Working together in a virtual environment: application whitelisting and anti-virus
Application whitelisting (AWL) has had an ongoing love-hate relationship with anti-virus (AV) software since day one. Originally conceived as a positive, IT-controlled approach to endpoint security that would compete head to head with negative, attack-centric anti-virus, AWL has instead been searching for a more peaceful co-existence strategy. One approach that organizations are evaluating is using AWL and AV cooperatively in virtual desktop infrastructure (VDI).
Anti-virus can have significant performance problems when securing VDI, particularly when virtual desktops simultaneously conduct full system scans or reach out to the cloud for pattern file updates. This is known as an “AV storm”, and it destroys any semblance of performance on the entire virtual server – forcing IT to buy and manage more servers to make up for the sharply reduced density of virtual desktops per server. For example, if the CPU utilization of your physical Windows PC spikes to 10% during a scan and noticeably degrades performance, imagine what would happen if multiple scans were taking place concurrently. It won’t be pretty. Since security is the leading driver for VDI projects, moving forward without endpoint security is out of the question. This is where AWL can help overcome the performance and security hurdles that have stymied early VDI deployments.
There are a couple of points about AV in a VDI environment that should be recognized. The first is that AV does not have to reside and execute within every desktop VM – a single anti-virus VM working with the hypervisor can efficiently perform malware scanning services for all desktops executing on the virtual server while avoiding an “AV storm” and preserving acceptable desktop densities. There are anti-virus vendors who support this anti-virus service architecture, and that seems like the best place for AV.
Application whitelisting comes into play to protect the individual desktop VM, both while it is resident on the virtual server and while it is checked out to be hosted locally (say, on a laptop for a business trip). Anti-virus cannot catch everything, so AWL within the desktop as the next line of defense is a natural security strategy that organizations are looking into. AWL protects virtual desktops within the data center and when the desktop is checked out to be locally hosted; anti-virus scans traffic on the virtual server to remove attacks before they can reach the desktop.
This is the relationship that makes the most sense. It is not so much a discussion of which security approach is stronger – the discussion is driven by the IT need to offer great performance to its users, secure the business against threats, and control acquisition and operating expenses. In a VDI environment, application whitelisting and anti-virus co-exist to meet the security, performance, and density requirements. The beauty is that everybody wins – the business wins with strong layers of defense, IT wins with fewer servers to purchase and manage, users win with acceptable performance to perform their jobs, and compliance auditors win with secure virtual desktop solutions hosted in the data center or checked out to local PCs.