Neil MacDonald

A member of the Gartner Blog Network

Neil MacDonald, VP & Gartner Fellow, is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Virtualization Security Using Desktop Virtualization

by Neil MacDonald  |  January 11, 2010  |  3 Comments

As I discuss multiple security alternatives for enterprise desktops with clients, one of the options that must be discussed is server-based computing and terminal services, also referred to by vendors as “presentation virtualization”. One question that comes up is: “Are terminal services really a form of virtualization, or are vendors just calling this ‘presentation virtualization’ to take advantage of the industry hype around anything to do with virtualization?”

At its most fundamental level, virtualization is a layer of abstraction between a resource and something that consumes that resource, decoupling these in a way that neither the consumer nor the resource has to know they are being decoupled.

With “presentation virtualization”, the layer of abstraction sits between the Windows eventing system (the resource) and the Windows application (which consumes and processes the events). The most relevant events in this case are keystrokes, mouse clicks and video updates – let’s start there.

By inserting a layer of software, we can capture the relevant events in both directions and decouple the linkage so that the application can be driven by a keyboard, mouse and video system located elsewhere. A network-based protocol (such as ICA or RDP) carries the KVM information between the physical KVM and the application. Because the abstraction separates the consumer and the resource across a network connection, it requires two cooperating pieces of software – in this case, the terminal services software running on the server and the ICA/RDP client running on some type of client device.

This setup delivers the properties most people associate with virtualization:

  • The application (say Excel) doesn’t know that the user (KVM data) is no longer directly attached.
  • The physical keyboard, video and mouse systems don’t know that the application they are using is no longer necessarily local.
  • The application could be changed out (say to a new version of Excel) and nothing has to change.
  • The keyboard could be replaced and nothing has to change.
  • One KVM system could drive multiple copies of the application (as is used in training/classroom scenarios).
  • One application could be driven by multiple mice/keyboards (this happens when the technology is used for remote support by the help desk, for example, and it can be quite confusing if the user isn’t expecting it – which is also why session shadowing should be visible to the user rather than silent).
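To make the abstraction concrete, here is a toy model of the two-sided arrangement described above, written for this page as an added example (it is not code from the original post, and it is not how any real ICA/RDP stack is implemented). An application consumes input events and emits video updates; a broker stands in for the terminal services server plus the protocol client, serialising traffic so that KVM endpoints and application sessions can be wired 1:1, 1:N (the classroom case) or N:1 (the help-desk shadowing case). All class and function names are hypothetical.

```python
"""Added example: a toy 'presentation virtualization' broker.
JSON over an in-memory queue stands in for ICA/RDP; the application
never learns where its input comes from or where its frames go."""
import json
from collections import deque
from dataclasses import dataclass, field


@dataclass
class TextEditor:
    """The consumer of the resource: an application that only sees events."""
    buffer: str = ""
    frames: list = field(default_factory=list)

    def handle(self, event: dict) -> dict:
        """Process one input event and return the resulting video update."""
        if event["type"] == "key":
            self.buffer += event["key"]
        elif event["type"] == "click":
            self.buffer += f"<click {event['x']},{event['y']}>"
        frame = {"type": "video", "text": self.buffer}
        self.frames.append(frame)
        return frame


@dataclass(eq=False)  # identity comparison: two endpoints are never "equal"
class KVMEndpoint:
    """A keyboard/mouse/screen, local or remote; it only ever sees frames."""
    name: str
    screen: str = ""

    def show(self, frame: dict) -> None:
        self.screen = frame["text"]


class PresentationBroker:
    """The abstraction layer. Input events are serialised (as a remoting
    protocol would), routed to every session the endpoint is attached to,
    and each resulting frame is serialised back to every endpoint attached
    to that session."""

    def __init__(self) -> None:
        self.sessions: dict[str, TextEditor] = {}
        self.attached: dict[str, list[KVMEndpoint]] = {}
        self.wire: deque[bytes] = deque()  # stand-in for the network link

    def attach(self, session: str, kvm: KVMEndpoint) -> None:
        self.sessions.setdefault(session, TextEditor())
        self.attached.setdefault(session, []).append(kvm)

    def send_input(self, kvm: KVMEndpoint, event: dict) -> None:
        """Client side: capture an event and put it on the wire."""
        for session, kvms in self.attached.items():
            if kvm in kvms:
                msg = {"session": session, "event": event}
                self.wire.append(json.dumps(msg).encode())
        self._pump()

    def _pump(self) -> None:
        """Server side: parse what arrived, drive the app, fan frames out."""
        while self.wire:
            msg = json.loads(self.wire.popleft())
            frame = self.sessions[msg["session"]].handle(msg["event"])
            wire_frame = json.dumps(frame).encode()  # frame crosses the wire too
            for kvm in self.attached[msg["session"]]:
                kvm.show(json.loads(wire_frame))


def classroom_demo() -> list:
    """1:N - one instructor KVM drives three separate application copies."""
    broker = PresentationBroker()
    instructor = KVMEndpoint("instructor")
    seats = ["seat-1", "seat-2", "seat-3"]
    for seat in seats:
        broker.attach(seat, instructor)
    for ch in "abc":  # constructed input: three keystrokes
        broker.send_input(instructor, {"type": "key", "key": ch})
    return [broker.sessions[seat].buffer for seat in seats]


def shadow_demo() -> tuple:
    """N:1 - a help-desk KVM joins the user's session; both drive one
    application and both screens receive the same frames."""
    broker = PresentationBroker()
    user, helpdesk = KVMEndpoint("user"), KVMEndpoint("helpdesk")
    broker.attach("alice", user)
    broker.attach("alice", helpdesk)
    broker.send_input(user, {"type": "key", "key": "h"})
    broker.send_input(helpdesk, {"type": "key", "key": "i"})
    return broker.sessions["alice"].buffer, user.screen, helpdesk.screen


if __name__ == "__main__":
    print(classroom_demo())  # three sessions, each holding 'abc'
    print(shadow_demo())     # ('hi', 'hi', 'hi')
```

The point of the model is that `TextEditor.handle` is identical whether its caller is a local KVM or a serialised message from across the network; that is the decoupling the post describes. It also shows where the security boundary moves to: once events are serialised, the server-side receiver (`_pump` here, the terminal services stack in reality) is parsing input from whoever holds the remote endpoint, so authentication, rate limiting and protocol hardening belong in that layer rather than in the application.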

ICA, RDP and similar protocols have since evolved to virtualize more than just KVM: USB devices, printers, CD-ROM drives and other interfaces are redirected on exactly the same principle. From a security standpoint, each redirected interface is one more channel across the trust boundary between client and server, so they should be enabled deliberately rather than by default. It would be more accurate to call this “user interaction virtualization”, but “presentation virtualization” is close enough and is the term the industry has settled on.

Virtualizing the user interface as described above is useful in itself – for help desk support, say, or for people to remotely access their desktops. But terminal services and Citrix go further. Perhaps what confuses people is that, in addition to the user interface virtualization, terminal services / Citrix also create the illusion of multiple Windows desktops running on a single copy of Windows. This in itself is a form of OS virtualization, similar to what Solaris Containers or Virtuozzo do, but TSE/Citrix focuses more on the end-user workspace experience. So it is more accurate to describe terminal services/Citrix as a combination of virtualization solutions that a) creates the illusion of multiple desktops on a single copy of Windows *and* b) virtualizes the user interaction as well, so that not everyone has to be directly and physically attached to the server.

In any event, I believe it is a form of virtualization – albeit one that has been around for more than a decade.

Semantics aside, why do you care? As you consider your enterprise strategy for desktop virtualization and for securing these assets, understand that there are multiple types of desktop virtualization on the market today – including full OS virtualization, workspace virtualization, application virtualization and “presentation virtualization” (user interaction virtualization), among others. Each has its uses, pros and cons. In fact, these types of virtualization can be mixed and matched as needed to create a manageable and secure composite workspace appropriate to the user’s needs and the sensitivity of the data and application being hosted.

Category: Beyond Anti-Virus, Virtualization Security

3 responses so far

  • 1 Doug Dooley   January 11, 2010 at 12:37 pm

    Neil -

    Couldn’t agree more with the idea of coupling multiple forms of virtualization in order to solve all the various use cases. Case in point, VDI is really just the coupling of server virtualization (hypervisors on servers) with presentation virtualization (thin-client protocols) and for some customers the addition of workspace virtualization (persistent layer on a non-persistent VM pool) in order to handle all the user-installed applications, personalized settings, user data, and the ability to take the entire workspace offline to a laptop for greater mobility.

    For some use cases, all 3 forms are needed. For others, just 1 or 2 forms are sufficient. However, what this blog points out to me is that the desktop computing environment moving forward needs greater flexibility than what’s available in the non-virtualized, status-quo desktops most companies use today.

    I’m on-board with your ideas regarding “secure composite workspaces” – it’s definitely needed.

  • 2 uberVU - social comments   January 12, 2010 at 12:49 am

    Social comments and analytics for this post…

    This post was mentioned on Twitter by Partnerpedia: #Virtualization #security using desktop virtualization http://ow.ly/Vi4B

  • 3 Tweets that mention Virtualization Security Using Desktop Virtualization -- Topsy.com   January 13, 2010 at 11:45 pm

    [...] This post was mentioned on Twitter by George V. Hulme, Ruben Spruijt, Gerben Kloosterman, Partnerpedia, RES Software and others. RES Software said: Gartner analyst Neil MacDonald on "Virtualization Security Using Desktop Virtualization": http://bit.ly/6B0g8O ^RG [...]