Security risk in virtualization is multi-factorial, as we have discussed before. This article is one of a series on measures to decrease those risks and is part of the index article linked above. Here we cover the fourth point of that article, use secure virtual machines, and the seventh point, monitor virtual desktops. It goes without saying that you should know the details of a typical Virtual Machine (VM) to at least an acceptable minimum level, and the same applies to Virtual Desktop Infrastructure (VDI). There are operational differences between virtual desktops and VDI, but they are not discussed in this article on Security Risk and Virtualization.
Security Risk and Virtualization : Secure virtual machines
Each virtual machine on the host operating system must be patched and protected just as it would be if it ran on its own physical platform. Access rights should be governed by policies, and a machine without a valid policy should not exist. Further measures needed on a regular basis include automated patching of applications and of the VM operating system, a capable virus scanner, and a firewall that regulates access to the applications.
However, a virus scanner on each VM, together with its activity, is a threat to the resource efficiency of the system, because it consumes the limited processing power. Gartner recommends taking care when buying virus scanners for VMs, specifically choosing ones that can handle time-delayed scans, so that they do not repeatedly scan the same files but use a whitelist to scan each file only once, in a controlled fashion. Centrally managed solutions put an agent on each machine. Trend Micro Deep Security 9, for example, goes even further: the system works completely agentlessly, and under threat it can also simply close the affected port at the firewall, so-called virtual patching, in place of the need to shut down the respective vulnerable software.
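The scan-once whitelist described above is, in effect, a cache keyed on file content: a file that is byte-identical across many cloned VMs is scanned once and its verdict reused, while a signature update forces a fresh scan. The following Python example is added here to illustrate that mechanism; it is not code from the article or from any of the products it names. The inventory, the marker string and the `toy_scanner` stand-in for a real engine are constructed for the example.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed sample inventory: (vm_name, path, file_content) for three VMs
# cloned from one base image, so several files are byte-identical.
SAMPLE_FILES: List[Tuple[str, str, bytes]] = [
    ("vm-01", "/usr/bin/ls",      b"ELF-ls-binary-v1"),
    ("vm-01", "/etc/hosts",       b"127.0.0.1 localhost"),
    ("vm-02", "/usr/bin/ls",      b"ELF-ls-binary-v1"),
    ("vm-02", "/etc/hosts",       b"127.0.0.1 localhost\n10.0.0.5 app"),
    ("vm-03", "/usr/bin/ls",      b"ELF-ls-binary-v1"),
    ("vm-03", "/tmp/dropper.bin", b"MALICIOUS-MARKER"),
]


def toy_scanner(content: bytes) -> bool:
    """Stand-in for a real scan engine (constructed): flags a fixed marker."""
    return b"MALICIOUS-MARKER" in content


class ScanOnceCache:
    """Remembers the verdict for each (content hash, signature version) pair.

    A file that is byte-identical on many VMs is scanned once and the verdict
    is reused; changing the signature version changes the key, so every file
    is rescanned with the new signatures.
    """

    def __init__(self, scanner: Callable[[bytes], bool], signature_version: str):
        self.scanner = scanner
        self.signature_version = signature_version
        self.verdicts: Dict[Tuple[str, str], bool] = {}
        self.scans_performed = 0  # how often the expensive engine actually ran

    def scan(self, content: bytes) -> bool:
        key = (hashlib.sha256(content).hexdigest(), self.signature_version)
        if key not in self.verdicts:
            self.verdicts[key] = self.scanner(content)
            self.scans_performed += 1
        return self.verdicts[key]

    def update_signatures(self, new_version: str) -> None:
        # Old verdicts stay stored but no longer match any key, so cached
        # files are rescanned against the new signature set.
        self.signature_version = new_version


def scan_fleet(files: List[Tuple[str, str, bytes]],
               cache: ScanOnceCache) -> List[Tuple[str, str]]:
    """Scans every file of every VM through the cache; returns flagged (vm, path)."""
    return [(vm, path) for vm, path, content in files if cache.scan(content)]


if __name__ == "__main__":
    cache = ScanOnceCache(toy_scanner, "sig-v1")
    print(scan_fleet(SAMPLE_FILES, cache))   # only vm-03's dropper is flagged
    print(cache.scans_performed)             # 4 engine runs for 6 files
```

Keying the cache on the signature version as well as the hash is the part that keeps the whitelist "controlled": without it, a file cleared under old signatures would never be looked at again.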
Security Risk and Virtualization : Monitoring virtual desktops
The basic reason these two points are discussed in one article is their close relationship from a management point of view. For patching virtual desktops, which are after all also virtual machines, it is recommended to first move them to a demilitarized zone for the update and to transfer them back to their normal location only once they have passed an automated functional and safety check.
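The two rules from this article, that a machine without a valid policy should not exist and that a desktop returns from the demilitarized zone only after passing an automated functional and safety check, can be written down as one small workflow. The Python example below is added here to show that workflow end to end; it is not code from the article or from any VDI product. The `Zone` names, the policy identifiers, the patch level and the sample desktops are all constructed, and `apply_update` is a hypothetical hook standing in for the real patch mechanism.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Zone(Enum):
    PRODUCTION = "production"   # normal location of the desktop
    DMZ = "dmz"                 # isolated zone where the update is applied
    QUARANTINE = "quarantine"   # held back: no valid policy


@dataclass
class VirtualDesktop:
    name: str
    policy_id: Optional[str]
    os_patch_level: int
    firewall_enabled: bool
    av_enabled: bool
    zone: Zone = Zone.PRODUCTION
    log: List[str] = field(default_factory=list)


# Constructed values: policies the organisation recognises and the patch
# level the fleet is expected to be at.
VALID_POLICIES = {"POL-STD-DESKTOP", "POL-DEV-DESKTOP"}
CURRENT_PATCH_LEVEL = 42


def functional_check(vm: VirtualDesktop) -> bool:
    """Did the update actually land? Here: the OS patch level is current."""
    return vm.os_patch_level == CURRENT_PATCH_LEVEL


def safety_check(vm: VirtualDesktop) -> bool:
    """Are the protections the article requires in place after the update?"""
    return vm.firewall_enabled and vm.av_enabled and vm.policy_id in VALID_POLICIES


def patch_cycle(vm: VirtualDesktop,
                apply_update: Callable[[VirtualDesktop], None]) -> Zone:
    """Runs one desktop through the cycle and returns the zone it ends in."""
    # Rule 1: a desktop without a valid policy must not exist in production.
    if vm.policy_id not in VALID_POLICIES:
        vm.zone = Zone.QUARANTINE
        vm.log.append("no valid policy: quarantined")
        return vm.zone
    if vm.os_patch_level >= CURRENT_PATCH_LEVEL:
        vm.log.append("already current: left in place")
        return vm.zone
    # Rule 2: update in the DMZ, return only after both checks pass.
    vm.zone = Zone.DMZ
    vm.log.append("moved to DMZ for update")
    apply_update(vm)
    if functional_check(vm) and safety_check(vm):
        vm.zone = Zone.PRODUCTION
        vm.log.append("checks passed: returned to production")
    else:
        vm.log.append("checks failed: kept in DMZ for investigation")
    return vm.zone


def good_update(vm: VirtualDesktop) -> None:
    vm.os_patch_level = CURRENT_PATCH_LEVEL   # hypothetical hook: update applied


def failed_update(vm: VirtualDesktop) -> None:
    pass                                      # hypothetical hook: update did not apply


def run_fleet(fleet: List[VirtualDesktop],
              apply_update: Callable[[VirtualDesktop], None]) -> Dict[str, Zone]:
    return {vm.name: patch_cycle(vm, apply_update) for vm in fleet}


def sample_fleet() -> List[VirtualDesktop]:
    # Constructed desktops covering the three outcomes.
    return [
        VirtualDesktop("vd-01", "POL-STD-DESKTOP", 40, True, True),   # clean run
        VirtualDesktop("vd-02", None, 40, True, True),                # no policy
        VirtualDesktop("vd-03", "POL-DEV-DESKTOP", 41, False, True),  # firewall off
    ]


if __name__ == "__main__":
    for vm in sample_fleet():
        print(vm.name, patch_cycle(vm, good_update).value, vm.log)
```

The point of separating `functional_check` from `safety_check` is that a desktop can take the update perfectly well and still not be fit to return: vd-03 above is fully patched but stays in the DMZ because its firewall is off.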