App Whitelisting, Virtualization Aid Enterprises with Employee-Owned PCs - Page 2

Approach Two: A Separate Peace

Since trying to enforce good policy on machines that lie outside the control of IT is such a tricky proposition, a simpler way to install controls is to situate a tightly controlled desktop environment within the employee's machine through desktop virtualization.

The most mature means of providing users with desktop environments that are segregated from their hardware involve SBC (server-based computing) products such as Microsoft Terminal Services and Citrix Systems' XenApp (formerly known as Presentation Server). These products enable administrators to deliver managed desktop environments or individual applications to their users.

In addition to traditional server-based computing, companies can deliver managed desktop sessions hosted on individual virtual machines, one per user, running in the data center atop hypervisor products such as VMware ESX Server or Citrix XenServer. Users then access the hosted sessions through a remote desktop protocol such as VNC (Virtual Network Computing) or Microsoft's RDP (Remote Desktop Protocol); because the whole session crosses the network, that channel needs to be encrypted and authenticated, whether natively or through a VPN.


This approach offers more flexibility than server-based computing because VM-based desktops can be treated the same as typical desktops, in terms of the sorts of applications to which they can play host. However, SBC and VDI (virtual desktop infrastructure) share the same significant downside: Both strategies rely on continuous network connectivity to keep user desktops accessible.

For the many situations in which stable network connectivity cannot be relied upon, client-side desktop virtualization options, such as VMware's ACE, enable IT departments to deploy virtual computing environments that run atop a Type 2 hypervisor, which itself runs as an application on the user's client operating system.

Over the past few years, the range of Type 2 hypervisor options has expanded such that most client operating systems, including Windows, Mac OS X, Linux and Solaris, can be outfitted to host an x86-based guest environment. The SBC and VDI approaches to desktop virtualization are also cross-platform friendly, as remote desktop clients are available for most client operating systems as well.

Client-side virtualization products place an added hardware resource burden on desktops and notebooks, however. In particular, machines that host virtual desktop instances need more RAM, since the host and guest operating systems run at the same time. Similarly, not all applications run happily on virtualized hardware, a limitation most likely to surface with graphics-intensive applications.

Finally, just as with the nonvirtualized user-controlled system approach I laid out above, the fact that client-side virtual machines run under the host operating system, and that SBC/VDI sessions are reached through a client running on that same host, makes it difficult to exorcise issues of trust and security when that host is managed outside the domain of company administrators. A compromised host can read keystrokes and screen contents and inject input into the guest or the remote session, no matter how tightly that session itself is locked down.

Looking forward, I expect support for much stronger isolation between multiple operating environments running on a single client machine to improve as Type 1 hypervisors begin to ship on notebooks and desktops. Citrix and VMware have both discussed plans for embedding "bare-metal" hypervisors in future notebooks, which should help resolve issues around deploying trusted, closely managed guest environments alongside user-controlled environments, provided the hypervisor itself boots through a chain the company can verify, so that the user-controlled environment has no way to tamper with it.

Executive Editor Jason Brooks can be reached at [email protected].