Educause Security Discussion mailing list archives
Re: OS virtualization at the desktop
From: Graham Toal <gtoal () UTPA EDU>
Date: Thu, 13 Jul 2006 14:58:11 -0500
Are there opportunities to improve security at the desktop using virtualization?
Yes, but I expect it will take some discipline and politicking to make it happen:

1) completely secure the outer-level environment, using every trick you know. Make it so that only legitimate work can be done on the 'real' machine. No mail, no web browsing etc. Just spreadsheets, docs, printing etc.

2) have a VM inside this which is less strictly controlled, *but* which is considered temporary and is reset to a known state from a central server periodically. This is where people do their email, browsing etc. You do not allow anyone to access sensitive data within this environment (either by policy or by software if at all possible).

In principle it should be impossible to break out of the VM into the real machine; whereas if someone broke into the real machine you should assume they have full access to the VM as well, which is why there's no point in distributing a secure VM image to insecure desktops.

I say 'in principle'. There does exist the possibility that some VM vendor extensions might be abused in order to escape to an outer level. But if there were no vendor back doors and the software was reasonably well written, then it ought to be a captive environment.

Graham