I recently made the case that in the future, real clouds won’t use VMs as a primary abstraction; instead they will be relevant primarily in enterprise virtual infrastructures. In this post I make the case that VMs will at best make a marginal contribution to End User Computing (EUC).
The enterprise EUC challenge has three dimensions:
- Empower users to be productive (on any/many devices, and when mobile)
- Securely and privately, and
- Manageably, at scale
On a typical enterprise desktop, applications and the OS are deployed, patched and managed with System Center, and AD is used for IAM policy controls. Management at scale is a challenge: patching faces app-compatibility and scalability issues, policies are difficult to enforce, and data is everywhere and at risk. AV tries to fill the security gap, and any number of security, DLP and compliance agents try to ensure security and compliance.
EUC management is a nightmare, and still not secure.
VMs to the rescue?
- Easier to manage: all VMs can boot from the same, centrally managed and patched OS image; apps are separately layered. (More on app-virtualization later).
- More secure: The EUC “experience” limits the user’s ability to “escape” from the enterprise – for example preventing the user from copying data to a local USB device.
- Users ought to love it. They can even work from their personal devices.
But measured against my three criteria, VDI comes up short: It does not empower users – it chains them to a remotely delivered legacy enterprise desktop user experience. It doesn’t solve the security problem – the user can just as easily click on bad things in a virtual desktop. And although there are some management benefits, VDI is expensive to deploy and manage at scale. Similar arguments apply for client-hosted VMs.
VDI is valuable for specific use cases. Beyond these, it is primarily an abstraction that simplifies compliance.
Back to basics
We seek user empowerment, enterprise security, easy deployment and management at scale.
There is already a type of EUC device that vastly exceeds PCs in each dimension – mobile devices. You love yours; you’re not nearly as worried about its security as your PC’s (though Google needs to do a lot better). And enterprise mobility management tools allow enterprises to ensure compliance, deliver apps and help to protect apps/data at scale. On mobile devices apps run de-privileged and isolated with a granular, policy controlled interface to privileged resources (eg: Can Facebook access your photographs?). Though new OSes aren’t perfect, they are better because:
- Granular isolation of apps and a least-privilege execution model helps us to understand the risk of information exposure if an application is compromised or malicious
- Application (or task-centric) isolation enables the device to better protect itself and the user
But unfortunately the OSes used on today’s enterprise desktops – Windows, Mac OS X and Linux – do not offer the granular isolation needed to enforce least privilege. Although they use software isolation (eg: processes, JVMs, sandboxing) and hardware (eg: user/kernel modes) to separate applications, OS and data, they cannot deal with their own latent vulnerability: their kernels offer a vast attack surface (~50 MLOC for Windows, and ~10 MLOC for Android). Rich feature sets appeal to users, but introduce vulnerabilities.
Micro-virtualization can help
Micro-virtualization is a powerful, simple way to retro-fit granular, hardware-enforced least-privilege execution onto today’s EUC devices (and even VDI VMs). It uses hardware-virtualization and a novel hypervisor called a Microvisor to seamlessly isolate user tasks. Hardware-isolated tasks (in micro-VMs) see a virtualized file system and IP stack that are narrowed according to least privilege. Hardware isolation offers a robust barrier to enforce least privilege – any attempt to access the network, file system or the desktop causes a hardware trap to the Microvisor. If a task is compromised, malware will be contained by the virtualization hardware. To compromise the Microvisor, malware must directly attack its hardened, narrow hypercall interface, which is orders of magnitude smaller than that of the OS.
Micro-virtualization offers numerous benefits:
- It can be used on all modern chipsets and nested on a traditional hypervisor to protect VMs.
- It can be retro-fitted onto any OS and applied to a broad range of applications
- The Microvisor is a late-load hypervisor that can be distributed to end points as an application. It has a small code base – making it easier to harden.
- Micro-VMs can be created and destroyed fast (tens of ms), so they can be applied at the granularity of a single user task (eg: a browser tab) without impacting user experience.
- Micro-VMs execute copy-on-write (CoW). All changes are discarded when the task terminates, making the system naturally self-remediating.
- Finally, the granular nature of a micro-VM allows accurate per-task introspection and facilitates live attack visualization and analysis.
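To make the mechanism concrete, here is an added toy model in Python (example code, not the Microvisor or any product's code) of the behaviour described above: a task runs under its own narrowed policy, any file or network access outside that policy traps to the microvisor and is denied and logged for introspection, and every write lands in a copy-on-write layer that is discarded when the task ends, so the shared base image is never modified. The class and function names, the policy layout and the sample file system are all invented for this illustration.

```python
# Added toy model (not Microvisor/Bromium code): per-task least-privilege policy,
# trap-and-deny on out-of-policy access, copy-on-write state discarded at task end.
from dataclasses import dataclass, field
class MicrovisorTrap(PermissionError):
    """Access outside the task's policy, trapped to the microvisor and denied."""
@dataclass
class MicroVM:
    policy: dict          # {"read": {paths}, "write": {paths}, "connect": {hosts}}
    base_fs: dict         # shared read-only image, the same for every task
    overlay: dict = field(default_factory=dict)   # per-task copy-on-write layer
    trap_log: list = field(default_factory=list)  # per-task introspection record

    def _check(self, kind: str, target: str) -> None:
        if target not in self.policy.get(kind, ()):
            self.trap_log.append(f"{kind} {target}")
            raise MicrovisorTrap(f"{kind} {target}")

    def read_file(self, path: str) -> str:
        self._check("read", path)
        return self.overlay.get(path, self.base_fs.get(path, ""))  # overlay shadows base

    def write_file(self, path: str, data: str) -> None:
        self._check("write", path)
        self.overlay[path] = data  # base_fs is never touched

    def connect(self, host: str) -> bool:
        self._check("connect", host)
        return True

    def terminate(self) -> dict:
        self.overlay.clear()  # self-remediation: every change the task made is gone
        return self.base_fs

def denied(action) -> bool:  # True if the microvisor trapped and denied the action
    try:
        action()
        return False
    except MicrovisorTrap:
        return True

def browser_tab_demo() -> tuple:
    """Constructed scenario: a compromised browser tab tries out-of-policy actions."""
    base = {"/etc/hosts": "127.0.0.1 localhost", "/home/u/plan.txt": "secret"}
    vm = MicroVM({"read": {"/etc/hosts", "/tmp/dl.bin"}, "write": {"/tmp/dl.bin"},
                  "connect": {"intranet.example"}}, base)
    vm.write_file("/tmp/dl.bin", "download")  # allowed, but lands only in the overlay
    blocked = [denied(lambda: vm.read_file("/home/u/plan.txt")),
               denied(lambda: vm.write_file("/etc/hosts", "tampered")),
               denied(lambda: vm.connect("unapproved.example"))]
    return vm.terminate(), vm.trap_log, blocked
```

The trap log is what per-task introspection would see, and the returned base image is identical to what the task started with.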
Granular isolation – and not traditional VMs – will be the savior of EUC: Empowering users to use a single device for personal and work tasks, securing the device, and affording privacy and control over what information, identities and access to resources is permitted in each task context.