In today's increasingly mobile workplace, how does a desktop administrator or manager provide corporate desktop management, security and compliance for unmanaged (home PC's) or managed but off-site desktop computers or notebooks? Let's look at the options.
There are basically three options available for providing remote access to corporate desktop environments; purchase and populate laptops for remote use, application access through the Web, or create virtual laptop environments through software like VMware's ACE 2.
Purchasing laptops allows the business to manage the desktop environment when it's not off-network. Two detractors from this option are that purchasing laptops for all employees, thereby duplicating desktop resources, is expensive. This is doubly the case if the laptops are lost or stolen, not only losing the physical asset but the data loss as well. Just ask the ING employee in Washington, D.C. whose laptop, containing 13,000 district worker's personal data, including social security numbers and financial information, was stolen from their home.
Creating a Web portal for application access can work for some applications, but not all applications can be "Webified." On top of that, it's prudent to have SSL/VPN capabilities for data protection across the wire. There's also that nagging question about where the application data is stored. If it's stored on an unmanaged (and unprotected) home computer or notebook, you run into the same issues that I mention two paragraphs above.
VMware ACE
Creating a virtual desktop with VMware's ACE (Assured Computing Environment) can address all of these issues with one solution. ACE is a desktop virtualization solution that allows the Desktop Administrator to bundle an operating system and applications together with virtualization software into a package that can be created once and deployed many times. The encrypted package can be deployed using any portable media, through standard systems management software or on a network share to a laptop or desktop and can't be read except by the systems that are authorized to use the package.
The environment within the ACE package can be as tightly controlled as necessary. The administrator uses VMware Workstation 6 (with the ACE option pack) to create a clean environment from which to package the operating system and applications within a secure virtual machine. ACE uses a runtime version of VMware Player as the virtualization platform, which is initiated on the client machine. Policies can be added to the ACE package such as data encryption, device enablement or lockdown, package expiration, network quarantining, copy protection, etc. Once the package is created and deployed on the client systems, ACE Management Server allows the admin to continue to manage the deployed environment. For example, in the event a notebook is stolen, the administrator could remotely deactivate the package, in which case, the virtual environment would shut down, encrypt itself and become inaccessible or readable except by authorized personnel.
When the package is created, the administrator can define where and how the resulting application data is saved and what devices are enabled. By default, the data is saved on the local disk but in an encrypted format so you have to be running the virtual desktop to access the local data.
VMware ACE provides a secure, managed desktop for typically unmanaged environments. So the next time an employee asks if they can work at home or needs to take a laptop to meetings, the business executives can rest easy that the corporate assets are easily deployed and secure.
About the Author: Anne Skamarock, Research Director at Focus Consulting, has been involved with computers and associated technology for nearly 30 years. She started her career as a software engineer developing custom scientific codes and as a UNIX systems administrator. For the past seven years, Anne has worked as a market analyst focusing on the convergence points around systems, storage, and software.
