VDI in Government: Balancing security and performance

Virtual Desktop Infrastructure can help government organisations to manage data access and optimise use of resources, writes Vitaly Mzokov of Kaspersky

Tags: Kaspersky LabVirtual desktop infrastructure
  • E-Mail
VDI in Government: Balancing security and performance Virtual Desktop Infrastructure offers a number of benefits to government entities, particularly in securing data, says Mzokov.
By  Vitaly Mzokov Published  August 21, 2017

Virtual Desktop Infrastructure, or VDI, is becoming increasingly popular around the globe. More than half (63%) of companies worldwide admit that VDI is a part of their complex IT infrastructure, according to the Kaspersky IT Security Risks 2016 report. Businesses choose virtualization techniques for solid reasons.

Virtual desktop infrastructure utilizes server hardware to run desktop operating systems and application software inside a virtual machine. Users access these virtual desktops using their existing PCs or other devices. Under these scenarios, IT departments can centrally consolidate endpoint functions rather than manage each of them individually. This shift reduces service delivery and application costs, simplifies system backup, and provides users with, ideally, the usual work experience while making IT support and troubleshooting easier: when there is a problem in the system, it doesn't have to be fixed by changing the configurations on all endpoints.

Adoption of BYOD has been a major factor contributing to the growth in demand for desktop virtualization. The notion of employees using their own devices presumes that IT administrators have to oversee a wide range of devices with different operating systems, available applications and security requirements. To some businesses, VDI is a solution to this problem: turning a heterogeneous ‘zoo' of various platforms into a centralized and easy-to-maintain working environment.

In general, the advantages of VDI fall under three main categories: cost-saving potential, enhanced performance and security. However, the main controversy is that sometimes, all the three are in conflict with each other.

The Case for VDI: Public Sector

Virtual Desktop Infrastructure may be valuable for organizations where extra security requirements challenge struggle for enhanced performance and flexibility. Thus, the most frequent use cases for VDI are in finance, healthcare and the public sector - all industries that operate under strict regulatory compliance policies. The public sector's growing interest in VDI is apparent: 66% of government organizations admitted that the number of virtual desktops in their infrastructure has increased over the last three years.

The development of VDI in government seems to correlate with the BYOD trend that has made no exception even for the conservative government agencies. According to the Kaspersky IT Security Risks report, the number of smartphones used for work increased in 68% of public sector organizations 2014-2016. Some may say that VDI is not a panacea from BYOD practices, as it lacks flexibility and champions an outdated paradigm emphasizing the role of desktop applications. This may be a plausible argument in other cases, but VDI is still a way to go for government agencies. Most employees do not frequently access specific applications but rather use a standardized set of applications (Microsoft Office, for example), which makes delivering them via VDI a working paradigm.

The development of e-Government is another reason why the public sector favours desktop virtualization. Now state and local government agencies are expected to provide 24/7 availability of services while struggling with budget shortfalls. It forces them to seek ways to optimize productivity relying on limited IT resources. Virtualized desktops not only help reduce costs and improve productivity but also allow mobile public sector workers like social security and police officers to get access to necessary data when they need it.

As e-Government continues to evolve, the role of VDI in the public sector will not cease anytime soon. Growing demand for services, a reduction in budgets and a need for improved performance will define the interest in scalable and available virtual desktop infrastructure. However, we still need to consider security.

Security/Performance Dilemma

Government agencies collect and store massive amounts of sensitive information. Personal data, work orders, contracts, payment information and internal classified documents are transferred across the network in daily routine. It produces a complex dilemma of striking the right balance between productivity and security. To put it simply, employees should have full access to the data from their laptops and smartphones but the data cannot be compromised.

Virtual desktop infrastructure alone makes data protection a lot easier. Laptops and other devices do not keep critical data - it is stored in highly protected data centres and users just have access to work with it from their virtual desktops. That is why dedicated security solutions should not only focus on data protection but also provide multi-layered security from various potential threats, like ransomware, that can hit virtual desktops as well as usual workstations.

There are several myths about the security of VDI but most of the problems are caused by two general misconceptions that cloud people's minds. The first is that the virtualization of desktops means that they can no longer be targeted by infections. This is not true, as only some kinds of malware would not activate in a Virtual Machine. Moreover, in the case of infection one cannot just kill the infected VM: in a high-speed virtualized network it could spread rapidly across it until the whole network segment shuts down.

The second misconception is that virtual desktops (as their functionality is similar to ordinary desktops) need the same protection as ordinary desktops. Under this scenario, one can install a solution with full-weight agents and deliver it on every VM. These solutions designed for the protection of physical workstations with sufficient resources to run them undermine the main purpose of desktop virtualization: optimization of resources. The same software runs on every VM and the hypervisor distributes processing power and memory among them, which leads to system overload. It's the end of work, everyone can go home now.

There is no need to explain why the first misconception can lead to dramatic consequences, especially for government agencies where strict data security policies are in place. Deployment of heavy security software would eliminate all VDI benefits such as improved performance and the reduced costs of buying and maintaining additional hardware. Considering the specific trends - budget shortfalls and the increasing demand for service availability - affecting IT in the public sector, security should not undermine performance. There is a way to make sure it will not.

Addressing Security Needs: The Smart Way

Recently cybersecurity solutions providers and Kaspersky Lab have developed an alternative way to ensure the complete protection of virtual desktop infrastructure without compromising on performance. Dedicated solutions for virtualization security make it possible to combine agentless and light agent approaches. The latter deployment is especially useful in VDI as it delivers full cybersecurity functionality on every VM and helps to save critical computing resources in virtualized infrastructure.

Familiar endpoint protection agents have shortcomings when deployed in VMs. Storms of anti-malware scanning, the duplication of ‘heavy' security components, and simultaneous updates can cause RAM and processors to suffer a serious overload. Light agents help to avoid these issues.

Unlike with a purely agentless approach, light agents can effectively protect virtual machines due to their direct access to the VM's memory and core system processes. They enable advanced security technologies, such as web control,  protection from growing ransomware attacks, applications and devices control and allow the prevention of port scanning - a mainstream trick among hackers when they try to gather information about a targeted machine.

In government agencies where endpoints are particularly exposed and extra attention to security is necessary, a light agent approach could be a door opener to desktop virtualization at its best: higher performance, resource optimization and sufficient security all working in synergy for the efficient provision of services.

Vitaly Mzokov is Solution Business Lead, Data Center & Virtualization Security, Kaspersky Lab.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code