Securing Virtual Desktops Against East-West Threats in the Data Center
This blog is first in a series where we’ll explore the considerations for building a more holistic approach to securing desktops in the data center.
If you’re in an industry that’s got a mandate around regulatory compliancy and risk mitigation, then the ongoing headlines around recent high-profile security breaches isn’t news to you. A recent study from PWC reveals that security incidents are growing at an alarming 66% each year, with an average $5.9M financial impact per breach (for large enterprises). What’s probably more surprising is that the same study points to insiders (current and former employees) as contributing to 65% of such crimes.
Completing the security puzzle for virtual desktops
Many organizations consider security of mission-critical data as a key imperative for implementing desktop and app virtualization. While this offers better protection of data “at rest” (ex: sitting on a laptop hard-drive), as well as an improved operations model for desktop IT (ex: patching of centralized desktop image), does it complete the entire security picture/puzzle? What happens when hundreds or thousands of user desktops now exist as virtual machines inside the data center, adjacent to other mission critical assets? The new reality is that the trusted side of the data center firewall can present a much larger attack surface for desktop VM’s, which network admins must now secure.
Therein lies the challenge. If you’re in healthcare, finance, retail, federal government or a similar industry that’s trying to keep your IT operation out of the headlines, what do you do? Intra-data center firewalling can help you establish zones of trust, but requires a significant hardware investment, plus you’re dealing with a dynamic environment – physical infrastructure changes continually, workloads move across the data center, and administration of policy done through traditional physical networks relying on expertise in hardware configuration syntax, addressing, application ports and protocols can become a bottleneck.
VMware NSX with Horizon
VMware NSX, deployed with Horizon, offers a better alternative to securing east-west traffic between VMs, turning data center security from a perimeter-centric view to one that gives each individual desktop VM it’s own virtual network container – creating if you will, a network of “one.” This approach, also known as micro-segmentation, has been an ideal for network teams, but traditionally unachievable due to the cost, and the operational complexity involved. With the number of user VM’s introduced by desktop virtualization, and the sprawl of firewall rules needing to be manually added, deleted or modified every time a new VM is introduced, this has been untenable in the past. With VMware NSX, we have a completely new model for networking and security, delivering virtualization of the network, much as we did for server virtualization – reproducing it in software, with a logical library of networking elements and services including switches, routers, firewalls, load-balancers and more, that can be deployed over any existing network.
VDI Networking and Security That’s Fast, Easy, and Extensible
Combining VMware NSX with Horizon offers VDI implementers new simplicity, speed, and ease with which they can achieve a more secure environment for their desktops and apps running in the data center. Some immediate benefits include:
- The ability to create, change and manage security policies across all of your virtual desktops with push-button, point-and-click simplicity, accessing a library of virtualized networking functions without the need for complex VLANs, ACLs or understanding of hardware configuration syntax
- Achieving a “set and forget” approach with network security policy that dynamically follows desktop VM’s from the moment they’re created, across the infrastructure, irrespective of what host they’re running on
- Implementing a more comprehensive security architecture that’s extensible, leveraging a best-in-class ecosystem of next-gen partner capabilities that secure desktop, email, browser and more, providing anti-virus, malware, and intrusion prevention services.
Secure virtual networks for VDI can now be programmatically created, provisioned and managed, using the underlying physical network as a simple packet forwarding backplane. In this series, we’ll learn more about how VMware NSX works with Horizon, and offer some insights based on validation testing our team has been working on for this mission critical use case.
Please keep an eye out for our next post, from my colleague Tristan Todd as he explores this solution further.