An emerging technology is helping to solve security issues within the financial industry: virtual desktop infrastructures.
With a virtual desktop infrastructure, an organization actually executes desktop applications on servers in the data center, relying on remote display protocols to give the user a localized look and feel. The security benefits of VDI in the data center are clear: IT controls software configurations, assuring that users execute software with the latest patches and upgrades applied; sensitive data remains in the data center where security teams can protect against theft and easily audit the infrastructure; and operations can more easily control a security incident. Operating in a highly regulated industry that requires a high level of security, a number of financial-services firms are initiating virtualized desktop projects for office workers and virtual workspace projects for remote users. A virtual workspace isolates business software from the host operating environment, enabling a higher degree of protected remote access from an otherwise untrusted host.
While the cost savings of increasing the density of virtualized applications on fewer servers in the data center are understood, VDI programs require additional servers to run desktop applications and additional virtual desktop software to manage the new infrastructure. Vendors promise operational savings derived from enhanced centralization, but to date the case history is emerging and isn't ready
Here are four major security benefits of virtual desktop infrastructures:
- Virtual desktops and virtual workspaces are dynamically created from compliant copies of operating systems, applications and user profiles. IT is assured that end users execute the latest approved software when conducting business on the network as the virtualized desktop package is created from IT software libraries. Audit teams can readily validate end-user activity within the data center and evaluate the effectiveness of security controls for regulatory compliance; security can control configuration drift within endpoints, even to the point of refreshing a virtual desktop that is exhibiting signs of an infection. Shifting the responsibility for software configurations from end users to IT will help financial organizations meet compliance demands for endpoints. For instance, a virtualized desktop infrastructure helps meet the PCI Data Security Standards Council's top four milestones for prioritizing PCI DSS compliance efforts by removing sensitive authentication and cardholder data, protecting the internal network, securing payment card applications, and monitoring and controlling access to systems.
- Virtualized desktops help lower the costs of disaster recovery and business continuity processes. Financial enterprises cannot afford significant business disruptions due to office infrastructure unavailability, drops in employee productivity caused by security incidents, or even the need to securely support working from home in the event of an H1N1 flu outbreak. Virtual desktops can be dynamically hosted in any corporate data center based on performance and availability to support users in offices and remote locations to meet user needs during a disaster.
- Sensitive data remains in the data center where security can protect against leaks. Centralizing desktop execution in the data center reduces the number of data paths that security must inspect and streamlines compliance with audit reporting requirements for use of personally identifiable information and other regulated data. Since the data never appears on the endpoint other than being rendered on the screen, the need for endpoint data protection is lessened.
- Virtual workspaces secure remote user access to the network by isolating VPN clients and browsers on the endpoint. Some financial institutions are turning to virtual workspaces to ensure remote users run an IT-configured browser and VPN client while conducting business from their home computer. Virtual workspaces layer on top of the local operating system, but use sandbox techniques to protect against such threats as keystroke loggers and memory mappers, application and operating system infections, and end-user reconfiguration of security settings. IT typically distributes virtual workspaces to qualified employees via a custom USB device that may include remote access authentication credentials.
Most enterprises are turning to Citrix Systems Inc., Microsoft Corp., and VMware Inc. for their virtual desktop software. Interesting complementary vendors include AppSense Inc. for user profile management; IGEL Technology Inc. and Wyse Technology Inc. for turning desktop PCs into manageable thin clients; NComputing Inc. and Pano Logic Inc. for cost effectively virtualizing small offices, and Check Point Software Technologies Ltd., Quest Software Inc. and RingCube Technologies Inc. for virtual workspaces.
Virtual desktop infrastructure deployments are strategic and often complicated efforts involving end users, networks, data centers and applications. Early stages of VDI projects should focus on demonstrating performance for end users and operational savings with a new architecture for executing desktops in the data center. While the startup hurdles may be higher than expected, the payoff in enhanced security and data protection is worth it.
About the author:
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.
This was first published in November 2009