
Why virtual desktops are safer than physical desktops

2025-01-14 Update From: SLTechnology News&Howtos

Shulou (Shulou.com), 06/01

1 The dispute

Whether physical desktops or virtual desktops are better for security has long been debated. Many people hold that virtual desktops are merely deployed centrally in the data center and do not essentially change the way desktops are used, so security does not improve. Their main arguments:

The desktop OS and software remain unchanged, so both types of desktop will still encounter * *, become infected with viruses, and so on.

User behavior is the same on both kinds of desktop, so security threats caused by user behavior exist on both. For example, VDI users can also send data out through e-mail, network disks and other methods, and they can still browse web pages planted with Trojans or open infected documents.

For the threats that virtual desktops can guard against, such as data loss caused by a lost device, physical desktops have long had a large number of security solutions, such as Symantec's PGP encryption and Microsoft EFS, and these cost less than deploying VDI.

Virtual desktops introduce new security threats, such as the isolation between virtual machines on a host and the security of the hypervisor itself.

2 Personal opinions

From my personal experience, there is nothing wrong with the above arguments. Virtual desktops are not a panacea; don't expect them to solve all security problems. If someone sells virtual desktops to you for security reasons alone, that person must be a liar. However, having managed both physical and virtual desktops, I think virtual desktops have natural security advantages. Let's illustrate this in several ways:

2.1 Preventing data leakage caused by PC loss

A traditional PC can also solve this problem through encryption, but as anyone who manages PCs knows, deploying encryption software has always been grunt work:

An encryption client has to be installed on each PC. The client may come in different versions depending on the operating system version. After an OS upgrade the encryption software may also need to be upgraded, and many exceptions can occur during the upgrade. Compatibility between the encryption software and other software also has to be considered. For example, I have encountered incompatibility between encryption software and both antivirus software and backup software.

Depending on the size of the disk and data, the first full encryption may take up to 1 day. During this period the user cannot use the PC, and the PC administrator needs to check the encryption progress frequently.

PC performance is affected, and users complain to IT. This is obvious.

Management costs increase. If a user forgets the password, or leaves the company without handing over the decryption password, the encryption software administrator has to get involved.

What is the most painful thing after encrypting? Not being able to decrypt! Many PC administrators have had this experience: a user's PC cannot be decrypted, and there are several possible causes. The hard disk may be failing so that the system cannot start; the data must be decrypted first, but bad sectors on the disk often prevent the decryption process from completing, and in the end the data is lost. Sometimes a problem in the encryption software itself makes decryption impossible, and the author has seen many such examples. Moreover, the products at fault come from well-known vendors, such as Symantec and Checkpoint.

Because virtual desktops are deployed centrally, losing a client device does not cause data leakage.

In general, virus infections in enterprises fall into two main scenarios:

| Scenario | Traditional desktop coping method | Virtual desktop coping method |
| --- | --- | --- |
| Antivirus software is not installed, or has not been updated to the latest virus definitions. | Antivirus software has to be installed, or upgraded to the latest virus definitions, before the virus can be detected and removed, which usually takes several hours. | Refresh the desktop to a healthy image and scan only the user data, which is much faster than scanning both system and user data. If only the system data is infected, the virus is cleared immediately. |
| The antivirus software cannot detect and remove the virus. | The PC can only be quarantined until the antivirus software is updated to remove the virus. The PC cannot be used in the meantime. | Quickly generate a new desktop for the user. |

2.3 Security patches and policy applications

PC administrators know this experience: some PCs have never been updated against the patch server or antivirus server, and a physical PC is often offline for various reasons (the user disconnects from the network, the user is on leave, the PC is taken off the corporate network, and so on) and so cannot receive internal security updates or AD policies. When such a PC comes back online, it may not be able to cope with current security threats. Virtual desktops, on the other hand, are always online, are updated faster, and are less likely to be exposed.

2.4 Security isolation and concealment

A PC that leaves the enterprise security environment loses the protection of the enterprise firewall and threat protection gateway, so it faces a higher risk from Internet threats. There is always a security device between a virtual desktop and the Internet, which makes it relatively more secure. Furthermore, in terms of the total number of PCs owned by the enterprise, physical desktop deployments are more extensive than virtual desktop deployments.

2.5 Centralized management is more conducive to data backup

Even if all security policies fail and the data is corrupted, for example by a ransomware infection, it can be recovered from backups. Most user data on virtual desktops is redirected to a centralized location (such as NAS storage or a file server) and is very easy to back up; in contrast, backing up data on physical PCs is a complete nightmare, especially in large-scale PC environments. This also shows that even where virtual desktops are not more secure, they give IT administrators a way to get out of a security problem quickly.

2.6 Centralized management reduces security management overhead

For security personnel, the biggest concern is blind spots in security policy deployment, for example an unmanaged PC, or a PC whose security policy has been bypassed or broken by a "smart" user. This can be a case of "one piece of rat shit spoils a pot of soup", and 99% of the previous effort is in vain.

Yet enterprises often run into exactly this situation. One day a completely unmanaged PC is suddenly found on the network. Investigation shows that the PC had been sitting idle since an employee left the department; in the meantime the OS has been reinstalled by some former employee who can no longer be identified, it may have no antivirus software, it has had countless unauthorized peripherals connected (USB drives, SD cards, CDs, etc.), and it carries a lot of viruses. This is the drawback of the decentralized deployment of physical PCs.

Virtual desktops have a natural advantage here, because the desktops are more fully under the control of IT personnel.
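
The blind spots described in sections 2.3 and 2.6 (PCs that stopped checking in, and PCs nobody manages at all) can be found by reconciling what the network sees with what the patch and antivirus servers know. The following is an added example, not code from the original article; the hostnames, dates, data layout and the 14-day threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: hosts seen in DHCP leases, and the last contact
# each host made with the patch server and the antivirus server.
NOW = datetime(2025, 1, 14)
DHCP_SEEN = {"pc-fin-01", "pc-fin-02", "pc-hr-07", "pc-lab-99", "vdi-0001"}
PATCH_CHECKIN = {
    "pc-fin-01": datetime(2025, 1, 13),
    "pc-fin-02": datetime(2024, 11, 2),    # on the network but not patching
    "pc-hr-07": datetime(2025, 1, 12),
    "pc-sales-03": datetime(2024, 12, 1),  # taken off the corporate network
    "vdi-0001": datetime(2025, 1, 14),
}
AV_UPDATE = {
    "pc-fin-01": datetime(2025, 1, 13),
    "pc-fin-02": datetime(2025, 1, 10),
    "pc-sales-03": datetime(2024, 12, 1),
    "vdi-0001": datetime(2025, 1, 14),
}

def _age_finding(label, table, host, now, max_age):
    """Describe a missing or stale record for one host, or return None."""
    if host not in table:
        return f"no {label} record"
    age = now - table[host]
    return f"{label} stale ({age.days} days)" if age > max_age else None

def audit(seen, patch, av, now=NOW, max_age=timedelta(days=14)):
    """Return {host: [findings]} for every host with a policy blind spot."""
    report = {}
    for host in sorted(set(seen) | set(patch) | set(av)):
        if host not in patch and host not in av:
            # The idle, reinstalled PC of section 2.6: visible, never managed.
            report[host] = ["unmanaged: on network but unknown to patch and AV servers"]
            continue
        checks = (_age_finding("patch check-in", patch, host, now, max_age),
                  _age_finding("AV update", av, host, now, max_age))
        findings = [f for f in checks if f]
        if host not in seen:
            # The offline PC of section 2.3: managed once, now out of reach.
            findings.append("offline: not seen on the network")
        if findings:
            report[host] = findings
    return report

if __name__ == "__main__":
    for host, findings in audit(DHCP_SEEN, PATCH_CHECKIN, AV_UPDATE).items():
        print(host, "->", "; ".join(findings))
```
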

3 Summary

All in all, virtual desktops are not a panacea and are not a security solution in themselves, but their deployment model naturally brings some security properties that physical desktops lack. Basically, I think what virtual desktop deployment brings us is this: it does not change user habits or the desktop software environment, but it lets you apply your security policy more comprehensively, quickly and easily.

The above comparison is made only from a security perspective; it is not an overall comparison of the advantages and disadvantages of deploying physical desktops and virtual desktops.
