Source: download3.vmware.com/vmworld/2005/pac600.pdf (VMworld 2005)
Introduction to VMware ACE
The Assured Computing Environment for the Enterprise
Presentation Summary
• The Cost and Risk of Unmanaged PCs
• VMware ACE Overview
• VMware ACE Solutions for the Enterprise
• Customer Stories
• Learning More about VMware ACE
• Q&A
What Is an Unmanaged PC?
MANAGED: company owned; consistently attached; frequently updated. Examples: HQ, field, and branch offices.
UNMANAGED: outside party; requires access or Internet only; never updated or self-maintained. Examples: teleworkers, contractors, consultants, partners, offshore workers.
Dramatic Increase of Unmanaged PCs
• By 2008, 41 million corporate employees globally will spend at least one day a week teleworking, and almost 100 million will work from home at least one day a month
• Independent contractors accounted for 7.4 percent of the nation's total job base
• Unmanaged PCs used by teleworkers, contractors, outsourcers and partners are not owned or maintained by IT and therefore present increased costs and security risks
Sources: Gartner Research, Computer Security Institute, U.S. Department of Labor
The Cost of Unsecured, Unmanaged PCs
20% or more of the endpoints on a typical company's network are unmanaged, driving:
• Increased number of service calls
• Longer troubleshooting cycles
• Urgent patching outside of normal schedules
• Increased downtime and loss of productivity
• Unintentional misuse of company applications and data
Companies spend up to an additional $2,000 per unmanaged PC, per year. Cases involving theft of proprietary information doubled from 2004. Unauthorized access accounts for 24% of reported financial losses.
Source: Gartner Research, Computer Security Institute
Real World Scenarios and Risks
• A telecommuting employee, working with sensitive corporate information over an unsecured wireless network, unknowingly allows a hacker to access corporate financial information
• A contractor, connected through VPN, downloads files to an unmanaged PC, leaving sensitive data outside the protection of the corporate network. The user prints or copies files onto a CD, floppy or USB drive, putting sensitive data at risk outside the corporate network
• An offshore developer is using system software without the most up-to-date patches, even though company policy requires that users install the latest operating system patches. It is challenging to enforce policies on machines controlled by the company and impossible to do so on unmanaged remote PCs outside the company
VMware ACE
VMware® ACE enables security administrators to package an IT-managed PC within a secured virtual machine and deploy it to an unmanaged physical PC
Key Benefits
Through centralized security management and consistent, sandboxed PC environments, VMware ACE delivers:
• Secured, IT-managed endpoints on any physical PC
• Improved security of confidential information
• Reduced costs and simplified support and management
How VMware ACE Works
VMware ACE Manager (administrator's PC): used by security administrators to create assured computing environments that can be packaged and provisioned to any PC
VMware ACE (end-user's PC): an application installed by end users to run a pre-configured, secured and sandboxed PC endpoint on their physical PC
Key Features
• Centralized security and management policies
• Secured computing environment
• Device control
• Expiration control
• Copy-protected computing environment
• Rules-based network access
• Revert to clean state
VMware ACE Solutions for the Enterprise
Key properties of isolation, encapsulation, and mobility enable several use cases:
• Secure unmanaged PCs: transform unmanaged physical PCs into secured, IT-managed endpoints used by telecommuters, offshore or remote workers, and contractors
• Secure confidential information: secure and protect confidential enterprise and personally identifiable information from loss or theft
• Run multiple secure PC environments: support desktop applications that are too costly to port, recode or migrate to the latest PC hardware and operating systems
Secure Unmanaged PCs
Transform unsecured, unmanaged PCs into secured, IT-managed endpoints (telecommuters, offshore workers, remote offices; consultants, partners, contractors)
Use Cases: PCs used by telecommuters, offshore/remote offices, consultants, contractors
Challenge:
• Unsecured and unmanaged endpoints create security risks and management challenges
• High cost to administer unmanaged PCs
• High cost to provision PCs
Benefits:
• Reduce the security risk from unmanaged and unsecured PCs
• Set policies that control authentication, network and device access, and data security
• Simplify and streamline support and maintenance of unmanaged PCs
• Reduce the cost of providing additional hardware to telecommuters and contractors
Secure Confidential Data on Mobile PCs
Secure data in encrypted, copy-protected and locked-down virtual machines (protected environment for mobile and desktop users)
Use Cases:
• Protecting data on mobile PCs from theft, tampering, and copying
• Enabling compliance with privacy and data regulations such as HIPAA, SarBox (Sarbanes-Oxley), Gramm-Leach-Bliley
Challenge:
• Creating a tamper-proof environment on the endpoint
• Controlling the hardware as well as the data
Benefits:
• Centralize management of copy protection and encryption policies
• Secure confidential information from theft and misuse
• Enable and enforce compliance with privacy regulations such as HIPAA, SarBox, Gramm-Leach-Bliley
Run Multiple, Secure PC Environments on a Single PC (enterprise desktops and laptops)
Use Cases:
• A single end user needs access to separate classified or secured environments on the same physical PC
• Support Windows 9x/NT desktop applications in isolated and encapsulated environments during OS migration
Challenge:
• Cost of porting or re-coding legacy desktop applications
• Cost of hardware for multiple PCs per user
Benefits:
• Eliminate multiple physical PCs per user
• Reduce hardware and management costs
Secure PC Environments for Offshore Workers
The Challenge: provide secure and manageable PC environments for offshore workers, protecting valuable company data
The VMware Solution: CNA uses VMware ACE to create secure CNA desktops on CDs for outsourced workers, preventing offshore workers from copying anything into or out of the secure CNA desktop. Images are set to lock out peripherals, such as USB flash drives, to prevent data loss.
• Using VMware ACE is BEST PRACTICE #3
• CNA can expire an image at any time
• Images give the offshore provider more control over the PC environment
• Offshore workers can do CNA work without being connected to the CNA network
• Helps the offshore provider save money because it can load multiple images on a single machine
“It used to be that employees would have to log out and go to a different computer to enter their time sheets or do e-mail. Now they can do it on their own machines.”
Scott Sysol, Director of Infrastructure and Security Architecture, CNA Insurance, in an article for CSO Online, May 2005, “Don’t Export Security”
Provision Secure Environments for Telecommuters
The Challenge: BHS wanted to give 50-60 hospital staff members the option to work from home without worrying about hardware or software compatibility, virus protection or security.
The VMware Solution: clerical staff use VMware ACE to work from home so BHS can reclaim hospital space for patient care.
• VRM enables access control, image version control, image expiration, copy protection and virus control, protecting BHS system data
• BHS can provide a home-based staff member or visiting contractor with a virtual machine containing an operating system and the software they need to do their work
“We are happy to have portable virtual machine technology with VMware ACE, providing us with a new set of benefits as it enables us to provision PC environments on unmanaged guest PCs.”
Tom Taylor, Senior Client Server Analyst, Baptist Healthcare System
Secure Environment for Remote Workers
The Challenge: Guardian wants a secure computing environment for employees working from home or offshore
The VMware Solution: Guardian will use VMware ACE to provision secure, standardized PC environments to its extended enterprise
• Reduces security risk from unmanaged and unsecured PCs connecting to the enterprise network
• Simplifies management and support of guest worker-owned PCs
• Protects company assets in secure, encrypted, and copy-protected PC environments
“The VRM technology in ACE is very valuable to Guardian as it will allow us to enforce network and patch management policies on environments that connect to our corporate network.”
Bob Mathers, 2nd Vice President, IT Operations, Guardian Life Insurance
Summary
VMware ACE enables security managers to:
• Provision secured, IT-managed endpoints on unmanaged PCs
• Secure confidential data on mobile PCs
• Run multiple secure PC environments on a single PC
Through centralized security policies and consistent, sandboxed PC environments, VMware ACE delivers:
• Increased security of unmanaged PCs
• Improved security of confidential information
• Reduced costs and simplified support and management
Learn More about VMware ACE
• Buy or try VMware ACE (free 30-day trial): talk to your local VMware VIP Partner
• Learn more by visiting: http://www.vmware.com/evalace
• Download product information, solution briefs, and technical notes
• View online streaming demos
• Join the ACE community forum on VMware.com: http://www.vmware.com/community/index.jspa
Thank You! Any Questions?
FAQ
Q. My customer has deployed Citrix; why do they need VMware ACE?
A. The best solution is to use both! Citrix and other remote access technologies secure the network connection. VMware ACE secures the environment at the endpoint itself. VMware ACE can help prevent unauthorized copying and misuse of data downloaded through remote access solutions.
Q. How do ACE licenses for end users work?
A. Customers need a license of VMware ACE for each end-user PC that has a non-expired ACE environment installed and running. Once an ACE environment expires, the customer can return that license to the ‘pool’. This is explained in the end user license agreement (EULA).
Q. Does VMware ACE run from a CD or DVD or USB drive?
A. No. End users install an ACE package from a DVD, CD or download, or it is provisioned via a tool such as SMS, Altiris or LANDesk.
Q. Does VMware ACE install on a Linux host OS?
A. No. This version of VMware ACE must be installed on a host PC running Windows 2000 or later. VMware is looking into Linux hosts as a supported platform.
Key Feature Drilldown
• Centralized security and management policies
• Secured computing environment
• Device control
• Expiration control
• Copy-protected computing environment
• Rules-based network access
• Revert to clean state
• Customizable user interface
Centralized control of security policies, devices, and network access through ACE Manager
Centralized Security & Management Policies: Virtual Rights Management (VRM)
Digital-rights-management-style control over the computing environment:
• Creation, access, and copying
• Configuration modification
• Expiration
Policy enforcement is supported whether the ACE is online or offline. VRM integrates with existing security and management tools and is extensible with scripting.
Secured Computing Environment
Protect the entire ACE environment:
• Seamlessly encrypt all data
• Protect against data theft
• Protect configuration and policies against tampering by the user
Leverage existing authentication mechanisms: password, Active Directory, or custom script
Seamless AES 128-bit encryption and strong authentication create a tamper-resistant environment
[Figure: a remote computer; host apps and host data sit outside the ACE, which carries its own policies, data and configuration]
VMware ACE enables a “secure sandbox” on unmanaged and unsecured PCs
Secured Computing Environment
• Data Security: virtual machine isolation keeps the ACE environment separate from the host's own applications and data, so a compromise of the host desktop does not automatically expose the corporate environment running inside it
• Network Security: a bi-directional firewall allows only VPN traffic in and out of the virtual machine
• Network Isolation: the VPN client runs inside the virtual machine rather than on the host, so the host has no channel to the corporate network and the corporate network stays isolated from it
• The operating system inside the virtual machine can be locked down
Note that the host still executes the virtual machine: these controls raise the bar against host malware and careless users, but they are enforced by software running on the unmanaged PC, not by anything outside an attacker who has administrative control of that PC.
Expiration and Copy Protection
• Expire a VMware ACE at a future date or a preconfigured number of days after installation
• Bind a VMware ACE to each PC to prevent unauthorized copying or moving
• Control VMware ACE activity through pre-set policies
Control the VMware ACE lifecycle with expiration, encryption and copy protection
Rules-Based Network Access
Control network access privileges:
• Limit network access
• Dynamic policies
Virtual machine version control:
• Enforce corporate IT policies
• Non-compliant desktops are immediately identified and quarantined until remediation
• Integrate with existing security and management solutions
• Contain the threat from unpatched desktops prior to power-on
Manage network privileges with: zone-based network quarantine, a 2-way firewall between the virtual machine and the Internet or LAN, and an optional policy server
Zone-Based Network Quarantine / Host Quarantine
[Figure, Zone 1: Public. The ACE reaches the corporate LAN only through the VPN across the Internet.] Extend network quarantine to the host PC
[Figure, Zone 2: Work. The ACE sits on the corporate LAN, with the Internet beyond it.] Apply network quarantine rules based upon location
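The mechanisms described in the preceding slides (expiration, binding the package to one PC, image version quarantine, and location-dependent firewall rules) combine into a single decision each time the ACE powers on. The following Python is an added illustrative model of that decision; it is not VMware's code and does not use ACE's real policy or package format. The Policy fields, the host-fingerprint scheme, the zone names and the constructed rule sets are all assumptions made for the demonstration.

```python
"""Illustrative model of the power-on checks an ACE-style package performs.

Added example: this is not VMware code and does not use ACE's real policy or
package format. The policy fields, the host-fingerprint scheme, the zone names
and the sample rule sets below are assumptions made for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple
import hashlib
import hmac

Rule = Tuple[str, Optional[int]]  # (protocol, port); port None means any port

# Constructed sample rule sets. In the public zone the guest may only speak
# IKE / NAT-T / ESP, i.e. it reaches the corporate LAN solely through the VPN
# client running inside the virtual machine. In the work zone it may also use
# ordinary corporate services. Quarantine admits only an update channel.
PUBLIC_RULES: List[Rule] = [("udp", 500), ("udp", 4500), ("esp", None)]
WORK_RULES: List[Rule] = PUBLIC_RULES + [("tcp", 443), ("tcp", 445), ("tcp", 3389)]
QUARANTINE_RULES: List[Rule] = [("tcp", 443)]


@dataclass
class Policy:
    install_date: date
    expires_on: Optional[date] = None          # absolute expiry date
    expires_after_days: Optional[int] = None   # or N days after installation
    min_image_version: int = 1                 # older images are quarantined
    bound_host: Optional[str] = None           # host fingerprint, set at first power-on
    zone_rules: Dict[str, List[Rule]] = field(default_factory=dict)


@dataclass
class Decision:
    state: str                  # "RUN", "QUARANTINE" or "DENY"
    reason: str
    allowed: List[Rule] = field(default_factory=list)


def host_fingerprint(package_key: bytes, hostname: str, mac: str, disk_serial: str) -> str:
    """Keyed digest of host identifiers, used to bind a package to one PC.

    The key ships inside the package on an untrusted host, so this deters
    casual copying; it does not cryptographically prevent a determined user.
    """
    material = "|".join((hostname.lower(), mac.lower(), disk_serial)).encode()
    return hmac.new(package_key, material, hashlib.sha256).hexdigest()


def evaluate(policy: Policy, today: date, host_fp: str,
             image_version: int, zone: str) -> Decision:
    """Run the checks in the order a runtime would: expiry, binding, version, zone."""
    # 1. Expiration control: an absolute date or N days after installation.
    if policy.expires_on is not None and today > policy.expires_on:
        return Decision("DENY", "package expired on %s" % policy.expires_on)
    if policy.expires_after_days is not None:
        deadline = policy.install_date + timedelta(days=policy.expires_after_days)
        if today > deadline:
            return Decision("DENY", "package expired on %s" % deadline)

    # 2. Copy protection: bind on first power-on, refuse any other host afterwards.
    if policy.bound_host is None:
        policy.bound_host = host_fp
    elif not hmac.compare_digest(policy.bound_host, host_fp):
        return Decision("DENY", "package is bound to a different PC")

    # 3. Version control: an out-of-date image is quarantined before it can work.
    if image_version < policy.min_image_version:
        reason = "image version %d below required %d" % (
            image_version, policy.min_image_version)
        return Decision("QUARANTINE", reason, list(QUARANTINE_RULES))

    # 4. Zone-based rules: an unrecognised location gets the public (most
    #    restrictive) set, never a wider one.
    rules = policy.zone_rules.get(zone, policy.zone_rules.get("public", []))
    return Decision("RUN", "zone %s" % zone, list(rules))


def flow_allowed(decision: Decision, proto: str, port: Optional[int]) -> bool:
    """The two-way firewall: a flow in either direction passes only if a rule matches."""
    if decision.state == "DENY":
        return False
    return any(p == proto and (rp is None or rp == port)
               for p, rp in decision.allowed)


if __name__ == "__main__":
    key = b"constructed-package-key"          # would come from the package author
    fp = host_fingerprint(key, "LAPTOP-01", "00:11:22:33:44:55", "WD-ABC123")
    policy = Policy(install_date=date(2005, 9, 1), expires_after_days=90,
                    min_image_version=3,
                    zone_rules={"public": PUBLIC_RULES, "work": WORK_RULES})
    for day, version, zone in [(date(2005, 10, 1), 3, "public"),
                               (date(2005, 10, 1), 2, "work"),
                               (date(2005, 12, 15), 3, "work")]:
        d = evaluate(policy, day, fp, version, zone)
        print(day, d.state, d.reason, "SMB allowed:", flow_allowed(d, "tcp", 445))
```

The order of the checks matters: expiry and binding come first so an expired or copied package never even gets the quarantine channel, and an unrecognised zone falls back to the public rule set rather than to the wider work set. Because the binding key necessarily lives with the package on the host, the fingerprint check is a deterrent against casual copying, which is the right expectation for any control that software enforces on an unmanaged PC.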
Revert to Clean State
• Start where you left off: resume the session in seconds
• Revert to clean state: a ‘discard session’ capability reverts to a previous state in seconds
Greater flexibility than traditional PC environments
Optimized UI for Business End Users
• Configure ACE to start in full-screen mode
• VMware ACE looks and feels like any other Windows application
• For the end user it is similar to a terminal session: a desktop on top of a desktop
Policy-controlled environments with a simple user interface
Additional Customer Slides
Provision Standardized Desktop PC Environments
The Challenge: quickly and easily deploy software to students who are using different types of hardware and operating systems.
The VMware Solution: VMware ACE enables ASU to provide students with prepackaged software in virtual machines that cannot affect their physical hardware, software or operating systems. Software in virtual machines is easy for students to use, plus easy to manage.
• Virtual machines are customized to meet students’ needs
• Removes concern about OS, software or hardware compatibility
• Students need less training. “They can point and click and it works.”
• Virtual Rights Management capabilities enable ASU to control licensing and security of virtual machines
“For us, it’s the easiest way to give a machine to an end user. We can set expiration dates for the environment so students can use it for the term, and we don’t need to give them the software to configure on their machines.”
Scott Worthington, Technology Support Analyst, Sr., Arizona State University
Provision Standardized Desktop PC Environments
The Challenge: ALG Software needed a way to quickly and easily set up training classes at customer sites, which had varying hardware
The VMware Solution: ALG Software uses VMware ACE to provide prepackaged virtual machines that can be used at client sites for training
• Can create, maintain and manage standardized, hardware-independent, secure desktop configurations
• No longer need to create separate builds for different types of hardware
• Virtual Rights Management capabilities provide encryption, security and expiration control
“By using a standardized product image we can reduce the disruption to the client’s site, while ensuring our product is used in a safe and secure way.”
Dave Parsons, Vice President of Product Development, ALG Software
Support Legacy Desktop Applications: Large Power Company
Problem: more than 15,000 PCs need to run legacy Windows 95 applications on newer hardware running Windows XP. Porting or recoding the legacy applications was too risky, would take too long and cost too much money.
Solution: install VMware ACE on all the PCs and deploy the legacy applications to them via a VMware ACE package. End users have access to the applications they need while running on more reliable hardware and operating systems.
Backup Slides
Minimal Hardware Requirements
CPU: 400 MHz or faster, including Intel® Celeron®, Pentium® II, Pentium III, Pentium 4, Pentium M (including computers with Centrino mobile technology), Xeon (including "Prestonia"), AMD Athlon, Athlon MP, Athlon XP, Duron, Opteron
Memory: 128 MB
Storage: 10 GB hard disk
Video: 16-bit video
Network: single 100 Mbit Ethernet card
Supported host OS: MS Windows XP Pro, MS Windows 2000 Pro SP3 or SP4
Suggested Hardware Requirements
CPU: 1.7 GHz or faster, including Intel® Celeron, Pentium 4, Pentium M, Xeon, AMD Athlon, Athlon MP, Athlon XP, Opteron
Memory: 1 GB
Storage: 40 GB hard disk
Video: 16-bit video
Network: single 100 Mbit Ethernet card
Supported host OS: MS Windows XP Pro, MS Windows 2000 Pro SP3 or SP4
Additional Benefits
VMware ACE is an enterprise solution for IT managers who want to:
• Dramatically reduce end-user support costs, efforts, and downtime
• Provision a single, consistent, hardware-independent image to be deployed throughout the extended enterprise
• Reduce costs associated with provisioning PC environments to unmanaged PCs
• Recover rapidly from viruses, trojans, malware, and spyware
• Improve security of confidential enterprise and personally identifiable information
• Complement Active Directory with self-policing virtualized PC environments
Centralized Control & Configuration Management
Common PC management challenges:
• End-user support costs and efforts
• Remote user support complexity
• End-user self-inflicted PC problems
• Viruses, trojans, malware, and spyware
• Lack of complete PC control
• Increasingly distributed workforce
• Multiple images and hardware platforms
• Image updates and maintenance
• Application development, testing and QA complexity
• Satisfying regulatory compliance standards
VMware ACE solution:
• User workstation rollback capabilities and policy enforcement
• A single, fault-tolerant, tamper-resistant, hardware-independent PC environment
• Centralized and offline policy enforcement via VRM (Virtual Rights Management)
VMware ACE Compared to Workstation
VMware ACE
What does it do: enables security managers to:
• Package an IT-managed PC within a secured virtual machine and deploy it to an unmanaged physical PC
• Secure confidential information on mobile PCs
Key Capabilities: Virtual Rights Management is THE key!
• Set expiration dates for each ACE on an end-user PC
• Leverage existing authentication (Active Directory)
• Enforce IT policies through rules-based network access
• Secure and protect enterprise information through seamless encryption and copy protection controls bound to the PC hardware
VMware Workstation
What does it do: enables technical professionals such as developers, testers, and QA engineers to:
• Run multiple OSes and applications in virtual machines
• Streamline development and testing as well as accelerate application deployments
Key Capabilities:
• Snapshots for reverting to a previous state, greatly reducing dev cycle times
• Advanced networking between VMs to reproduce production environments
• Track virtual machine performance through integration with the Windows performance monitor counters
• PXE provisioning to easily install OS and application images
VMware ACE Enables Secured, IT-Managed Endpoints
[Figure: unmanaged PCs belonging to employees, contractors, partners, telecommuters, remote workers and outsourcers connect via the enterprise VPN across the Internet to the trusted corporate network; the IT-managed endpoint is the ACE virtual machine running on each of them]
A secured virtual machine provides a consistent and IT-managed PC endpoint residing inside the security perimeter, while the unmanaged physical PC is not granted access
IT-managed endpoints:
• Used internally, remotely, connected or disconnected from the trusted network
• Secure confidential data and isolate against malware
• Leverage existing security and management tools
Causes of Common Security Breaches
Category: Causes
• Abuse of wireless network: unauthorized wireless NIC cards
• Insider net abuse: file and desktop sharing applications; public instant messaging
• Theft of proprietary information: poor password security; unauthorized hardware; public instant messaging
• Denial of service attacks: insecure software (lack of patching or poor configuration); disabled personal firewalls
• Virus: outdated/inactive antivirus software
Managed PCs Still Pose Considerable Risk
• Proliferating vulnerabilities: 422 new vulnerabilities found in 2005's second quarter, according to the SANS Institute. That's 10.8 percent higher than the first quarter, but patches do exist for the new vulnerabilities. Source: E-Commerce Times
• Maintaining uptime: enterprises that don't enforce security policies during network logon will experience 200% more network downtime than those who do. Source: Gartner Research
• Unauthorized access to corporate information: 5 percent average fall of market caps after the publicized exposure of confidential information, according to recent academic research. Source: Enterprise Systems Journal
• Compliance with regulatory standards: 94 percent, the proportion of companies saying their Sarbanes-Oxley auditors have uncovered IT systems deficiencies, according to a CFO IT survey. Source: CFO.com
Different Shades of Security Management
MANAGED: company owned; consistently attached; frequently updated
PARTIALLY MANAGED: company owned; intermittently attached; updated when accessible
UNMANAGED: outside party; requires access or Internet only; never updated or self-maintained