VMblog Expert Interview: Andrey Pozhogin of Kaspersky Talks VDI Security and Hybrid Cloud Security


With most employees working from home these days because of the COVID-19 (coronavirus) outbreak, two technologies that have been around for quite some time have taken on new importance: Virtual Desktop Infrastructure (VDI) and Virtual Private Network (VPN). And with social distancing comes a new threat – a cybersecurity-related one. In turn, the security of VDI and VPNs must become paramount for IT teams.

As organizations rush to shift their businesses to a remote workforce, cybercriminals are ramping up their tactics to take advantage of inadequate or naive security setups. With this new "experimentation" of mass working from home, we're creating a new attack surface that provides an attractive opportunity for threat actors.

To gain a better sense of security and VDI, VMblog spoke to a cybersecurity expert, Andrey Pozhogin, a Senior Product Marketing Manager at Kaspersky.

VMblog:  What's your preferred way to enable working from home during the pandemic lockdown?  VPN or VDI?

Andrey Pozhogin:  Both are industry standards with their own pros and cons, but in my opinion VDI can be a little more secure. It can also facilitate some tricky scenarios, ensure compliance and even give an organization a way out if they're unable to procure the necessary hardware in time.

VMblog:  You mentioned better VDI security - what do you mean?

Pozhogin:  There are some obvious benefits, such as data never leaving the corporate datacenter - only an image makes it to a client device. You break the connection, and there is no data left beyond your perimeter for cybercriminals to find. And then there's also better control and visibility, with the right approach - the use of golden images, for example, to make sure all the VDs are configured the same, which is easier to manage. However, there needs to be a certain level of respect for the security of the VD guest operating system, because a virtual desktop is still a user machine and users are known to be able to surprise security administrators.

VMblog:  How does Kaspersky approach this problem?

Pozhogin:  Providing best-of-breed security for our customers is where we shine, and securing a virtualized infrastructure also has to be done in a very efficient way. There are a couple of such ways to tackle this and using a traditional endpoint solution is definitely not one of them. And we don't go this route; instead, we give our customers two options: use Kaspersky's solution built specifically for VMware's vShield and enjoy completely agentless security for VDs, or, better yet, use the other option, which is Kaspersky Security for Virtualization Light Agent. It's based on our own patented architecture and provides a significantly higher level of security. Both applications are part of the Kaspersky Hybrid Cloud Security solution.

VMblog:  Why is there a difference in the level of security between those two?

Pozhogin:  The thing with Agentless is that we were limited by VMware's API - there were certain things we couldn't do or that didn't make sense from the performance optimization standpoint. Basically, in this scenario we work with whatever vShield throws at us. Make no mistake - having Agentless security is still better than none at all, but if I could choose, I'd go with Light Agent every time. What we do is we put a tiny agent in each of the desktops and this gives us much greater control - we can scan memory, we can protect against network threats, we can monitor how applications communicate and prevent exploitation attempts, monitor and flag attempts to modify essential files and so much more!

VMblog:  This sounds a lot like a traditional endpoint security solution...right?

Pozhogin:  It does, doesn't it? However, the benefits come, as I mentioned, from two things:
  1. Patented architecture that allows us to optimize a lot of operations and keep the performance up. We centralize the security function by offloading it to a Security Virtual Machine (SVM). This Virtual Machine gets requests from the rest of the VMs to scan an object for threats. There's a lot to it, but as an example - think about how many CPU cycles and how much memory we can save by maintaining a cache of those verdicts! If we've already seen an object and are asked to scan it again, we'd instantly reply with the cached verdict.
  2. Integration with a wide range of virtualization platforms. Our solution closely integrates with VMware, Citrix, Microsoft, KVM and other platforms to simplify deployment, configuration and status reporting. This may not sound like much, but administrators who are tasked with this will certainly appreciate the level of automation and convenience the solution provides.

VMblog:  Let's get back to VDI - how does your solution improve it?

Pozhogin:  I mentioned that performance is critical for VDI. Our solution scales linearly with the increasing load onto the virtualization hardware, so basically you can keep squeezing it (that is - rising consolidation ratio) without risking getting stabbed in the back by your security solution. What many organizations have learnt the hard way is that your average endpoint security is not as forgiving.

We've also implemented dynamic license distribution. What that means for a customer is that they can mold Light Agent into their Golden Image and once a new desktop is spun from the image, the Light Agent will pull a license for itself from the management console and start protecting the VD almost instantly.

And last but not least - security. I talked a little bit about this, but it is such an important topic. We need to assist our users as they go about their job-related activities using a machine (physical or virtual) connected to our networks. We need to help them identify threats in the executables they launch and the documents they open. We need to scan the web pages they visit for threats and warn them about phishing sites. Only by doing this can we ensure that our users make educated, informed security choices.

VMblog:  Kaspersky Hybrid Cloud Security seems to be a solution cut specifically for VDI.  Is that the case?

Pozhogin:  It is, and reducing login time for a virtual desktop from minutes to seconds is a validation of that. But it's also so much more. It is our solution of choice when it comes to protecting server environments, both physical and virtualized. We've also invested a lot of effort into integration with public clouds. A built-in Cloud Configuration Wizard helps you deploy our management console in AWS, Azure or GCP in about an hour, as well as set up generic policies and tasks. You can roll out protection in several clouds and it's the same console to manage the security across all the desktops and servers, both physical and virtual as well as instances in public clouds. Flexible licensing options (for example, you can pay per use in AWS or opt for a 1-year AWS contract. Or you can bring your own license that you can get from a Kaspersky partner), tons of integrations and ultimate configurability can fit any environment of any complexity. And if you ever need our help with anything, we're right here for you.


Published Tuesday, April 28, 2020 7:32 AM by David Marshall