Last week, I spoke with VMware Vice President of Marketing Michael Mullany about VMware ACE, a fascinating solution that simplifies and secures the deployment of software environments to mobile workers, contractors, and telecommuters. The company plans to roll out the technology by year's end. Indeed, the idea is so good that I'm surprised no one has pursued this sort of solution before now.
VMware Assured Computing Environment (ACE) takes the concept of virtual machine (VM) environments--a market VMware pioneered on the PC--and adapts it to a need that is suddenly endemic in many enterprises: Users are connecting to their networks using mobile computers that aren't current with the corporation's security policies. In many cases, these machines aren't controlled in any way by the enterprise and can be contaminated with Trojan horses, spyware, and malicious software (malware).
Microsoft's response to this remote-user problem is typical for the software giant. It's developing an end-to-end solution called Network Access Protection (NAP), based on its mid-2005 Windows Server update, dubbed Windows Server 2003 Release Candidate 2 (R2). This feature, formerly called simply "network isolation," will validate mobile computers that attempt to connect to the network, either locally or remotely, against corporate policy and place the machines that don't make the grade into an isolation mode. While the computer is in this mode, you can install any missing upgrades before letting it join the network. Microsoft's approach is complete and far reaching. It's also a year away from being available, and even then, it will be available only to servers running the most recent version of Windows 2003.
In contrast, VMware's solution to this problem is brilliant in its simplicity. Instead of forcing enterprises to update their servers, the company is offering its VMware ACE solution, which consists of a VMware ACE Manager creator console that PC administrators can use to package whatever OS, applications, and data users might need. VMware delivers these packages as VM environments that administrators can install on a user's computer. "This product is designed for PC administrators who have to manage potentially insecure and unmanaged end points," Mullany said.
You can configure VMware ACE environments in various ways. For example, you might want to determine whether the environment can connect to potentially dangerous external peripherals such as USB keys or 3.5" disk drives. You can configure the network ranges with which the environment can communicate, or configure its expiration date, which is a perfect solution for when you use contractors. Perhaps you want the environment to be used only at certain times and on certain days. You can also encrypt the environment, ensuring that any data it contains stays in the environment. ACE is tamper-proof, according to Mullany.
After you create an ACE environment, you can distribute it electronically or via DVD. Unlike standard VM environments, such as VMware Workstation, you can even configure the presentation of the virtual environment. For less sophisticated or more controlled users, you can configure the ACE environment to have a simple window that is chromed (or skinned) to include no user-accessible controls. You can give more advanced users more functionality, such as the ability to suspend a session to disk, saving its state so that they can quickly pick up where they left off at a later time.
VMware believes the ACE solution will benefit three key scenarios initially. First, the solution makes it easier and safer to allow contractors on your corporate network by giving them a software environment that includes only the tools they need. This approach saves hardware costs because contractors use their own hardware. And because each environment is copy protected to work only on the first system it's installed on, the environment is more secure. VMware calls this technology "virtual rights management," a play on Digital Rights Management (DRM) technology.
Second, VMware ACE will be ideal for telecommuters who typically use a VPN to connect to your networks from their home computers, which can create all sorts of problems. In a VMware ACE environment, these users have a software-based clean room from which to connect and all the tools they need to perform their work.
The third market is mobile users. If a notebook computer is stolen, your company's data will be safe because it's contained in an encrypted environment that your IT department controls, configures, and monitors. No worries.
Mullany believes that the benefits of this type of solution will grow more compelling over time, and I agree. Indeed, it's not hard to imagine that this system, or something similar, will be the standard way to deploy PCs in the future. "VMware ACE is an assured computing environment that lets a PC participate in multiple logical contexts," said Mullany.
The benefits of this approach should be obvious. By deploying managed virtual environments to mobile computing end users, you control the user environment in a more secure, cost-effective manner. And unlike a standard locked-down corporate laptop, this virtual environment doesn't prevent users from doing what they want to do on their machines ... from outside your secure environment.
VMware ACE is currently in beta and should ship by the end of 2004. The client component will cost $100 per user, but VMware hasn't yet priced the ACE Manager administrator console. In the meantime, I'm looking forward to evaluating this intriguing solution. If VMware is correct--and I think it is--the future of client deployments, especially for mobile users, might well be virtual, assured computing environments.
Windows XP SP2 and SharePoint Reader Feedback
I was overwhelmed by the amount of feedback I received in response to last week's requests for Windows XP Service Pack 2 (SP2) and Microsoft SharePoint experiences. I'm still putting together a response, which I hope to have in time for next week's edition of Windows IT Pro UPDATE. Thanks to everyone who wrote in--your feedback is invaluable.