Ask the Expert

What risks do application virtualization products pose?

I'm working for the U.S. Air Force in Europe, and it is deploying multiple virtualization products in its environment; I'm working specifically with application virtualization. Have there been any reviews of application virtualization products (rather than OS virtualization) and the risks they pose to enterprise security? Phrases that continue to be used with this type of virtualization are "isolation" or "bubble," but I really would like to know if application virtualization truly is an isolated state from risks possibly entering or escaping those 'isolated' environments.


Over the past few years, virtualization has really taken off, as it can help an organization's infrastructure to work harder and faster while reducing costs. Some of the benefits of virtualization include saving space, resources and power consumption, providing redundancy and provisioning capabilities, and improving security. The first virtualization techniques to come to market were for server virtualization. One approach is operating system virtualization, where everything is run from a so-called virtualized disk on the network, decoupling the entire operating system from the hardware.

With operating system virtualization, the whole OS is virtualized, as opposed to specific applications. Although vendors have different types of products, the general principle of application virtualization is to separate application code from the restrictions of individual servers, operating systems and clients to improve portability, manageability and compatibility. A virtualized application is not installed on the hard disk of the machine, but is packaged and run on a virtualization layer, which transparently intercepts all file and registry operations of the virtualized application. The application believes that it is directly interfacing with the operating system and its resources, whereas it is actually encapsulated from them and running in its own virtual space or "bubble."

Since all the required files are available in the bubble for that specific application, these separated virtual spaces ensure that applications cannot conflict with each other. This separation allows superior control over where application data is stored. Data can be located in the corporate data center where it is easier to ensure access policies and regulatory compliance rules are adhered to.

From a security perspective, the big advantage is that this isolation prevents applications from making changes to system files. Application virtualization greatly reduces the chances of malware being able to compromise other applications or the operating system, as the malicious code is contained only in that virtual environment.

Although the applications run on client machines, they can be administered from one main location. This arrangement reduces ongoing PC management -- and helpdesk calls -- since change control for software and data is centralized. All an administrator needs to do is apply security patches or software updates to the one application instead of each installation on the user desktop. However, an unpatched virtual application is just as vulnerable as an unpatched local application!

One drawback of virtualized applications has been that they can't communicate with each other, as they're operating in their own virtual bubble. So for example, if a user is running virtualized Microsoft Word, any Web links in the document won't work since Word won't be able to open Internet Explorer. Solutions and workarounds for these productivity limitations are appearing, but from a security standpoint, they weaken the benefits of application virtualization.

Before fully implementing application virtualization, it's necessary to test and validate deployment on a wide variety of PC configurations. Not all applications can be virtualized; the developer may not have followed best practices for coding or registering DLLs, or the application may require the client or user to have administration rights. The time and cost of this testing need to be taken into account when looking at the ROI of application virtualization.
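An added example, not from the original article or any vendor's product: a toy Python model of the virtualization layer described in the answer. It shows writes being captured in a per-application bubble, and how linking bubbles (the kind of interoperability workaround the answer mentions) lets one application's changes reach another. The class, method names, registry key and read fall-through order are assumptions of this model.

```python
# Toy model (constructed for illustration) of an application virtualization layer.
# Each application gets a private "bubble" that captures its writes; the real
# system store is never modified. Reads check the app's own bubble, then any
# linked bubbles, then fall through to the system (an assumption of this model).

_DELETED = object()  # tombstone: key deleted inside a bubble


class VirtualizationLayer:
    def __init__(self, system_store):
        self.system = dict(system_store)   # stands in for host files/registry
        self.bubbles = {}                  # app name -> private overlay
        self.links = {}                    # app name -> apps whose bubbles it may read

    def register(self, app):
        self.bubbles[app] = {}
        self.links[app] = []

    def link(self, app, other):
        """Integration workaround: let `app` see `other`'s bubble."""
        self.links[app].append(other)

    def write(self, app, key, value):
        self.bubbles[app][key] = value     # intercepted: never reaches self.system

    def delete(self, app, key):
        self.bubbles[app][key] = _DELETED  # hides the key without touching the system

    def read(self, app, key):
        for name in [app] + self.links[app]:
            if key in self.bubbles[name]:
                value = self.bubbles[name][key]
                return None if value is _DELETED else value
        return self.system.get(key)


def demo():
    key = r"HKLM\Software\Shared\Version"  # constructed sample key
    layer = VirtualizationLayer({key: "1.0"})
    for app in ("word", "browser"):
        layer.register(app)
    layer.write("word", key, "2.0-tampered")
    isolated = (layer.read("word", key), layer.read("browser", key), layer.system[key])
    layer.link("browser", "word")          # workaround so the two apps interoperate
    linked = layer.read("browser", key)
    return isolated, linked
```

Before the link, only the writing application sees its own change; after it, the second application reads the first one's modified value, which is the isolation trade-off to review for every bubble link that is approved.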

More information:

  • Hardening VMware's ESX Server has been a difficult job, but a tool developed by VMware and partner Tripwire aims to ease the pain.
  • Get the latest news and expert research on virtualization security.
  • This was first published in November 2008
