Desktop Virtualization and Security

Probably more Macintosh owners than PC owners are using desktop virtualization software on their systems. Like it or not, sometimes we need to live in a PC world, and Parallels, VMware Fusion, and Apple’s Boot Camp allow us to run Microsoft Windows alongside or instead of MacOS on our machines. At this point in time, Apple does not allow MacOS to be virtualized. Microsoft Virtual PC allows Windows XP and Windows Vista to be virtualized on the same or the other OS.

In addition to the ‘convenience’ of being able to run Windows on our systems we can gain a substantial amount of security. But let me back up for just a moment to describe an idea that’s been gaining popularity amongst workers while causing CIO heartburn.

Like it or not, many employees are using their own hardware for work. It starts with smartphones, but soon extends to using their own desktops at home, and finally ends up with employees bringing their favorite high-powered laptop into the office so that they don’t have to put up with that five-pound, two-year-old dinosaur that the IT department issued to them when they joined.

Some companies, most notably Citrix Systems, have embraced employees bringing their own systems to work, calling it something like ‘Bring Your Own Computer.’ The company specifies some minimum capabilities and requirements but lets the employee choose whatever computing device they want. Minimum requirements might include buying a maintenance contract, locking down the USB ports, running antivirus software, and encrypting the hard drive.

Let’s go back to our virtual machine. Whether employee- or company-owned, home and work use tend to get mixed. How many of you can say that you never check your personal email or visit eBay at work or on a business trip? Wouldn’t it be better if you could separate home and work 100% without losing convenience?

Home and work can be kept separated through different accounts on the same OS, but a number of issues arise. For example, file permissions can be altered under one account to allow access from another account, and if the system is infected while using one account then all accounts are infected.

Running completely separate virtualized OS instances guarantees total separation. This can be done today on Mac or PC by using one of the hosted hypervisors listed above. As of the date this was written, if you want one OS to be MacOS then the other OS instance needs to be Windows, because the MacOS license does not allow it to be virtualized. Another issue is that any virtualized OS needs to run as a guest on another OS until a workstation-class native hypervisor shows up. This means that if the host OS crashes, the guest crashes with it. Citrix and Intel have announced cooperation to develop a native hypervisor which will prevent this problem.

I hope this post gives you some background on how to use VMs to get your IT department off of the employee PC upgrade treadmill and let employees use the hardware and OS that will make them more productive while increasing the security of your information.

My next post will talk about ways to virtualize desktops and applications so that they run in your data center where they are easier to safeguard and upgrade. Hope to see you soon!

Ron LaPedis, MBCP, MBCI, CISSP-ISSAP, ISSMP
Principal
Seacliff Partners International, LLC


1 Comment to “Desktop Virtualization and Security”

  • Hannry says:

    We are located in Malaysia. We have created something similar to U3; but are open community friendly to make this an open system with API & SDK. We are wondering if anyone can help us to get funding if there is any potential and opportunities in this business.

    We also signed TAP with VMware to use their apps virtualization to proliferate in the market and figure out where to work to make the apps secure tied to licensing so that there will be no commercial software flying around over the internet with legal implications.

    Thanks for your kindness
    Hannry
