
Securing the mobile workforce with VMware ACE, part 1

Securing the mobile computer population is one of the most complex challenges that an IT manager faces in the corporate environment. Laptops, PDAs and smartphones are all critical infection vectors; these devices may be under control while they sit behind million-dollar security infrastructures, but they are fully exposed when mobile employees use them to connect to home or public networks during their daily travels.

Infection of mobile devices and the subsequent compromise of the corporate network are not the only problems; mobile devices may store sensitive data and be capable of reaching the innermost parts of a company's data center. As soon as a laptop is stolen, an IT manager has to handle something even more painful than a virus infection -- an authorized remote access point with partial or complete clearance to reserved information.

Today's products cannot mitigate these kinds of scenarios, and upcoming endpoint security technologies are only partially committed to solving problems like the one described.

The only effective solution comes in the form of VMware Inc.'s product, called Assured Computing Environment (ACE). ACE is a special version of VMware Workstation software, which features a powerful and flexible security wrapper. The security wrapper controls how a virtual machine (VM) interacts with the outside world, at the host and the guest level, in a centralized way.

In the first part of this article, I'll describe a real-world scenario in which ACE is the perfect choice to handle security and privacy issues, and I'll provide details on how to prepare the virtual machine. In part two, I'll talk about how to define your security policy and distribute the package.

The problem

Today's scenario involves an SMB company working in a niche provisioning market with aggressive competition. The majority of the company's revenue comes from its territory salesforce carrying out direct sales at customers' sites.

Sales agents are required to order customers' material by accessing an online provisioning portal. They also have to access the company intranet through a VPN with a custom application that tracks, modifies or cancels outstanding orders and verifies the salesperson's commissions.

The company develops its own orders management application for the Windows operating system but elects not to adopt Microsoft Active Directory technology.

To reduce costs, the company populates its salesforce with contractors, and requires them to provide their own computer equipment. The company IT staff then installs and regularly updates the orders management application and makes sure the salesperson can connect to the VPN and has an Internet browser to access the online portal.

This scenario presents many problems for the IT managers:

- Centralized control
Sales agents have to move around their assigned territory with laptops, often in areas with no Internet connectivity. Laptops are not easily controllable in a centralized way.

- Heterogeneous environments
Sales agents have to provide their own computer equipment, which means the IT staff has no guarantee that the operating system will be secure for corporate network remote access and compatible with the company's provisioning application.

- Data disclosure
Sales agents have complete control over their laptops and can illegally replicate corporate data for various purposes, such as backup or personal benefit. Beyond that, lost or stolen equipment could leak not only downloaded data but also the credentials and details needed for remote access to the company.

In our particular scenario, since the sales agents own their computer equipment, when they resign, they are not obliged to give anything back.

Last but not least, sales agents theoretically could sell a copy of the company's application to competitors, providing competitors with continuous access to corporate data.

The VMware ACE solution

To address the security issues of this scenario with ACE, we'll create a minimally configured, secured and compatible operating system inside a virtual machine. We can then install and set up the company's orders management application, a browser that works with the online provisioning portal and the VPN to the corporate network.

Then, we'll limit this virtual machine's ability to reach external networks, also preventing it from being moved or copied around. And finally, we'll ship it in a one-click installation package to be deployed to every sales agent's laptop.

Preparing the virtual machine

The first step is to create the virtual machine. We can create a new one from scratch inside the ACE environment, which is nearly identical to the Workstation environment, or we can import an existing VM created with another VMware product.

We should act carefully when importing an existing virtual machine; a VM created with Workstation 5.x is not compatible with ACE. At the time of this writing, VMware is shipping Workstation 5.5.1 and ACE 1.0.2, but ACE 1.0.2 only works with virtual hardware from the Workstation 4.x family.

Luckily, there is a solution: VMware is working on a product called Virtual Machine Importer 2.0, currently available in beta. It will convert more recent virtual machines' hardware into legacy hardware such that it works with Workstation 4.x products and ACE 1.0.2:

Figure 1

Don't bother trying to do this conversion with the released Virtual Machine Importer 1.5. That version works only on third-party images, not on VMware virtual machines.

Continue to part two of this article to read about how to define the security policy and distribute the package.
