Simon Crosby is the CTO of the datacenter and cloud division at Citrix Systems, Inc. He was founder and CTO of XenSource prior to the acquisition of XenSource by Citrix. You can read more on his blog and also follow him on Twitter at @simoncrosby.
Worried about your data? If you’re not, you’re kidding yourself. It’s become clear over the past few months that the risk of security breaches has reached a new and frightening level — from sophisticated tools in the hands of national governments and organized crime to spontaneous attacks harnessing the resources of thousands of loosely connected vigilantes. Add to that the dizzying array of devices now used to access, move and store data. Security strategies that seemed airtight only a few years ago now look like so much Swiss cheese.
In this light, your first instinct might be to pull back from cloud computing, viewing it as inherently less secure than keeping data and applications locked into hardware. After all, the word “cloud” itself implies that your precious assets are out there floating around somewhere, right? It’s an understandable reaction and one that couldn’t be more wrong. In fact, the cloud is now the safest place for your data.
Think about it: Data is lost when an organization loses control over it, including how it’s stored, how it’s transmitted, and what end users do with it. Clouds, and the virtualization technologies on which they run, give you back that control, from data center to delivery to endpoint.
Deliver User Experiences, Not Vulnerable Data
A key tenet of security is making sure data doesn’t go astray when it leaves the enterprise. But what if data never left the enterprise in the first place? Desktop virtualization means that all data, applications and state remain centralized; users can access an immersive experience indistinguishable from traditional computing (actually even better in some regards, like instant-on apps) using either a hosted desktop or application experience, or a rich client experience. IT gains precise, granular control over applications and data. Everything is encrypted at rest, using keys that never leave the data center. Meanwhile, full back-end automation means less human involvement, and less human involvement means less chance of things going wrong.
A locked down data center is all well and good, but how are workers supposed to be productive if they can’t move data around? With virtualization, data is available from multiple points. Accordingly, there’s never a reason to save anything to removable media (like the kinds that seem so often to fall into the wrong hands). A good desktop virtualization solution lets you set policies as to what kinds of client-side devices can be used, from thumb drives to printers.
What about offline use? No problem. Any data delivered to the desktop cache remains encrypted at all times, and IT holds the keys. Lost laptop? Disgruntled employee? Hotel room theft? Not to worry.
A New Perspective on Endpoint Security
A moment of silence, please: Traditional endpoint security is dead. It’s simply no longer possible to detect attackers faster than they can mutate, and managing antivirus protection guest-by-guest can’t possibly scale. It’s also fundamentally incompatible with virtualization, since we can’t have every endpoint in the organization trying to update a centralized attack file and index its virtual hard disk at the same time. Symantec, it’s time to rethink your business.
What if we take the reverse perspective? If we can’t make data invulnerable, what if we make attacks less relevant by ensuring that each endpoint is in its best possible state? When a hypervisor is booted, one of the first things it does is check that it hasn’t been modified since it was last signed by its creator. The same applies for each virtual machine. After each login, each VM is returned to its original state, so attackers have no way to gain a foothold in your environment. This approach — essentially, moving from blacklisting to whitelisting — is a fundamental shift in endpoint security.
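The two mechanisms in the paragraph above, a boot-time check that an image still matches what its creator signed, and a VM that starts every session from its golden image and drops all changes at logout, can be shown in a few dozen lines. The following is an added illustration, not code from the post or from any Citrix or Xen product; the image bytes are constructed samples, and `VENDOR_KEY` is a hypothetical signing key. A real hypervisor or VM signature would be asymmetric (the verifier holds only a public key, ideally anchored in firmware or a TPM); HMAC-SHA256 stands in here so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed sample images standing in for a hypervisor binary and a golden
# desktop VM disk. Real images are gigabytes; the check is the same.
GOLDEN_IMAGES = {
    "hypervisor.bin": b"HYPERVISOR-IMAGE-v1 (constructed sample)",
    "desktop-vm.img": b"GOLDEN-DESKTOP-VM-DISK (constructed sample)",
}

# Hypothetical signing key. Assumption for this example only: a shipping
# product would verify an asymmetric signature with a public key, not a shared secret.
VENDOR_KEY = b"hypothetical-vendor-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(digests: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(images: dict, key: bytes) -> dict:
    """Done once by the creator: list the expected digest of every component and sign the list."""
    digests = {name: sha256_hex(data) for name, data in images.items()}
    tag = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "sig": tag}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Reject a manifest that was edited after signing (e.g. an extra entry added)."""
    expected = hmac.new(key, _canonical(manifest["digests"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["sig"])


def verify_image(name: str, image: bytes, manifest: dict, key: bytes) -> bool:
    """The boot-time check: run only components whose digest is on the signed list (whitelisting)."""
    if not manifest_is_authentic(manifest, key):
        return False
    expected = manifest["digests"].get(name)
    if expected is None:
        return False  # component not on the signed list
    return hmac.compare_digest(expected, sha256_hex(image))


class NonPersistentVm:
    """A VM that boots only a verified golden image and discards session changes at logout."""

    def __init__(self, name: str, golden: bytes, manifest: dict, key: bytes):
        if not verify_image(name, golden, manifest, key):
            raise RuntimeError(f"{name}: integrity check failed, refusing to boot")
        self._golden = bytes(golden)
        self._disk = None

    def login(self) -> bytearray:
        # Every session gets a fresh writable copy of the golden image.
        self._disk = bytearray(self._golden)
        return self._disk

    def logout(self) -> None:
        # Whatever changed during the session is dropped; nothing persists to the next login.
        self._disk = None

    def current_disk_matches_golden(self) -> bool:
        return self._disk is not None and bytes(self._disk) == self._golden


if __name__ == "__main__":
    manifest = sign_manifest(GOLDEN_IMAGES, VENDOR_KEY)
    hv = GOLDEN_IMAGES["hypervisor.bin"]
    print("clean hypervisor boots:", verify_image("hypervisor.bin", hv, manifest, VENDOR_KEY))
    print("modified hypervisor boots:", verify_image("hypervisor.bin", hv + b"\x00", manifest, VENDOR_KEY))
    vm = NonPersistentVm("desktop-vm.img", GOLDEN_IMAGES["desktop-vm.img"], manifest, VENDOR_KEY)
    disk = vm.login()
    disk[0] = 0  # a change made during the session
    print("changed during session:", not vm.current_disk_matches_golden())
    vm.logout()
    vm.login()
    print("back to golden after re-login:", vm.current_disk_matches_golden())
```

The important detail for a defender is that the manifest is verified before any digest in it is trusted: a check that compares against an unsigned list of hashes can be defeated simply by editing the list, which is why the signature covers the whole manifest and unknown component names are refused rather than ignored.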
There’s still an important role for the security vendors to play in making virtual desktop security simpler and more scalable for large enterprise deployments, such as integrating in-hypervisor threat detection into both client-side and server-side virtualization products. Some of the top security providers are already doing exactly this, working in tandem with virtualization solution vendors. More will follow suit or find themselves stranded in an outdated and shrinking space.
Deny DoS Attackers
Even the best data security can’t protect against a denial-of-service attack. You know what can? Truly massive perimeter control. But don’t start pouring your own concrete yet. Why do you think people started keeping their money in a bank instead of at home? Because the bank has a better safe. So does Amazon. It’s even better, as we’ve seen, than PayPal and Visa. The largest cloud providers have defense resources far beyond anything you could match in your own data center.
Any way you look at it, the bottom line is clear: The online world may be getting more dangerous by the day — but the cloud is safer than ever.