In heavily-regulated industries like healthcare and financial services, it’s not enough to keep sensitive data out of the wrong hands. Companies must go a step further and provide detailed records proving compliance with rules to protect customer privacy, block intrusions and control access to internal systems.
Compliance can be a resource-intensive job regardless of IT infrastructure. But for companies deploying virtualized desktops, there are some added complexities, as well as tools and techniques to make record-keeping and audit preparation a bit easier.
At root, the same feature that can make VDI efficient for record-keeping – sophisticated central control of IT resources across dispersed workstations – also makes it challenging to prove compliance to auditors accustomed to more traditional infrastructure.
“You used to be able to show an auditor the physical infrastructure,” says Holland Barry, chief technology officer at Catbird, a provider of security products used in virtual computing environments. One could point to a firewall cable connecting a workstation and demonstrate who had access to a particular system. Today, as enterprises move to cloud infrastructure and software-defined networking and security architectures, proving compliance is more complicated.
North Country Federal Credit Union of Vermont had to “test, test, and test,” before rolling out its VDI system to make sure that applications behave the same in a virtualized environment as on a physical desktop, according to Michael Chouinard, network administrator for North Country. The credit union has deployed virtual desktops to serve the vast majority of employees. One tricky issue was the software it uses for tellers, Fiserv Datasafe Teller Navigator, which associates authorized users with a particular device. North Country had to use persistent desktops, with each user's settings saved to reappear at the next login, for the program to work.
Integrating compliance policies and programs in a VDI system can be a particularly complex task in heavily-regulated industries, given the alphabet soup of compliance mandates and the plethora of software products used to manage them. In healthcare, HIPAA (the Health Insurance Portability and Accountability Act) is one of the most complicated mandates for IT compliance. In financial services, standouts include SOX (the Sarbanes-Oxley Act) and PCI DSS (the Payment Card Industry Data Security Standard).
Every mandate contains a different set of technical specifications. Enterprises must address security vulnerabilities at the user level, the endpoint device level, the application level, the data center level, the network level and the management level. Regulations are also only getting more stringent: a 2015 Thomson Reuters survey of financial compliance practitioners found that most expected regulatory fatigue, resource challenges and personal liability to increase in the coming months and years.
Light at the end of the compliance tunnel
VDI won’t make those compliance burdens go away. However, a big advantage of the technology is that it provides central control and tracking over which desktops can access which applications, Barry says.
“The VDI use case is really a killer one because you can do things that would be very hard on a physical desktop, such as intra-zone isolation, which ensures that desktops can’t talk to each other, only to applications they need to access,” he explains.
Barry says he’s optimistic that audits for VDI-enabled businesses will become easier as more professionals hired to oversee security compliance learn to assess virtualized systems. Even a few years ago, he recalls, if you were using a virtual firewall, it was hard to find a security auditor willing to certify its effectiveness. Today, virtualization-savvy auditors are much more prevalent. That’s an important development, as heavily-regulated industries are among the heaviest users of VDI.
Moreover, deployed properly, VDI can be a much more secure solution for companies than physical desktops, says Chouinard. “We’re keeping our data off the edge, out of those physical places where it could be lost or stolen,” he says. “It’s all locked up in our server.”
Underwritten by HPE, NVIDIA and VMware.