RSS Alerts
Virtualization provides users with a personal workspace that is located and managed from within a central data center

Related Links

  • RES Software
  • Elsevier Ltd is not responsible for the content of external websites.

Related Stories

  • Core Security finds Microsoft virtualization flaw
    Security research company Core Security says that it has found a security flaw in Microsoft's Virtual PC hypervisor that could undermine fundamental security measures included in the Vista and Windows 7 operating systems.
  • Virtualization could double in 2010, but what about security?
    The number of organizations with at least half of their servers virtualized is expected to double in 2010 to 51%, according to a survey of 480 IT professionals about virtualization conducted by identity and access management vendor Centrify Corporation.
  • Virtualization: virtually a commodity
    Virtualization is a welcome medicine for many of IT's irritating symptoms. But is there a risk that basic information security hygiene will suffer as a result? William Knight investigates
  • A Clear Future for a Cloudy Concept
    Cloud computing – it’s an industry buzz word that is all the rage. The concept is hardly new, and many companies and organizations embraced cloud computing services long ago. However, as budgets remain strained, the push toward more economical cloud services remains ever-present. Stephen Pritchard asks the questions every enterprise needs to know about security when transitioning to the cloud
    Members' Content
  • Comment: Black Swans, Secure Access and Business Continuity
    How can businesses deliver flexible, scalable and secure remote access to staff during contingencies, while controlling costs? Check Point’s Nick Lowe describes a new approach to the problem

Feature

Comment: Context-aware security in VDI implementations

20 May 2010
Bob Janssen, RES Software

Bob Janssen of RES Software examines how secure desktop virtualization can be achieved using a context-centric approach

The ISO 17799 standard defines an asset as something that has value to an organization and that it may exist in many forms: from company records and data through to physical devices such as PCs or laptops. The goal of IT security is to protect these assets against loss, corruption or theft, and to preserve the integrity, availability and confidentiality of company data. Currently, there are two main approaches to consider: the security of the asset itself, and the security of the user.

The asset-centric approach ensures that the infrastructure is available, and helps protect this network of systems against external threats. The user-centric approach, on the other hand, concentrates on the individual, how to protect them and what assets they are authorized to access. However, when your asset can be both a piece of data and a device, what is the best approach to take? This is the challenge that desktop virtualization is creating.

Desktop virtualization aims to solve the problem of managing huge numbers of traditional PCs, replacing them with virtual machines that can be controlled and hosted centrally. Instead of a beige box on each and every desk, users have a personal workspace that is located and managed from within a central data centre.

Users can login to their virtual machine from anywhere and have the same user experience and set of applications available. From an IT perspective, the amount of time spent on management is reduced, while users are happier and more productive.

That is the theory. However, the traditional approaches of asset-centric and user-centric security do not keep up well with virtualized environments, where the assets themselves are fluid and can be accessed from multiple locations. Because a user can work from numerous desktops both within and outside the corporate network, a new strategy is required, based on the context of a user.

Context-centric security is based on knowing the status of the asset and user in real-time. Using this information, the right level of security policy can be applied to that user as part of the session. In desktop virtualization deployments, where the user can access their virtual machine session from multiple locations and devices – and still get the same session experience – this ability to allow or restrict access is particularly important.

For example, a user in the office may be allowed access to the full standard corporate desktop, including all the applications they need. If a user is out of the office, the IT security team can decide whether a user requires access to all the applications, and lock down the user’s workspace accordingly. So when the user remotely dials into their virtual machine from home, or from a laptop in a hotel room, the number of applications available can be limited depending on the work they will be carrying out, and their level of authorization.

This user workspace management approach involves splitting the personalized elements of the desktop away from the underlying operating system. These can then be automatically applied – depending on the user’s context – when they open the image, giving them access to the right applications, printer settings and desktop setup. This not only improves the end-user experience when the desktop session has been virtualized, but it also makes applying the right context-centric approach to security simpler.

Context-aware security has to be dynamic in its approach, so when a user requests to login to their virtual machine image, they would go through the following checklist:

  • Who is the user? Based on the username and password entered, the user’s identity and profile within Microsoft Active Directory is used to provide the right level of application access and personal settings within their virtual machine image.
  • Does the user have all the necessary credentials? Is a username and password enough for access to be granted, or are additional factors such as one-time password (OTP) tokens required?
  • Where is the user? This is important because where a user starts a service can determine whether that service should be available. If a user is on the corporate LAN, then they may have access to more services than if they are working remotely.
  • What time is it? Some services may have scheduled maintenance windows during which they are not available.

By applying this context-aware approach, the right security settings and procedures can be enforced without requiring each user to have a unique virtual machine image on the back-end infrastructure. This enables organizations to improve the overall end-user experience, an important element within VDI that is often overlooked.

Taking both the user and asset into account when thinking about security is important, particularly when embarking on a new project such as desktop virtualization. The fundamental change in how desktop services can be provided to users requires a similar shift in how to keep sessions secure. By looking at the context as well as the asset and user, desktop virtualization can be made secure.

Bob Janssen is the co-founder and chief technical officer of RES Software. He has been responsible for product vision, strategy and development since co-founding the company in 1999, and was instrumental in the creation of RES Software’s flagship products. Janssen attended the Technical University of Eindhoven and has a business computing degree from the Fontys University of Applied Sciences.

 

This article is featured in:
Cloud Computing Compliance and Policy Identity and Access Management

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

Copyright © 2010
Elsevier Ltd. All rights reserved.
Terms & Conditions | Privacy | Website Design Working with water