Approach Two: A Separate Peace
Since trying to enforce good policy on machines that lie outside the
control of IT is such a tricky proposition, a simpler way to install
controls involves situating a tightly controlled desktop environment
within the employee's machine through desktop virtualization.
The most mature means of providing users with desktop environments
that are segregated from their hardware involve SBC (server-based
computing) products such as Microsoft Terminal Services and Citrix
Systems' XenApp (formerly known as Presentation Server). These products
enable administrators to deliver managed desktop environments or
individual applications to their users.
In addition to traditional server-based computing, companies can
deliver managed desktop sessions hosted from individual virtual
machines running in the data center atop hypervisor products such as
VMware ESX Server or Citrix XenServer, with each user's desktop
running in its own virtual machine. Users can then access the hosted
sessions through a remote desktop technology such as VNC (Virtual
Network Computing) or Microsoft's RDP (Remote Desktop Protocol).
This approach offers more flexibility than server-based computing
because VM-based desktops can be treated the same as typical desktops,
in terms of the sorts of applications to which they can play host.
However, SBC and VDI (virtual desktop infrastructure) share the same
significant downside: Both strategies rely on continuous network
connectivity to keep user desktops accessible.
For the many situations in which stable network connectivity cannot
be relied upon, client-side desktop virtualization options, such as
VMware's ACE, enable IT departments to deploy virtual computing
environments that run atop a Type 2 hypervisor, which is itself hosted
under the user's client operating system.
Over the past few years, the range of Type 2 hypervisor options has
expanded such that most client operating systems, including Windows,
Mac OS X, Linux and Solaris, can be outfitted to host an x86-based
guest environment. The SBC and VDI approaches to desktop virtualization
are also cross-platform friendly, as remote desktop clients are
available for most client operating systems as well.
Client-side virtualization products place an added hardware resource
burden on desktops and notebooks, however. In particular, RAM
requirements for machines that host virtual desktop instances are
greater. Similarly, not all applications run happily in a virtualized
hardware environment, a limitation most likely to materialize for
Finally, just as with the nonvirtualized user-controlled system
approach I laid out above, the fact that both SBC/VDI and client-side
virtualization run under a host operating system makes it difficult to
exorcise issues of trust and security when that host is managed outside
the domain of company administrators.
Looking forward, I expect to see support for much stronger isolation
between multiple operating environments running on a single client
machine improve as Type 1 hypervisors begin to ship on notebooks and
desktops. Citrix and VMware have both discussed plans for embedding
"bare-metal" hypervisors in future notebooks, which should help resolve
issues around deploying trusted, closely managed guest environments
alongside user-controlled environments.
Executive Editor Jason Brooks can be reached at firstname.lastname@example.org.