Securing Desktop VMs: First, Do No Harm
By Bob Scheier
Published: Monday, August 18 2008

The next big security market is the desktop, at least according to some of the biggest -
and some of the newest - vendors in the business. To succeed, they'll have to
first show that users want and need to virtualize their desktops, and second,
that adding security features on top of virtualization won't cause more harm
than it prevents.

First, ask yourself how eager IT managers will be to virtualize hundreds, thousands or
tens of thousands of desktops when they're still working on managing and
securing the virtual servers in their data center. By abstracting logical
servers from physical hardware, virtualization makes it possible to create
pools of computing resources that can (supposedly) be easily shifted among
applications as needed. But it can also make it a lot harder to ensure that
virtual servers that can't be tracked to a specific rack can only access the
right storage or network resources. (Recognizing these concerns, VMware
recently announced its VMsafe APIs to
encourage partners to develop virtual security tools for VMware environments.)

Second, remember that in the data center, all the virtual machines are under tight
control where security experts can monitor and manage security policies. Out in
user-land, it's hard enough to
get Joe Knowledge Worker to update his password, much less think about
managing security on multiple virtual machines on his laptop.

Still, some organizations will have valid needs to split their users' desktops or notebooks
into multiple VMs. One example is financial services, which give some users two
physical desktops, one for sensitive financial data, the other for everyday
business communications. Collapse those into one physical machine through
virtualization, and you've saved a lot of expensive physical space, power and
cooling. Tresys,
for example, is targeting the very high end of the market, for which the security
inherent in today's hypervisors isn't strong enough.

Third, think about how complex and fragile most users' desktops are, even without
virtualization, and how much time IT spends untangling crashes and slowdowns. Virtualization
means fiddling with the very guts of how computer hardware and software
interact, and if you don't do it right, you can quickly cause a lot of harm.

I and other early reviewers of ZoneAlarm ForceField have already learned
that. ZoneAlarm ForceField uses virtualization not as an end unto itself, but
as a way to protect existing Windows clients by virtualizing the browser from
the rest of the OS. But after installing it, I began suffering mysterious
slowdowns and crashes. eWeek
found many of the same instability problems and, to boot, that ForceField didn't
provide some of the protection it promised.

Tresys takes a different approach, aiming to better secure desktops that have already
been virtualized. Its VM
Fortress Desktop uses the Mandatory Access Controls of SELinux (sitting
between the physical processor and Windows) to limit which network and file
system resources each VM can access. Putting security controls as close to the
hardware as possible, in order to protect the operating system from the outside
(rather than the inside) is a tack being taken by other vendors as well, such
as Neocleus.

More power to everyone who's trying to noodle this out, as eventually all our
desktops and notebooks will have so much horsepower it won't make sense not to
virtualize them, and all those VMs will need security. But to get on this
user's machine, vendors will first have to prove the virtualization itself is
worth the hassle - and that virtual security doesn't cause more problems than
it solves.

Bob Scheier is a veteran IT trade press
reporter and editor with close to 20 years of experience covering every segment
of the information technology industry for PCWeek (now eWeek) and Computerworld.
He is currently a free-lance marketing writer specializing in white papers, Web
content and other marketing collateral for leading IT vendors including
Microsoft, EMC and Sun Microsystems. He maintains blogs of tips on marketing and technology trends, and can
be reached at bob@scheierassociates.com.