ENTERPRISE INFORMATION PROTECTION


VDI/VM Security

The consolidation and virtualization of physical servers and workstations is a growing IT trend that promises more cost-effective, “anywhere, anytime” collaboration. VDI/VM solutions also offer a means to begin enforcing data policies for organizations supporting IT “consumerization” (allowing employees to access sensitive corporate information from personal devices such as iPads and Android platforms), which creates a whole new area of unmanaged risk to sensitive corporate data. Unfortunately, it is “virtually” impossible to enforce most information governance policies in Virtual Desktop Interface (VDI) or Virtual Machine (VM) environments on desktops or mobile devices using typical infrastructure-based IT security, because the solution requires a technology that can monitor and control data in physical and virtual environments at the same time.

Providing complete enterprise information protection (EIP) for thousands of virtual users worldwide, Digital Guardian is a proven and mature solution for VDI/VM security that monitors, audits, and enforces identity-based usage policies for data moving between physical and virtualized infrastructure. As a data-centric technology platform, Digital Guardian allows companies to gain the benefits of VDI/VM solutions to enable IT cost-cutting and consumerization support, while increasing their ability to productively enforce data policies across internal and 3rd party users.

VDI Environments
Most enterprise-scale virtual environments are based on the virtual desktop interface (VDI) architecture, which can support a variety of configurations and virtual architectures depending on the business need. VDI solutions such as Citrix XenApp, VMware, and MS Hyper-V act as a “system within a system”, whereby multiple users can remotely log in to individual “virtual machines” (VMs) on host servers, from which they can access data, applications, or network resources in a fully contained and temporary environment. Once a session has been terminated, some VDI solutions recycle the VM so as to present the next user with the same gold-image desktop.

A feature common to all VDIs is the dissociation of IP address and machine ID from the VM or shared desktop. As a result, the user and session are often only temporarily associated with an IP or machine ID. This dynamic naming assignment also means infrastructure-dependent IT security solutions cannot operate correctly, as they cannot distinguish between a physical and a virtual environment.

VDI Security Challenges
Virtualization is valued for its cost effectiveness and flexibility; however, it can also add new operational risks if typical IT security solutions – like DLP, access control, or network security appliances – are unable to enforce information security policies. For instance, how can a DLP technology enforce data or user-level policies within a virtual session if it cannot readily associate a user with the machine? Or, how can separate access policies be enforced in a Citrix environment supporting both partners and employees? Or, how can infrastructure-based security solutions like encryption appliances, content filters, and HIPS secure virtualized services in an Infrastructure as a Service (IaaS) hosting facility? An entirely different security approach, independent of physical infrastructure, is required to protect information within virtual environments.

Information Security within VDI
A virtual security model must be able to operate equally within a virtual or physical machine. It must be able to distinguish multiple virtual sessions and users on the same physical machine simultaneously, and enforce individual policy logic based on the context between user, data, and activity. Finally, it must continuously log and reference events at the point of data use – and where it is most vulnerable – regardless of whether the environment is virtual or physical, yet remain a passive monitor until a policy response is needed.

Such a complex set of solution requirements can only be technically addressed using a root-level “reference monitor”, or agent, that dynamically assigns user-based policies upon login to the physical host, and again as the virtual session is created. The agent must then seamlessly enforce policy as the user and data move between physical and virtual environments.
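The attribution problem the two sections above describe (a pooled VDI address is only temporarily tied to a user, so an IP-keyed control cannot tell an employee from a partner) can be illustrated with a small correlation routine. This is an added example, not Digital Guardian's code; the broker log, DLP event log, user names, the single pooled IP and the per-user policy are all constructed.

```python
# Added example (not Digital Guardian's code; logs, users and policy are constructed):
# attribute IP-keyed DLP events to whoever held the pooled VDI IP at that moment.
from datetime import datetime

# Constructed connection-broker log: one pooled VM IP reused by two users.
BROKER_LOG = """\
2012-06-01T08:00:00 SESSION_START user=alice vm_ip=10.20.0.15 session=s1
2012-06-01T09:30:00 SESSION_END user=alice vm_ip=10.20.0.15 session=s1
2012-06-01T09:31:00 SESSION_START user=bob vm_ip=10.20.0.15 session=s2
2012-06-01T11:00:00 SESSION_END user=bob vm_ip=10.20.0.15 session=s2
"""
# Constructed DLP appliance events that see only the source IP.
DLP_LOG = """\
2012-06-01T08:45:00 EVENT src_ip=10.20.0.15 action=print file=forecast.xlsx
2012-06-01T10:15:00 EVENT src_ip=10.20.0.15 action=print file=partners.docx
2012-06-01T12:00:00 EVENT src_ip=10.20.0.15 action=copy_usb file=salaries.csv
"""
# Constructed identity-based policy: the employee may print, the partner may not.
ALLOWED = {"alice": {"print"}, "bob": set()}
def _parse(line):
    ts, kind, *fields = line.split()  # 'ts KIND k=v k=v ...'
    return datetime.fromisoformat(ts), kind, dict(f.split("=", 1) for f in fields)
def parse_sessions(text):
    """Pair SESSION_START/SESSION_END by session id -> [user, ip, start, end]."""
    open_by_id, sessions = {}, []
    for line in text.splitlines():
        ts, kind, kv = _parse(line)
        if kind == "SESSION_START":
            open_by_id[kv["session"]] = s = [kv["user"], kv["vm_ip"], ts, None]
            sessions.append(s)
        elif kind == "SESSION_END":  # end stays None while a session is open
            open_by_id.pop(kv["session"])[3] = ts
    return sessions
def user_at(ip, ts, sessions):
    """User holding `ip` at `ts`, or None if no session covered that moment."""
    for user, sip, start, end in sessions:
        if sip == ip and start <= ts and (end is None or ts <= end):
            return user
    return None
def decide(dlp_text, sessions):
    """Return (timestamp, user, action, verdict); unattributed events only alert."""
    out = []
    for line in dlp_text.splitlines():
        ts, _, kv = _parse(line)
        user = user_at(kv["src_ip"], ts, sessions)
        verdict = ("alert-unattributed" if user is None
                   else "allow" if kv["action"] in ALLOWED[user] else "block")
        out.append((ts.isoformat(), user, kv["action"], verdict))
    return out
```

The same IP yields "allow" for the employee's print at 08:45 and "block" for the partner's print at 10:15, while the 12:00 event falls outside any session and can only be alerted on, which is the gap an in-session agent closes.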

The Digital Guardian VDI Solution
Digital Guardian is a proven, enterprise-class solution platform for securing information within virtual environments. The Digital Guardian platform provides virtual security by first identifying the user at login, then using low-level agents to enforce the user’s specific policy rules simultaneously in both their physical and virtual machines. Most importantly, Digital Guardian does not require a machine name or IP address to operate, or any other network dependencies.

Digital Guardian agents operate within the virtual image, on the hosting server, and on the physical host to provide end-to-end forensic auditing and rules-based policy enforcement – including data classification, encryption, and usage control – from the moment a user logs into their physical machine through a virtual session creation and termination. The Digital Guardian platform provides total policy control within both environments, and “knows” when data is being passed between them to correlate event logs and control local operations like Copy & Paste, Print Screen, Save As, etc.

Secure Consumerization with Digital Guardian for VDI
Many companies consider virtualization the first step towards supporting “bring your own device” or “consumerization” policies, which allow any employee-owned mobile device to be used to access and use corporate resources. Verdasys’ EIP Mobile solution for Virtual Desktop Interfaces (VDI) and Virtual Machines (VM) extends Digital Guardian’s data policy management to virtual workspaces on personal mobile devices like smartphones and tablets, using solutions like Citrix Xen, Microsoft Hyper-V, and VMware to sandbox users, audit activity, and enforce their information security policies.

EIP Mobile is the set of data-centric functions within the Digital Guardian technology platform capable of securing mobile data based on user, data, application, and session-specific policy rules across both physical and virtual machines. When deployed as part of a virtual infrastructure, Digital Guardian allows employee-owned mobile devices to be secure and productive “dumb terminals” when connecting to a virtual session. Digital Guardian for VDI/VM provides the same risk-based policy enforcement capabilities as physical agents, including real-time policy awareness prompts and integrated file, network, and email encryption.

Virtual Digital Guardian agents enforce user- and session-level information protection policies as part of a golden image and/or on the VDI/VM server itself, and forensically log data movement between a virtual session and the mobile device. Once a user logs into a virtual machine, Digital Guardian automatically provisions their specific usage policy for the session – even for multiple users logging in simultaneously. When a policy rule is triggered, Digital Guardian determines the risk-appropriate response based on who the user is and what their policy allows in that usage context, from silent alerting and real-time awareness prompting to encryption or blocking.

Digital Guardian VDI/VM agents operate in both kernel and user modes simultaneously for precise situational and threat awareness within the virtual image and/or the host server. The architecture provides both system and application auditing, and policy enforcement, for mobile device users from the moment they log into a session through its termination, without requiring a Digital Guardian instance on the device itself. Agents communicate with the Digital Guardian Management Console (DGMC) to retrieve each user’s data policy and to securely upload forensic session logs. When combined with physical Digital Guardian agents, the EIP Mobile solution for VDI/VM provides complete visibility and control over corporate data through any interface, while enabling businesses to securely adopt new and cost-effective IT models that make employees even more productive.

Contact Verdasys
P.(781) 788-8180
F.(781) 788-8188
Info@Verdasys.com

© 2012 Verdasys. All rights reserved.