Implementing Security Best Practices in the Virtual Data Center

  • Virtual data center security must be agile and mapped in real-time to virtual infrastructure management tools
  • Offloading of anti-malware scanning improves user experience, reduces redundant scans, and provides high availability
  • Born-secure VM instantiation ensures compliance, improves virtualization density, and minimizes application latency

Virtualization heavyweight Citrix recently published a thoughtful article in the Tech Papers section of the Citrix Tech Zone entitled Endpoint Security and Antivirus Best Practices, outlining a point-by-point primer on working with security vendors to procure the right anti-malware tools to secure virtual applications and desktops. Citrix focuses on four challenging areas:

  • Agent Registrations
  • Signature Updates
  • Performance Optimizations
  • Anti-Virus Exclusions


This blog describes Bitdefender’s fully-compliant implementation of the Citrix best-practice guidelines, covering GravityZone Security for Virtual Environments (SVE) which provides security for next-generation infrastructure including the software-defined datacenter, hyper-converged infrastructure, and the hybrid cloud.

  1. Securing Non-Persistent Workloads

“Isn’t AV the same in the virtual data center and VDI desktops as it is for fixed and persistent VM endpoints?”

Securing non-persistent workloads—like VDI desktops that rapidly come and go—presents numerous challenges that exceed the scope of fixed client security. Within these transient workloads, machines are often identified uniquely by a GUID that is generated during the security tool installation process, so that dynamically provisioned machines do not appear in the management console and deprovisioned machines leave orphaned entries in the console.

Enterprise software requires centralized management for real-time granular deployment operations, security policy configurations, and event reporting. GravityZone SVE is built with from the ground-up for virtualization. It is delivered as a virtual appliance, integrates with infrastructure-management tools, and leverages virtualization infrastructure for seamless operations because the virtualization infrastructure is monitored in real-time. GravityZone SVE integrates with Infrastructure as a Service (IaaS) management tools—including vCenter Server, XenServer, Nutanix Prism, AWS, and Azure—allowing for inventory replication in real time with full visibility into environmental changes. Any time a virtual machine is created, moved, or deleted from the inventory, GravityZone SVE updates immediately.

  1. Performance of Legacy Antivirus

“When our old AV would start scanning, the infrastructure would come to a screeching halt”

Legacy antivirus solutions in the virtualized datacenter face the longstanding challenge whereby AV signature updates significantly degrade performance, reducing the efficiency of the datacenter and frustrating users. Unoptimized security solutions use decentralized updates, often with large signature files that must be downloaded and updated regularly (sometimes hourly) and scanned continuously. In non-persistent environments, this can lead to security challenges (window of opportunity) and large network traffic (signatures are reset on boot).

GravityZone SVE scan offloading solves these problems. A Security Virtual Appliance (SVA) handles all updates so that each VDI client requires fewer updates. Significant CPU, memory, and disk activity footprint consumption is moved to the SVA so that virtual datacenter environments achieve higher VM-to-host densities and superior VDI performance.

How to Build A Windows Virtual Desktop (VDI) Experience Properly Cheat Sheet

  1. Navigating “Agentless”

“Wouldn’t agentless security solve all of my virtual datacenter performance and density issues?”

Not long ago, security administrators (and security vendors) hung their hopes on “agentless” security to solve their virtual datacenter performance woes, performance and density being chief among them. In practice however, all agentless VMs rely on a single security appliance and unknown files are transferred in full between each VM and the offloading appliance, resulting in higher latency and slower performance. Built correctly as in GravityZone SVE, scan offloading has since supplanted agentless security as the preferred deployment model, as shown in the table below.

Agentless vs. Scan Offloading Deployment Models


Scan Offloading

Require 1 SVA per host

Requires 1 SVA per 200 VMs across hosts

Offloading handled by a platform driver

Offloading handled by a Bitdefender driver

Full files transferred to SVA for analysis

Only unique file sections transferred to SVA

High availability is not achievable

High-availability and load distribution built-in

  1. Security Optimization for Large-Scale Deployments

“I’ll just scale up my existing AV solution to match the rapid growth of my virtual datacenter deployments.”

Security optimization remains a persistent challenge in large-scale deployments. Traditional security agents are not suitable for single-image management and the lack of centralized scanning and intelligence sharing hinders efficiency.

Bitdefender overcomes these scale issues with a two-tier caching technology. GravityZone SVE caching occurs on both the VM and the Security Virtual Appliance. The caching also has two components: a pre-trained cache and a self-learning cache. With this efficient design, the SVA inspects each file only once even if it appears on multiple VMs—avoiding redundant scanning, dramatically reducing CPU, RAM, IO, and network load across the datacenter or any defined VM cluster.

  1. Troubleshooting Performance Issues

“If nothing else changed and users are complaining about performance, start by checking antivirus.”

Administrators of virtual datacenters face a core challenge when attempting to troubleshoot performance issues and determine their root causes. With so many moving parts, and multiple vendors involved, solutions are often unclear.

GravityZone SVE features a single point of configuration for all server, desktop, and cloud VMs. It maintains centralized configurations that propagate in real time and provides a local troubleshooting interface for testing and validating configuration changes that can resolve and improve performance issues.


     6. Lack of Smart Scanning Exclusions

“Our old antivirus caused excessive latency as it would scan system files that are always the same across clones.”

A final challenge faced by virtual datacenter administrators is the lack of smart scanning exclusions, especially among VDI desktop and server “clones”, where thousands of pre-installed operating system and application files are identical across VM instances. Since as stock Windows 10 installation often includes over one million distinct files—before any applications are even loaded onto it—why scan “known good” files when you don’t have to?

Conventional AV tools use two common approaches to scanning exclusions in the virtual datacenter: no default exclusions at all, or a single exclusion policy for all VM workloads. Both solutions are suboptimal. GravityZone SVE includes a flexible scan exclusion model with default scanning exclusions for a fast, reliable performance boost across your VM estate, or admins can implement custom exclusions as recommended by their specific virtualization infrastructure provider, including:

  • Citrix-recommended exclusions for XenApp and XenDesktop
  • VMware-recommended exclusions for VMware Horizon
  • Microsoft-recommended exclusions for Windows servers and desktops
  • Nutanix-recommended exclusions for Acropolis and Prism

Impact of Virtualization Security on Your VDI Environment White Paper


Layered next-generation security is a necessity, especially in the virtual datacenter, where advanced protection against breaches cannot come at the expense of VM efficiency, density, or performance. Organizations should opt for security specifically designed for virtualization and for the cloud, as legacy anti-malware security introduces excessive latency that hinders user experience with their “heavy” agents that take up host resources, reduce consolidation ratios, and drive up costs. Real-time security integration with infrastructure-management tools is critical for expedient deployments, to maintain real-time VM inventory, facilitate security automation, and ensure compliance in non-persistent environments.

For further information on GravityZone SVE, please download our datasheet or contact us here.

*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Michael Rosen. Read the original post at:

Secure Coding Practices