The default reaction of a corporate security officer to any “cloud-based” offering can be one of horror. However, there is also a growing view that the overall risk profile of Desktops as a Service (DaaS) is substantially lower than a traditional PC estate. So which is it – a security risk or reward?
This is an article exploring attitudes toward risk around DaaS that may help you talk about it within your business. If you want to cut straight to the more weighty (in some cases literally!) security reviews and resources, skip straight to the list of references at the end of this post.
I have a strange reaction to risk and I suspect I may be in good company. I can get used to the most dreadful things given time. For example, I blithely bundle my beloved family into a device that has killed more people than all wars throughout history and set off expecting a nice weekend away (my car). I am also in the habit of cycling the twelve miles to work in central London, weaving in and out of buses and cars with redundant indicators. You might reasonably conclude that I am comfortable with high levels of risk; however, even an infinitesimal new risk introduced into my life can cause a sort of unthinking hysteria. I stopped my young daughters from eating beef during the “mad cow disease” scare at a time when not one single person had demonstrably caught the disease, and gave them flu jabs when we were responsibly informed by the media that now was a good time for mass panic about bird flu. So I am comfortable with risks that I have been living with for years, while being positively obsessive-compulsive about anything new.
Logically, corporate laptops are a security nightmare. They are the IT equivalent of carrying all your worldly wealth as cash in your briefcase while picking up strangers in bars. And yet laptops are everywhere. They are bristling with gizmos to reduce their inherent risk, but we are still assailed by the inevitable stories of sensitive data being left on trains and new killer viruses bringing organisations to a standstill (and in some cases national nuclear weapons programmes). The problems are fundamental. If you are carrying data with you it is at risk, whatever you do to password-protect or encrypt it. If you allow an IT asset, particularly one carrying sensitive data, to connect to an unknown network, the laptop is at risk from hackers and viruses (and the network is at risk from the laptop).
Laptops somewhat get away with it because business has grown used to the productivity gains as the risk has grown, and therefore there has never been a strong enough case to get rid of them. It is a bit like evolution: as hunter and prey evolve together, the attack and defence mechanisms become formidable yet remain in balance. It is into this security arms race that hosted virtual desktop suppliers are tip-toeing, potentially upsetting the balance irretrievably.
Think about the concept of a PC that never leaves, indeed cannot ever leave, the safety of a tier three data-centre and likely your own corporate network. It never fails (high availability combined with full data-centre-level disaster recovery) and it is fully locked down. No one can leave it on the train and even the Stuxnet virus can’t get to it.
While a virtual desktop is accessible from any connected device across almost any network, it is only accessed through a remoting protocol (like RDP) which can be easily locked down to limit its services to keyboard inputs and mouse movements in and screen updates out. In other words, the actual PC is locked in a secure bunker and the only thing that can get through to it are the lighthouse-style flashes of control messages.
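As an added illustration of that lockdown (not code from the original post), the PowerShell below audits and enforces the standard Windows Terminal Services policy values that close the RDP side channels (clipboard, drive, printer, port, Plug and Play and audio-capture redirection) on a session host, leaving only keyboard and mouse in and screen updates out. It assumes the usual `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` policy key and needs to run elevated on the hosted desktop or session host.

```powershell
# Added example: audit, then enforce, server-side RDP device-redirection policy so a
# hosted desktop only exchanges keyboard/mouse input and screen output with the client.
# Assumes the standard Terminal Services policy key; run elevated on the session host.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Each value set to 1 disables that channel into or out of the hosted desktop.
$Channels = [ordered]@{
    fDisableClip         = 'Clipboard redirection (text/files can leave the bunker)'
    fDisableCdm          = 'Client drive mapping (local disks visible to the desktop)'
    fDisableCpm          = 'Client printer redirection'
    fDisableLPT          = 'LPT port redirection'
    fDisableCcm          = 'COM port redirection'
    fDisablePNPRedir     = 'Plug and Play device redirection (USB storage etc.)'
    fDisableAudioCapture = 'Microphone / audio capture redirection'
}

function Get-RdpChannelState {
    # Returns a hashtable of channel name -> 'closed' or 'OPEN'.
    $state = @{}
    foreach ($name in $Channels.Keys) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
        # An absent value or 0 means the channel is still open (the Windows default).
        $state[$name] = if ($item -and $item.$name -eq 1) { 'closed' } else { 'OPEN' }
    }
    return $state
}

function Set-RdpKeyboardMouseOnly {
    # Creates the policy key if needed and closes every redirection channel listed above.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Channels.Keys) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value 1 -Type DWord
    }
}

# Usage: report the current state, then lock down only if something is still open.
$before = Get-RdpChannelState
$before.GetEnumerator() | ForEach-Object {
    '{0,-22} {1,-7} {2}' -f $_.Key, $_.Value, $Channels[$_.Key]
}
if ($before.Values -contains 'OPEN') {
    Set-RdpKeyboardMouseOnly
    Write-Output 'Redirection channels closed; new RDP sessions will pick up the policy.'
}
```

The values take effect for sessions started after the change; existing sessions keep the channels they negotiated at connect time, so a report before and after is the practical check.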
What DaaS effectively provides is the ability to move the corporate security perimeter from the laptop back into the data-centre where it belongs. As a side benefit, this approach also makes business continuity substantially easier and cheaper, including letting most people work effectively from home if there is a continuity problem.
Far from being a risky move, hosted virtual desktops move the PC back into the security of the data centre, substantially reducing risk. So why does the security officer typically react in horror? Despite the security disadvantages of the laptop, it is a known risk with a well-established ecosystem of protection and support. Hosted virtual desktops are relatively early in the adoption curve, with many different technologies and service providers but few established standards. Like me with my children’s health, the corporate security officer understands the risks associated with laptops. She (or he) can follow industry standards and employ tools from the most respected suppliers in defence of the corporate network, and then mentally put the risk to one side. Even if something goes dreadfully wrong, she has done her job as well as the industry can reasonably expect her to.
But is it the best protection for the business?
There are positive industry-led initiatives to establish clear guidelines for security best practice for virtual desktops, such as the Cloud Security Alliance (CSA) and the Cloud Computing Information Assurance Framework issued by ENISA (European Network and Information Security Agency, an EU body). There are also many articles and white papers on this risk, predominantly from vendors. And there is, frankly, some hysteria at the risk of the unknown, driven by legitimate caution, by security and VM vendors, and by media gaining good mileage from it.
Although hosted virtual desktops offer the potential for dramatic risk reduction compared to laptops, or even desktops, only the most forward-thinking corporate security officers will welcome them with open arms, because of their novelty, industry hysteria and plain politics.
Useful links to informative articles and sites on security for virtual desktops:
Cloud Security Alliance
ENISA – Cloud Computing Information Assurance Framework
Desktop Virtualization: Top 10 Security and Compliance Best Practices
McAfee on Virtual Desktop Security
How VDI can make your desktop security worse (@brianmadden)
There Is No Such Thing as Cloud Security (@lmcvittie)
Virtual Desktop Security: Best Practices (by @vPractice)