For organizations exploring VDI, desktop security has always been a bit of a sore spot. For the past 2 years, I have answered questions from some of Forrester’s and Citrix’s largest clients about how they should be approaching endpoint security in a virtualized world. While it wasn’t ideal, the answer to “how to secure VDI” was to treat the virtual environment exactly the same as you treat the physical environment – with a good endpoint security suite inside EACH virtual machine. While this made great security sense, it didn’t help organizations that were trying to scale out their VDI deployments in a cost-effective manner. Why? Because when you have 100 VMs on a single server and the AV scan kicks off at lunchtime, you have rendered that server useless. Well, at least users now get a lunch hour, right? So, it was not surprising that the natural next question from a customer was, “Well, since these VMs are now in the datacenter, can our network and server security tools do the job by themselves?”
No, that doesn’t work either. As we all know, users are constantly downloading email and other files to their machines, surfing the web, and plugging in USB storage devices with all sorts of “data” on them. These virtual machines need the same protection that physical machines need against malicious files that may enter the VM. Unfortunately, server and network scanning won’t cut it. The answer was still that endpoint security is required.
This is what makes last week’s announcements from Citrix and McAfee so exciting to me – someone who for so long had to give the bad news to customers that endpoint security in EVERY machine was still needed in the virtual world. This joint solution will, for the first time, enable the AV and other endpoint security products to be pulled outside of the VM to deliver VDI with the scalability it was designed for without compromising security. (In McAfee’s initial testing, they have seen a 181% increase in user density on a server and 10x improvement in CPU/Memory utilization – this is huge!) Imagine now finally being able to simply install and manage one master security solution per server and have all of the VMs on that server be able to take their cues from the master.
Now, this is just the beginning. With this API being built into XenDesktop and XenClient, all sorts of security and agent offloading will be possible in the future. Vendors, not just McAfee, will be able to use the API to deliver their solutions to you in a much more manageable form than they ever were able to in the past. Think about all of the current desktop management and security agents you use today being moved outside the VM for better management, security, performance, and scalability. Isn’t this what we all signed up for when we embarked on our VDI and other desktop virtualization missions?
My question to you: what desktop technology would you want to remove from the desktop image and offload to a server or virtual appliance?