Three flavours affect compliance potential

Predicted to be the next big thing, even bigger than the massively hyped server virtualisation push currently sweeping the globe, desktop virtualisation actually comes in a number of flavours. Some are probably more secure, manageable and compliant that others – it might depend on who you are and what you plan to do.

For example, industry-leading virtualisation vendor VMware offers not one, not two, but three approaches to virtualisation on the desktop. In one approach the host machine is run much like a server virtualisation set-up.
VMware Workstation installs on top of the host’s operating system much like an application and orchestrates the sharing of the PC’s system resources into virtual machines. It’s pitched generally at technical users who want to run multiple operating systems for testing purposes or to demo multi-tiered environments on the one box. It is similar, but differs slightly from the MacOS version VMware Fusion which is designed to allow Windows applications to run on the MacOS running on Intel-based Apple Macs.

A second approach to desktop virtualisation is one that VMware believes can really gain momentum, though it raises a few more eyebrows amongst the security community. VMware ACE2 works slightly differently. It enables you to create a standard PC environment including operating system, data and applications and wrap it with IT policies just as you would a regular desktop.

Except then you package all that into a virtual machine which can be deployed as a standard operating environment to any PC or other appropriate device – say a USB thumb drive or an iPod. In this way a user can carry their PC in their pocket and plug it into any PC to securely access their standard corporate desktop – whether that be from home or an Internet café.

The encapsulated Virtual Machine containing their desktop is isolated from the host machine so any access to the enterprise components or the enterprise network and data itself is protected from the potentially harmful effects of running on unmanaged hardware. Combine this solution with the VMware workstation and you can create a standard, policy-controlled and locked-down desktop image for deployment on any PC with an operating system.

Back in the data centre, an ACE Management Server helps to track and control the ACE desktops. This provides centralised policy management and supports dynamic updates of IT policies, manages expiration dates, device and network access configurations and remote activation or deactivation of the ACE client images. In effect it allows security administrators to provide a tightly locked-down environment that users can run on their laptop or other machine that they manage themselves and is not locked down.

A third and final way for virtualising the desktop brings the PC closer to home is VDI Virtual Desktop Infrastructure. In this case end-users run only thin client devices (or PCs used as thin clients) to access a virtual desktop running in its own virtual machine on a centralised server platform.

The virtual desktop is a complete PC with operating system, applications and full configuration and is accessed using a remote display protocol (RDP).

Ward Nash, regional sales manager for Wyse Terminals explains how companies looking at off-shoring are attracted to the idea of VDI. “Banks for example may want to set up a call centre in India, but they don’t want the Australian personal data to reside in India where they have less control over it.

“Instead they can use VDI and give remote workers a connection and let them transact with the data, but the data and applications always reside in Australia,” said Nash.

These approaches potentially dovetail with the various compliance issues faced by corporate America and increasingly in Australia. The Payment Card Industry’s Data Security Standard, the Sarbanes-Oxley Act and HIPPA, the Health Insurance Portability and Accountability Act, all require corporations to be able to verify the security of data and the systems that are able to interact with it.

VDI assists compliance by providing a way to bring sensitive data, which typically tends to flow out to the desktop or never makes it into the data centre after being created on the desktop, back into the corporate data centre to maintain data integrity and meet regulatory compliance requirements.

In the case of Sarbanes-Oxley as an example, explained Laurie Wong, business manager software products for Sun Microsystems, companies must be able to track who was authorised to access data and who gave them that authority.

This level of policy control, regulation and audit tracking is inherently difficult in the free-flowing desktop world of user-managed PCs and corporates have already discovered that locking down and then maintaining traditional desktops is a costly and time-consuming business.

Desktop virtualisation may offer the right solutions by not only exercising greater control over the data, but by providing an environment in which patch management and policy enforcement is tightly controlled, managed and implemented from a central location.

The issue is not lost on VMware Australia’s managing director, Paul Harapin who said the company “realises that along with the benefits of virtualisation comes the responsibility to ensure that a virtualised environment is as secure as can be, while still allowing the flexibility and benefits that advanced virtualisation capabilities can provide.

“Security of IT infrastructure is not only a matter of technology but also of people and processes. Most security policies, guidelines and processes developed for the physical infrastructure can be applied to virtual infrastructure as well. The foundation for secure virtual infrastructure is the secure and robust architecture of VMware products,” said Harapin.

“The success of this architecture in providing a secure virtual infrastructure is evidenced by the fact that many large, security-conscious customers from areas such as banking and defence have chosen to trust their mission-critical services to VMware virtualisation.”

However security watches suggest that virtualising the desktop in the manner of ACE2 serves to add complexity to the system and could allow low-level malware, such as keyloggers and rootkits to still reside on the PC. As these would sit below the level of the virtual machine, there is no way to tell what exploits could be devised to circumvent the security lockdown.

Thin clients, on the other hand may provide a more secure approach as they have such a small footprint locally (just 2MB in the case of Wyse Technology’s thin Client VDE). Software on this scale is far more easily managed and kept secure than a fat client operating system such as Windows or Linux.