MASSACHUSETTS VIRTUAL DESKTOPS ALTERNATIVES AND SECURITY VMware ACE virtual desktop alternatives home in on security

VMware ACE virtual desktop alternatives home in on security

By Hannah Drake, Associate Editor 06 Nov 2007 | SearchServerVirtualization.com

If more companies used virtual desktop technologies, there would be a lot fewer news stories about stolen corporate laptops.

Organizations that have fallen prey to stolen laptops and loss of sensitive data include the Transportation Security Administration, Yale University and the U.S. Department of Veterans Affairs. And last month, home improvement store giant Home Depot announced the theft of a laptop containing personal information, including Social Security numbers, names and addresses of 10,000 nationwide employees. Virtualizing desktops accessed by remote or traveling workers could help to eliminate this problem.

Client-side virtual desktops to the rescue
To address increasing mobile computer use as well as concerns about data security and protection, software companies Kidaro Inc. and Sentillion Inc. have developed enterprise-level virtual desktop applications to keep proprietary and confidential information secure.

As with VMware's Assured Computing Environment, or ACE, these companies' virtual desktop technologies add a policy and authentication layer to virtual machines running on an existing virtualization layer such as VMware Workstation or SWsoft's Parallels Desktop. By requiring sign-on from remote computers, the data and applications running in a virtual desktop are securely isolated from a notebook's own local desktop and applications.

This client-side approach to virtual desktops differs from server-side implementations such as VMware's Virtual Desktop Infrastructure (VDI) and the newly announced Citrix XenDesktop. With these server-side solutions, the desktop resides on a virtual machine running on server hardware in a data center and is accessed over a network. Client-side virtual desktop technologies, on the other hand, physically reside on the local computer. Although IT workers like VDI-type solutions because they centralize control, the technology has its limitations. "Since the user has to be connected, [server-side virtual desktops are] limited to deployments in call centers or other environments where there's pervasive connectivity," said Bob Roudebush, the voice of the virtualization blog RoudyBob.net .

At the same time, the ability to encapsulate a virtual desktop image and run it on a local PC should appeal to many companies whose users need to access sensitive business information outside of the office, according to Michael Rose of Framingham, Mass.-based research firm IDC.

VMware's ACE doesn't cut it
While VMware currently dominates the virtualization market, some system administrators have chosen Kidaro or Sentillion's vThere rather than the market leader, VMware's ACE.

"Both vThere and Kidaro offer interesting capabilities which VMware ACE does not provide," said Roudebush. VThere offers a Web-based virtual desktop authentication, hosting and management system, and Kidaro offers a streamlined end-user interface and desktop security on a stick, he said.

Kidaro's simple end-user experience touts easy access to desktop images and a windowless application feature that makes virtualized applications appear as though they are running on a user's physical PC.

"In ACE, when you run your virtual desktop, the virtual desktop is a separate window," said IDC's Rose. "Kidaro has integrated the two desktops. If you have applications on your desktop environment, the program list [in the virtual desktop] will include the applications on the regular notebook." Kidaro also offers speedy data transfer with its Trim Transfer technology. If a remote computer already runs an operating system and/or patches assigned to a virtual desktop, for example, Kidaro will exclude the operating system from the virtual desktop download. This is called "data de-duplication," said Roudebush. Kidaro's ToGo, which stores a virtual desktop on a USB stick, also simplifies virtual desktop access. While ToGo is similar to VMware's PocketACE, Roudebush said that some feedback he's gotten indicates that PocketACE doesn't have the level of control or encryption that Kidaro ToGo provides. Unlike Kidaro, Sentillion's vThere is a Web-based solution, in which a "golden image" of a virtual desktop is stored on Sentillion's vThere.NET site and from which it is downloaded to a user's PC. End users authenticate access via the Web. Although it's unnecessary to use vThere's .NET third-party hosting service, it's a large part of the vThere technology and offers considerable benefits, according to Roudebush.

"[Web distribution] removes the need for a remote user to connect to the corporate network to download and use an image or for the IT group to need to figure out some other method to distribute the image," he said. "By uploading the image to vThere.NET, remote users, whether they are employees, contractors, or partners, don't necessarily need direct access to corporate IT resources."

Not surprisingly, vThere focuses heavily on the remote-access use case, Roudebush said. Other features include virtual private network (VPN) and Active Directory integration into the VM startup and authentication process via a modified GINA (that is, graphical identification and authentication) client, Roudebush explained.

Chris Wolf, an analyst at Midvale, Utah-based Burton Group, agreed that vThere's "greatest perk" is its focus on security. "Organizations are increasingly challenged with how to securely connect users who connect on untrusted personal or third-party systems," Wolf wrote in an email. "For example, many remote presentation applications have no answer today for keyloggers on the remote system," he continued. "I haven't heard of a keylogger yet that's capable of capturing keystrokes inside a secure vThere virtual environment." Another perk of Web-hosted virtual machine authentication is that access to a revoked image is restricted as quickly as possible, Roudebush added, explaining that VMware ACE doesn't offer this feature.

For those who choose to employ Kidaro or vThere rather than ACE, deciding between the two technologies can be tough. What kinds of factors should guide the choice?

Smaller companies with fewer resources as well as organizations that value RSA-certified security and VPN integration, may prefer vThere because of its hosted management capabilities, suggested Roudebush.

Kidaro would appeal to companies that want to replace a large number of loosely managed physical PC-based images with tightly controlled virtualized desktops, that need support for both Microsoft and VMware-based technologies, and that want to use an underlying virtualization application apart from VMware Player or Parallels Workstation (and to which vThere is currently limited).

Making the business case for virtual desktops
While the software isn't free, making the case for virtual desktop technology shouldn't be difficult, according to Roudebush.

"As long as IT departments have tangible ways to measure the cost of purchasing, configuring and supporting physical PCs, it will be fairly easy to justify the expense of moving to virtual desktops, especially in remote-access or branch-office scenarios and other prime use cases like call centers or third-party access to corporate systems," he continued.

Virtual desktop software is typically licensed according to the number of end users. Kidaro recently lowered its pricing from $250 per seat to $125 per seat. VThere Player costs $125 per seat, plus $795 for vThere Image Creator necessary to manage the virtual desktop images, and VMware ACE starts at $999 for VMware ACE Manager, 10 ACE client licenses and Workstation, with additional client licenses available at $80 per seat. But implementing virtual desktops should also provide plenty of cost-saving opportunities.

"If a company can provide a virtual desktop for a work-at-home user to use on their own PC, that would save them money," Roudebush said.

Virtual desktop technologies can also reduce companies' help desk costs. "Though the initial cost of deploying a physical PC with standard software is usually measured in the hundreds of dollars, the cost in terms of IT resources to manage those systems and support their use can easily be thousands of dollars over the life of a typical corporate PC," Roudebush said. "This is where virtualized desktops promise to provide relief."

Last but not least, virtual desktop technologies may help a company avoid the cost of losing sensitive information. In June of this year, the theft of a laptop from an intern's car cost Ohio taxpayers $600,000 in identity-theft protection for those affected. The device contained 64,467 Ohio state government employee's names and Social Security numbers.

The bottom line? Virtual desktops secure information, no matter which ZIP code the portable device is in.

"If a device is stolen, the virtual machine is locked down because it's virtualized, separate in a VM from the apps," said IDC's Rose. "The underlying apps and OS are vulnerable, but the virtualized desktop is not."

Let us know what you think about the story; email Hannah Drake, Associate Editor.

Also, check out our news blog at serverspecs.blogs.techtarget.com.