Desktop VM managers make a virtual two-horse race

Reviews
Apr 19, 2007

Kidaro Managed Workspace and Sentillion vThere jockey for position in a maturing virtualization market

The virtualized desktop is finally coming of age. Once the purview of the technorati, desktop virtualization is rapidly evolving into a viable solution for delivering mainstream applications and services – thanks in large part to the efforts of innovative third-party developers such as Kidaro and Sentillion. By pushing the boundaries of what defines a virtualized environment, these vendors are obliterating the technical and logistical barriers that have long stymied enterprise IT efforts to leverage desktop virtualization, both to reduce TCO and to minimize the overall corporate security surface area.

But first, a point of clarification: desktop virtualization, as described in this article, refers to the deployment of corporate applications and data within discrete VM images that then run independently on a host-client system. This is different from the virtualized desktop model promoted by VMware and its partners, which typically involves running multiple VM images on a centralized, hypervisor-brokered server, although VMware also offers ACE (Assured Computing Environment), a decentralized solution (see VMware ACE lags the pace).

Kidaro and Sentillion, as well as VMware ACE, provide centralized authentication and validation of VMs, including the ability to isolate and revoke rogue images. They bolster security through encryption of the local VM disk image or file structure, and through encryption of the VM network connection, which is typically handled within the VM by a VPN client. They also offer the ability to restrict the VM’s access to local resources such as USB, disk, and clipboard. And they integrate with Active Directory to simplify authentication and identity management.

Beyond these essentials, Kidaro and Sentillion both provide a variety of additional unique and highly innovative features that differentiate their products from the more basic VMware offering, and also from each other. The solution you choose will come down to your evaluation priorities, with Kidaro’s host integration prowess squaring off against Sentillion’s deployment convenience to woo prospective customers.

Kidaro Managed Workspace 1.0

Kidaro Managed Workspace is one of a new class of management tools targeted at the emerging virtualized desktop market. Leveraging existing VM engines (VMware and Microsoft Virtual PC), Kidaro Managed Workspace extends and enhances the virtualized runtime environment to make it more secure and easier to manage. It accomplishes this by wrapping the VM engine with additional client logic that controls its interaction with local (host USB, file, and print) and network (LAN, WAN, and VPN) resources as well as providing detailed auditing and authentication/validation functions.

Several features help to differentiate Kidaro from the competition. For starters, there’s the Published Applications mechanism: Programs hosted within the Kidaro-managed VM are integrated seamlessly with the host desktop, running in their own windows and even appearing on the local task bar and Start menu. It’s a trick reminiscent of the Coherence technology in Parallels Desktop for the Macintosh and serves to blur the line between virtualized and nonvirtualized operation.

Another compelling feature is Kidaro’s Trim Transfer Technology. Essentially an intelligent streaming mechanism, Trim Transfer addresses one of the most challenging aspects of virtual desktop deployment: transferring massive VM images to multiple end points. By leveraging existing code resources on the host client (DLLs, EXE images), Trim Transfer dynamically adjusts the VM image, stripping out redundant components and using the host’s resources to fill in the gaps. The final VM image is verified against a unique cryptographic signature.

Depending on the degree of similarity between VM and host (whether they’re the same Windows version or revision, for example) Trim Transfer can drastically reduce the network load during VM deployment. It also makes slipstreaming upgrades or patches easier since the administrator needs to modify just the source image. Trim Transfer then seamlessly filters the changes down to the affected clients using the same dynamic assembly process. Right now it’s a Kidaro exclusive and, thus, a huge differentiator in what will likely become a crowded management market.
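The Trim Transfer mechanism described above can be modelled as content-addressed deduplication with end-to-end integrity checking: the server publishes a signed manifest of component hashes, the client sends only the components whose hashes are not already present on the host, and the reassembled image is verified component by component before it is trusted. The following Python script is an added illustration of that general pattern and is not Kidaro's code; the component byte strings, the host inventory, the demo key and the choice of HMAC-SHA256 as the stand-in for the image signature are all constructed assumptions. The last function shows the failure mode the signature check exists for: a host-supplied component that no longer matches its published hash causes the whole assembly to be rejected rather than silently accepted.

```python
import hashlib
import hmac

# Constructed sample "components" standing in for DLLs/EXEs inside a VM image
# (toy byte strings, not real Windows binaries).
IMAGE_COMPONENTS = {
    "kernel32.dll": b"host-os-kernel32-bytes",
    "user32.dll": b"host-os-user32-bytes",
    "corpapp.exe": b"corporate-line-of-business-app",
    "corpdata.bin": b"encrypted-corporate-data",
}

# Constructed host inventory: the two OS libraries already exist, byte-for-byte.
HOST_FILES = {
    "kernel32.dll": b"host-os-kernel32-bytes",
    "user32.dll": b"host-os-user32-bytes",
}

# Constructed host whose copy of kernel32.dll has been altered after the
# transfer was planned (the case the integrity check must catch).
TAMPERED_HOST = dict(HOST_FILES, **{"kernel32.dll": b"host-os-kernel32-bytes-patched"})

# Assumption: the publisher's "cryptographic signature" is modelled as an
# HMAC-SHA256 over the manifest under a key only the management server holds.
SERVER_KEY = b"constructed-demo-key"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(components):
    """Ordered list of (name, sha256) entries describing the complete image."""
    return [(name, sha256(data)) for name, data in sorted(components.items())]


def sign_manifest(manifest, key=SERVER_KEY):
    canon = "\n".join(f"{n}:{h}" for n, h in manifest).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def plan_transfer(manifest, host_files):
    """Names that must actually cross the network: every component whose hash
    does not match a file already present on the host."""
    host_hashes = {name: sha256(data) for name, data in host_files.items()}
    return [n for n, h in manifest if host_hashes.get(n) != h]


def assemble(manifest, signature, transferred, host_files, key=SERVER_KEY):
    """Rebuild the image from transferred parts plus host-supplied parts,
    verifying the manifest signature and every component hash."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        raise ValueError("manifest signature mismatch")
    image = {}
    for name, expected in manifest:
        data = transferred.get(name, host_files.get(name))
        if data is None:
            raise ValueError(f"missing component: {name}")
        if sha256(data) != expected:
            raise ValueError(f"component hash mismatch: {name}")
        image[name] = data
    return image


def deploy(components, host_files, key=SERVER_KEY):
    """Full round trip: sign, plan, transfer only what is missing, reassemble."""
    manifest = build_manifest(components)
    signature = sign_manifest(manifest, key)
    to_send = plan_transfer(manifest, host_files)
    transferred = {n: components[n] for n in to_send}
    image = assemble(manifest, signature, transferred, host_files, key)
    return to_send, image


def host_substitution_detected(components, honest_host, tampered_host, key=SERVER_KEY):
    """Edge case: the transfer was planned against an honest inventory, but at
    assembly time a host component differs. Returns True if assembly refuses."""
    manifest = build_manifest(components)
    signature = sign_manifest(manifest, key)
    transferred = {n: components[n] for n in plan_transfer(manifest, honest_host)}
    try:
        assemble(manifest, signature, transferred, tampered_host, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sent, image = deploy(IMAGE_COMPONENTS, HOST_FILES)
    print("transferred over the network:", sent)
    print("image complete:", image == IMAGE_COMPONENTS)
    print("tampered host rejected:", host_substitution_detected(IMAGE_COMPONENTS, HOST_FILES, TAMPERED_HOST))
```

Only the two corporate components are sent; the OS libraries are filled in from the host. Note the ordering of checks in assemble: the manifest signature is verified before any component is accepted, so a host cannot substitute both a component and a matching hash.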

I tested Kidaro Managed Workspace on a Kidaro-provided ThinkPad laptop running Windows XP Professional. The Kidaro Management Server, which was installed within a Virtual PC VM, uses Windows’ IIS (Internet Information Services) to communicate with the Kidaro client agent and supports most standard firewall and proxy server scenarios. I found the Kidaro Management Console easy to navigate, with most functions clearly labeled. Tight integration with Microsoft Active Directory made it simple to correlate Kidaro VM images with specific organizational units and to apply policies using the existing Active Directory model.

A major concern with this sort of deployment model is the security of the offline image. Kidaro addresses this by encrypting both the local VM image and any files that are extracted from the image to the local host environment (assuming this functionality is enabled in the VM’s policy). AES (Advanced Encryption Standard) encryption keys are generated transparently by the Kidaro server and stored locally at the client. For network security, the Kidaro client runs its own private firewall within a dedicated virtual appliance, further isolating the Managed Workspace from the network.

Other interesting features include a USB key deployment option, in which you copy the VM to a USB key for plug-and-play distribution; a “revertible” mode, in which the VM rolls back changes at log-off with selective overrides for user folders and registry customizations; and various timeout/lease revocation options to deny access to the Managed Workspace after a configurable period of time.

Overall, Kidaro Managed Workspace is a compelling solution, one that leverages unique innovations including Trim Transfer and seamless application integration to effectively mitigate many of the major factors inhibiting widespread VM adoption.

Sentillion vThere 2.0

Like Kidaro’s namesake product, Sentillion’s vThere is a management solution for virtual machine clients. Its purpose is to make configuring and deploying virtual desktop images easier by wrapping the VM with an additional layer of management. It differs from Kidaro in its inclusion of a hosted component, vThere.net, and its use of a customized version of Parallels Workstation for Windows as the runtime engine. In contrast, Kidaro works with VMware and Microsoft Virtual PC images.

The hosting angle is a major differentiator for vThere. Customers can upload their customized VM to the vThere.net site and use it as a secure reference point for user/VM authentication and VM validation, distribution, and security. Outsourced hosting of applications is nothing new (think Salesforce.com); however, this is the first time I can recall a vendor offering such a service for virtualized desktops – the various server-based Citrix/Terminal Services hosting providers notwithstanding.

As a distribution mechanism, the advantages to the vThere.net approach are obvious. For starters, it takes much of the complexity out of protecting and securing virtualized images. They simply won’t run without authenticating against vThere.net and can be remotely disabled with a few mouse clicks. Virtual machines can also be configured to time out when working offline, effectively preventing the kind of “VM theft” scenario that gives IT personnel heartburn.

In addition to hosted distribution, vThere virtual machines can be delivered as encrypted ISO images or burned to a CD or DVD for manual propagation, all while still leveraging vThere.net for authentication. But although this pervasive validation mechanism makes vThere attractive from an IT security context, it also creates a single point of failure outside of an IT organization’s control, a situation that some firms may find disconcerting. As with any hosted solution, IT shops would do well to carefully review the vThere.net SLA to make sure it meets their standards.
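Both products gate VM start-up on a server-issued lease: Kidaro's timeout/lease revocation options and vThere's online authentication, remote disable and offline timeout all come down to the same client-side decision. The script below is an added sketch of that decision, not code from either vendor. It assumes a service-held key (a constructed demo value), a three-day offline grace period, and an HMAC-SHA256 lease so the example needs no third-party library; a production client would instead verify a public-key signature so that no signing key has to live on the endpoint. It also covers the edge case an offline timeout invites, a client clock rolled back before the lease was issued.

```python
import hashlib
import hmac
import json

# Assumption: held by the validation service (vThere.net or an in-house
# Kidaro server); constructed demo value.
SERVICE_KEY = b"constructed-demo-lease-key"

# Assumption: how long a VM may keep running without re-validating online.
OFFLINE_GRACE_SECONDS = 3 * 24 * 3600


def _mac(body, key):
    """Canonical JSON keeps the MAC stable regardless of dict ordering."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def issue_lease(vm_id, user, issued_at, key=SERVICE_KEY):
    """Service side: bind a VM to a user for a bounded offline window."""
    body = {
        "vm": vm_id,
        "user": user,
        "issued": issued_at,
        "expires": issued_at + OFFLINE_GRACE_SECONDS,
    }
    return {"body": body, "mac": _mac(body, key)}


def check_lease(lease, vm_id, user, now, revoked_vms, key=SERVICE_KEY):
    """Client side: may the VM start? Returns (allowed, reason).

    revoked_vms is the last revocation list the client fetched while online;
    a remotely disabled VM stays disabled even if its lease has not expired.
    """
    body = lease["body"]
    if not hmac.compare_digest(_mac(body, key), lease["mac"]):
        return False, "lease signature invalid"
    if body["vm"] != vm_id or body["user"] != user:
        return False, "lease issued for a different VM or user"
    if vm_id in revoked_vms:
        return False, "VM revoked by administrator"
    if now < body["issued"]:
        return False, "clock earlier than lease issue time (rollback?)"
    if now > body["expires"]:
        return False, "offline grace period expired; re-validate online"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_000_000  # constructed epoch-style timestamp
    lease = issue_lease("vm-42", "alice", t0)
    print(check_lease(lease, "vm-42", "alice", t0 + 3600, set()))
    print(check_lease(lease, "vm-42", "alice", t0 + OFFLINE_GRACE_SECONDS + 1, set()))
    print(check_lease(lease, "vm-42", "alice", t0 + 3600, {"vm-42"}))
```

The checks are ordered so that an unauthenticated lease is rejected before any of its fields are consulted, and revocation is tested before expiry so that a revoked VM cannot be revived simply by an administrator's timestamp error.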


I tested vThere 2.0 under Microsoft Windows Vista Ultimate. Installation of the vThere Image Creator utility was straightforward and included a customized version of the Parallels Workstation for Windows environment, which installed seamlessly with the rest of the vThere suite. Creating a new image took just minutes and I was able to save it to an encrypted ISO image suitable for burning to CD or DVD (you can also upload the image to vThere.net for Web-based distribution via the company’s Amazon.com-backed storage network). Overall, the product’s interface was easy to navigate, although I was annoyed by the need to log in to vThere.net before working with the Image Creator tool.

One area where vThere shines is in its support for VPNs. The vThere GINA (Graphical Identification and Authentication) client, which installs as a log-on service within the virtualized Windows image, greatly simplifies end-user authentication by managing disparate VPN and Windows Active Directory credentials. For example, GINA is smart enough to detect when the user is operating on the corporate LAN and prompts for only the local network credentials.

Other interesting features include a role-based policy mechanism, which makes it easier to create standardized VM images, and support for third-party credential processing via RSA SecurID. On the whole, vThere is a well-rounded solution that addresses most of the major issues associated with VM-based application deployment. The vThere.net hosting component, in particular, is a compelling feature if for no other reason than it eliminates the need for any back-end server infrastructure. The challenge for Sentillion will be in convincing customers that the solution is truly secure – I’m convinced that it is – and that vThere.net is reliable enough to deliver the kind of around-the-clock uptime that demanding enterprises require.

Be there or vThere?

Both Kidaro Managed Workspace and Sentillion vThere offer excellent, base-level management functionality that matches or beats VMware’s ACE offering. Considering Kidaro’s seamless host integration and Trim Transfer technology and Sentillion’s strong VPN support and robust hosting benefits, these solutions more than justify the modest price premium over the generic VMware solution. A preference for Kidaro or Sentillion will depend on how your organization’s specific needs match up to their respective value-added propositions.

If you’re mostly concerned with usability and you need to keep the solution entirely in-house, then Kidaro Managed Workspace is a great choice. On the other hand, if you’re managing a far-flung enterprise and don’t object to a hosted model, Sentillion’s vThere can take much of the stress out of managing a large virtualized user base, and it’s a bit less expensive. In the end, both products are winners, so you really can’t go wrong.

InfoWorld Scorecard

Product                        Setup     Interoperability   Value     Usability   Scalability   Overall Score
                               (20.0%)   (25.0%)            (10.0%)   (20.0%)     (25.0%)       (100%)
Kidaro Managed Workspace 1.0   9.0       8.0                8.0       9.0         8.0           8.4
Sentillion vThere 2.0          8.0       8.0                9.0       8.0         9.0           8.4