Aside from the production benefits of virtualization, an added benefit is improving security posture, which is paramount to most IT organizations. For those that haven’t already determined that a virtualized infrastructure is a better solution than handing out laptops with a VPN connection, there are a number of eye-opening reasons to reconsider the security impact of locally stored applications and data.
Is SaaS the Answer?
While some organizations feel that a SaaS-only application infrastructure eliminates the need for virtualization, they should think again. Browser compatibility is a key issue because not all SaaS-based applications work well with all browsers. Further, browsers are not always properly updated on the local device, and plugin versions may be outdated, causing what may appear to be inconsistent issues.
A key security issue is that many browser-based applications write to the Temporary Internet Files folder on the local device. Even though connectivity to the SaaS-based application would likely be secured by SSL/TLS, the data within the Temporary Internet Files folder remains on the local device after the session completes and thus could be compromised after logoff.
Why Local Apps and Data Aren’t Secure
First and foremost, if a user has a computer with data stored locally, the physical device itself is a major security concern. A laptop can be left in an airport or stolen from a computer bag. Old computers that are discarded without their hard drives having been completely wiped may contain data that could fall into the wrong hands. Hackers are especially adept at cracking login passwords when there is no connectivity to a back-end mechanism that monitors and tracks attempts.
Data that is stored on the local device is a further concern and represents a single point of failure in the event of a hard drive crash. That critical report or spreadsheet that took hundreds of hours to create could be gone in an instant. While an IT organization may admonish users to back up their local files via a VPN onto a network share, the chances that users will back up their data, much less in a consistent manner, remains slim. Worse yet, users may assume that all online data services are secure and may transmit sensitive data to an unapproved service over an unsecured connection.
It’s a little-known fact that many applications write confidential data to the local user profile. In particular, the AppData folder contains a plethora of information that various applications use to store data, either temporarily or permanently. This data may include log files, print jobs, configuration files, documents, and the like. Within a virtualization environment, that AppData folder is stored (and secured!) entirely within the data center.
When users access applications sans virtualization, application updates and patches are not only a headache: if these are not applied properly, security holes can exist. Say, for example, that an application update that addresses a security issue must be deployed to user computers. If a user is on medical leave and doesn’t turn on that user’s computer, the update will not apply. Depending on the mechanism used to automate the deployment of applications and patches, an expiration or timeout may be invoked before the user returns. The user device will not be up to date and therefore will be vulnerable when the user returns to work. On the other hand, a virtualized infrastructure allows applications and patches to easily be applied centrally.
Virtualized applications and desktops allow administrators to control communications with the endpoint device. Disabling access to client drives—i.e., the local hard disk as well as any plugin data storage such as thumb drives—can be easily configured. Because all applications and data reside within the data center, it can be controlled and monitored.
While you can’t stop a user from taking a photo of a computer screen, a virtualized infrastructure inherently secures data as it crosses the wire. While the ultimate solution for secure remote access is a proxy such as NetScaler Gateway, the transmitted and received data without that highly recommended component is still more secure than direct queries to a database or other back-end resource. Consider this example: A user queries an SQL Server database to find a customer number. In a Citrix infrastructure, the user sends keystrokes and mouse movements within numerous packets to the application that is housed on the VDA, which then queries the database. The response is sent to the application, which is then sent to the user as a series of bitmaps, not the customer number in readable format.
This is 2017. The security benefits of running your IT department on a virtualization platform are even more paramount than the productivity gains. Virtualized applications and desktops, as well as service providers that offer turnkey solutions, are readily available and far less expensive than a security breach.