Introduction to VMware ACE · download3.vmware.com/vmworld/2005/pac600.pdf


Introduction to VMware ACE

The Assured Computing Environment for the Enterprise


Presentation Summary
• The Cost and Risk of Unmanaged PCs
• VMware ACE Overview
• VMware ACE Solutions for the Enterprise
• Customer Stories
• Learning More about VMware ACE
• Q&A


What Is an Unmanaged PC?

MANAGED
• Company owned
• Consistently attached
• Frequently updated
• HQ, field, and branch offices

UNMANAGED
• Outside party
• Requires access or Internet only
• Never updated or self maintained
• Teleworkers, contractors, consultants, partners, offshore workers


Dramatic Increase of Unmanaged PCs
• By 2008, 41 million corporate employees globally will spend at least one day a week teleworking, and almost 100 million will work from home at least one day a month
• Independent contractors accounted for 7.4 percent of the nation's total job base
• Unmanaged PCs used by teleworkers, contractors, outsourcers and partners are not owned or maintained by IT and therefore present increased costs and security risks

Sources: Gartner Research, Computer Security Institute, U.S. Department of Labor


The Cost of Unsecured, Unmanaged PCs
20% or more of the endpoints on a typical company’s network are unmanaged, driving:
• Increased number of service calls
• Longer troubleshooting cycles
• Urgent patching outside of normal schedules
• Increased downtime and loss of productivity
• Unintentional misuse of company applications and data

• Companies spend up to an additional $2,000 per unmanaged PC, per year
• Cases involving theft of proprietary information doubled from 2004
• Unauthorized access accounts for 24% of reported financial losses

Source: Gartner Research, Computer Security Institute


Real World Scenarios and Risks
• A telecommuting employee, working with sensitive corporate information over an unsecured wireless network, unknowingly allows a hacker to access corporate financial information
• A contractor, connected through VPN, downloads files to an unmanaged PC, leaving sensitive data outside the protection of the corporate network. The user prints or copies files onto a CD, floppy or USB drive, putting sensitive data at risk outside the corporate network
• An offshore developer is using system software without the most up-to-date patches, even though company policy requires that users install the latest operating system patches. It is challenging to enforce policies on machines controlled by the company and impossible to do so on unmanaged remote PCs outside the company


VMware ACE

VMware® ACE enables security administrators to package an IT-managed PC within a secured virtual machine and deploy it to an unmanaged physical PC



Key Benefits
Through centralized security management and consistent, sandboxed PC environments, VMware ACE delivers:
• Secured, IT-managed endpoints on any physical PC
• Improved security of confidential information
• Reduced costs and simplified support and management


How VMware ACE Works

VMware ACE Manager (Administrator’s PC)
Used by security administrators to create assured computing environments that can be packaged and provisioned to any PC

VMware ACE (End-user’s PC)
An application installed by end users to run a pre-configured, secured and sandboxed PC endpoint on their physical PC


Key Features
• Centralized security and management policies
• Secured computing environment
• Device control
• Expiration control
• Copy protected computing environment
• Rules-based network access
• Revert to clean state


VMware ACE Solutions for the Enterprise


VMware ACE Solutions for the Enterprise
Key properties of isolation, encapsulation, and mobility enable several use cases

• Secure unmanaged PCs: Transform unmanaged physical PCs into secured, IT-managed endpoints used by telecommuters, offshore or remote workers, and contractors
• Secure confidential information: Secure and protect confidential enterprise and personally identifiable information from loss or theft
• Run multiple secure PC environments: Support desktop applications that are too costly to port, recode or migrate to the latest PC hardware and operating systems


Secure Unmanaged PCs
Transform unsecured, unmanaged PCs into secured, IT-managed endpoints

[Diagram labels: telecommuters, offshore workers, remote offices; consultants, partners, contractors]

Benefits
• Reduce the security risk from unmanaged and unsecured PCs
• Set policies that control authentication, network and device access, and data security
• Simplify and streamline support and maintenance of unmanaged PCs
• Reduce the cost of providing additional hardware to telecommuters and contractors

Challenge
• Unsecured and unmanaged endpoints create security risks and management challenges
• High cost to administer unmanaged PCs
• High cost to provision PCs

Use Cases
• PCs used by telecommuters, offshore/remote offices, consultants, contractors


Secure Confidential Data on Mobile PCs
Secure data in encrypted, copy protected and locked down virtual machines

Use Cases
• Protecting data on mobile PCs from theft, tampering, and copying
• Enable compliance with privacy and data regulations such as HIPAA, SarBox, Gramm-Leach-Bliley

Challenge
• Creating a tamper-proof environment on the end point
• Controlling the hardware as well as data

Benefits
• Centralize management of copy protection and encryption policies
• Secure confidential information from theft and misuse
• Enable and enforce compliance with privacy regulations such as HIPAA, SarBox, Gramm-Leach-Bliley

