Security remains top of mind for any data center professional, but who knew it was this bad: Gartner is now advising people to just kill workloads entirely to improve security.
At the Gartner Data Center Conference on Tuesday, Gartner VP and Research Fellow Neil MacDonald gave a talk titled, “Killing Workloads to Make IT More Secure and Ultimately Improve IT Resiliency.”
His point was that malware has become so difficult to detect that we can no longer tell for sure what’s infected with malware and what isn’t. His suggested solution is to simply wipe out applications, routinely, and replace them with those you know to be malware-free.
Let’s start with servers. MacDonald says the process we use to patch servers is “fundamentally flawed.” When a patch comes out, IT dutifully applies it to servers, thinking that’ll fix any issues. But a patch only closes the hole going forward; it does nothing about whatever may already have come through it. If you can’t say for sure that the server isn’t already infected, you are simply applying a patch to a server that’s in a questionable state. “So now you have a patched machine that’s still in a questionable state,” he said.
A better approach is to keep a collection of applications that you know are free of malware, using emerging tools from vendors such as RPath. When a patch comes out, apply it only to that central image, which you know is free of malware. Then kill the app on all your servers and replace it with that new, patched image. Assuming you’ve got sufficient bandwidth in your network, it won’t take any longer than traditional patching, MacDonald assured me after his talk.
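The server workflow above, as an added example that is not code from the article, from Gartner or from rPath: a small POSIX shell script in which two directories under a temp dir stand in for the golden image and a running server, file digests stand in for whatever image-management tooling you use, and the application files are constructed for the demo. It contrasts an in-place patch with a kill-and-redeploy after a simulated compromise.

```shell
#!/bin/sh
# Added example, not code from the article, Gartner or rPath. Directories
# under a temp dir stand in for an application image and one server; all
# file contents are constructed for the demo.
set -eu

WORK=$(mktemp -d)
GOLDEN="$WORK/golden"           # the single image you trust
RUNNING="$WORK/running"         # what one server is actually executing
MANIFEST="$WORK/golden.sha256"  # digests of every file in the golden image

# Hash every file in a tree (path + digest), sorted so manifests compare stably.
tree_digest() {
  (cd "$1" && find . -type f | sort | xargs sha256sum)
}

# Build (or rebuild after a patch) the golden image at a given version
# and record its manifest. This is the only place content is ever authored.
build_golden() {
  rm -rf "$GOLDEN"; mkdir -p "$GOLDEN"
  printf 'version=%s\n' "$1" > "$GOLDEN/app.conf"
  printf '#!/bin/sh\necho hello\n' > "$GOLDEN/app.sh"
  tree_digest "$GOLDEN" > "$MANIFEST"
}

# MacDonald's approach: throw the running copy away and redeploy from golden.
# Nothing on the server survives, whether you knew about it or not.
redeploy() {
  rm -rf "$RUNNING"
  cp -R "$GOLDEN" "$RUNNING"
}

# The conventional approach: apply only what the patch changed to the live
# copy, leaving every other file (including an attacker's edits) in place.
patch_in_place() {
  cp "$GOLDEN/app.conf" "$RUNNING/app.conf"
}

# Does the server still match the golden manifest? 0 = yes, 1 = drifted.
# Catches modified, added and removed files, not just the ones you patched.
verify_running() {
  tree_digest "$RUNNING" | diff -q - "$MANIFEST" >/dev/null
}

# Stand-in for a compromise: something appends to a script on the server.
tamper() {
  printf 'echo owned\n' >> "$RUNNING/app.sh"
}

# Walkthrough: deploy 1.0, compromise the server, then compare how the two
# responses to the 1.1 patch leave the server. Returns 0 if the story holds.
demo() {
  build_golden 1.0
  redeploy
  verify_running || { echo "unexpected drift after fresh deploy"; return 1; }
  tamper
  verify_running && { echo "tamper not detected"; return 1; }
  build_golden 1.1
  patch_in_place
  verify_running && { echo "in-place patch hid the tamper"; return 1; }
  redeploy
  verify_running || { echo "redeploy did not restore golden"; return 1; }
  echo "in-place patch kept the compromise; redeploy from golden 1.1 cleared it"
}

demo
```

Run it with sh; it needs sha256sum, diff and mktemp. In a real deployment the golden image is a VM, container or appliance image and redeploy means reprovisioning the instance, but the property shown is the same: patch_in_place updates only what the patch touches and leaves the attacker's change to app.sh behind, while redeploy discards the whole running copy. Two caveats the article does not spell out: the approach is only as good as the trust you place in the image build pipeline, and anything that persists outside what gets replaced (data volumes, firmware, the hypervisor, the image store itself) survives the redeploy.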
As for desktops, his answer is simple: desktop virtualization, or virtual desktop infrastructure (VDI). I’ve had my eye on VDI technology for years and have talked with lots of customers who have had great success with it. There’s no doubt in my mind that VDI does lead to improved security on desktops.
But the way MacDonald framed the argument was new. He’s essentially saying that because you can’t say for sure that your desktops aren’t infected, you should blow them up every time a user logs off and install a new image every time the user logs on again. That’s a slightly different twist on the argument that we’ve used for VDI for years: because you are maintaining only a single desktop image within the confines of the data center, it’s far easier for IT to secure. As with the server example, just patch one image and distribute it to whoever needs it. It’s a fine line, but if it gets more people to consider VDI for the operational and security benefits it brings, that’s a good thing indeed.