Desktop virtualisation: How can managed service providers minimise data risk

There’s a big push for desktop and client virtualisation as BYOD continues to grow in popularity. Unfortunately many IT departments don’t know how to manage or deal with all the security implications it brings. According to a recent survey conducted by Comms-care 44 per cent of respondents cited worries about safeguarding data as a main barrier for adoption.

Outsourcing BYOD support is an appealing option, but many managed services providers aren’t staying close enough to the technology or keeping up with new developments to understand it well enough. Like many IT departments, service providers are also terrified of managing the security risks posed by mobile and tablet devices because they don’t know what types of risks virtualised clients actually bring.

If managed service providers expect to grow in the future, they need to understand how to manage virtualised desktop environments and deal with security risks.

The good news is that it’s safer to have virtualised clients on a personal device - because the security is taken care of by a centralised cloud server and not managed on a per device basis. If something goes wrong then the problem can be addressed quickly by an administrator by accessing the central area where all the data is stored.

Furthermore, preventative measures can be taken before any client virtualisation software is installed to shield data from external attacks. Among the most effective ways is to invest in Cisco’s Identity Services Engine (ISE). This is an all-in-one enterprise policy control platform that enables organisations to enforce compliance, enhance infrastructure security, and simplify service operations. It allows users to produce security profiles for different devices - whether it’s tablets or mobiles - so they can connect to a network securely.

ISEs are installed at the beginning to eliminate all security problems coming from external threats. But are these risks exaggerated? Do most businesses actually have data that is sensitive enough to be of any value?

The fear of being hacked by an elite external mafia gang is extremely small for most businesses. Professional hackers and troublemakers are only going to go after organisations that store personal data on file and they are generally massive global organisations that have encrypted this data and stored it on a private cloud.

In reality, the biggest threats to data are actually coming from internal sources. Over 90 per cent of the greatest risks to data, such as - malware, viruses and hacking - are done by people taking things away on a USB or downloading them into personal devices.

With internal hacking, you can’t just avoid the problem by installing a piece of software. It’s all about security processes and how to implement policies. That’s the biggest risk that’s always overlooked. There’s very little that can be done if an inside job has taken place and there’s a security breach.

The one thing that businesses and government organisations are adhering to at the moment is an unpublished standard called the business Impact Levels (ILs). This framework provides a seven-point scale to help assess what steps organisations need to take to effectively meet their risk management requirements of confidentiality and integrity. Enforcing an IL can help to create policies that protect data and possibly deter people from stealing it - but ultimately it can’t stop all attacks.

Essentially, the onus is always on the organisation to have the right level of encryption to protect data.

Virtualisation is already here and soon most desktops will be part of the environment. To speed up adoption, vendors such as Microsoft are even starting to give away virtual clients for free - and this trend will only continue. If managed service providers and IT departments are to stay in tune with this innovation they need to understand the risks and encourage end users to encrypt data.

Darren Briscoe joined Comms-care in January 2003 after working within the channel as a senior technical consultant. He has over 15 years' experience in technical and managerial roles and is highly respected within his field.