The ISO 17799 standard defines an asset as something that has value to an organization and that it may exist in many forms: from company records and data through to physical devices such as PCs or laptops. The goal of IT security is to protect these assets against loss, corruption or theft, and to preserve the integrity, availability and confidentiality of company data. Currently, there are two main approaches to consider: the security of the asset itself, and the security of the user.
The asset-centric approach ensures that the infrastructure is available, and helps protect this network of systems against external threats. The user-centric approach, on the other hand, concentrates on the individual, how to protect them and what assets they are authorized to access. However, when your asset can be both a piece of data and a device, what is the best approach to take? This is the challenge that desktop virtualization is creating.
Desktop virtualization aims to solve the problem of managing huge numbers of traditional PCs, replacing them with virtual machines that can be controlled and hosted centrally. Instead of a beige box on each and every desk, users have a personal workspace that is located and managed from within a central data centre.
Users can login to their virtual machine from anywhere and have the same user experience and set of applications available. From an IT perspective, the amount of time spent on management is reduced, while users are happier and more productive.
That is the theory. However, the traditional approaches of asset-centric and user-centric security do not keep up well with virtualized environments, where the assets themselves are fluid and can be accessed from multiple locations. Because a user can work from numerous desktops both within and outside the corporate network, a new strategy is required, based on the context of a user.
Context-centric security is based on knowing the status of the asset and user in real-time. Using this information, the right level of security policy can be applied to that user as part of the session. In desktop virtualization deployments, where the user can access their virtual machine session from multiple locations and devices – and still get the same session experience – this ability to allow or restrict access is particularly important.
For example, a user in the office may be allowed access to the full standard corporate desktop, including all the applications they need. If a user is out of the office, the IT security team can decide whether a user requires access to all the applications, and lock down the user’s workspace accordingly. So when the user remotely dials into their virtual machine from home, or from a laptop in a hotel room, the number of applications available can be limited depending on the work they will be carrying out, and their level of authorization.
This user workspace management approach involves splitting the personalized elements of the desktop away from the underlying operating system. These can then be automatically applied – depending on the user’s context – when they open the image, giving them access to the right applications, printer settings and desktop setup. This not only improves the end-user experience when the desktop session has been virtualized, but it also makes applying the right context-centric approach to security simpler.
Context-aware security has to be dynamic in its approach, so when a user requests to login to their virtual machine image, they would go through the following checklist:
- Who is the user? Based on the username and password entered, the user’s identity and profile within Microsoft Active Directory is used to provide the right level of application access and personal settings within their virtual machine image.
- Does the user have all the necessary credentials? Is a username and password enough for access to be granted, or are additional factors such as one-time password (OTP) tokens required?
- Where is the user? This is important because where a user starts a service can determine whether that service should be available. If a user is on the corporate LAN, then they may have access to more services than if they are working remotely.
- What time is it? Some services may have scheduled maintenance windows during which they are not available.
By applying this context-aware approach, the right security settings and procedures can be enforced without requiring each user to have a unique virtual machine image on the back-end infrastructure. This enables organizations to improve the overall end-user experience, an important element within VDI that is often overlooked.
Taking both the user and asset into account when thinking about security is important, particularly when embarking on a new project such as desktop virtualization. The fundamental change in how desktop services can be provided to users requires a similar shift in how to keep sessions secure. By looking at the context as well as the asset and user, desktop virtualization can be made secure.
Bob Janssen is the co-founder and chief technical officer of RES Software. He has been responsible for product vision, strategy and development since co-founding the company in 1999, and was instrumental in the creation of RES Software’s flagship products. Janssen attended the Technical University of Eindhoven and has a business computing degree from the Fontys University of Applied Sciences.