As Joe Q. Citizen, Sean McPhilamy will tell you that he totes his Apple MacBook everywhere, touting its benefits to friends and colleagues alike, in person and on numerous online message boards. But as Joe Q. Public, Master Chief Petty Officer Sean McPhilamy, command chief to the Coast Guard sector command in Boston, must work in an environment dominated by Intel-based PCs running Microsoft Windows. That doesn’t mean, however, that he goes without his Mac.
McPhilamy uses desktop virtualization in the form of the Microsoft Parallels virtual desktop application. McPhilamy is not alone in warming to the virtualized desktop, and Parallels is just one approach. Essentially, there are two main techniques for creating virtual desktops:
“The Coast Guard encourages traveling and home-based computing options and has policies to keep us safe — as long as the out-of-network traffic is run through Windows XP,” McPhilamy says. “The Parallels virtual desktop solution allows me to connect to the network through Windows without having to give up my Mac.”
With Parallels, McPhilamy can run the Coast Guard’s preferred Windows XP Professional operating system and other Windows applications on his MacBook while adhering to the Coast Guard’s remote-access policies. Parallels lets him toggle to Windows to connect to the Guard’s enterprise network through a secure virtual private network and gain complete access to his work files and message-trafficking systems. It partitions the PC’s hard drive so that a system can run multiple OSes and the user can then run virtual desktops simultaneously, switching back and forth as needed.
As agency IT teams increasingly must balance efforts to improve efficiency of their systems infrastructures and provide secure network services to a more mobile and distributed workforce, the potential of these virtualized desktops holds appeal, says Shawn P. McCarthy, an analyst with IDC Government Insights.
Agencies need to reduce the management headaches associated with a mobile workforce while remaining in compliance with patch management, configuration management and authentication policies, McCarthy says. He also cites continuity of operations and the need to ensure the availability of mobile devices as desktop virtualization drivers.
But, says McCarthy, outside of the Defense Department, most agencies have only just begun to consider a move toward desktop virtualization as a way to boost the flexibility, manageability and efficiency their workers need to do their jobs.
One early enterprise adopter is the Marine Corps. Dubbed the “first to fight” service, the Corps’ relatively small and dynamic force typically operates as part of forward deployments on front lines around the world. This presents a difficult challenge for the Marines’ Common Computing Resources Program team when providing support for forces in the field — one that it intends to overcome through a phased rollout of integrated virtualization tools covering infrastructure, application delivery and client-side capabilities.
Always-on-the-go Marine forces often do not have access to reliable network transmission paths for running mission-critical applications, says Maj. Carl “Chip” Brodhun, project officer for enterprise virtualization with the Marine Corps Systems Command (MCSC) in Quantico, Va. As the military’s first responders, the Marines also don’t always have the luxury of time and resources when setting up infrastructures for forward bases, putting them at a distinct disadvantage. This reality requires rapidly deployable, highly available and inherently secure information exchange capabilities, Brodhun says.
In addition, Corps forces often participate as part of multiservice, multiagency and multinational force teams, requiring troops to make do with the hardware available and the mobile gear they are able to take with them. The result? The potential for complex, onsite troubleshooting of systems to gain access back to the Marine Corps enterprise network — IT complexity that the typical Marine doesn’t have time to work through, Brodhun says. MCSC will leverage virtualization technology to improve joint interoperability and to enhance warfighter efficiency, he says.
“Marines, like any other mobile workers in the civilian world, do their job much more effectively when they are exposed to less stress,” he says. “MCSC fields capabilities that give Marines the technological edge necessary for winning battles while reducing the level of effort required to manage and maintain fielded systems.”
Brodhun says the client-side approach centers on network-delivered, network-managed and partially connected devices. This will let Marines access the Corps enterprise network from any end-user system by booting a virtual machine session. Virtual desktop solutions are part of the virtualization strategy the Corps intends to deploy over the next several years to give troops a secure desktop in the field without tying them to hardware. The desktop virtualization rollout is part of a three-pronged virtualization strategy leveraging a 2006 deal to use VMware technology.
Client-side virtualization supports the creation and loading of a software stack — including the OS, applications and encryption credentials — on portable media that Marines can carry while forward-deployed or in the field. The media can range from a removable hard drive the size of a small notebook to a memory stick the size of a pack of gum. The soldier can then plug the device into any system and boot it up, gaining access to a secure virtual desktop prepopulated with apps pertinent to the mission. Possible applications range from Microsoft Office files and Internet Explorer to geo-referencing and geospatial software, Brodhun says.
Virtualized desktop sessions can be managed across the network anywhere in the world from an enterprise data center, pushing out patches, updating software and setting policies centrally. Each desktop is fully encrypted to Federal Information Processing Standard 140-2 and leaves no trace footprint on the host machine after a session ends.
“Virtual desktops are inherently more secure than static notebooks,” says Ed Albanese, senior product manager for VMware desktop products. “If you lose a notebook, someone can eventually get through security and access the data on the system. Virtualization allows you to host applications and data in a secure data center thousands of miles away, and you can secure the connection through encryption and deactivation. If you are compromised, an administrator can send a kill command and turn the software into an encrypted glob of goo.”
Other security measures include copy protection — by which the portable media cannot be replicated — and a network quarantine feature that locks down virtual machines, preventing them from connecting to the enterprise network.
As with any new technology, some early issues must be resolved and they are chiefly cultural, says IDC’s McCarthy. From a cost perspective, he says, agencies must make sure to consider manageability and security against likely return on investment.
“IT managers should do a detailed analysis before deciding to take a desktop virtualization approach,” he says, because they will need to weigh infrastructure investment costs relative to costs of maintaining their current systems. McCarthy also stresses the importance of getting buy-in from end users — the people who would be giving up control over their systems in favor of a centrally managed virtual solution. “You need to make sure what you are giving them is very solid and reliable.”