Protected environment for mobile and desktop users


Run Multiple, Secure PC Environments on a Single PC

Use Cases
• Single end user needs access to separate classified or secured environments on the same physical PC
• Support Windows 9x/NT desktop applications in isolated and encapsulated environments during OS migration

Benefits
• Eliminate multiple physical PCs per user
• Reduce hardware and management costs

Challenge
• Cost of porting, re-coding legacy desktop applications
• Cost of hardware for multiple PCs per user

Enterprise Desktops and Laptops


Secure PC Environments for Offshore Workers

The Challenge
Provide secure and manageable PC environments for offshore workers, protecting valuable company data

The VMware Solution
CNA uses VMware ACE to create secure CNA desktops on CDs for outsourced workers, preventing offshore workers from copying anything into or out of the secure CNA desktop. Images are set to lock out peripherals, such as USB flash drives, to prevent data loss.

• Using VMware ACE is BEST PRACTICE #3
• CNA can expire an image at any time
• Images give the offshore provider more control over the PC environment
• Offshore workers can do CNA work without being connected to the CNA network
• Helps offshore provider save money because it can load multiple images on a single machine

“It used to be that employees would have to log out and go to a different computer to enter their time sheets or do e-mail. Now they can do it on their own machines.”

Scott Sysol, Director of infrastructure and security architecture, CNA Insurance
In an article for CSO Online, May 2005, “Don’t Export Security”


Provision Secure Environments for Telecommuters

The Challenge
BHS wanted to give 50-60 hospital staff members the option to work from home without worrying about hardware or software compatibility, virus protection or security.

The VMware Solution
Clerical staff use VMware ACE to work from home so BHS can reclaim hospital space for patient care.

• VRM enables access control, image version control, image expiration, copy protection and virus control, protecting BHS system data
• BHS can provide a home-based staff member or visiting contractor with a virtual machine containing an operating system and the software they need to do their work

“We are happy to have portable virtual machine technology with VMware ACE, providing us with a new set of benefits as it enables us to provision PC environments on unmanaged guest PCs.”

Tom Taylor, Senior Client Server Analyst, Baptist Healthcare System


Secure Environment for Remote Workers

The Challenge
Guardian wants a secure computing environment for employees working from home or offshore

The VMware Solution
Guardian will use VMware ACE to provision secure, standardized PC environments to its extended enterprise

• Reduces security risk from unmanaged and unsecured PCs connecting to the enterprise network
• Simplifies management and support of guest worker-owned PCs
• Protects company assets in secure, encrypted, and copy-protected PC environments

“The VRM technology in ACE is very valuable to Guardian as it will allow us to enforce network and patch management policies on environments that connect to our corporate network.”

Bob Mathers, 2nd Vice President, IT Operations, Guardian Life Insurance


Summary
VMware ACE enables security managers to:
• Provision secured, IT-managed endpoints on unmanaged PCs
• Secure confidential data on mobile PCs
• Run multiple secure PC environments on a single PC

Through centralized security policies and consistent, sandboxed PC environments, VMware ACE delivers:
• Increased security of unmanaged PCs
• Improved security of confidential information
• Reduced costs and simplified support and management


Learn More about VMware ACE
• Buy or try VMware ACE (free 30-day trial)
• Talk to your local VMware VIP Partner
• Learn more by visiting: http://www.vmware.com/evalace
• Download product information, solution briefs, and technical notes
• View online streaming demos
• Join the ACE community forum on VMware.com: http://www.vmware.com/community/index.jspa


Thank You!
Any Questions?


FAQ

Q. My customer has deployed Citrix; why do they need VMware ACE?
A. The best solution is to use both! Citrix and other remote access technologies secure the network connection. VMware ACE secures the hardware at the endpoint. VMware ACE can help prevent unauthorized copying and misuse of data downloaded through remote access solutions.

Q. How do ACE licenses for end users work?
A. Customers need a license of VMware ACE for each end user PC that has a non-expired ACE environment installed and running. Once an ACE environment expires, the customer can return that license to the ‘pool’. This is explained in the end user license agreement (EULA).

Q. Does VMware ACE run from a CD or DVD or USB Drive?
A. No. End users install an ACE package from a DVD, CD, download, or it is provisioned via a tool such as SMS, Altiris or LANDesk.

Q. Does VMware ACE install on a Linux host OS?
A. No. This version of VMware ACE must be installed on a host PC running Windows 2000 or later. VMware is looking into Linux hosts as a supported platform.


