In the May 10, 2010 issue of Newsweek magazine, senior editor Daniel Lyons published an article entitled “The PC Counterrevolution”. In this article he describes how today’s corporations are moving desktop computing infrastructure from PCs to desktop virtualization – primarily in an attempt to standardize and control the applications running on the desktops. Lyons cites a Microsoft study stating a savings of $81 per PC per year. So far so good, yes? Well, what is not discussed (and usually isn’t) are the security vulnerabilities introduced by this approach.
Lyons mentions a pilot program at a Canadian telecom company that delivered virtual desktops to remote workers. The IT department now “installs patches and updates in the data center, rather than on all those separate machines.” This description is common, as is the comparison of virtualized desktops to the use of dumb terminals. But are these really dumb terminals? Is it really safe to abandon patching of the clients because the desktop is now running in the data center?
Typically the answer is no. The clients are usually still PCs running Windows or some other full desktop operating system, and it’s not safe to ignore securing and patching those systems. These clients typically handle removable media, provide USB “pass-through” back to the virtualized desktops, and handle the complex graphics rendering of modern desktop applications. The end result is that there is much that can still go wrong on the client, and anything that goes wrong has a potential security impact.
The situation is worse still when you consider the growing number of corporate network infrastructures that rely on physically separated networks for security (this is common in organizations that are complying with the PCI security standards for credit card processing, for example). A user’s desk may have a primary PC on one network, another PC (or a dumb terminal) connected to another network, and perhaps even more desktops and networks. Great…no problem. But companies or users may want to migrate to a new operating system on the local PCs or even consolidate these separate desktops onto a single system. This may be the case for many reasons:
· Windows 7 on their desktop may offer better reliability and support (but their Windows XP applications won’t run on it);
· The system administrators do not want to support so many desktop PCs (but regulatory mandates make it tough to implement a better solution); or
· The company has studied the cost of providing power to all of these PCs, determined that it is not cost effective, and wants to consolidate (but security restrictions limit the consolidation of PCs).
So what we have here is a combined environment where user functionality, corporate desires to efficiently support and control the growing PC environment, and security must all be addressed – while maximizing user productivity. As we have discussed, addressing user functionality and corporate control of the desktop can be done via desktop virtualization. It is a great way to achieve these ends. All of a sudden the user may have one client on their desktop – and again it is likely to be a full PC.
However, in this scenario the risk at the client is even greater. Removable devices and graphics processing are still a risk, but now seemingly mundane features such as copy-and-paste become a security risk as well. Desktop PCs are just not designed to maintain separation. So are there good ways to control this? Not with the desktop virtualization software or operating system software commonly available.
So what to do? This is the exact reason Tresys developed VM Fortress. VM Fortress runs on Red Hat Enterprise Linux and uses VMware Workstation to provide desktop virtualization capabilities. Users may run Windows 7 or Windows XP on different networks in individual virtualization sessions, and the functionality and centralized control are there as before. That’s great! But…what about security? VM Fortress provides the capability to lock down the base operating system on which the virtualization sessions are running and enables administrators to configure, manage, and control the local PC, data transfer between virtualization sessions, local devices such as USB drives, and more. All of this runs on an operating system with security controls that enable mandatory access controls and allow compliance with some of the most stringent operating environments in the world. Basically, we get real local PC security along with the user functionality and centralized support and control.