Some security questions around VMware View and VDI

Posted on March 8, 2012 in VDI, View

After working on a bunch of larger VDI projects last year, I found there were usually several conversations with the security teams of these enterprises that don’t seem to get much press in the VDI world. Let’s face it, VDI is new for most of us, but it is a total shift for your security team to wrap their heads around this new portable desktop idea. In today’s world the security team is used to there being a hard drive in a PC that captures the activities of the employee for the life of that computer. So if some event takes place and they need to investigate or do forensics on the PC, it is all there, even if someone tried to cover their tracks.

So when you talk VDI with these security team members and ask what they need kept from a Windows desktop to be able to do their work, the default response is that they need everything! That does not mesh with the idea of linked clones, floating pools and a layered desktop image.

When VDI is done right you are separating the images into layers that include the operating system, applications and user profiles. These layers are then presented back to a user upon login and look like a personalized desktop for them. But with this method the actual operating system (OS) is somewhat disposable, meaning that you are reading from a master copy or golden image that is read-only. This golden image is shared by all of the users and allows the desktop to be refreshed at each logoff or on a regular basis, keeping the desktops clean. This also allows for easy patching of your virtual desktops, but that is enough of a VDI lesson.

The really fun conversations happen with security when they find out that desktops are created and destroyed automatically, and that things like page files and temp folders, which they are used to having around for the lifetime of the PC, are being trashed and recreated on a regular basis. But if you work closely with your security team and find out how their tools work and what parts of an OS or user profile need to be preserved, a plan can be formulated and factored in when creating your VDI design.

There are other factors and processes that security is concerned about besides forensics. They will need to adapt the processes that cover what is done when an employee is let go, for example. Since there is not a desktop that can be held until the process is complete, you will need a method to freeze their VM in time and not allow it to be used by others.

These are all very important conversations and processes to be considered when creating your enterprise virtual desktop design. Make sure to include all necessary teams that will have a stake in your new environment, and invite the security team to the table earlier rather than at the last minute. I know nobody likes to talk to those security guys, but addressing their questions and concerns earlier will prevent them from putting the brakes on your project in the final stages until you are able to adapt and meet their demands.

About Brian Suhr

Brian is a VCDX5-DCV and a Sr. Tech Marketing Engineer at Nutanix and owner of this website. He is active in the VMware community and helps lead the Chicago VMUG group. Specializing in VDI and Cloud project designs. Awarded VMware vExpert status 6 years for 2016 - 2011. VCP3, VCP5, VCP5-Iaas, VCP-Cloud, VCAP-DTD, VCAP5-DCD, VCAP5-DCA, VCA-DT, VCP5-DT, Cisco UCS Design

1 Comment

  1. Good article – the security issues of disposable, non-persistent desktops are often overlooked.  The newer way many organizations are now approaching VDI is to use desktop layering technology (file system/name space virtualization, not the combination of cloning/app virt/profiles) to create persistent desktops that have all of the single image management and storage savings of the legacy non-persistent model. The gold OS layer, all Apps, and Personalization are separate layers that are dynamically combined pre-boot. The user gets the same VM every time and the desktop – like in a physical PC environment – is always available to IT for forensics, e-discovery, etc.

    Full disclosure – I work for Unidesk, one of the new layering vendors. Would love to have you take us for a test drive and see if this addresses the security questions you’re finding in your VDI projects.

    Tom Rose
    Unidesk VP Product Marketing
