EMC Corp’s VMware subsidiary will today launch an offshoot of its VMware Workstation virtualization environment to make PCs and the networks they hook into more secure, by wrapping them in a virtualization layer that restricts what end users can do with the operating system.
Michael Mullany, vice president of marketing at VMware, said VMware Assured Computing Environment, or ACE, was created at the behest of corporate customers who kept asking VMware to dial back on the capabilities of operating systems running within its VMware Workstation, which is a virtualization product that allows multiple and incompatible operating systems to be run on a single X86 desktop or laptop.
While VMware Workstation can mimic x86 iron, that is a far different thing from turning off operating system or application features based on an end user profile.
This, among other things, is what VMware ACE does. The ACE product is based on the same core virtualization software that goes into the Workstation product, but the two are mutually exclusive. ACE is not something you add to Windows or Linux or to a Workstation virtual environment, but rather a software container in which you run an operating system for a specific end user with a specific set of application, storage, and network resources.
Mullany says ACE is targeted at three specific types of end users: laptop users, telecommuters, and IT contractors, none of whom you would ever allow to plug their own machines into the corporate network to do their work from either side of the corporate firewall.
The security risks are too high, particularly in the virus and worm plagued Windows world – and soon Linux, as it gets increasingly used. The ACE environment could be used to create a virtual machine with, say, Windows XP and the set of corporate applications a specific end user would need access to. That environment can be loaded onto a DVD and then loaded into any machine.
Since the ACE virtual container would only be running permitted applications – and could forbid the copying or downloading of any data to any peripheral device – it is in essence a disposable computing environment. This is a more precise and controlling solution than just allowing end users to use Citrix or RDP protocols to log into remote Windows servers and do whatever they want.
The rights management core of the ACE program can restrict not only what applications and peripherals end users can employ as they work from within that container on the corporate network, but also can be set up with a time limit that would, for example, deactivate the software in 30 or 60 days.
Moreover, the ACE software is not very fond of hackers, so if someone tries to tamper with the virtual environment to steal files, the virtual environment is separate from the operating system inside the container as well as the one outside of the container – the native OS on the laptop or desktop – and if it detects shenanigans, it will simply commit suicide and not let ACE load again.
The ACE approach has another benefit. You could create a truly standard set of corporate desktops that are not tied so tightly to the initial operating system or underlying hardware on an x86 machine. End users might be running the same exact environment on all different kinds of PCs or laptops, but they would never know because they work from within ACE. System administrators and help desks are going to love this idea.
VMware ACE goes into beta testing today, and is expected to be available in the fourth quarter. Mullany says that pricing has not yet been finalized, but that EMC will charge about $100 per client for the software. The software consists of a client – which you pay for – and a manager, which is used to configure the ACE container for each end user. The manager is free. Both the manager and the client run on Windows 2000 and Windows XP.