Advice Line | Bob Lewis

Can virtualization resolve the IT/end-user disconnect?

February 29, 2008

In this week's Keep the Joint Running ("The portal," 2/25/2008) I described the contrast between IT's view of the PC as a business computing device and the average end-user's perspective - that it's a portal to a universe of possibilities. In response, I received this suggestion. I'll be interested in everyone's comments on this approach.

- Bob

Dear Bob ...

What if...

... each employee's PC had two virtual machines installed -- one the locked-down "business computer" with the standard productivity and security apps and conservative security settings (for doing "serious" work) and the other a "sandbox" with wide-open, go-to-whatever-web-site, minimal security settings and any cool app you wanted to install and try out.

Add a keystroke toggle (or even an extended desktop with both environments open) and a secure (but not impossibly hard) way to move truly useful information from the sandbox to the serious side, and mix in some process for peer review of your downloaded app "finds" (that IT has to consider for installing on the serious side if enough users give it an "A").

Finally, give the users a button to click to "reset" the sandbox to pristine condition if (when) things get too crazy.

Could we make peace between the IT and user worlds?

- Will Pearce

Dear Will ...

Seems like a good start to me. As with so many ideas, the devil is in the details. Let's see what Advice Line's subscribers think about it.

- Bob

Posted by Bob Lewis on February 29, 2008 09:14 AM


COMMENTS

Hi all,

I think it is a good idea. But there are chances of goof-ups where, thinking that it is the sandbox, you do something stupid on your business/production VM.

Better still would be a LIVE CD where you could do what you want when you want without any chance of issues.

Or dual boot, anyone?

BR,
~A

Posted by: anjan bacchu at February 29, 2008 11:56 AM

I completely agree with Bob's larger point that many in IT take the 'it's not YOUR computer, it's OUR computer' point of view way too far.

Virtualization as a compromise is a good idea -- with limits.

I am actually looking at implementing a similar approach. The host OS would be the 'corporate' environment. The corporate environment will be configured with a reasonable amount of flexibility. It won't be completely 'locked down' but with Vista we should finally be able to have users not have administrator rights without unreasonably compromising their ability to compute. It can be done on XP, but with a large application portfolio, non-admin on XP takes 3rd party software and lots of in-house work. (Server 2008 includes some things that used to be 3rd party software - may make enabling non-admin XP easier. Haven't looked at that in detail.)

Users will be able to run VMs that are more - but not completely - unrestricted. For example, VMs will be required to have antivirus and to be set to receive patches automatically.

We should be able to provide base VMs for at least a few OS versions (probably XP and a Linux distro to start).

Ideally, the solution would also include network restrictions so that the VMs could not access high-value corporate resources (think perhaps IPSec zones) but would still be able to access the Internet.

One important thing to realize: Virtualization is NOT a security barrier. It's already been demonstrated that malicious code that gets a toehold inside a guest VM can reach out and get into other VMs running on the same host, or even the host itself. (Google "Intelguardians virtual machine escape" or of course "Rutkowska blue pill".)

Posted by: Dan Becker at March 1, 2008 08:23 AM

In the end a company that gives IT the mandate to provide tools for its employees to leverage and improve in new ways is what will fundamentally change the equation. I think a company that does that will really be able to out-perform the competition. Look for IT to be adding value and not just holding down costs, and such ideas can really be made to work. That way, IT has an incentive to make sure the users can actually use this solution (i.e. it is user friendly) and it isn't just an excuse to make the complaints go away.

Posted by: Anonymous at March 2, 2008 12:07 PM

One aspect VM will not help with is bandwidth usage. Streaming video, streaming audio, and numerous gadgets and widgets take a toll on line speed.

Posted by: Greg at March 3, 2008 07:11 AM

I've told two employers that I'd be happy to supply my own computer and software (I already own a well-equipped laptop) just to avoid dealing with IT. They could just give me a power outlet and broadband Internet, and I'd handle everything else.

I used to *be* IT, but dealing with them now is so frustrating I'd be willing to literally pay money to avoid it.

Posted by: Carl at March 3, 2008 10:22 AM

Don't tell anyone here, but I now use a Linux Live CD for 'personal' use when I am traveling. Since it does not even mount the hard drive by default, I don't use any corporate data and pose minimal risk to company resources -- while still accessing e-mail and browsing the Internet.

Unless they're very paranoid and lock the BIOS settings to force hard disk boot, I can be happy and they can continue in ignorance.

Posted by: Anon_Coward at March 5, 2008 10:53 AM

Businesses buy equipment, internet connections and whatnot to run their business. People already spend too much company time on their cell phones, on personal web surfing, personal e-mail and whatnot as it is. The last thing any business needs is to spend more money on IT time, payroll, equipment, faster internet feeds, etc to make it even easier for people to screw off during the day.

Posted by: John Doe at March 5, 2008 11:15 AM

IMO, the biggest problem you are going to find is that the security rights of Windows simply don't allow this to happen.

How will you be able to stop people from tweaking the network settings to allow them access to "the other side," for example?

