Molten Technologies believes that Desktop as a Service (DaaS) based on Virtual Desktop Infrastructure (VDI) technology can, when done right and wrapped in the right commercial and service model, provide a different and better approach to corporate desktops.
We think VDI and DaaS should be:
We recognise that VDI might only be the right answer for a proportion of your staff and that “One size does not fit all” (see our previous DaaSler article), but it can add a great deal of value where it fits.
In this second of a series of four articles, we will pick out some high points of what we think customers of a good VDI or DaaS service should expect in terms of Security.
Data secure from laptop theft or loss
Data remains securely inside your corporate network in the data centre, inside your firewall rules and is not sent down to the “end-point device” which the end-user is touching (e.g. laptop, iPad or other tablet, MacBook etc). The only communication with the data centre is keystrokes and mouse data in one direction and screen updates in the other and even these can be simply encrypted. So if someone loses a laptop while traveling, they may lose their personal information, if it is their personal machine, but they will not put your corporate data at risk.
Data secure from “thumb drive” theft
It is relatively straightforward to lock down a VDI service such that it simply does not map to any local drives. When someone inserts a “thumb drive” or “memory stick” into the end-point device (e.g. PC or thin client), the only thing they have access to is the local machine, which has no corporate data on it. The “PC” is now a virtual machine in the data centre, where it is safe from thumb drives and the like.
IP secure in third party or offshore teams
With data and applications residing safely in the data centre and third parties accessing locked-down desktops remotely, your IP can be managed much more securely than in a traditional PC environment. Add tools for “sniffing” data removal and key logging so that any suspected incidents can be easily followed up and you can have confidence in your IP security. Even an overseas third party can work on data while it remains locally in your data centre and never leaves your national boundaries.
Can lock out email and internet
Typically, third parties will use their own hardware and possibly even their own network connections to access the service (if they are accessing from their offices, for example), so it is sometimes possible to take the concept of desktop lockdown a stage further than usual. Not only can you remove administrator access to a third party desktop (so they can no longer install their own applications) but you can also remove a web browser from the build and even email (these being on their own physical PC through their direct employer) leaving only the bare essential applications required to do the job. Without a local drive, administrator access, internet access or email, a third party handling sensitive data is restricted to using only the applications that you have provided for them. They can do their job, but that is all.
Secure access from insecure networks
The remoting protocol associated with a virtual desktop (RDP for example, although there are more sophisticated examples) takes keyboard and mouse inputs from the end-point device (e.g. PC, Mac, thin client or tablet) and returns screen updates. The end-point device (which could be the user’s own PC, iPad or MacBook) does not need to directly access the corporate network in order to connect to a virtual desktop on that network. The remoting protocol provides a secure link or isolation layer between the two and prevents the infection of the corporate network by virus or other attack from the network local to the end-point. This has implications for travelers, home-workers, third parties working from their own offices, business continuity and even new corporate offices, because it means that end-points no longer require either a corporate LAN or a Secure VPN and can therefore save costs, improve usability and increase security at the same time.
Support BYO devices securely
In the same way that virtual desktops keep the “PC” safely locked away in a data centre, with the remoting protocol acting as an isolation layer so that the end-point device can be on an insecure network (see above), the device itself can be untrusted. This is a complicated way of saying that you can access your corporate desktop securely from any machine that happens to be handy. Want to bring your MacBook to work and be able to work on it? Want to allow third parties to work on their own machines? Want to allow the senior executives to use iPads (or Android devices or frankly anything else that comes along)? You are in luck. As long as it has an Internet connection and a remoting protocol (and they pretty much all do), it can be used to access your virtual desktop (this is not true of all virtual desktop products all of the time, so be careful; for example, it took 18 months for Citrix to announce its support for the iPad).
Supports two factor authentication
Many organizations already use two-factor authentication to require a user to remember their password and be in possession of a physical token (for example) before they gain access to the system. This capability becomes increasingly important when users can gain access from unknown devices and locations because someone could be watching them type their password either physically (by standing behind them) or electronically (using a key-logger, for example).
Supports key logging and data loss “sniffing”
There is a range of technologies available targeted at protecting an organisation’s sensitive data and IP. Think about what sort of protection you need and whether it is compatible with the desktop virtualisation or VDI technology you are considering. Most will work with a full VDI solution where each user has a dedicated VM, because most types of software will be agnostic under those circumstances as to whether they are running in a virtual environment or on a physical PC. A couple of examples that we have seen are key logging and data loss “sniffing”. Key logging simply records every key-stroke and button-press made by each user and enables an extremely accurate post-event evaluation of events and, if necessary, legal investigation. While it is not actively preventative, staff and third parties who know that they are being key-logged may be more inclined to behave themselves. Data loss “sniffing” is software that is able to be “taught” what sort of data you consider sensitive (an easy example might be customer account numbers, because they are a very specific format) and it looks for such data leaving the network, raising alerts or logs as instructed.
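The data loss “sniffing” idea described above, sketched as an added example (it is not part of the original article or of any vendor's product): a detector is “taught” one account-number format, validates each candidate to suppress look-alike strings, and raises masked alerts for outbound messages. The account format (`AC` plus ten digits ending in a Luhn check digit), the destinations and the message bodies are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Assumed (hypothetical) format: "AC" + 10 digits, last digit a Luhn check digit.
# Separators (space or hyphen) between digits are tolerated.
ACCOUNT_RE = re.compile(
    r"(?<![A-Za-z0-9])AC[\s-]?((?:\d[\s-]?){9}\d)(?![A-Za-z0-9])"
)

@dataclass
class Alert:
    dest: str      # where the data was heading
    masked: str    # never log the full sensitive value
    offset: int    # position of the match in the message body

def luhn_ok(digits: str) -> bool:
    """Validate the check digit so random 10-digit strings do not alert."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_accounts(text: str):
    """Return (offset, digits) for every well-formed, valid account number."""
    hits = []
    for m in ACCOUNT_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(1))
        if luhn_ok(digits):
            hits.append((m.start(), digits))
    return hits

def scan_outbound(messages):
    """messages: iterable of (destination, body) leaving the network."""
    return [Alert(dest, "*" * 6 + digits[-4:], offset)
            for dest, body in messages
            for offset, digits in find_accounts(body)]

# Constructed sample traffic (not real data).
SAMPLE = [
    ("mail.example.net", "Invoice for AC-1234567897 attached"),
    ("chat.example.org", "ticket ref AC-1234567890 closed"),   # bad check digit
    ("paste.example.com", "accounts: AC 9876 5432 17 and AC1234567897"),
]

if __name__ == "__main__":
    for alert in scan_outbound(SAMPLE):
        print(alert)
```

Validating the check digit and masking the value in the alert keeps the alert stream usable and stops the log itself becoming a second copy of the sensitive data.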
PC remains inside corporate network
At first sight, this seems a bit obvious given that the desktops are inside the data centre, but it is worth drawing this out and thinking it through to see if there are any associated simplifications or security improvements that can be driven out from this configuration. A laptop is designed to connect to insecure networks, defend itself as best it can and then return to the host network, bringing virus risk with it. Virtual desktops never get exposed to an external network (or a thumb drive etc. as discussed above). This is an inherent benefit of the virtual desktop solution, as it will be more secure than a laptop as a result, but it could also lead to a rethink of virus protection, for example (could you run virus scans at the server level rather than on each desktop?), or firewall protection (does each desktop require its own firewall?).
Secure from endpoint viruses
As discussed above under “Secure access from insecure networks” and “Support BYO devices securely”, the remoting protocol acts as an isolation layer so that anything undesirable on the access device, such as a virus, remains there and is unable to travel back to the desktop. In a world where Stuxnet has been defined as the world’s first weapons-grade virus and computer viruses are allegedly being created by governments as well as their enemies, this is an extremely key capability of a virtual desktop.