Operating system virtualization virtualizes the whole OS; application virtualization, by contrast, virtualizes specific applications. Although vendors offer different types of products, the general principle of application virtualization is to separate application code from the restrictions of individual servers, operating systems and clients to improve portability, manageability and compatibility. A virtualized application is not installed on the hard disk of the machine, but is packaged and run on a virtualization layer, which transparently intercepts all file and registry operations of the virtualized application. The application believes that it is directly interfacing with the operating system and its resources, whereas it is actually encapsulated from them and running in its own virtual space or "bubble."
Since all the required files are available in the bubble for that specific application, these separated virtual spaces ensure that applications cannot conflict with each other. This separation allows superior control over where application data is stored. Data can be located in the corporate data center where it is easier to ensure access policies and regulatory compliance rules are adhered to.
From a security perspective, the big advantage is that this isolation prevents applications from making changes to system files. Application virtualization greatly reduces the chances of malware being able to compromise other applications or the operating system, as the malicious code is contained only in that virtual environment.
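To make the "bubble" concrete, here is a small model of the interception described above, added for this article and not taken from any vendor's product: reads fall through to the real system view, while writes and deletes are captured in a per-application overlay. The `Bubble` class, the `SYSTEM` dictionary and the paths in it are constructed for illustration only.

```python
from typing import Dict, Optional


class Bubble:
    """Per-application virtual space: a copy-on-write overlay over the system."""

    def __init__(self, system: Dict[str, str]):
        self._system = system               # real OS view, shared and never written
        self._overlay: Dict[str, str] = {}  # this app's private changes
        self._deleted: set = set()          # paths the app "deleted" (hidden, not removed)

    def read(self, path: str) -> Optional[str]:
        # Intercepted read: the app sees its own changes first, then the OS.
        if path in self._deleted:
            return None
        if path in self._overlay:
            return self._overlay[path]
        return self._system.get(path)

    def write(self, path: str, data: str) -> None:
        # Intercepted write: redirected into the overlay, never to the OS.
        self._deleted.discard(path)
        self._overlay[path] = data

    def delete(self, path: str) -> None:
        # Intercepted delete: only hides the path inside this bubble.
        self._overlay.pop(path, None)
        self._deleted.add(path)


# Constructed sample "system" (hypothetical paths): one shared DLL, one registry value.
SYSTEM = {
    r"C:\Windows\System32\msvcrt.dll": "msvcrt v7",
    r"HKLM\Software\Vendor\Version": "1.0",
}


def demo() -> Dict[str, Optional[str]]:
    word = Bubble(SYSTEM)
    other = Bubble(SYSTEM)
    # The app believes it overwrote a system DLL; the real OS view is untouched.
    word.write(r"C:\Windows\System32\msvcrt.dll", "tampered")
    # Two apps keep conflicting versions of the same registry value in their own bubbles.
    word.write(r"HKLM\Software\Vendor\Version", "2.0")
    other.write(r"HKLM\Software\Vendor\Version", "3.0")
    return {
        "word_sees_dll": word.read(r"C:\Windows\System32\msvcrt.dll"),
        "system_dll": SYSTEM[r"C:\Windows\System32\msvcrt.dll"],
        "word_version": word.read(r"HKLM\Software\Vendor\Version"),
        "other_version": other.read(r"HKLM\Software\Vendor\Version"),
    }
```

The same mechanism that keeps the tampered DLL out of the real system also keeps the two bubbles from seeing each other's registry value, which is the isolation benefit and the communication drawback in one.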
Although the applications run on client machines, they can be administered from one main location. This arrangement reduces ongoing PC management -- and helpdesk calls -- since change control for software and data is centralized. All an administrator needs to do is apply security patches or software updates to the one application instead of each installation on the user desktop. However, an unpatched virtual application is just as vulnerable as an unpatched local application!
One drawback of virtualized applications has been that they can't communicate with each other, as they're operating in their own virtual bubble. So for example, if a user is running virtualized Microsoft Word, any Web links in the document won't work since Word won't be able to open Internet Explorer. Solutions and workarounds for these productivity limitations are appearing, but from a security standpoint, they weaken the benefits of application virtualization.
Before fully implementing application virtualization, it's necessary to test and validate deployment on a wide variety of PC configurations. Not all applications can be virtualized; the developer may not have followed best practices for coding or registering DLLs, or the application may require the client or user to have administration rights. The time and cost of this testing need to be taken into account when looking at the ROI of application virtualization.
This was first published in November 2008