Over the years, I have heard variations of the thought that is roughly: “I don’t have to secure these systems because they will be reset tomorrow”. I used to hear this from kiosk vendors and libraries, but I now hear it from organizations that are rolling-out Virtual Desktop Infrastructure (VDI) and public cloud initiatives.
It is a risky – but very real -assumption that the primary advantage of virtualization and cloud is ‘disposable computing’, and related to that, all of the problems of the day are disposed of and replaced with near-zero effort and cost too. Well who wouldn’t see the advantage, because this is a stark contrast to the days when a problematic system needed to be rebuilt with appreciable cost and effort.
But security can become a casualty of disposable computing thinking. If a system is deemed problematic, it can be replaced in moments, right? Where is the incentive to investigate the source of a problem, in this throw-away thinking? It used to be that if a support person needed to spend more than fifteen minutes troubleshooting an end-user system, it would be reimaged. Today, fifteen minutes seems like a very long time. Without analysis, systems that may be misbehaving as the result of being compromised will never be identified.
To boil-down the issues that disposable computing presents to security, let us consider:
- How does one find what one isn’t even looking for
- The attackers are getting better at attacking what you’re not looking for
- What are you willing to lose (or find) in an afternoon?
The first point is about learned indifference. If a system is not adequately monitored, it will never be known to be compromised. The second point furthers this; the attackers who are serious about harvesting information create malware that doesn’t make its presence obvious. Gone are the days of frozen or blue-screening systems. Instead, we now face well-written rootkits that are superb at quietly doing their work, while the user does theirs.
The final consideration is about the value of data.
I recall conversations with three organizations. One ran kiosks, the second library stations, neither of which held any data that could be considered valuable to the owners. At the end of each day, the systems were simply reset to the state at which they had started the day. Although the owners saw little risk, the trust of the users of those systems was valuable to the owners – without that trust, nobody would use the systems, after-all. Unfortunately, that trust was in peril since the end-users were working on systems that were known to be compromised.
The third, and bolder example involves a bank. The operations team was very bullish about rolling-out virtual desktops that were to be accessed from thin clients (essentially, scaled-down laptops) running a popular embedded operating system. The embedded systems would revert to a known safe status upon reboot. The thin clients were to be used to access the secured virtualized desktops, which housed sensitive applications. Of course, the security team identified the flaw – they were not willing to risk losing data from a potentially compromised thin client. They realized that the disposable sessions on the thin clients were just as vulnerable. Without basic security, they were as vulnerable as any typical laptop. Rebooting and reverting to a known-safe version did not exempt the system from leaking valuable information before the reboot; reversion to a safe state is not retroactive.
Let’s be clear; the idea of disposable goods as the driver of boot-strapping an initiative, or an entire business, is valid. Public cloud and VDI offer businesses tremendous savings and efficiencies in an unprecedented way – allowing businesses to, in some ways, adopt disposable attitudes and methodologies. Just like in day-to-day life, everything has its place. Certain things and certain relationships are disposable. However, we don’t universally apply “throw-away” to every aspect of our lives. We protect the important things, and worry less about the trivial stuff.
Applying the disposable philosophy universally in a corporate computing environment is beyond risky, when you consider how attacks have changed. Certain “things” like security require more consideration.
Virtualized end-user systems and public cloud computing will play a role in nearly every business over the next decade. The quick turnover of VDI and public cloud instances is of value in and of itself. The technical challenge will be maintaining insight, introspection, and enforcement across computing estates that include VDI, public cloud, mobile, and traditional endpoints. The business challenge will be maintaining consistent policies throughout the truly borderless datacenter.