Friday, May 11, 2007

VMware ACE 2

Just read the announcement of VMware ACE 2. It has at least one cool feature - you can deploy virtual images and centrally manage policies, such as the expiration date, across networks. Imagine setups like this:
  • A consultant is coming to help you. You hand him a virtual image with your enterprise desktop. The image expires on the date the consultant has finished working.
  • You deploy an image on your MP3 player (Pocket ACE). This image can be used to run your enterprise desktop from any PC. Corporate IT could expire these images after a month, so a new up-to-date image must be downloaded each month.
  • Supply your users with an enterprise desktop image. If the user needs further programs, they can install them themselves on the physical PC. But, remember that you should consider the entire security setup before doing this.
  • Merger scenario. Company A buys company B. The A desktop can be deployed as virtual images on B's PCs.

The virtual disk is encrypted, so it should be (fairly) tamper-safe. Physical access to the virtual disk has always been a security risk (but also a nice feature), but with encrypted disks that picture is changing. Naturally, the physical host is still able to capture the guest's network communication (this can be prevented by encrypting the traffic to and from the virtual guest), and the physical host can read and modify the memory used by the virtual guest. ACE 2 is also able to prevent the host from accessing the network, but this can probably be bypassed in some way.

Once deployed, use the ACE 2 Management Server to monitor ACEs and enforce corporate policies from a central location. The ACE 2 Management Server enables administrators to deliver dynamic policy updates to local and remote ACE instances, as well as to control the activation and de-activation of each package for contractors, consultants and other temporary users.
