Virtualised desktop environments, in some cases using Linux, are gaining in popularity as IT administrators realise they can deliver security advantages. We tell the story of one Australian government department and take you through the landscape.
Deep inside a nameless government department — you will
probably guess its identity, but nobody can say it officially — a
Linux desktop revolution has taken hold. For this particular
organisation, however, the big deal is not the fact that Linux is
involved, but the way in which it is being used.
Because information is classified according to security level —
and can only be accessed by networked devices cleared for each
security level — the department had to give many users two, three,
or more individual desktop PCs of varying security levels.
The result was an administrative and productivity nightmare that
not only ate up desk space for paperwork and family happy snaps,
but kept users jumping between PCs depending on the task at
hand.
It also posed problems for software developers, who have
embraced the idea of a virtual desktop infrastructure (VDI) for
testing new applications because it restricts each application to
its own "sandbox" where it can't harm anything else.
Well, almost anything else. In an environment where guarantees
of security are essential, the organisation couldn't run the risk
that flaws in the virtualisation engine could allow a test
application to sneak out of its sandbox and onto a network above
its pay scale — so it began exploring more secure alternatives.
"This agency wanted to do testing of various systems on
controlled networks, and use multiple virtual machines [for testing
new applications]," explains Frank Mayer, president and chief
technology officer with Tresys, the Linux security specialist firm
that implemented the solution.
"But they needed stronger security to go the virtualisation
route. They needed a way to ensure any hostile code [on the virtual
desktops] couldn't branch back to interfere with their
network," he says.
By capitalising upon SELinux (Security-Enhanced Linux), a
component of the Linux kernel that provides highly granular
security and access control, the department has been able to
replace the multiple-PCs approach.
Instead, certain users now run a single physical system that
uses Red Hat Linux to manage multiple virtual desktops, each
running in its own virtual machine and tied to resources of a
particular classification level.
Most virtualisation systems allow their virtual machines —
whether running Windows, Linux, or another operating system — to
share the machine's physical ports and connections, such as network
ports and hard drives.
The risk of this approach is that malicious code in one VM could
snake its way into the shared system and sneak back into a
different VM, with worrying results.
SELinux, however, allows system administrators to impose
mandatory access controls — low-level restrictions that prevent VMs
from accessing certain system and network resources no matter how
the VMs are configured by users. "These are stronger, more secure
sandboxes" than conventional virtualisation provides, Mayer
explains.
In other words, you may find out the hard way the cage you've
built to hold King Kong isn't strong enough — but if you put him at
the bottom of a 200m pit, the cage becomes redundant.
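A simplified model of the label-based decision described above, added here as an illustration and not taken from Tresys, VM Fortress or the department's policy: it parses SELinux-style security contexts and applies an MLS-style dominance rule to each VM-to-resource access. The type names (`vm_t`, `vm_net_t`, `vm_disk_t`), levels and resource names are constructed, and level ranges are not modelled.

```python
import re

def parse_context(ctx):
    """Split 'user:role:type:sN[:cats]' and return (type, sensitivity, categories)."""
    user, role, typ, level = ctx.split(":", 3)
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"unsupported level in {ctx!r}")  # ranges not modelled
    categories = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")          # 'c2.c4' is shorthand for c2,c3,c4
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return typ, int(sens[1:]), frozenset(categories)

def dominates(a, b):
    """Level a dominates b: sensitivity at least as high, categories a superset."""
    return a[1] >= b[1] and a[2] >= b[2]

def allowed(vm_ctx, res_ctx, op):
    """Mandatory decision from labels only; guest-side settings are never an input."""
    vm, res = parse_context(vm_ctx), parse_context(res_ctx)
    if op == "read":
        return dominates(vm, res)                 # no read up
    if op == "write":
        return vm[1:] == res[1:]                  # write only at the same level
    raise ValueError(f"unknown operation: {op!r}")

# Constructed labels: type names, levels and resource names are hypothetical.
VMS = {
    "vm-unclass": "system_u:system_r:vm_t:s0",
    "vm-secret":  "system_u:system_r:vm_t:s2:c1",
}
RESOURCES = {
    "eth0 (unclassified LAN)": "system_u:object_r:vm_net_t:s0",
    "eth1 (secret LAN)":       "system_u:object_r:vm_net_t:s2:c1",
    "secret.img":              "system_u:object_r:vm_disk_t:s2:c1.c3",
}

def access_matrix():
    """Return {(vm, resource, op): bool} for every VM/resource/operation combination."""
    return {(v, r, op): allowed(vc, rc, op)
            for v, vc in VMS.items() for r, rc in RESOURCES.items()
            for op in ("read", "write")}

if __name__ == "__main__":
    for (v, r, op), ok in access_matrix().items():
        print(f"{v:11} {op:5} {r:24} {'allow' if ok else 'DENY'}")
```

The decision depends only on the administrator-assigned labels, which is why the secret VM is still denied `secret.img`: its category set does not cover `c2` and `c3`, whatever the guest is configured to do.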
Securing the virtual world
The demands of that government
roll-out eventually led Tresys, a specialist in secure Linux
implementations, to productise the offering. Recently released as
VM Fortress, that tool joins a growing body of tools that are
bolstering the case for virtual desktops by addressing the security,
consistency and manageability issues that have long made physical
desktops such a pain for system administrators.
Tresys isn't alone: Citrix Systems, long the dominant provider
of thin-client desktops, recently upgraded its Citrix Access
Gateway with features that let companies deliver XenDesktop virtual
desktops with end-to-end security and access control not unlike
that provided by SELinux.
Virtualisation leader VMware also offers secure options for its
VMware VDI and VMware ACE (assured computing environments)
solutions, which allow administrators to encrypt the virtual
machines and explicitly control what each one can access.
This type of control is essential for government departments
dealing with classified information, but it also resonates with
private-sector companies such as financial institutions and large
contractors, which regularly deal with all manner of sensitive
information that needs to be kept under wraps.
Because security is controlled by administrators, they can
enforce security restrictions that users — or systems infected by
malware — might otherwise be able to circumvent.
These new ways of managing virtual machines have become
essential in convincing the corporate world that the one-desktop,
one-PC rule no longer applies. These days, desktops can just as
easily be accessed while running as virtual machines on a datacentre server; stored on a USB drive to be run and used on nearly
any computer using VMware ACE or similar technology from start-ups
like MokaFive; or hired from firms like BlueFire and Nasstar, which
run desktops in their own datacentres and lease companies access
to VDIs on a per-desktop, per-month basis.
"What matters is that, as we move to this highly virtualised
environment — and we are, over time, decomposing [the client/server
environment] we spent decades building — it's management that's
key," says Rosemary Stark, product manager with Microsoft.
"We want to be able to create an application resource pool, and
create a composite environment where we are able to compose the
physical resources as well as the application logic resources in
the way we need to do business." Microsoft has worked closely with
Citrix to complement the VDI philosophy with appropriate management
tools for virtual desktops.
Microsoft's Desktop Optimization Pack, for example, includes
technology such as Microsoft Enterprise Desktop Virtualization and
Microsoft Application Virtualization, which work with Microsoft's
Systems Management Server (SMS) desktop administration tool to
deliver applications and desktops in tightly controlled
bundles.
VMware's Virtual Desktop Manager offers similar functionality as
an add-on to VMware VDI, and its upcoming VMware ThinApp will offer
application virtualisation to sit side by side with virtual
desktops. Desktop management provider Managesoft has tackled a
different angle by streamlining management of desktop licensing
issues that are created by virtualisation's unchecked desktop
proliferation, while Sun Microsystems recently tackled VDI
administration with its own Virtual Desktop Connector.
These tools, and others that are emerging, allow desktop
administrators to do many of the same things with virtual desktops
that they have previously done using physical desktops — for
example, adding and removing applications, locking down system
settings, virus scanning, and the like.
They also need coherent frameworks for taking advantage of VDI's
unique characteristics — for example, the ability to improve
business continuity by being able to seamlessly shift a desktop
image from a failed server to another one.
As the gaps between virtual and physical desktops are rapidly
eroded, the result can only be further legitimacy for VDI-related
approaches to simplifying desktop management. With companies more
eager than ever to find new ways of keeping the cost of their
desktops under control, the formalisation of VDI frameworks — and
heavy investment in new products to support them — will soon
provide a much-needed tool in the dismantling of the desktop as we
know it.