
What risks do application virtualization products pose?

Application virtualization continues to be described with words such as "isolation" and "bubble," but Michael Cobb examines the possible threats entering or escaping those "isolated" environments.

I'm working for the U.S. Air Force in Europe, and it is deploying multiple virtualization products in its environment; I'm working specifically with application virtualization. Have there been any reviews of application virtualization products (rather than OS virtualization) and the risks they pose to enterprise security? Phrases that continue to be used with this type of virtualization are "isolation" or "bubble," but I really would like to know if application virtualization truly is an isolated state from risks possibly entering or escaping those 'isolated' environments.

Over the past few years, virtualization has really taken off, as it can help an organization's infrastructure to work harder and faster while reducing costs. Some of the benefits of virtualization include saving space, resources and power consumption, providing redundancy and provisioning capabilities, and improving security. The first virtualization techniques that came into the market were those of server virtualization -- one approach being operating system virtualization, where everything is run from a so-called virtualized disk on the network, encapsulating the entire operating system from the hardware.

With operating system virtualization, the whole OS is virtualized; application virtualization instead targets specific applications. Although vendors have different types of products, the general principle of application virtualization is to separate application code from the restrictions of individual servers, operating systems and clients to improve portability, manageability and compatibility. A virtualized application is not installed on the hard disk of the machine, but is packaged and run on a virtualization layer, which transparently intercepts all file and registry operations of the virtualized application. The application believes that it is directly interfacing with the operating system and its resources, whereas it is actually encapsulated from them and running in its own virtual space or "bubble."

Since all the required files are available in the bubble for that specific application, these separated virtual spaces ensure that applications cannot conflict with each other. This separation allows superior control over where application data is stored. Data can be located in the corporate data center where it is easier to ensure access policies and regulatory compliance rules are adhered to.

From a security perspective, the big advantage is that this isolation prevents applications from making changes to system files. Application virtualization greatly reduces the chances of malware being able to compromise other applications or the operating system, as the malicious code is contained only in that virtual environment.

Although the applications run on client machines, they can be administered from one main location. This arrangement reduces ongoing PC management -- and helpdesk calls -- since change control for software and data is centralized. All an administrator needs to do is apply security patches or software updates to the one application instead of each installation on the user desktop. However, an unpatched virtual application is just as vulnerable as an unpatched local application!

One drawback of virtualized applications has been that they can't communicate with each other, as they're operating in their own virtual bubble. So for example, if a user is running virtualized Microsoft Word, any Web links in the document won't work since Word won't be able to open Internet Explorer. Solutions and workarounds for these productivity limitations are appearing, but from a security standpoint, they weaken the benefits of application virtualization.

Before fully implementing application virtualization, it's necessary to test and validate deployment on a wide variety of PC configurations. Not all applications can be virtualized; the developer may not have followed best practices for coding or registering DLLs, or the application may require the client or user to have administration rights. The time and cost of this testing need to be taken into account when looking at the ROI of application virtualization.
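
The file redirection and isolation described in this answer can be modelled in a few lines. This is an added illustration, not code from the article or from any vendor's product; `Bubble` and `demo` are hypothetical names, and where real products intercept OS file and registry calls, the "application" here calls the layer's methods directly.

```python
import tempfile
from pathlib import Path

class Bubble:
    """Toy redirection layer: one private store per application (assumption)."""
    def __init__(self, system_root: Path, private_root: Path):
        self.system_root = system_root    # shared OS view, never written to
        self.private_root = private_root  # this application's private store
        self.hidden = set()               # files deleted inside this bubble only

    def _map(self, root: Path, path: str) -> Path:
        target = (root / path.lstrip("/")).resolve()
        if not target.is_relative_to(root.resolve()):  # refuse ../ escapes
            raise PermissionError(path)
        return target

    def read(self, path: str) -> str:
        private = self._map(self.private_root, path)
        if private in self.hidden:
            raise FileNotFoundError(path)
        # The bubble's own copy wins; otherwise fall through to the real file.
        source = private if private.exists() else self._map(self.system_root, path)
        return source.read_text()

    def write(self, path: str, data: str) -> None:
        private = self._map(self.private_root, path)  # redirected write
        private.parent.mkdir(parents=True, exist_ok=True)
        private.write_text(data)
        self.hidden.discard(private)

    def delete(self, path: str) -> None:
        private = self._map(self.private_root, path)
        private.unlink(missing_ok=True)
        self.hidden.add(private)          # the system copy is left in place

def demo() -> dict:
    """Two bubbles change the same constructed 'system' file; return each view."""
    with tempfile.TemporaryDirectory() as tmp:
        system, conf = Path(tmp) / "system", "/etc/shared.conf"
        real = system / "etc" / "shared.conf"
        real.parent.mkdir(parents=True)
        real.write_text("original")       # constructed sample content
        app_a, app_b = (Bubble(system, Path(tmp) / n) for n in ("bubble_a", "bubble_b"))
        app_a.write(conf, "changed by A")
        app_b.delete(conf)
        try:
            b_view = app_b.read(conf)
        except FileNotFoundError:
            b_view = None
        return {"a": app_a.read(conf), "b": b_view, "system": real.read_text()}
```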


This was last published in November 2008
