many years at Citrix. It's not the Citrix is doing anything wrong, mind, it's just that I kept seeing people implement VDI for the wrong reasons because of the sort of nonsense vendors like you are feeding them.

I am NOT in direct competition with TS/VDI vendors. We're going to be working with Citrix on building a Bromium plug-in for Receiver. We are in direct OPPOSITION to TS/VDI vendors making asinine claims about TS/VDI as a security solution. It is not.

1. Taking a Windows desktop and putting it in the datacenter does not make it more secure. Period.

2. Most end-users in VDI environments connect to their VDI desktops on Windows laptops. For each of those users IT now has two desktops to secure. You've now increased your attack surface.

3. I have yet to see a VDI desktop implementation where VM's that share a blade don't share the same subnet. This makes it easier for APT to propagate.

4. Putting your desktops in the datacenter brings them one OSI layer closer to your most sensitive assets. Most VDI implementations let the bad guys directly into the DMZ.

5. Even if you do VDI right, then there's a likelihood of application virtualization becoming the attack vector. Most APT's exploit zero day vulnerabilities on whitelisted apps.

6. I don't care how good your remoting protocol is, it's not as good as local, and it most certainly doesn't work offline, and..

7. I have yet to see a decent online/offline sync'd VDI solution actually implemented in the wild. Bad EUX drives FUIT which will let the bad guys in.

There's more, but I'll save it for the blog which I'll post once the BriForum sessions are online, I want to link to my session from it.

Alan Osborne wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Thu, Aug 2 2012 6:21 PM Link To This Comment

Pretty clear from your statements that you are not an advocate of either VDI or SBC. That really only leaves the traditional desktop model and/or client hypervisors as an alternative, given your arguments about offline use. Neither is an attractive option for any of my customers, given that having to deal with their in-house IT headaches was one of the reasons why they looked elsewhere in the first place.

You said:

"... it's just that I kept seeing people implement VDI for the wrong reasons because of the sort of nonsense vendors like you are feeding them..."

For the record, we don't provide VDI desktops, we use Citrix Xenapp only. I'm not a proponent of VDI and never have been. I've read "The VDI Delusion" and agree with almost all of it.

Neither do we upsell customers with a ton of hardware and software they don't need to justify the cost of a VDI/SBC implementation - we offer hosted Cloud Desktops and Apps as a subscription service.

Economies of scale allow us to offer this service to SMBs as they wouldn't otherwise be able to afford any of it. I'm confident that in every case, the security and reliability we offer our customers is far better than what they had before.

Like Shawn said: "...It doesn't matter how many security walls you put into place, where there is a will there is a way..." No security solution is perfect, but I'm confident our data center is far more secure than a typical SMB office deployment.

So, let's agree to disagree as I don't think our continued arguing is adding value to the discussion...

Tal Klein wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Fri, Aug 3 2012 3:19 PM Link To This Comment

Alan - I've been thinking about this and I'm not comfortable agreeing to disagree. Your point is that you are better at securing IT infrastructure than your customers' IT teams, and because you choose to implement SBC rather than physical desktops then that makes it secure. My point is the same could be accomplished with Microsoft's Intune service on physical hosts without bothering with the hosted component. In no way have you spelled out how SBC is more any more secure than physical desktops.

Meko_Siluka wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Sun, Aug 5 2012 11:54 PM Link To This Comment

Can we as a community NOT simplify data security on such important topics?  Especially when they're critical to making or breaking the very blog posting in which it's being referenced?  Why are we trying to simplify 'data security'?  It's not difficult to understand.

For that matter, data at rest is far more than you describe. Any file sitting on PC regardless of whether or not it's powered on is 'data at rest'.  To be more specific, there are 3 types of data.  Data at rest, data in motion, and data in use.  With how ingrained regulatory compliance is now, 'as you see it' doesn't cut it when you're speaking to efforts around better securing information.

By not speaking to these 3 areas independently, you cannot account for all areas of data access and thus how can you truly understand data security in the first place?  You're also breaking this up into 5 parts.  Certainly you don't need to simplify anything.  When looking at VDI from a security standpoint, your assessment should start with CIA which fully encompasses the three types of data and much more.    

VDI does not belong in every company or even in every single location of a single company.  That being said, VDI has its place and it can bring with it a more secure environment provided you understand your own security challenges  

I''ll give you one example.  Tell me how this VDI environment is no more secure than a PC environment with the same amount of support staff.  I'll even cut you some slack and just ask the question from a data security point of view even there there's a whole lot more to data security from a user access standpoint.

A call center with 1,000 agents and 4 IT techs across the entire USA.  This environment used to be a PC environment with the same 4 IT techs.

*1,000 virtual desktops all centrally located in two data centers (production and DR).  

*Agents machines rebuild themselves from gold image upon logout

*Agents machines rebuild themselves from gold image after 30 minutes of inactivity

*All end user agents use zero clients

*Network isolation is implemented based on project, client, or contract both at the server and end user level.

As I see it, I just did the following:

*I now only manage 20 gold images instead of 1,000 PC's

*Patching just became less complicated

*Removable media is of little or no concern

*99% of the most common infections are a reboot/rebuild away from being vaporized

*Machines at long distance locations now have ALL data in motion and data in use fully encrypted over the wire

*The security footprint of a branch office just became a lot smaller.

