The security situation appears to be worse than many think, as Gartner is now advising people to just kill workloads entirely to improve security. It’s like giving up, admitting defeat, packing your tent and going home. “I quit. I can’t secure this stuff. Just take it all down.”
Yes, I’m exaggerating, but not all that much. At the Gartner Data Center Conference on Tuesday, Gartner VP and Research Fellow Neil MacDonald gave a talk titled, “Killing Workloads to Make IT More Secure and Ultimately Improve IT Resiliency.”
His point was that the bad guys have gotten so good at being bad that we can no longer tell for sure what’s infected with malware and what isn’t. His suggested solution is to simply wipe out applications, routinely, and replace them with those you know to be squeaky clean.
Let’s start with servers. MacDonald says the process we use to patch servers is “fundamentally flawed.” When a patch comes out, IT dutifully applies it to servers, thinking that’ll fix any issues. But if you can’t say for sure that the server isn’t already infected, you are simply applying a patch to a server that’s in a questionable state. “So now you have a patched machine that’s still in a questionable state,” he said.
A better approach is to keep a collection of applications that you know are free of malware, using emerging tools from vendors such as RPath. When a patch comes out, apply it only to that central image, which you know is free of malware. Then kill the app on all your servers and replace it with that new, patched image. Assuming you’ve got sufficient bandwidth in your network, it won’t take any longer than traditional patching, MacDonald assured me after his talk.
As for desktops, his answer is simple: desktop virtualization, or virtual desktop infrastructure (VDI). We’ve covered this issue before, including here and here, and there’s no doubt in my mind that VDI does lead to improved security on desktops. But the way MacDonald framed the argument was new. He’s essentially saying that because you can’t say for sure that your desktops aren’t infected, you should blow them up every time a user logs off and install a new image every time the user logs on again. That’s just a slightly different twist on the argument that we’ve used for VDI for years: because you are maintaining only a single desktop image within the confines of the data center, it’s far easier for IT to secure. As with the server example, just patch one image and distribute it to whoever needs it. But if the way MacDonald frames the issue gets more people to consider it, great.
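The server and desktop arguments above are the same workflow: keep one golden image you trust, apply patches only to that image, and replace every running copy instead of patching it in place. The following is an added illustration of that workflow, not code from the original article, from Gartner, or from any vendor it mentions (it does not model rPath's tooling). It assumes nothing beyond the Python standard library: a "deployment" is a directory tree, the golden image is a directory whose per-file SHA-256 manifest is the only thing trusted, drift on a running copy is detected by comparing against that manifest, and "killing" a copy means deleting it and copying the golden tree back. The sample hosts, files and the tampering on one host are all constructed inside the demo.

```python
"""Golden-image drift check and kill-and-redeploy, as a constructed example."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def detect_drift(deployed: Path, manifest: dict) -> dict:
    """Compare a running copy against the golden manifest.

    Anything modified, missing or unexpected is drift; we do not try to
    decide whether it is malicious, because that is exactly the judgement
    the article says we can no longer make reliably.
    """
    current = build_manifest(deployed)
    return {
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def is_clean(drift: dict) -> bool:
    """True when the copy matches the golden manifest exactly."""
    return not any(drift.values())


def patch_golden(golden: Path, rel_path: str, new_content: bytes) -> dict:
    """Apply a patch to the golden image only and return its fresh manifest."""
    (golden / rel_path).write_bytes(new_content)
    return build_manifest(golden)


def redeploy(golden: Path, deployed: Path) -> None:
    """Kill the deployed copy and replace it wholesale from the golden image."""
    if deployed.exists():
        shutil.rmtree(deployed)
    shutil.copytree(golden, deployed)


def write_tree(root: Path, files: dict) -> None:
    """Helper to lay out a small constructed file tree."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Two hosts deployed from golden; one drifts; patch golden; redeploy all."""
    work = Path(tempfile.mkdtemp(prefix="golden-demo-"))
    golden = work / "golden"
    # constructed golden image: one binary and one config file
    write_tree(golden, {"bin/app": b"app v1", "etc/app.conf": b"debug=false\n"})
    manifest = build_manifest(golden)

    hosts = {name: work / name for name in ("host-a", "host-b")}
    for path in hosts.values():
        redeploy(golden, path)

    # constructed tampering on host-b: binary altered, extra file dropped
    (hosts["host-b"] / "bin" / "app").write_bytes(b"app v1 (tampered)")
    (hosts["host-b"] / "bin" / "cron.sh").write_bytes(b"#!/bin/sh\n")
    before = {name: detect_drift(path, manifest) for name, path in hosts.items()}

    # the patch touches only the golden image, then every host is replaced
    manifest = patch_golden(golden, "bin/app", b"app v2")
    for path in hosts.values():
        redeploy(golden, path)
    after = {name: detect_drift(path, manifest) for name, path in hosts.items()}

    shutil.rmtree(work)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, hosts in demo().items():
        for name, drift in hosts.items():
            print(phase, name, "clean" if is_clean(drift) else drift)
```

Note what the workflow does not do: it never tries to repair host-b's altered binary or decide whether `cron.sh` was harmless. The drift report is only evidence that the copy is in a questionable state, which is the article's point, and the only remediation is to discard the copy and reinstall from the image that received the patch. The same loop applied per user session, with the golden image being a desktop image, is the non-persistent VDI model described above.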
Gartner does seem to think VDI deployments are on the uptick, although most analysts have backed off their heady projections of two or three years ago as we’ve learned more about how expensive VDI deployments can be. Still, where you can make VDI work, it makes sense.