Home > Blogs > VMware Accelerate Advisory Services

Virtual Desktops…A Dead-end Solution? (Part 2)

by Christopher Janoch

In my previous blog post, I stated my opinion that a virtual desktop system was not an ideal future computing environment:

“The thing that our IT departments and service centers need to realize is that the desired destination is access to applications and data, not Microsoft operating systems. A Windows desktop environment is nothing more than an application delivery system. The true workspace of the future involves the decoupling of applications and data from the device environment, and we are already seeing it in action, TODAY.”

For the majority of my clients, this shift in focus has dramatic ramifications for strategies of security, access and compliance. New strategies are needed to ensure security and compliance in the modern virtual workplace.

User Access and Controls
With the universal acceptance of the Microsoft desktop environment came the strategy of treating this access point as the only secure gateway into the corporate systems. Security solutions for identity authentication, anti-virus/malware protection, intrusion detection and data security were based upon the lockdown, monitoring and control of the Microsoft OS. The shift of user behavior away from the desktop environment is quickly rendering these systems obsolete and ineffective. To secure a virtual workplace environment, access controls must be policy-based and tied to the identity verification of the end user regardless of device, access point or operating environment.

In addition, most end user environments are inadvertently compromised by bad behavior on the part of the user:
• Downloading software that contains a virus or Trojan horse
• Inserting a removable storage device that contains a virus or Trojan horse
• Opening a document infected with a virus
• Visiting a compromised Web site or running a compromised SaaS application

For many of these situations, isolation from a desktop environment or the implementation of a disposable, stateless desktop environment can render this vector harmless. In the event of an infection, the user simply has to disconnect and the compromised environment can be discarded.

Security Agents
Security strategies for virtual end user environments are often at odds with performance and capacity management strategies. Locally installed and operating agents generally increase security, but can adversely affect the performance of each individual virtual desktop or application. In a pooled resource environment, this will greatly affect performance of the platform overall. Wherever possible, the preferred strategy should be to use network-level or hypervisor-level agents in place of locally installed agents. If that cannot be achieved, then at a minimum agent scans, updates, and other operations should be staggered to decrease the additive performance impact on the service delivery system.

Remote Access
Today, nearly all of my clients have an extensive system of external firewalls in place, and rely upon secure VPN tunnels to remotely access internal infrastructure. While this traditional method is secure and reliable, it can be very costly to scale and tedious to coordinate client installation and configurations when used in a hosted or extranet environment. Also, with VPN technology, if the user’s end point device becomes infected, then the corporate LAN can be exposed to whatever malware has compromised the user’s device. External access through a secure remoting protocol from a desktop or tablet can be far more secure than putting that same device on the corporate LAN via VPN technology. With the PCoIP technology in VMware Horizon View for example, the risk and attack surface is greatly minimized, since access is limited to a remote graphics protocol over a dedicated, signed and secured channel.

Secured Access through Security Server Proxy (VMware Horizon View)

External access can also be offered and secured in a similar way by connecting through a secured tunnel to an end user access portal for direct access to streamed, packaged and SaaS-based applications and services. Two-factor authentication using a service such as RADIUS should also be employed as an additional layer of security. Relying on both a password and a unique token code can prevent intrusions should the password be compromised (and can offer a secure method allowing the user to change or reset a forgotten password).

Secured User Portal (VMware Horizon Workspace)

Today, many traditional security policies are created and enforced at the operating system layer, which confines an end user’s access of services and applications to the Windows desktop. By beginning today to shift the compliance and security policies away from the desktop environment, environments will be better prepared for alternate types of end user access. The VMware Horizon suite of products can streamline and simplify operations by turning disparate operating systems, applications and data into centralized services that can be easily provisioned, managed and delivered to end-users with policy-driven access and delivery safeguards vital data and ensures compliance.

Christopher Janoch is a business solutions architect for VMware Accelerate Advisory Services. Follow him on Twitter @cjanoch

VMware Accelerate Advisory Services can help you define your end user computing strategy through balanced transformation plans across people, process and technology. Visit our Web site to learn more about our offerings, or reach out to us today at: accelerate@vmware.com for more information.

Would you like to continue this conversation with your C-level executive peers? Join our exclusive CxO Corner Facebook page for access to hundreds of verified CxOs sharing ideas around IT Transformation right now by going to CxO Corner and clicking “ask to join group.”