Some security questions around VMware View and VDI
After working on a bunch or larger VDI projects last year there was usually several conversations with the security teams of these enterprises that don’t seem to get much press in the VDI world. Lets face it, VDI is new for most of us but it is a total shift for your security team to wrap their heads around this new portable desktop idea. In today’s world the security team is used to their being a hard drive in a PC that captures the activities of the employee for the life of that computer. So if some event takes place and they need to investigate or do forensics on the PC all is there, even if someone tried to cover their tracks.
So the default response of these security team members when you talk VDI and ask what do they need kept from a Windows desktop to be able to do their work? Is they need everything!! Well that does not mesh up with the idea of linked clones, floating pools and the idea of a layered desktop image.
When VDI is done right you are separating the images into layers that include the operating system, applications and user profiles. These layers are then presented back to a user upon login and looks like a personalized desktop for them. But with this method the actual operating system (OS) is some what disposable, meaning that you are reading from a master copy or golden image that is read only. This golden image is shared by all of the users and allows for the desktop to be refreshed at each logoff or on a regular basis keeping the desktops clean. This also allows for easy patching of your virtual desktops, but that is enough of a VDI lesson.
The really fun conversations happen with security when they find out that desktops are created and destroyed automatically and things like page files and temp folders that they are used to have around for the lifetime of the PC are being trashed and recreated on a regular basis. But if you work closely with your security team and find out how their tools work and what parts of an OS or user profile need to be preserved a plan can be formulated and factored in when creating your VDI design.
There are other factors and processes that security is concerned about besides forensics. They will need to adapt the process that cover what is done when an employee is let go for example. Since there is not a desktop that can be held until the process is complete, you will need a method to freeze their VM in time and not allow it to be used by others.
These are all very important conversations and processes to be considered when creating your enterprise virtual desktop design. Make sure to include all necessary teams that will have a stake in your new environment and invite the security team to the table earlier rather than at the last minute. I know nobody likes to talk to those security guys but addressing their questions and concerns earlier will prevent them from putting the breaks on your project in the final stages, until you are able to adapt and meet their demands.
About Brian Suhr
Brian is a VCDX5-DCV and a Sr. Tech Marketing Engineer at Nutanix and owner of this website. He is active in the VMware community and helps lead the Chicago VMUG group. Specializing in VDI and Cloud project designs. Awarded VMware vExpert status 6 years for 2016 - 2011. VCP3, VCP5, VCP5-Iaas, VCP-Cloud, VCAP-DTD, VCAP5-DCD, VCAP5-DCA, VCA-DT, VCP5-DT, Cisco UCS Design