Enabling Desktop Virtualization in High-Risk Environments

Increased risk and an opportunity for better security

While the control systems of a nuclear power plant may seem exotic and far removed from a typical business environment, the increasing reliance of business on technology and the growing sophistication of attacks on that technology are creating more scenarios where a security breach would cause lasting harm to an organization. Together with increased regulation and stricter security standards, these factors are forcing more "everyday" organizations to adopt sophisticated security measures once reserved only for exotic environments. In other words, high-risk environments are becoming more common rather than less.

One clear example of the broadening of high-risk environments is highlighted by the Payment Card Industry Data Security Standard, or PCI. This standard, created by the major credit card companies including Visa, MasterCard, and American Express, recognizes the increasing threats to organizations that process credit and debit cards. One of the approaches stipulated in the PCI standard to increase the security of payment processing systems is to introduce network separation, greatly reducing attack vectors for those systems. Maintaining network separation requires separation of network infrastructure, servers, and, eventually, multiple desktop systems for individual users. The result is that security measures once reserved for classified government systems or nuclear power plants are now being deployed in typical business environments.

These examples share one thing in common with all high-risk environments: a focus on separation, from the network layer up to all of the connected systems. This approach reduces the number of systems and pieces of software that must be trusted to be correct and secure in order to maintain the overall security of an installation.

Consider, for example, the nuclear power control network. By putting only the critical systems needed to run the nuclear power plant onto that network and isolating them from the much larger corporate network and Internet, it's much easier to maintain the level of security and reliability needed. The alternative of a single network would require every connected system to be secure, from the intern's desktop to the sales person's laptop that is connected to unsecured wireless networks across the country. A breach in any system could eventually result in the compromise of the most critical system.

The traditional approach to maintaining the required level of network separation at the desktop is to deploy multiple desktop systems for a single user, each connected to a single network. This approach preserves the network separation, but results in organizations deploying two, three, or more desktops for users. While secure utilization of multiple desktops introduces management, space, power, and cost challenges, power alone is becoming a serious concern. Some organizations are spending more on electricity to power their desktops than they do to power their data centers.

Realizing the benefits of desktop virtualization in these scenarios requires introducing security that rivals the physically separate systems. All aspects of the desktop virtualization system must be secure; network, disk, removable devices, and users must be isolated so that an exploit in a guest operating system or the virtualization software does not result in a loss of separation or control. In addition, users must not be able to compromise the security of the system through accidental misconfiguration of (or malicious tampering with) the software.

Achieving the needed level of security with desktop virtualization is challenging and requires engineering choices that may not be acceptable in a general-purpose product. For example, for endpoint desktop virtualization solutions, where the virtualization is performed directly on the desktop system, the security of the host operating system is often the primary limiting factor. The host operating system, such as Microsoft Windows, sits between the virtualization software and the system hardware. Given its architectural placement, any flaw in the host operating system can be exploited to gain complete control of the system, including the virtualization software and guest operating systems. In addition, Microsoft Windows, while providing many security features, is simply not designed to strictly control the flow of information between several connected networks. Setting aside virtualization and software vulnerabilities, there is no effective way to enforce a high degree of network separation with Microsoft Windows.

Given the importance of the security of the host operating system, any desktop virtualization solution targeting high-risk environments must provide a secure host operating system. This can be done by utilizing a highly secure, locked-down operating system, such as a Linux distribution that uses Security Enhanced Linux (SELinux), or by switching to a hypervisor custom-built to provide secure virtualization. Either of these choices, which are potentially effective in removing the host operating system as a weakness, requires migration away from the dominant Microsoft Windows environment. This migration is likely acceptable in a high-risk environment, but is more controversial for less risky environments since it requires additional hardware support verification, staff training, and a migration process. Linux is a compelling solution that many organizations are now adopting, especially when combined with virtualization to allow the continued use of Microsoft Windows in virtualized guests; however, it is still a migration that introduces some cost and risk.

Another limiting factor for the security of desktop virtualization is the virtualization software. In both endpoint virtualization and virtual desktop infrastructure (VDI), where desktops are virtualized in the data center and delivered via a remote desktop protocol, most solutions implement the security controls in the same virtualization layer that provides all of the functional features.

The level of security needed by high-risk environments requires an additional layer of security control over and above what is provided by the virtualization software. This security layer can be much smaller and easier to verify for correctness, making it less likely that it will be exploitable. With an independent security layer in place, an exploit in the virtualization layer can be contained. While some damage may be done in a single guest operating system, the exploit will be prevented from escaping further, violating the separation and attacking other guests. This independent security layer can also protect against accidental or malicious misconfiguration of the virtualization software.
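As an added example (not from the article or from any product it names), the following Python checker verifies the kind of separation such an independent security layer is meant to enforce on an SELinux host. It assumes the sVirt labelling convention, which the article does not name: each guest's qemu process runs as svirt_t with its own pair of MCS categories, and its disk image is labelled svirt_image_t with the same categories; the process and image listings are constructed samples, and the rule that an image is named after its guest is a constructed convention.

```python
"""Check that SELinux MCS labels separate virtualized guests from one another.
Assumes the sVirt convention (not named on the page): each guest's qemu process
runs as svirt_t with unique MCS categories, and its disk image is svirt_image_t
carrying the same categories, so escaping one guest still cannot reach another."""
import re
from collections import defaultdict
# Constructed sample in the shape of `ps -eZ` output: context, PID, command.
PROCESS_LINES = """\
system_u:system_r:svirt_t:s0:c12,c340  2101 qemu-kvm -name guest-corp
system_u:system_r:svirt_t:s0:c77,c198  2188 qemu-kvm -name guest-pci
system_u:system_r:svirt_t:s0:c12,c340  2250 qemu-kvm -name guest-mis
"""
# Constructed sample in the shape of `ls -Z` output: context, path.
IMAGE_LINES = """\
system_u:object_r:svirt_image_t:s0:c12,c340 /var/lib/libvirt/images/guest-corp.img
system_u:object_r:svirt_image_t:s0:c77,c198 /var/lib/libvirt/images/guest-pci.img
system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images/guest-mis.img
"""

def parse_labels(text):
    """Return (type, MCS category set, rest of line) for each labelled line."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        ctx, rest = line.split(None, 1)
        parts = ctx.split(":")  # user:role:type:sensitivity[:categories]
        cats = frozenset(parts[4].split(",")) if len(parts) > 4 else frozenset()
        rows.append((parts[2], cats, rest.strip()))
    return rows

def check_separation(process_text, image_text):
    """Return a list of findings; an empty list means every guest is isolated."""
    findings, guests, by_cats = [], {}, defaultdict(list)
    for type_, cats, rest in parse_labels(process_text):
        cmd = rest.split(None, 1)[1]
        match = re.search(r"-name\s+(\S+)", cmd)
        name = match.group(1) if match else cmd
        if type_ != "svirt_t" or not cats:  # unconfined or category-less guest
            findings.append(f"{name}: weak label {type_}:{','.join(sorted(cats)) or 's0'}")
        guests[name] = cats
        by_cats[cats].append(name)
    for cats, names in by_cats.items():
        if cats and len(names) > 1:  # one label shared by two guests: no separation
            findings.append("guests share MCS categories: " + ", ".join(names))
    for type_, cats, path in parse_labels(image_text):
        base = path.rsplit("/", 1)[-1]
        owner = base.rsplit(".", 1)[0]  # image named after its guest (constructed convention)
        if owner in guests and (type_ != "svirt_image_t" or cats != guests[owner]):
            findings.append(f"{base}: label {type_} does not match guest {owner}")
    return findings
```

On the constructed sample it reports two findings: guest-mis reuses guest-corp's categories, and guest-mis.img is labelled with the generic virt_image_t type, so any guest could open it.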

While many solutions have evolved to address the more pervasive Microsoft Windows desktop operating system, they ultimately inherit the underlying weakness of that operating system and can never accommodate more stringent security requirements. Several solutions are available that use Linux and SELinux as the basis of the approach described earlier, and many others are in development. The NetTop and High Assurance Platform (HAP) projects of the U.S. National Security Agency both aim to provide desktop virtualization in classified environments. Tresys VM Fortress was also introduced earlier this year as a secure, yet flexible desktop virtualization solution for environments requiring high security in a non-classified setting.

As you consider security requirements for your organization's desktops and embark upon the establishment of an operational plan to enable you to leverage virtual desktop technology, remember that desktop virtualization represents both increased risk and an opportunity for better security. Errors in the necessarily complex virtualization layer can lead to an exploitable flaw that could weaken the overall security of your organization. However, choosing the right security architecture and technology can strengthen the security offered by virtualization, allowing even organizations with high-risk environments to gain the many benefits of virtualization without compromising security.

More Stories By Karl MacMillan

Karl MacMillan is Tresys Technology's Director of the Linux Security Practice, author of "SELinux by Example: Using Security Enhanced Linux," and frequent speaker at virtualization, security and open source events nationwide. With experience spanning dozens of successful strong security implementations, delivering security products and services for some of the most sensitive security missions around the world, including those at defense and intelligence agencies globally, and through partnerships with IBM, General Dynamics, Red Hat and Cisco, Karl is an established security thought leader.