Key Feature Drilldown


Key Feature Drilldown
• Centralized security and management policies
• Secured computing environment
• Device control
• Expiration control
• Copy protected computing environment
• Rules-based network access
• Revert to clean state
• Customizable user interface


Centralized Security & Management Policies
Centralized control of security policies, devices, and network access through ACE Manager

Virtual Rights Management (VRM)
Digital Rights Management control over computing environment:
• Creation, access, and copying
• Configuration modification
• Expiration

• Policy enforcement supported when ACE is both online and offline
• Integrates with existing security and management tools
• Extensible with scripting


Secured Computing Environment

Protect the entire ACE environment:
• Seamlessly encrypt all data
• Protect against data theft
• Protect configuration and policies against tampering by user

Leverage existing authentication mechanisms:
• Password, Active Directory, or custom script

Seamless AES 128-bit encryption and strong authentication create a tamper-resistant environment

[Diagram labels: Host Apps, Host Data, Policies, Data, Config]


Secured Computing Environment
VMware ACE enables a “secure sandbox” on unmanaged and unsecured PCs

[Diagram labels: Remote Computer, ACE]

• Data Security: Virtual machine isolation protects against host compromise
• Network Security: Bi-directional firewall allows only VPN traffic in and out of virtual machine
• Network Isolation: Lack of host VPN channel keeps corporate network isolated
• Operating system inside virtual machine can be locked down


Expiration and Copy Protection

• Expire VMware ACE at a future date or preconfigured number of days after installation
• Bind VMware ACE to each PC to prevent unauthorized copying or moving
• Control VMware ACE activity through pre-set policies

Control VMware ACE lifecycle with expiration, encryption and copy protection


Rules-Based Network Access

Control network access privileges:
• Limit network access
• Dynamic policies

Virtual machine version control:
• Enforce corporate IT policies
• Non-compliant desktops are immediately identified and quarantined until remediation
• Integrate with existing security and management solutions
• Contain threat from unpatched desktops prior to power-on

Manage network privileges with: Zone-based network quarantine

[Diagram labels: 2-Way Firewall, Internet or LAN, Optional Policy Server]


Zone-Based Network Quarantine
Host Quarantine

Zone 1: Public
Extend network quarantine to the host PC

[Diagram labels: VPN, Internet, Corporate LAN]


Zone-Based Network Quarantine
Host Quarantine

Zone 2: Work
Apply network quarantine rules based upon location

[Diagram labels: Internet, Corporate LAN]


Revert to Clean State

Start where you left off
• Resume session in seconds

Revert to clean state
• ‘Discard session’ capability to revert to a previous state in seconds

Greater flexibility than traditional PC environments


Optimized UI for Business End Users

• Configure ACE to start in full-screen mode
• VMware ACE looks and feels like any other Windows application
• End user is similar to a terminal session: Desktop on top of a desktop

Policy-controlled environments with a simple user interface


Additional Customer Slides


Provision Standardized Desktop PC Environments

The Challenge
Quickly and easily deploy software to students who are using different types of hardware and operating systems.

The VMware Solution
VMware ACE enables ASU to provide students with prepackaged software in virtual machines that cannot affect their physical hardware, software or operating systems. Software in virtual machines is easy for students to use, plus easy to manage.

• Virtual machines are customized to meet students’ needs
• Removes concern about OS, software or hardware compatibility
• Students need less training. “They can point and click and it works.”
• Virtual Rights Management capabilities enable ASU to control licensing and security of virtual machines

“For us, it’s the easiest way to give a machine to an end user. We can set expiration dates for the environment so students can use it for the term, and we don’t need to give them the software to configure on their machines.”

Scott Worthington, Technology Support Analyst, Sr., Arizona State University


Provision Standardized Desktop PC Environments

The Challenge
ALG Software needed a way to quickly and easily set up training classes at customer sites, which had varying hardware

The VMware Solution
ALG Software uses VMware ACE to provide prepackaged virtual machines that can be used at client sites for training

• Can create, maintain and manage standardized, hardware-independent, secure desktop configurations
• No longer need to create separate builds for different types of hardware
• Virtual Rights Management capabilities provide encryption, security and expiration control

“By using a standardized product image we can reduce the disruption to the client’s site, while ensuring our product is used in a safe and secure way.”

Dave Parsons, Vice President of Product Development, ALG Software


Support Legacy Desktop Applications
Large Power Company

Problem
• More than 15,000 PCs need to run legacy Windows 95 applications on newer hardware running Windows XP
• Porting or recoding the legacy applications was too risky, would take too long and cost too much money

Solution
• Install VMware ACE on all the PCs
• Deploy the legacy applications to the PCs via a VMware ACE package
• End users have access to the applications they need while running on more reliable hardware and operating systems


Backup Slides


Minimal Hardware Requirements
• CPU: 400 MHz or faster, including Intel® Celeron®, Pentium® II, Pentium III, Pentium 4, Pentium M (including computers with Centrino mobile technology), Xeon (including "Prestonia"), AMD Athlon, Athlon MP, Athlon XP, Duron, Opteron
• Memory: 128 MB
• Storage: 10 GB Hard Disk
• Video: 16-bit Video
• Network: Single 100 MB Ethernet Card
• Supported Host OS: MS Windows XP Pro, MS Windows 2000 Pro SP3 or 4


