Educause Security Discussion mailing list archives

Re: virtual machines


From: Mike Lococo <mike.lococo () NYU EDU>
Date: Mon, 22 Mar 2010 12:37:03 -0400

On 03/22/2010 11:30 AM, SCHALIP, MICHAEL wrote:
I’ve dealt with this kind of possibility in a previous life – and the
first step to any kind of control measures would be to make sure that
you’ve got a local policy in place first.

It seems to me that your policy regarding user-installed software should be sufficient to address desktop virtualization as well. Users who are empowered (technically and by policy) to install arbitrary software on their workstations will be able to do so whether the system is physical or virtual. Users who are not so empowered can't/shouldn't-be installing virtualization infrastructure and running VMs at all.

I suppose in the rare case where users do have a legitimate business need to run a single sanctioned virtual system, but don't have the right to install additional arbitrary software, the virtualization platform might allow them to work around restrictions in their managed environments by installing additional "rogue" virtual-machines. This strikes me as a corner-case which is readily addressed through disciplinary action, though.

Virtualization raises a fair number of interesting issues on the server-side, but I'm not sure it is particularly game-changing on the desktop yet. If and when virtualization does land on the desktop in a big way, I think it will come with a suite of tools that attempt to make managing restricted-use desktops easier. I don't have links handy, but VMware has talked about a vision of desktop virtualization which is kind of an amped-up version of roaming-profiles. If that vision is realized, virtualization will become an enforcement tool for managing desktops, not a circumvention tool.

Cheers,
Mike Lococo
