When Simon Crosby speaks, people pay attention -- not only because the former Citrix CTO knows a thing or two about virtualization, but because at any moment, he could say something that he probably shouldn't.
So, when Crosby stepped down from Citrix Systems, Inc. one year ago to co-found a new company called Bromium, Inc. with two other lauded technologists, Xen founder Ian Pratt and Gaurav Banga, the creator of Phoenix Hyperspace, the desktop virtualization industry took notice.
Many wondered if their vision could lead to the next big thing.
While that remains to be seen, plenty of people believe in Bromium's goal of delivering trustworthy desktop infrastructure for the cloud era. So far, the company has raised over $35 million in funding, has 40 employees worldwide and a beta micro-virtualization technology called Microvisor that's ripe for testing.
Crosby spoke with SearchVirtualDesktop.com about Bromium's innovation and provided his views on the state of the desktop industry, virtual desktop infrastructure (VDI) and security.
Q: Tell me what you've been up to for the past year.
Simon Crosby: Well, we have discovered that there is this impedance mismatch between our humanity and computer systems, and there are three ways that this is true.
One is that you and I are gullible, and at some point, we will click on a bad document or attachment because we naturally want to trust.
Another is that humans write the code, tens of millions of lines of code, so the bad guy will always get in. There will always be another bug.
The third is how humans respond to that. IT says, "Oh crap, what do we do now?" We put up walls to try to protect ourselves. The problem is that putting up a wall makes IT the barrier. …
But we will always have to go outside of that wall to stay competitive. Big-walled gardens are a barrier to a more productive enterprise. It isn't IT's fault; it is what they have to do. That is the mismatch.
Q: How do you intend to address this dilemma?
SC: What we learned from first-generation virtualization is that it creates a hard barrier. Now we will use that magic of hardware virtualization and apply it within the OS at the task level, so every time you open a document, click on a link or open an attachment, that task will invisibly be isolated within a micro-VM, through a Microvisor.
On [Intel-VT based] PCs with 4 GB of memory, we can easily create hundreds of [micro-VMs] within a second. We create excruciatingly granular isolation using hardware.
For example, you click on a Facebook URL and, instantly and invisibly, a micro-VM grabs that task and isolates it.
Q: The system constantly spins up these micro-VMs. That must cause some latency.
SC: No, none. We can micro-virtualize instances faster than the user can detect. That is the progress here; the whole thing would fail if that were not the case. That is why virtual desktops fail: because it interrupts the user experience.
Everything in this system is native. You put it on a PC that is no older than two years, with 2 GB of memory and you have a system that is naturally resilient to malware. …
This is, we believe, the right way to build isolation into future software systems. You really want hardware as your backdrop when you are changing domains. How the OS and the hardware interface [with our technology] is under 10,000 lines of code, designed to be opened and hardened.
With this approach you can move from a desktop with trusted and untrusted data to a system that is naturally resistant to attack. It naturally cleans itself, so the image always stays gold.
Q: I thought that Bromium was working on a cloud-related security technology, but you have described a local desktop virtualization technology.
SC: It has sort of served us that everyone thought we were doing cloud -- but we weren't. Today, everyone is off building private clouds because enterprise IT likes VMware and they think it is more secure than public cloud, but if you have 10,000 employees, you have that many unsecured access points to your private cloud. …
And if the client device has ever walked into Starbucks, can you ever trust it again? No, you should reimage that machine because after the user opens their device and uses the public Wi-Fi … you are done. This whole problem of consumerization is a problem of the public cloud walking in through the front door.
Q: But your technology would secure devices in a way that makes it safe to use cloud apps. In a roundabout way, the technology is related to cloud.
SC: Yes, in that way.
Q: Can it only be used on a laptop or a PC, or would you apply this technology to other devices -- iPads and netbooks?
SC: The technology relies on hardware virtualization, on x86-specific systems. The technique is applicable on any of those systems, so you could use it for an x86 server, but we aren't focused on that. … But you could use the technology to protect server hosted Remote Desktop Services (RDS) and Terminal Services.
Q: How is the Microvisor managed?
SC: Everything is native here, so you could use your existing System Center, write policies about things you trust, and you don't describe the things you don't trust because that is infinite. …
You end up creating a system that naturally deals with trust or non-trust without creating new management headaches for IT. It's the type of system that a user wants to use, and you don't need to bother with virtual desktops.
Q: Are you saying that this eliminates the need for virtual desktops?
SC: The ship called VDI has left the port. People are already using it, and there are some good use cases for compliance or security or for [remote employees], but there are many non-use cases. For instance, you don't know how else to manage physical desktops, so you go with virtual desktops. That's a bad approach because it's expensive and virtual desktops are still vulnerable to attacks.
You want something that is naturally resilient, that you already have all the management tools for so that you don't need all of these new management layers.
Q: When you left Citrix, it seemed that you didn't have as much faith in the XenDesktop VDI model as you had for client virtualization and XenClient. Is that where you stand now?
SC: Yes. With XenClient we built a very secure client hypervisor and then had the profound realization that we were still invading the user experience. And if I am an attacker, I will still be able to send an attack to the corporate VM.
We try to police things based on how we think things should be policed, but the bad guys are smarter than that. Still, we just keep building walls that are out of date.
Q: I would expect an endpoint security company like Symantec to step up to the plate with something similar to what Bromium will offer. Are you prepared to take on the big-name competitors?
SC: There is a huge collision on the horizon; the endpoint security guys are running out of juice … the whole model is falling apart and everyone knows that. They are under substantial pressure from a pricing standpoint, and then you have the virtual desktop guys saying they offer a better infrastructure [than the traditional desktop model].
We have come out of the desktop and hypervisor world and have built a more secure system. But I don't think of us as endpoint security software because we aren't about detection, alerts or remediation. We have a system that is naturally better. It isn't a product that meets the same market need of endpoint security, though. Endpoint security offers things that we don't -- alerts and crypto and other things that people still need.
[Microvisor] is the next generation. … It is transformational in terms of the design principles. It is a radically new architecture that takes a different approach, and it will take time to settle into people's head. That's why we are talking about it now, before we talk about a product.
We have a beta program now, and we want people to test it and tell us what they think. … We won't release a [generally available product] until it is awesome.
Bromium's Microvisor is deployed as a small MSI package that extends a single, natively installed Windows desktop. When a micro-VM executes, any changes it attempts to make to its view of the IT-provisioned "golden" Windows image are made copy on write (CoW). That means if an attacker were to change a Windows kernel memory page, it only modifies an instantly created local copy of that page, not the original.
Each micro-VM has a view of the file system that contains just the files it needs (least privilege), with CoW update semantics.
When a user closes a window, the Microvisor kills the task's memory image and uses policy to determine whether to persist any new files. The Microvisor ensures that untrusted files can only be accessed from a micro-VM.
The Microvisor also restricts micro-VM access to network services: Untrustworthy tasks cannot access trusted networks or "high value" Software as a Service/Remote Desktop Services applications, and access to "high value" sites over an untrustworthy network requires a secure end-to-end VPN.
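The four properties the sidebar describes (a golden image that is never modified in place, a least-privilege per-task view of the file system, policy-driven persistence of new files when the task closes, and network access keyed on the trust of the task, the destination and the network) can be seen together in a small model. The following is an added illustration written for this page, not Bromium's code or a description of how the Microvisor is implemented; the sample image, the trust labels on files, the persistence policy and the three-way network verdict are all constructed assumptions.

```python
from dataclasses import dataclass, field

TRUSTED, UNTRUSTED = "trusted", "untrusted"

# Constructed sample "golden" image: path -> (contents, trust label).
# Per-file labels are a modelling assumption made for this example.
GOLDEN_IMAGE = {
    "C:/Windows/System32/ntoskrnl.exe": ("kernel-bytes", TRUSTED),
    "C:/Users/alice/Documents/budget.xlsx": ("q3 numbers", TRUSTED),
    "C:/Users/alice/Downloads/invoice.pdf": ("pdf-from-email", UNTRUSTED),
}


class PolicyError(Exception):
    """A task stepped outside its file view or its network policy."""


@dataclass
class MicroVM:
    task: str
    trust: str
    visible: frozenset            # least-privilege view: only the files this task needs
    image: dict                   # golden + persisted files; never written to
    overlay: dict = field(default_factory=dict)   # CoW copies and new files

    def read(self, path):
        if path not in self.visible:
            raise PolicyError(f"{self.task}: {path} is outside its view")
        if path in self.overlay:                  # the task sees its own copy
            return self.overlay[path]
        return self.image[path][0]

    def write(self, path, data):
        if path in self.image and path not in self.visible:
            raise PolicyError(f"{self.task}: {path} is outside its view")
        self.overlay[path] = data                 # CoW: private copy, image untouched

    def connect(self, dest_trust, network_trust):
        """Return 'allow', 'deny' or 'vpn' (end-to-end VPN required)."""
        if self.trust == UNTRUSTED and dest_trust == TRUSTED:
            return "deny"                         # untrusted task, high-value service
        if dest_trust == TRUSTED and network_trust == UNTRUSTED:
            return "vpn"                          # high-value site over an untrusted network
        return "allow"


class Microvisor:
    def __init__(self, golden):
        self.golden = golden                      # read-only; stays gold
        self.persisted = {}                       # new files kept after close, by policy

    def spawn(self, task, paths):
        image = {**self.golden, **self.persisted}
        trust = UNTRUSTED if any(image[p][1] == UNTRUSTED for p in paths) else TRUSTED
        return MicroVM(task, trust, frozenset(paths), image)

    def close(self, vm, persist_policy):
        """Window closed: drop the task's state; keep new files only if policy allows."""
        kept = []
        for path, data in vm.overlay.items():
            if path in vm.image:
                continue                          # edits to existing files are discarded
            if persist_policy(vm, path):
                self.persisted[path] = (data, vm.trust)   # inherits the task's label
                kept.append(path)
        vm.overlay.clear()
        return sorted(kept)

    def host_open(self, path):
        """Native, non-isolated access: untrusted files are refused here."""
        data, trust = {**self.golden, **self.persisted}[path]
        if trust == UNTRUSTED:
            raise PolicyError(f"{path} is untrusted; open it in a micro-VM")
        return data


def demo():
    """Walk through the sidebar's scenarios and return the observable outcomes."""
    mv = Microvisor(GOLDEN_IMAGE)
    pdf = "C:/Users/alice/Downloads/invoice.pdf"
    kernel = "C:/Windows/System32/ntoskrnl.exe"
    budget = "C:/Users/alice/Documents/budget.xlsx"
    out = {}
    reader = mv.spawn("pdf-reader", [pdf, kernel])  # untrusted: opened on an untrusted file
    reader.write(kernel, "hooked-kernel")           # an exploit "patches" a kernel page
    out["task_sees_patch"] = reader.read(kernel)
    out["image_intact"] = GOLDEN_IMAGE[kernel][0]
    try:
        reader.read(budget)
        out["budget_readable"] = True
    except PolicyError:
        out["budget_readable"] = False
    out["untrusted_to_intranet"] = reader.connect(TRUSTED, TRUSTED)
    reader.write("C:/Users/alice/Downloads/dropper.exe", "MZ...")
    reader.write("C:/Users/alice/Downloads/notes.txt", "user's notes")
    out["persisted"] = mv.close(reader, lambda vm, p: not p.endswith(".exe"))
    out["persisted_label"] = mv.persisted["C:/Users/alice/Downloads/notes.txt"][1]
    try:
        mv.host_open(pdf)
        out["host_opens_untrusted"] = True
    except PolicyError:
        out["host_opens_untrusted"] = False
    sheet = mv.spawn("spreadsheet", [budget, kernel])  # trusted task on a golden file
    out["trusted_over_hotspot"] = sheet.connect(TRUSTED, UNTRUSTED)
    return out
```

Running `demo()` shows the kernel "patch" visible only inside the task that made it while the image entry is unchanged, the budget file unreadable from the reader's view, the untrusted task denied a trusted destination, only the non-executable new file surviving close (and carrying the untrusted label, so the host refuses to open it natively), and a trusted task on an untrusted network being told to use the VPN.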