There are lots of examples like this too...

Posted by: Mark B at March 5, 2008 01:15 PM

Virtualisation:

- Security isn't optional for The Enterprise. It is only a matter of (a short) time before we see the first corporate collapse from this.

- The VM system in IBM z-Series is 'EAL 5' certified - the highest security rating. In time something near this will be available for the desktop

- Why would you run guest VMs directly under your main desktop App? It isn't designed for it in any way, nor does it have the security setting & focus. A small, secure host O/S that can control all the runnable VMs is more secure and more manageable. The host O/S can perform security scanning & firewall duties - as well as isolating each of the guest VMs and their data.

- once you have >1 workspace, why limit it? 10 is as good as 2.

- one VM per functional application group. As you say, Users *do* figure it out. It also means individuals can be given access to functions as & when needed - without significant effort or complications.

- if you use the 'hibernate' facility & store images on servers, desktops become simple terminals

- you can maintain an 'in-progress' workspace over many days

- and disaster recovery becomes trivial if you use real-time 'snapshots' on your local file servers.

- so the corporate laptop can never run the corporate Apps if not 'connected'

- at a stroke, you eliminate the question: "What desktop O/S will we use" - everything runs!

- Not all a bed of roses - DRM & TPM along with 'license restrictions' are big issues.

- no more forced O/S upgrades or being held back - just have a Win95 VM if you need

- having a private-use VM in a different security region (not 'outside the firewall') is exactly right

- You can arrange it so that 'private' use is metered & virus scanned by the corporate firewall. And at home or on the road, the host O/S takes on this role.

- And 'power-users' don't stuff up the corporate desktop, nor does IT Support have to learn & support anything & everything - people are responsible for the admin/management of their 'private' workspaces

- if a user installs something in one of their 'sandboxes', they get to support/manage it themselves

- but you might like to make it easy for them to make backups & do restores or revert to prior images

- the sort of stuff that ordinary users won't put time into, even if they know they 'should'

You *can* have Security and Flexibility - you just have to design for it

Posted by: SteveJ at March 5, 2008 03:13 PM

A very effective variation on this theme is Intel MacOS X as the host, running either VMware or Parallels virtualized guest OSes (Windows, Linux, Solaris, whatever). By using a different host OS from the Guest OS, cross contamination issues are at least somewhat mitigated.

Posted by: Biff at March 5, 2008 03:14 PM

Gee, sorry to hear that John Doe's world is populated by chronically lazy, unscrupulous "screw-offs." Perhaps being the saint among sinners would be more palatable if the business he refers to focused more on the outcomes of labor and less on the mechanisms.

It would seem in an Internet economy, time spent gaining familiarity with said economy and markets might be viewed as a strength in ways the old "watercooler" networking tradition could never have achieved.

Businesses succeed or fail on their net value in the marketplace, at least according to free market mantra. Why is it, then, that what's good for the goose is never good enough for the gander?

Posted by: John Doe Not at March 5, 2008 03:35 PM

It's the lawyers, friends. Here in my highly locked-down environment (bank) there are holes in security that are known and possibly fixable. But those fixes would be vastly expensive, whereas locking down the desktop and turning off the USB ports is nearly free. As long as it looks to the lawyers like reasonable diligence is paid to security, the business can proceed. Security breaches happen all the time even in "highly secure" environments like the FBI, so practically speaking it is not possible to be truly secure and still accomplish anything. Looking like you are is good enough.

Posted by: InsideTheBox at March 5, 2008 04:44 PM

Isn't this called 'Citrix'?

Of course, in the future, all business apps will be available as web services, so you'll only need the ability to run a browser from any device and you'll be able to access your normal office desktop :)

Posted by: Chris Miller at March 6, 2008 12:59 AM

Based on the inputs so far, it would seem that we're not yet to the point where the current desktop OS technology would support the scenario I outlined in my email to Bob. Biff may be right that an Intel Mac running OS X and either Parallels or VMware Fusion comes the closest to giving us what I'm looking for--but is it close enough to bring about an end user / IT cease fire, let alone a peace treaty? (See www.infoworld.com/article/07/10/22/43TC-parallels-fusion_1.html for some insight into this possibility.)

FYI, for an extensive (if somewhat overwhelming) overview of current VMs, see en.wikipedia.org/wiki/Comparison_of_virtual_machines.

As for the objections some of you raised, realize that the problems you're pointing out are mostly related to the current state of VM technology (which is pretty weak on true virtualization, especially in the Windows world). Don't ditch the concept just because Bill Gates isn't going to deliver a solution tomorrow.

Finally, don't kid yourself that either SAAS or Citrix solves our problems just because someone (either the end user or IT, depending on who's talking) gets more control over the desktop. The business goals are to (1) protect your organization's data management and communications structure (hey, users!) and (2) enable the employees to be as productive and creative in their service of the organization as they can be (hey, IT!). Any "solution" that looks at only one side of that equation or that otherwise greatly sacrifices one goal for the sake of the other is no real solution at all.

Posted by: Will Pearce at March 6, 2008 03:12 PM
