Virtualisation an issue for endpoint security

Endpoint security software is not built with desktop virtualisation in mind and this is proving to be one of the biggest management challenges in virtual desktop infrastructure (VDI) environments today.

Endpoint security software is not built with desktop virtualisation in mind and this is proving to be one of the biggest management challenges in virtual desktop infrastructure (VDI) environments today.

According to Richard Sheng, Trend Micro's Asia-Pacific regional director for business development and product marketing, because existing endpoint security tools are unable to recognise the presence of virtual machines, they contend for resources at the CPU, storage and network levels.

On physical machines, such utilisation of resources would not be significant, but in desktop virtualisation (where multiple desktops are co-located on one physical server) the base load on that machine is considerably more strenuous.

Sheng explained in an email: "Take the so-called '9am problem' when workers come to their desk in the morning and start up their virtual image. Immediately the images would reach out to download the latest security updates, like filters and scan-engine updates. This leads to serious contention on the CPU and the storage side."

Similarly, when a scheduled malware scan runs on a VDI system, it overloads the CPU and storage capacity, causing all task sessions to slow down. Sometimes, users are unable to even log in and virtual sessions get dropped, he noted, adding that the entire VDI host may even come to a complete halt.

As a result, Sheng warned that customers may resort to removing security completely from their VDI installations, exposing their desktops to significant risk.

Trend Micro last month announced OfficeScan 10.5, which the company touts can decrease scan time as well as memory consumption and CPU utilisation by up to 80 per cent in a VDI environment. "Customers no longer have to choose between security and VDI returns on investment," said Sheng.

Security inherent, but still a must in desktop virtualisation

Martin Duursma, vice president of Citrix Labs and chair of the CTO Office, noted that security is one of the inherent capabilities of a VDI offering as data and applications are under the control of the datacentre, not the endpoint.

"As soon as you can start to centralise information, it has to be a more secure solution than when you move files, presentations, content down to a laptop," Duursma said in an interview at the Citrix iForum 2010 held in Singapore earlier this month.

"Today when organisations have PCs or laptops, they lose control of their corporate information — people are downloading corporate spreadsheets and files onto machines," he noted. "There's a spread of information and the IT [department] has really little knowledge of where it's all going. When you use a VDI, that spread doesn't occur."

Neville Burdan, Datacraft Asia's general manager for Microsoft solutions, concurred. However, he pointed out that the enhanced security does not remove the "need for good security practices on the desktop", such as putting in place virus protection and encryption technologies.

"Many people think that because [management of] the desktop is now placed in the datacentre, they do not need to do this. However, this is not true," Burdan said.

"Secure your desktop just as you would with your laptop, then you will have new tools and benefits of backing data and managing the image in the datacentre but remember to secure those desktops," he said.

Trend Micro's Sheng also advised companies to, from a risk management perspective, treat a VDI desktop like any other desktop. "We acknowledge that VDI desktops are easier to revert to a clean state if infected, but the risk of getting infected is the same as with a physical desktop.

"[This means] the risk of spreading malware and exposing corporate or sensitive personal information is the same," he said.

Via ZDNet Asia


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All