Computer Security: Implementing desktop virtualization is no longer optional
I’m a firm believer that given today’s technology and security paradigms, compromise is inevitable and unavoidable. With this mindset, my focus has shifted from reactionary to anticipatory. In an office environment, I expect that users will not follow policy and do things that put an organization at risk – and I expect desktops to be compromised by malware. I even expect my home PC to be compromised. To expect otherwise, is to deny the fact that current security technologies are not 100% effective.
When a hacker obtains complete control of a computer, he can change any setting, install additional malware and replace any software with his own variants. Even if you are able to remove identifiable malware, your ability to identify and undo his configuration changes or identify replaced software may be very limited. Although you may think you have “cleaned” your computer, your computer may still contain code or configuration changes that will allow a hacker to maintain or regain control of your computer. This is even more of a concern if the hacker was able to initially compromise your computer using a Web-based zero-day exploit without a known anti-malware signature. If the hacker can point your browser at the same Website again, your anti-malware software is not going to catch the malware the second, third or fourth time around. The only way to be sure your system is malware free, is to re-image the hard drive (we all have full image backups of our hard drives, right?) or reformat the hard drive, reinstall the operating system and all the software. What a pain!
If you can buy into the fact that compromise is inevitable and unavoidable, a better way to deal with compromises is to use desktop virtualization. Virtualization allows you to maintain a completely clean and pristine master image of your computer. You then clone (copy) the master image and just use the clone. If something bad happens, you just delete the clone and create a new clone – it’s as simple as that. Depending on your virtualization software, you can even create snapshots of your computer and revert to the snapshot as required.
The cool thing about virtualization, is that you can run “a computer within a computer”, so you don’t need to run every application in the virtual environment. CPU, memory and video intensive applications that may not run well under the virtual environment can still be run in your regular desktop environment.
Given the benefits of desktop virtualization for security purposes, there are a few issues you should be aware of:
1. Cost. The good stuff isn’t free, but given the value of your time and peace of mind, it’s worth it.
2. System requirements. Don’t expect optimal performance with an underpowered CPU and insufficient memory. You may need to bump up your hardware to meet your individual requirements.
3. Education. Yes, now you have to learn another piece of software. If you can read and follow instructions, this should not be a problem.
4. Setup and Management. This stuff doesn’t manage itself. You have to figure out how and where to store your user settings and data, fine tune performance settings and manage the master image and clones. Once you get into a routine, it becomes second nature.
There are many software vendors that offer virtualization software. Before you buy anything, you need to do some research and determine what product best meets your needs and budget. Many vendors offer full working trial versions of their software.
Below are some VMware Workstation videos to help you understand some of the basics of virtualization. If you want to try VMWare Workstation, it’s available as a 30-day demo or you can try the free VMware Player, which allows you to create virtual machines – but doesn’t have many of the features in VMware Workstation.
Video 1: Demo. Note: You can run a virtual machine in full screen mode. You don’t have to run it in a Window.
Video 2: A more technical presentation on how to create a virtual machine and a discussion about settings.
VMware offers a free multi-media VMware Workstation fundamentals course. You can get smart about VMware Workstation in a very short amount of time. The Overview section is a bit too technical at times, but the Getting Started section is easy to understand.