With operating system virtualization, the whole OS is virtualized, as opposed to specific applications. Although vendors have different types of products, the general principle of application virtualization is to separate application code from the restrictions of individual servers, operating systems and clients to improve portability, manageability and compatibility. A virtualized application is not installed on the hard disk of the machine, but is packaged and run on a virtualization layer, which transparently intercepts all file and registry operations of the virtualized application. The application believes that it is directly interfacing with the operating system and its resources, whereas it is actually encapsulated from them and running in its own virtual space or "bubble."
Since all the required files are available in the bubble for that specific application, these separated virtual spaces ensure that applications cannot conflict with each other. This separation allows superior control over where application data is stored. Data can be located in the corporate data center where it is easier to ensure access policies and regulatory compliance rules are adhered to.
From a security perspective, the big advantage is that this isolation prevents applications from making changes to system files. Application virtualization greatly reduces the chances of malware being able to compromise other applications or the operating system, as the malicious code is contained only in that virtual environment.
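The interception and isolation described above can be modeled as a copy-on-write overlay: each application's writes land in its own bubble while reads fall through to the shared system. This is an added example, not code from the original article or from any vendor's product; the class names, file path and registry key are constructed for illustration, and a real virtualization layer intercepts operating system calls rather than dictionary lookups.

```python
# Added illustration: a simplified model, not any vendor's implementation.
# All names, paths and keys are constructed for this example.
_DELETED = object()  # tombstone: key removed inside one bubble only

class SystemLayer:
    """Shared OS state: file paths and registry keys mapped to contents."""
    def __init__(self, entries):
        self._entries = dict(entries)
    def read(self, key):
        return self._entries.get(key)
    def snapshot(self):
        return dict(self._entries)

class Bubble:
    """Per-application virtual space layered over the shared system."""
    def __init__(self, app, system):
        self.app, self._system, self._private = app, system, {}
    def write(self, key, value):
        self._private[key] = value      # redirected; system layer untouched
    def delete(self, key):
        self._private[key] = _DELETED   # hide it from this application only
    def read(self, key):
        if key in self._private:        # the bubble's own copy wins
            value = self._private[key]
            return None if value is _DELETED else value
        return self._system.read(key)   # otherwise fall through
    def redirected(self):
        return sorted(self._private)    # audit: what the app tried to change

DLL = r"C:\Windows\System32\shared.dll"
KEY = r"HKLM\Software\Vendor\Setting"

def demo():
    system = SystemLayer({DLL: "v1", KEY: "default"})
    before = system.snapshot()
    app_a, app_b = Bubble("app_a", system), Bubble("app_b", system)
    app_a.write(DLL, "v2")        # A ships its own DLL version
    app_b.write(KEY, "tampered")  # unwanted change made from inside B
    app_b.delete(DLL)
    return system, before, app_a, app_b

if __name__ == "__main__":
    system, before, a, b = demo()
    print("system unchanged:", system.snapshot() == before)
    print("A sees", a.read(DLL), a.read(KEY))
    print("B sees", b.read(DLL), b.read(KEY))
    print("B redirected:", b.redirected())
```

Each application sees only its own changes, and the shared system layer is identical before and after, which is the containment property the article relies on.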
Although the applications run on client machines, they can be administered from one main location. This arrangement reduces ongoing PC management -- and helpdesk calls -- since change control for software and data is centralized. All an administrator needs to do is apply security patches or software updates to the one application instead of each installation on the user desktop. However, an unpatched virtual application is just as vulnerable as an unpatched local application!
One drawback of virtualized applications has been that they can't communicate with each other, as they're operating in their own virtual bubble. So for example, if a user is running virtualized Microsoft Word, any Web links in the document won't work since Word won't be able to open Internet Explorer. Solutions and workarounds for these productivity limitations are appearing, but from a security standpoint, they weaken the benefits of application virtualization.
Before fully implementing application virtualization, it's necessary to test and validate deployment on a wide variety of PC configurations. Not all applications can be virtualized; the developer may not have followed best practices for coding or registering DLLs, or the application may require the client or user to have administration rights. The time and cost of this testing need to be taken into account when looking at the ROI of application virtualization.