Security in a changing world – bringing security-sense to virtualized desktop environments

Dror-John Roecher

Synopsis

Server virtualization has become commonplace and even security has picked up on the subject and established a common understanding of good security practice for virtualized server environments. But a new virtualization trend rises above the horizon – so called ‘Client’ or ‘Desktop’ virtualization. Whereas the scope of server virtualization was limited to the datacenter (and in some context stretched towards the location and ownership of the datacenters, e.g. in the context of cloud-based services), these new client computing approaches easily cross all existent logical and geographical boundaries within our computing environment. They enable a whole set of new services and delivery methods, flexibility in time, location, underlying hardware, operating system and presentation format. All these changes need to be addressed and constructively accompanied by security.

The presentation will detail concepts of client/desktop virtualization for security people, enabling them to understand what the technology does, how it does it and why businesses rush to introduce it. We will go on to discuss security of different solution architectures and establish some basic guidelines on choosing ‘the right stuff for the situation’. These two parts of the presentation serve as a foundation for an abstracted discussion on how to tackle the big changes from a security perspective. How is security changing, what are we doing wrong, what are we doing right and how should we change the way we look at and apply security. Let’s call this ‘change the spirit of security’.

Where does corporate IT stand today

Our wish is to use products in a secure way, align business and IT objectives and have this all transparent to the end-user, compliant, etc….

The reality however is very different. Many security staff see security as a value in itself. They have no link to business functions and no understanding of business needs.

Broken products, run by people without proper skill-sets, overburdened with too many tasks

Clinging to the “never change a running system” paradigm – common excuse to never change, move or think and evolve

Computer budgets are out of control – value of security is not evident

CxO on IT:

• Cheap to buy and operate
• Needed for business, but no value in itself
• Should be easily exchangeable
• OPEX, not CAPEX

Users on IT:

• Corporate-provided tools often unfit for the job
• Wish for “freedom of tools”, “freedom of time and location”
• Cisco Strategy: “Anytime, Anywhere, Anydevice, Anyapp, Anydata…” moving towards collaboration

Client Virtualization 101

5 technologies at least…

• Local OS Virtualization
  • Have your local OS Virtualized
• Remote OS Virtualization
  • Move the Virtualized Guest to the DataCenter
• Application Virtualization
  • Package sandboxed applications and remove the need for local installs
  • Restrict access from the application to the OS
  • Example. Microsoft Office 2010 – Click and run version
• User Profile Virtualization
  • Decouple all users settings from the OS
  • Allows users to easily move between systems and maintain the same environment
• Presentation Virtualization
  • Run everything remotely and provide access to the remote user
  • example: Citrix

Remote OS Virtualization

Pros & Cons

• + Clients are always accessible for IT-Staff
• + Performance on demand
• – Storage needs

Security architecture depends on the protocol used (PCoIP, RDP, RGS)

Threats and Vulnerabilities –> Difficult and complex due to the architecture. Outcome is questionable

Vendors are quick to respond that their solutions are secure, however even they fail to understand the true risks present (example, use of SSL without knowing who validates who… client, server, both?)

Adapt to a changing world

Risk has failed us – We are used to trust

Risk Analysis has mostly failed –> even in finance where they have a lot of statistical information

• The question boils down to: do you trust the technology? The provider? The source of the information?

Our security concepts are based on location. With Client Virtualization, the clients are in motion. This creates a new set of problems!

Replace location-based security with content-based security

Replace prohibition with enablement

• Blocking access to things like Skype, ICQ, doesn’t help the problem
• Enable employees to use them in a secure way and within the company policies

Replace band-aids with root-cause treatment

• Many systems, such as Application Firewalls, NAC, etc.. are band-aid solutions
• Implement long-term solutions such as Secure Application Development, Innate data integrity, …

Fight operational stupidity

• Single employee responsible for high-end, high-cost systems
• Separation of duties… A and B must check…. A is holiday standing for B and vice versa !

Less is more – Focus on the basics and do this right! –> don’t build the Winchester House of Security!

Accept that business will always break security

• If there’s a good business reason, the business will do it regardless of security
  • Security can’t say no…. provide solutions

Start embracing change

• Change is a chance
• Embrace change, by starting to change your mind-set about change

Links :