Suggested Hardware Requirements
• CPU: 1.7 GHz or faster, including Intel® Celeron, Pentium 4, Pentium M, Xeon, AMD Athlon, Athlon MP, Athlon XP, Opteron
• Memory: 1 GB
• Storage: 40 GB Hard Disk
• Video: 16-bit Video
• Network: Single 100 MB Ethernet Card
• Supported Host OS: MS Windows XP Pro, MS Windows 2000 Pro SP3 or 4


Additional Benefits
VMware ACE is an enterprise solution for IT Managers who want to:
• Dramatically reduce end-user support costs, efforts, and downtime
• Provision a single, consistent, hardware-independent image to be deployed throughout the extended enterprise
• Reduce costs associated with provisioning PC environments to unmanaged PCs
• Recover rapidly from viruses, trojans, malware, and spyware
• Improve security of confidential enterprise and personally identifiable information
• Complement Active Directory with self-policing virtualized PC environments


Centralized Control & Configuration Management

Common PC Management Challenges
• End-User Support Costs and Efforts
• Remote User Support Complexity
• End-user Self Inflicted PC Problems
• Viruses, Trojans, Malware, & Spyware
• Lack of Complete PC Control
• Increasingly Distributed Workforce
• Multiple Images & HW Platforms
• Image Updates & Maintenance
• Application development, testing & QA complexity
• Satisfying regulatory compliance standards

VMware ACE Solution
• User workstation rollback capabilities and policy enforcement
• A single, fault-tolerant, tamper-resistant hardware-independent PC environment
• Centralized & offline policy enforcement via VRM (Virtual Rights Management)

VMware ACE Compared to Workstation

VMware ACE

What does it do: Enables security managers to:

- Package an IT-managed PC within a secured virtual machine and deploy it to an unmanaged physical PC
- Secure confidential information on mobile PCs

Key Capabilities: Virtual Rights Management is THE key!

- Set expiration dates for each ACE on an end-user PC
- Leverage existing authentication (ADS)
- Enforce IT policies through rules-based network access
- Secure and protect enterprise information through seamless encryption and copy protection controls on hardware

VMware Workstation

What does it do: Enables technical professionals such as developers, testers, and QA engineers to:

- Run multiple OSes and applications in virtual machines
- Streamline development and testing as well as accelerated application deployments

Key Capabilities:

- Snapshots for reverting to a previous state, greatly reduces dev cycle times
- Advanced networking between VMs to reproduce production environments
- Track virtual machine performance through integration with the Windows performance monitor counters
- PXE provisioning to easily install OS and application images

VMware ACE Enables Secured, IT-Managed Endpoints

[Diagram labels: Employee; Contractor; Partner; Telecommuter, remote; Contractor, outsourcer; Internet; Trusted Corp Network; Unmanaged PCs; Connect via Enterprise VPN; IT-Managed Endpoints]

A secured virtual machine provides a consistent and IT-managed PC endpoint residing inside the security perimeter while the unmanaged physical PC is not granted access

- Used internally, remotely, connected or disconnected from the trusted network
- Secure confidential data and isolate against malware
- Leverage existing security and management tools

Causes of Common Security Breaches

CATEGORY | CAUSES
Abuse of Wireless Network | Unauthorized Wireless NIC cards
Insider Net Abuse | File and Desktop Sharing Applications; Public Instant Messaging
Theft of Proprietary Information | Poor password security; Unauthorized hardware; Public Instant Messaging
Denial of Service Attacks | Insecure software (lack of patching or poor configuration); Disabled personal firewalls
Virus | Outdated/inactive antivirus software

Managed PCs Still Pose Considerable Risk

Proliferating Vulnerabilities

422 new vulnerabilities found in 2005's second quarter, according to the SANS Institute. That's 10.8 percent higher than the first quarter, but patches do exist for the new vulnerabilities. Source: E-Commerce Times

Maintaining Uptime

Enterprises that don’t enforce security policies during network logon will experience 200% more network downtime than those who do. Source: Gartner Research

Unauthorized Access to Corporate Information

5 percent average fall of market caps after the publicized exposure of confidential information, according to recent academic research. Source: Enterprise Systems Journal

Compliance with Regulatory Standards

94 percent. Proportion of companies saying their Sarbanes-Oxley auditors have uncovered IT systems deficiencies, according to a CFO IT survey. Source: CFO.com

Different Shades of Security Management

MANAGED: Company owned; Consistently attached; Frequently updated

PARTIALLY MANAGED: Company owned; Intermittently attached; Updated when accessible

UNMANAGED: Outside party; Requires access or Internet only; Never updated or self-maintained