*Manageability of assets just became a lot easier.

Do you see differently?

Andy Wood wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Wed, Aug 8 2012 1:23 PM Link To This Comment

Meko_Siluka  - you've got an environment that can be changed quickly & manage centrally for sure - but it is not inherently more secure.

End of.

*I now only manage 20 gold images instead of 1,000 PC's

>> Yes - but they are not "more secure" - there are just fewer of them.

*Patching just became less complicated

>> but that process still needs to be done - a well managed desktop environment would operate in the same way.

*Removable media is of little or no concern

>> configure your pcs properly and it was of no concern to start with

*99% of the most common infections are a reboot/rebuild away from being vaporized

>> that's hiding a problem, not solving a problem. You were infected and the business impacted. Indeed there is a wider risk to be considered now the devices are in the datacentre

*Machines at long distance locations now have ALL data in motion and data in use fully encrypted over the wire

> there is indeed no data at rest at the end point: but you could have encrypted the endpoint relatively painlessly and reduced the risk accordingly.

*The security footprint of a branch office just became a lot smaller.

> it is smaller if you replaced unencypted, unsecured enpoints for sure. But that's not an attribute solely of VDI

*Manageability of assets just became a lot easier.

> could have done the same with SCCM, or KACE and got to a similar place.

Just because it is "easier to manage" does not make it "more secure". As Shawn rightly points out "at best, VDI/TS provides additional places where security *may* be able to be improved."

Can you see differently?

appdetective wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Wed, Aug 8 2012 2:03 PM Link To This Comment

@Andy_Wood

Yes you can make a PC just as secure and provide a $h1t set of capabilities for your business with static blocks that are hard to access, centrally manage etc. How many people manage f'ing PC's properly. Most idiots still give give admin rights, EOM. PC management is a pile of $hit business that is not improving, it's just getting slower. By having a better model to manage you become more secure and the chances of that happening on a PC are next to zero because there is no driver to change for the most part.

Andy Wood wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Fri, Aug 10 2012 4:08 AM Link To This Comment

and how many people manage VDI properly? Those desktop admin idiots are the ones in charge of the VDI environment. You think a migration to the datacentre is going to give them some Damascus moment of security understanding?

And stil.. "manage..manage...manage" - we're talking about  security. You can tell there is a difference in the spelling.

"because it is easier to manage" will not, does not, make an environment inherently more secure. You have to do some other stuff.

I've seen, worked on, many secure environments: desktop pc based and RDS. Good management, build revision, OS patching, rigorous change control are all part of a whole host of procedures and measures that go into delivering a secure environment.

You can counter - if we only have 1 image then it will be easier to keep secure. True - *easier to keep* - how was it secure in the first place? That is just the OS environment. What Shawn is rightly talking about is the data itself: what have you done there? You might also say "well, all the data is in the centre, it is more secure" - it is now no longer on the end point for sure, but what is the impact on the business of you only allowing data access when you are connected to a VM?  "Ah..we'll allow them to upload download information..USB transfers.." ..and you're back to square 1.  

Swapping out desktops for VDI offers no additional security benefit in itself. By having a different model you don't suddenly fix a whole host of poor procedures, bad practices and loose configurations no matter how fast you drive.  

You should take that mask off every now and then, the lack of fresh air appears to be clouding your judgement.  

Derek32smith wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Mon, Aug 13 2012 3:25 PM Link To This Comment

@ Shawn: thanks for the good read and catalyst for a lively debate.

However, re: Whole disk encryption, you may wish to reconsider some additional information. The issue is not encryption per se, but that users turn it off, or under BYOC, do not turn it on to begin with. A 2010 report from Ponemon Group highlighted that more than 80% of users turn off encryption.

Cisco recently released their 2011 Connected World Technology Report and found that IT policies do not work, and that users do not feel responsible for safeguarding corporate data.

Through this year (and the last three years) lost laptops are still the number reason for significant data breaches under the terms of HIPAA. And these are usually found to be un-encrypted devices owned by medical professionals, not surprisingly, Macs. The largest was 2.4 million public patient records. Ouch.

And I agree with your point on mobile users. VDI is not much use unless you are connected by a wire, and most mobile users work off-line. Any potential security benefit proposed by VDI is academic for off-line use.

Just something to think about.

appdetective wrote re: VDI and TS are not more secure than physical desktops, Part 1 of 5: There's only two types of data!
on Fri, Aug 17 2012 9:33 AM Link To This Comment

@Andy Wood,

We're actually in more agreement that you think. Agree on idiot PC people won't just auto fix it. However those are so often the failed the VDi implementations and they deserve it.

Where we disagree is that I believe security is part of better management. VDI is a catalysts in many projects to rethink where in the desktop it is the same old way and no reasons to change. When that happens combined with the right reasons to do VDI which are about business enablement and done right, you end up with better security. Of course the argument can be made for PCs if you focus on that part, but my point is people won't in practice.

I'll reserve my Sunderland comments :-)

(Note: You must be logged in to post a comment.)

If you log in and nothing happens, delete your cookies from BrianMadden.com and try again. Sorry about that, but we had to make a one-time change to the cookie path when we migrated web servers.