Agentless security offers virtual peace of mind: Grenda Transit
- — 21 May, 2012 15:17
Despite the increasing organisational complexity of a major business restructure, a completely virtualised server and desktop environment – and a new approach to securing it – has helped Melbourne-area transit provider Grenda Transit (GT) keep on top of its changing security profile.
That profile proved to be a major issue last year when GT, a 67-year-old family business that had grown to employ 1100 staff and run 600 buses, split its bus transit and bus manufacturing businesses in a November 2011 deal that saw its longtime rival, Ventura Bus Lines, take over the bus-transit operations. As part of the deal, however, GT's IT division would retain responsibility for service delivery both to the new organisation and to its newly-separated manufacturing business, Volgren.
Having steadily pushed towards virtualisation technology in the past, GT found itself needing a way to deliver consistent desktop images to employees across the various divisions. Its solution was to run the Citrix Systems Published Desktop, running individual desktop instances in a virtual-server environment.
This approach has become increasingly popular as organisations work to meet the challenges of bring-your-own device (BYOD) strategies, which are forcing IT managers to accommodate employees' personal smartphones and tablets simply through sheer weight of numbers.
"For me, BYOD isn't such a big deal," says Gavin Gusling, Grenda Transit's general manager of IT. "We've virtualised our desktop in Citrix and have a public-facing remote access page where you can log into it. Effectively, all of our data lives in our data centre – and never leaves it. So we've covered off all the privacy issues, and because everything lives in there, I can run desktops on anything from a local computer to an iPod touch."
Not only can the Published Desktops be accessed from nearly any device, but they can be quickly created as new employees are brought onboard. This is particularly useful for the Volgren manufacturing business, which often sees surges in employment numbers as employees are brought onboard to fulfil new bus-making contracts.
Restructuring the server environment has presented its own challenges, however: for example, the change meant revisiting the company's Microsoft Client Access License (CAL) setup, which Gusling says was "nowhere near as easy as what we considered when we first put it on the table".
And while virtualising the company's desktops may have offered significant benefits in accessibility, it created a new security challenge: conventional antivirus-type security scanners into each server desktop tried to seize exclusive control over pooled CPU and disk resources. It also, from a practical perspective, presented an untenable management burden in keeping all images updated all the time.
Grenda had to take a different approach – and it did so by installing the XenDesktop servers not on their own physical hardware, as convention would have it, but loading the XenAPP servers into a XenServer and VMware ESX Server server-virtualisation environment.
"In the past, we had used physical servers," Gusling explains, "and whenever we had changes, it became almost impossible to keep the Citrix image consistent across multiple hardware platforms. We took about a 5 per cent performance hit by virtualising, but that was easily offset by the benefits of being able to quickly provision new Servers."
Since this approach involved pulling the security perimeter back from individual desktops, GT staff are trialing Trend Micro's Deep Security package, which scans for intruders at the ESX Server hypervisor level instead. Deep Security's agentless design avoids the potentially disastrous conflicts between multiple instances scanning simultaneously – and helps GT staff aiming to simplify the administrative overhead for the company's security environment.
"With 80 virtual servers currently providing services across the business plus 30-odd Citrix servers, there is a fair overhead in maintaining our environment," Gusling says. "To actually run the scanning service in the virtual environment as a dedicated machine that had no agents on the virtual guests, means that the whole administrative overhead should just disappear."
Despite the freedoms it has enabled, however, the Deep Security proof-of-concept trial has exposed many of the control issues that the move to centralised security often raises. Users can get touchy when their access to particular resources is blocked, although Gusling says they usually come around when the security requirement is clearly explained to them.
"The key to all of this is being able to talk to your users," he explains. "It's about being able to have a conversation where you say 'we can do this and this and this, but there's a risk that such and such is going to happen'."
"What you'd really like is an educated, human firewall – where the person who's actually using the technology says 'I'm going to be responsible for what I'm doing'. And when you ask them whether they want a particular bit of information published on the front page of the Sydney Morning Herald or The Age, they say 'no, not really'. So you can then work together to do something about it. It's all about interaction."