This week’s post comes from Eric Hanselman. Eric has an uncommon, common sense. Eric tried to leave Security two years ago after the RSA conference – bound for Virtualization-land. Alas, security pulls you back in and he was right back at RSA 2009. We always say “we’ll do better at security the next time.” “We’ll bake security in.” There were a lot of promises and claims made about how much better virtualization security would be. Here is sort of a “state of the union” from Eric.
by Eric Hanselman (@e_hanselman)
We’re heading in to a brave new world of desktop security and we need to do it with our eyes open. There’s a lot of potential benefit that desktop virtualization can bring to an organization. Like any new technology, though, there’s a lot of misunderstanding of the change in risk dynamics and how to deal with them. In recent weeks there have been announcements and discussions that bear some analysis.
Hosted and Virtual desktops (HVD is the Gartner term) deliver awesome mitigation for data loss. The desktop is back in the data center and the only the screen image makes it back to the user. There are also all of these really great operational expense savings. It’s easy to think that it resolves some of our biggest endpoint protection headaches. There’s an air of irrational exuberance out there, that’s a little disturbing.
There are two big concerns:
· Users think that desktops in datacenters are wicked safe.
· Vendors aren’t disabusing them of this delusion.
At RSA this year, in two different virtualization security sessions, I heard attendees ask if anti-virus software was still needed with virtual desktops. Lest you think that these were aberrations, industry analysts are posing the question, as well.
Forget about all of the Blue/Red Pill hysteria. There’s a much more fundamental issue that we need to address. Yes, the desktops are now in the datacenter, but there are still a whole set of security issues that have to be handled. We’ve made a big jump forward with physical security. It’s now a lot harder for random people to plug USB devices in to desktops or walk off with the thing that holds all that local data. We’ve paid for this by turning every user in to a remote user. Remote access security is something that we should have a good handle on, but now every user needs it. IAM capabilities take a big step forward.
Securing the desktop is where real work still needs to be done and that falls to the traditional tools of endpoint defense. The hitch is that our existing tools don’t play well with the virtual world. For the security conscious, the virtual desktop gets built like the physical desktop. Tried and true desktop suites can be managed in the virtual world alongside the physical desktops. This works.
There’s a danger lurking here, if we don’t understand the impact in the virtual world. There are a number of horror stories of a newly minted virtual installation being brought to its knees when every one of the virtual desktops was scheduled to do system scans at the same time. Even if our suite supports flexible scheduling, those compute and I/O intensive tasks that worked so well when distributed across bunches of under-utilized systems are a huge load when brought back to a shared set of servers.
This is a problem that has many people considering turning off traditional protections. A big difference between server and desktop virtualization is the concern about scale. Running endpoint protection on virtual desktops reduces the number of desktops that can be hosted on a given set of hardware. There are virtualization vendor claims that, by destroying each desktop after use, we eliminate infection. This is the first vendor complicity issue.
What about all of that user data? Aren’t there a lot of PDF’s full of APT’s out there? Fortunately, virtualization can address a part of this. But only part.
One big benefit of desktop virtualization is that I’ve got all of my users’ disks in the datacenter. They’re available all of the time. If I’ve got enough disk I/O capacity, I can scan all of those disks any time with minimal user impact. I’ve also got the potential to remediate issues centrally. A big win. Some traditional AV vendors pitch this as their “virtual” solution today.
The piece that isn’t covered is execution monitoring. The virtual environment still doesn’t have a way to keep tabs on live processes. There are good signs, but they’re not complete. VMware’s VMSafe opens memory pages for inspection, but, again, we’re back to static signature scans and advanced threats have proven that they’re pretty good at obfuscation. And only VMware offers this today. And only a few security vendors are doing anything with VMsafe. This is a missed opportunity.
We now come to the recent announcement by Citrix and McAfee of their partnership for virtual desktop security, the MOVE platform. This sounds like it’s going on the right direction. It makes the agent functions more granular and allows processing to be split between the desktop and the virtual environment.
How will this fare when put under the scrutiny of the recently developed SCSOVLF metric? Not well, unfortunately. To begin with, it’s still a “concept” with delivery some months off. Details are still emerging, but the first stage seems to move some analysis parts to a separate VM and leans heavily on virtualization being a great way to improve configuration management. Points off for relabeling something that we should have been doing already.
There is a second phase to MOVE, native hypervisor inspection. My heart leapt! Until I realized that it’s application and process whitelisting. This is desktop security, not server, right? There are a lot people who’ve been burned out there by the twin issues of manageability and effectiveness for whitelisting. It puts us right back to manually locking down users’ desktops. While this is a step in the right direction, it comes with a high cost. And more sophisticated threats already know how to beat it (DLL injection anyone?).
What we really need is endpoint protection that can rely on sophisticated techniques in the hypervisor. Have per instance execution monitoring for the desktop, and leave the signature scans to a storage analysis piece. And correlate the two, please.
And wouldn’t it be even better if, while providing virtual execution cycles, the virtualization layer was doing some effective protection, as well. A guy can dream, right?
Great piece Eric! I find it curious that after all this time, people still want to ignore the dangers associated with the end point regardless of what the end point is (laptop, tablet, handheld, desktop etc.) or if it is virtualized or not. The fact that analysts and others are actually questioning the need for protection of virtualized hosts troubles me however it does represent an opportunity for further education.
I got a bit excited to start reading this piece. My environment is about 60% virtual for servers (~150) and we’re moving forward with desktop virtualization (about 30 users out of 500 so far). We’ve made collective decisions about removing desktop security because these virtual systems are now temporary and get rebuilt regularly from a known-good image. I was hoping to read about some ammunition on why this is a bad idea. I also avoid the red pill/blue pill issue, as it is a pretty tough largely theoretical position to present.While your article didn’t give me much, I’ll admit there may not be any real good reasons. The disk i/o, non-admin privs, and ephemeral nature of the systems are still pretty hefty.One issue I have with the current movements of virtual security is similar to moving the network into the virtual space, and even moving apps into the cloud: we’re making things very, very difficult for people to grasp and understand and thus support or defend. Today’s desktop admins and security folks will and are having a hard time just understand the concepts of how all these technologies work together on this strange virtual layer. And if security can’t be easily conveyed and digested, those recommendations just simply never get passed.So we move more instrumentation into the hypervisor…how long will it take for the techs to relearn how to be effective on that layer?(I know, much of this is about moving my cheese or simply dealing with inevitable ‘advancement’ of technology that we all just have to buckle down and learn, but it still should be a valid discussion.)
I believe the answer to security lies in authentication users better.