Home » Security Bloggers Network » Non-Persistent VMs with a Persistent User Experience – Make Your IT Admin’s Life Easier

Non-Persistent VMs with a Persistent User Experience – Make Your IT Admin’s Life Easier

by Yan Aksenfeld on August 11, 2020

Desktop virtualization solutions and use cases

Desktop virtualization for end users in organizations is not a new concept. Since the 90’s, Citrix has been offering end users remote access to corporate software running in the datacenter. While managed virtual desktop infrastructure has provided a full desktop in the datacenter since the early 2000’s, and has continued to grow in popularity in certain markets.

Developers and IT personnel have been using personal virtualization software such as the VMware Workstation since the inception of x86 hypervisors in 1999 to experiment and develop software. Organizations have been spinning up personal environments in their data centers for experimentation and remote access purposes (“jump boxes”) for years as well.

More recently, a full virtualized desktop is now offered as a fully managed service in the cloud by companies such as VMware or Microsoft.

Use cases of desktop virtualization include:

A fully virtualized desktop in the datacenter or the cloud with a full or thin client for initiating the connection
Secure and isolated remote access to the organization
Productivity access to the internet where a virtualized environment allows users to not be confined to the stringent restrictions of the corporate network
Developers who need to experiment in an isolated environment

Managing and protecting virtualized environments

One of the bigger issues with any desktop virtualization solution has always been that there is an additional underlying operating system running the virtual operating systems. This OS needs to be patched, managed, scanned for vulnerabilities, protected and sometimes re-imaged by IT. Managing the OS of a single set of endpoints (or thin clients) is hard enough – this problem is amplified when taking into account that IT now needs to manage the OS of another virtualized environment. Now,imagine patching, managing and protecting double the amount of machines; you get a huge and costly IT operation.

Sponsorships Available

This significantly lowers the ROI of virtualization solutions for isolation, secure access from home and productivity (not to mention the datacenter, licensing and hardware/cloud costs).

Securing those operating systems can be a nightmare, but it is necessary. They are sometimes meant as playgrounds for experimentation or gateways to the internet, but are especially important when used for accessing corporate applications. If breached or infected, they need to be monitored and reimaged (a timely process) or made into non-persistent OS. Non persistence brings a set of new issues as users may lose all their work and setup every time they login.

Over the years, multiple methods have been proposed and implemented for more efficient VM image management to reduce the issues:

OS Management Solutions such as SCCM, Intune, Workspace One, IBM Bigfix and more can centrally manage non-VDI virtualized environments (such as local VMs, jump boxes or datacenter based development VMs). These solutions are complex, and double the amount of OS’s to manage, sometimes even doubling the costs of the deployment. These systems do not provide a good solution for managing VDI environments.
VDI and DaaS solutions are centralized in the datacenter or cloud, they offer the ability to manage a small set of golden images for disparate user groups and have the changes apply to all virtual desktops at once. This solves the pain of managing thousands of machines, but requires heavy investment in making sure these golden images are “perfect” – optimized and secure. A slip on one of the images could mean significant downtime, performance issues or worse of all a security breach. In addition, applying these changes is far from quick and requires long downtimes for provisioning and reimaging and leads to various issues (login storms anyone?). VMs still need to be managed after initial deployment from a golden image.
In many cases, the VMs are created as non-persistent VMs or volatile VMs. This creates great security and consistency making sure that everyone gets the same experience, and prevents the need to patch the VMs after initial deployment.

That said – non-persistent VMs are problematic from a user experience perspective. Users lose any configurations, files or software installed on the VMs making this a solution feasible only for very specific and limited use cases such as call centers which include very basic computer usage.

Introducing Non-persistent VMs with a twist

Some non-persistent VMs take a different approach, which brings the best of both worlds and have a great security vs productivity value. Such machines are non-persistent, but provide a persistent user experience. This means the OS is created from scratch each time, and a clean version is spun up without any potential breaches or malware that could be lingering in the OS files and other system directories. On the other hand they contain a persistent area allowing more complex use cases where the VM needs to be customized, data stored and applications installed.

Productivity

Non-persistent machines prevent users from storing their files, setting and installing software without them getting deleted upon a restart, and allow users to customize and personalize their machines. This can fit certain use cases, but it would prevent most users from effectively accomplishing their tasks.

With a non-persistent machine providing persistent user experience, the VM is split into three distinct areas:

A non-persistent, consistent and clean OS returning to a snapshot with every restart
A non-persistent snapshot overlaid on top of the basic OS files. This snapshot is a clean area sanctioned by the organization and includes any applications, configurations (e.g. certificates) which can be included in the clean state of the VM. When the machine restarts, it essentially reverts to the clean snapshot and not a completely clean OS.
Users get their own persistent area to work in – their user profile. Users are limited to work inside their profile to prevent user frustration and losing data.This allows users to store files, any Windows store app and other programs confined to the user profile in a persistent manner if allowed by their organization.

As a result of this split, users get a clean OS, while still maintaining persistent areas for themselves and their organization.

Such VMs can even take productivity to the next level by providing a flexible application catalog to end users. Users could choose applications from a catalog and have them automatically – or even immediately attached to a virtual machine.

This can be achieved through multiple technologies with concepts similar to VMware App Volumes, Microsoft FSLogix or Microsoft app attach which attach applications to VMs making application installation instantaneous.

Security

Depending on the use case, malware could infect the operating system of the virtual machine. A fully persistent machine will need complex detection and mitigation software in place to quarantine and prevent the malware.

On the other hand, a non-persistent machine would just be reverted to a clean slate on reboot including a completely clean operating system image and snapshot.

If a compromise is discovered in the user profile, it can be reset within seconds and assuming the data is backed up the user can be productive again within minutes rather than days or hours on a fully persistent machine.

From an isolation perspective, VMs are one of the best and most trusted ways to keep data, potential malware and attackers isolated. At the end of the day they are trusted to isolate information in the datacenter and the cloud for the past 20 years. Malware sitting in the VM cannot in any way affect the host.