Like IT managers elsewhere, the U.S. Department of Defense would like to supply its forces with mobile computing, but doing so risks the possibility that data being carried on a device will fall into the wrong hands.
"The challenges we face are the same ones you face in the corporate world," says Michael Metrovich, senior technology officer for the Defense Intelligence Agency, although he was referring to risks over and above the possibility that a laptop will disappear at airport security. Nevertheless, if virtual desktops are the DOD's answer to end user computing security, IT managers should pay attention to how they do it.
Last week at Synergy, Citrix Systems' annual user group meeting, two different spokesmen involved in creating a secure mobile DOD client said a new form of virtual desktop was available and was part of their approach to equipping their forces with more computing power. Indeed, they shifted the discussion of virtual desktops away from how to engineer them for easier, less costly operations and toward how secure the desktop can be made and how far afield it can be allowed to roam. They were explicit that the virtual desktop was not only locked down but could be readily adapted to run on different mobile devices.
As IT faces the overwhelming problem of supporting employees who have brought their preferred consumer device to work and plan to take it with them on their next business trip and European vacation, the DOD effort clearly offers some lessons learned about launching, managing and controlling virtual desktops.
More work has been accomplished on this front than I realized until I heard Metrovich talk about his own desktop. Metrovich is responsible for secure communications between his agency and commanders of the war in Iraq, the war in Afghanistan, NATO headquarters in Europe, NATO operations in Libya--you get the idea. Because of that, he once had 16 physical PCs, each tied by its own cabling to the wiring closet with switches for secure networks, as his personal, composite desktop.
Today he has one physical machine and 16 virtual desktops, each tied by a virtual network through one cable to a switch in the wiring closet. The virtual desktops he needs have different characteristics and the networks he uses require different degrees of security, but that's not a problem because in both instances, the desktop and its network are running in their own virtual machines.
The transformation that's taken place on his desktop is now taking place throughout the agency as it implements end user virtualization using new security controls. So far 400 desktops have been virtualized. There's still a long way to go with his agency's 50,000 users in 200 countries, but Metrovich said Thursday at Synergy, "There have been no major security issues to report so far."
That reflects growing confidence to provide secure client hypervisor operation, even when the hypervisor may have entered enemy territory. Citrix Systems and other virtualization vendors are making use of new capabilities built into the latest generation of Intel vPro chips and motherboards that check the 70,000-line hypervisor as its components are assembled from the client's disk.
When the user calls for his hypervisor to be activated, a client using Intel's Trusted Execution Technology can measure the hypervisor components as they are booted and check those measurements against the expected values for each component, which have been stored on the motherboard. If the hypervisor has been intruded upon, tampered with, or has experienced some unanticipated update, the measurements no longer match, the boot is interrupted and a fresh version is downloaded from a trusted server.
"We believe XenClient has the potential to be very secure," Metrovich says. He's created his agency's virtualized desktops with XenClient XT, the lightweight hypervisor Citrix designed to run on client machines and announced May 25. VMware is a user of Intel's TXT self-checking capability as well with its ESXi hypervisor, the one that's built into and ships with servers that will serve as hosts for multiple virtual machines.
Metrovich says he recently had to supply a secure network to "a small community" that planned and executed the mission to invade Osama bin Laden's compound in Pakistan. Secrecy was an absolute priority and was maintained, he says.
In the past, U.S. agents or military teams could not take sophisticated computing devices across potentially hostile borders; "the threat of losing the device was too great." But he suggested that ample client computing power had accompanied the Navy SEALs' incursion into Pakistan in their pursuit of Osama bin Laden. "With virtual desktops, all the data remains on a central server, with a remote user able to access and work with it, regardless of where he might be," he says.
"The key is nothing permanently resides on the computing device," says Metrovich, which opens up new possibilities for missions behind enemy lines. U.S. intelligence agencies and the military are extremely interested in what missions secure virtual desktops might enable, he says.
Granted, the virtual desktop distributes no data to the locale of the end user. In what other ways is the virtual desktop more secure today than it was before? A view into what's being done was offered by Ian Pratt and Air Force researcher Ryan Durante in a Synergy session May 26. Pratt is the Cambridge University professor who deciphered the x86 instruction set for the Xen open source hypervisor. He did so after Mendel Rosenblum had accomplished that feat in the U.S., so he sometimes gets less recognition than the founder of VMware, but I doubt that the small amount of time separating their respective efforts made the job any easier.
The Air Force is part of the DOD effort to come up with a secure desktop, and Durante, chief of the cross-domain solutions and innovation section of the Air Force Research Laboratory, says it is seeking to virtualize its desktops in a manner similar to that of the Defense Intelligence Agency. Pratt has been the lead liaison with the Air Force Research Laboratory in that effort, and the pair hosted the session on XenClient security. If the Air Force's version of a virtualized end user desktop is convincingly secure, it will be used as a model for adoption throughout the Department of Defense, Durante says.
Pratt joined Citrix as VP of advanced products when it purchased XenSource, the company behind the Xen hypervisor. He's using, as might be expected, XenClient XT, the version also announced May 25 that makes use of Intel's trusted boot process for the hypervisor. If someone has modified the virtual machine, the Intel TXT checking will detect it and kill off the boot. The process makes it difficult for an intruder to get any spyware or system alterations planted on a virtual machine. It's available with motherboards built with Xeon 5600 chips.
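To make the measured-boot check described in this paragraph and in the earlier TXT paragraph concrete, here is an added illustration written for this article (it is not Citrix, Intel or XenClient code): each component is hashed as it loads, the hashes are folded into a PCR-style register in boot order, and the result is compared with values provisioned when the image was known good. The component names and images are constructed stand-ins.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed stand-in images for the hypervisor pieces a TXT launch measures;
# a real client would hash the actual binaries as they are loaded from disk.
GOOD_COMPONENTS: List[Tuple[str, bytes]] = [
    ("xen-core", b"constructed: hypervisor core image v1"),
    ("dom0-kernel", b"constructed: control domain kernel v1"),
    ("network-vm", b"constructed: network driver domain image v1"),
]
PCR_RESET = bytes(32)  # a PCR reads as all zeros after platform reset


def measure(image: bytes) -> bytes:
    """The measurement recorded for one component: a hash of its bytes."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || measurement), so order matters."""
    return hashlib.sha256(pcr + measurement).digest()


def build_policy(components: List[Tuple[str, bytes]]) -> Dict[str, str]:
    """Known-good values, as provisioned on the platform while the image was
    trusted: one digest per component plus the final PCR of the whole chain."""
    policy: Dict[str, str] = {}
    pcr = PCR_RESET
    for name, image in components:
        digest = measure(image)
        policy[name] = digest.hex()
        pcr = extend(pcr, digest)
    policy["final-pcr"] = pcr.hex()
    return policy


def measured_launch(components: List[Tuple[str, bytes]],
                    policy: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Measure components in boot order and compare with the stored policy.
    Returns (boot_allowed, first_problem). Any mismatch halts the boot, which
    is where the article's 'fetch a fresh copy from a trusted server' begins."""
    pcr = PCR_RESET
    for name, image in components:
        digest = measure(image)
        if policy.get(name) != digest.hex():
            return False, name  # this component was altered or is unknown
        pcr = extend(pcr, digest)
    if pcr.hex() != policy["final-pcr"]:
        return False, "chain"  # every piece matched, but order or count differed
    return True, None
```

Because the register is extended rather than overwritten, a component that was swapped, reordered or silently dropped changes the final value even when every remaining piece is individually genuine.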
XenClient is a Type 1 hypervisor that enforces strict isolation on each virtual machine, so different types of virtual machines may run on one client without risking exposure to each other. Likewise, different networks are each booted in their own VMs and run alongside each other without intruding on or compromising each other's traffic, even if one has a much lower security rating than the other, Pratt said in an interview at the end of the May 26 session.
If a virtual machine were in some way compromised on a user device, the fact that the network is in its own virtual machine prevents the malady from spreading to other VMs, Pratt says. Pratt also says XenClient relies on Pascal and other research languages more than the C family, often used in the world of PC exploits. "Another key technical barrier is the narrow interfaces between XenClient components," he says. A strictly defined interface between, say, the hypervisor and client network controller offers a smaller attack surface. The interface can also be inspected quickly for integrity.
Citrix is clearly using these security features as credentials for secure operations in the larger corporate market. It is expanding the usefulness of XenClient by giving it a companion piece of client software that adapts to different devices, allowing the same XenClient virtual machine to run on each. That added piece is Citrix Receiver.
Think of Citrix Receiver as the software that does for XenClient what the Java Virtual Machine did for Java. To meet Sun's boast of having a write once, run anywhere language, it needed to create a virtual machine environment that could be written for individual hardware devices. The JVM differed from machine to machine, but the compiled Java code could run in any JVM. Likewise, a version of Citrix Receiver can be created for different PCs, tablets, and smartphones but run the same virtualized desktop in each. So far, Receiver runs on 1,000 different PC models, 149 smartphone models, 37 tablets, and 10 different thin clients. There's a Receiver for Apple iOS, Google Android, HP's webOS and Google ChromeOS. So far, the Apple iPad, HP TouchPad, Blackberry Playbook and Google Chromebook are covered, along with many laptops and PCs.
Many problems of end user virtualization remain to be worked out. But if virtual desktops provide secure computing for wide-ranging Defense Intelligence Agency staffers, they may be the answer for highly mobile enterprise workers as well. Desktop virtualization in a new secure form is about to emerge, and it may help not only the DIA but also those IT managers perpetually under siege.
Charles Babcock is an editor-at-large for InformationWeek.