Bromium announced the latest release of its micro-virtualization desktop security tool, vSentry 2.0, with improvements around mobile connections, document sharing and Intel support.
Bromium vSentry takes an unusual approach to desktop security: it uses micro-virtualization to isolate each user task (a browser tab, an opened document) in its own hardware-backed micro-VM so that malware running in the task cannot reach the host. The product treats everything the task touches as untrusted and exposes only a narrow, policy-controlled set of host functions to it. In this manner it can let malware execute fully without ever compromising the system -- and still give users full access to the sites and files they need.
Building on the 1.0 release, Bromium has reduced the size of its code base by building the entire tool around Xen. Before this, other components were needed to provide some of the functionality, but Xen has progressed to the point where it can be used for everything vSentry needs to do. With Xen, vSentry can take advantage of processors that support Intel VT-d, the IOMMU that lets a hypervisor restrict a device's DMA and assign device access to individual virtual machines (VMs).
Making secure mobile connections
This release focuses on two main themes: secure mobility and safe collaboration. Bromium's emphasis on secure mobility aims to protect endpoints on untrusted networks (which, one could argue, means every network outside the data center).
According to Bromium, it is increasingly possible for so-called captive portals, like those shown when a user connects to hotel or airport Wi-Fi, to deliver malware to a system before it has even reached the Internet. That matters for companies that route all Internet traffic through the corporate VPN: the portal page is rendered before the tunnel is up, so a machine can be compromised before any corporate control ever sees its traffic.
With vSentry, users can interact with these portals safely -- even when the portal serves malware -- because the malware never touches the host, only the micro-VM, which is discarded when the window or task is closed.
The safe-collaboration aspect of vSentry is an interesting one. We've all received a Word document with a warning that it contains code that could be unsafe. That message is designed to let the user make an informed decision about whether to open the document, but it rarely works that way. Instead, users are trained to click the Enable Content button without regard for what could be going on behind the scenes. Think of all the times you, the IT admin, click "OK" or "Next" without reading what's actually on the screen.
Bromium vSentry 2.0 addresses this problem by treating all Office and PDF content as untrusted while still letting users work with the application the way they want or need to. This works much like a browser session: the document's code is allowed to run, but only inside a throwaway micro-VM, so a malicious macro or PDF exploit never reaches the host.
Bromium vSentry and Haswell
The last improvement, and probably the most important in the grand scheme, is that Bromium vSentry has been written to take advantage of Intel's new Haswell architecture. Haswell adds VMCS shadowing, a hardware assist for nested virtualization: a hypervisor running inside a VM can read and write the VMCS of its own guests without trapping to the outer hypervisor on every access, which is what makes running vSentry inside a VM efficient.
The challenge up to this point has been that Bromium's micro-hypervisor (microvisor) requires direct control of VT, which it can easily get on physical machines but cannot get when another hypervisor already owns it. VMware ESX does have functionality that exposes VT to a VM so that vSentry can work, but every VMX operation the microvisor performs then has to be trapped and emulated by ESX, which is a severe performance hit. Haswell changes that and tips the scales back into vSentry's favor.
At launch, Haswell is available only in desktop and laptop processors, so vSentry will initially work inside VMs only when those VMs run on a Haswell client machine under a hosted hypervisor such as VMware Fusion. As client hypervisors add support, vSentry will work in their VMs too. That still leaves no VDI support, but that should change as the Haswell microarchitecture works its way into the next generation of server processors.
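Before planning a vSentry deployment on a given host or VM, the practical question is whether the CPU the operating system sees exposes VT-x at all and, if it does, whether it also carries the Haswell-class VMCS shadowing discussed above. The following is an added example (not Bromium's code and not from the original article) that answers that from the Linux /proc/cpuinfo text. It assumes the Linux layout: a "flags" line that lists "vmx" when VT-x is present and "hypervisor" when the kernel is running as a guest, plus, on kernels new enough to print it, a "vmx flags" line whose "shadow_vmcs" entry is the kernel's name for VMCS shadowing. The cpuinfo excerpts embedded below are constructed and abbreviated, not captures from real machines.

```python
"""Check from /proc/cpuinfo whether a Linux box exposes what a VT-based
microvisor needs: VT-x itself, and (on Haswell-class parts) VMCS shadowing
so that the microvisor can run efficiently inside another hypervisor's VM.

Added example, not Bromium's code. Assumes the Linux /proc/cpuinfo layout:
a "flags" line listing "vmx" (VT-x) and "hypervisor" (running as a guest),
plus, on kernels that print it, a "vmx flags" line listing VMX capabilities
such as "ept" and "shadow_vmcs".
"""
import sys

def parse_cpuinfo(text):
    """Return (flags, vmx_flags) for the first logical CPU in the text.
    vmx_flags is None when the kernel printed no 'vmx flags' line, which is
    the case on older kernels even when the CPU supports VMCS shadowing."""
    flags, vmx_flags = set(), None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip()
        if key == "flags" and not flags:
            flags = set(value.split())
        elif key == "vmx flags" and vmx_flags is None:
            vmx_flags = set(value.split())
    return flags, vmx_flags

def classify(flags, vmx_flags):
    """Map the feature sets onto the situations the article describes."""
    if "vmx" not in flags:
        if "hypervisor" in flags:
            # Guest whose hypervisor does not pass VT-x through: the
            # microvisor cannot get control of VT at all here.
            return "guest-without-nested-vt"
        return "no-vt-x"
    if vmx_flags is None:
        # VT-x present, but this kernel does not report VMX sub-features,
        # so VMCS shadowing cannot be confirmed from cpuinfo alone.
        return "vt-x-shadowing-unknown"
    if "shadow_vmcs" in vmx_flags:
        # Haswell-class: nested VMCS accesses are handled in hardware.
        return "vt-x-with-vmcs-shadowing"
    # Pre-Haswell: nesting works only by the outer hypervisor trapping and
    # emulating every VMCS access, the slow path the article mentions.
    return "vt-x-without-vmcs-shadowing"

def microvisor_readiness(cpuinfo_text):
    return classify(*parse_cpuinfo(cpuinfo_text))

# Constructed, abbreviated cpuinfo excerpts (not captures from real machines).
HASWELL_HOST = (
    "processor\t: 0\n"
    "model name\t: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce apic sep mtrr pge mca "
    "cmov pat clflush mmx fxsr sse sse2 ht syscall nx lm vmx ssse3 "
    "cx16 sse4_1 sse4_2 x2apic popcnt avx2 smep\n"
    "vmx flags\t: vnmi preemption_timer invvpid ept_x_only ept_ad "
    "flexpriority tsc_offset vtpr mtf vapic ept vpid unrestricted_guest "
    "ple shadow_vmcs\n"
)
PRE_HASWELL_HOST = HASWELL_HOST.replace("i7-4770", "i7-2600").replace(" shadow_vmcs", "")
OLD_KERNEL_HOST = HASWELL_HOST.split("vmx flags")[0]   # no 'vmx flags' line at all
GUEST_NO_NESTED = (
    "processor\t: 0\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce apic sep mtrr pge mca "
    "cmov pat clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc "
    "hypervisor ssse3 cx16 sse4_1 sse4_2 x2apic popcnt\n"
)
SAMPLES = {
    "haswell host": HASWELL_HOST,
    "pre-haswell host": PRE_HASWELL_HOST,
    "old kernel": OLD_KERNEL_HOST,
    "guest, no nested VT": GUEST_NO_NESTED,
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print("%-22s -> %s" % (name, microvisor_readiness(sample)))
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/cpuinfo"
    try:
        with open(path) as f:
            print("%-22s -> %s" % (path, microvisor_readiness(f.read())))
    except OSError as exc:
        print("could not read %s: %s" % (path, exc))
```

Two caveats when reading the result. Inside a VM, "vmx" in the guest's flags only means the outer hypervisor is exposing VT-x to the guest; whether that exposure is cheap (hardware VMCS shadowing) or the trap-and-emulate path depends on the physical host, so run the check on the host as well. And VT-d is not reported in /proc/cpuinfo at all; on Linux it shows up in the kernel log as DMAR messages when the IOMMU is enabled, so it needs a separate check.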
Bromium vSentry works on physical desktops and servers today, so you can already provide a protected virtual desktop by delivering it from a physical Remote Desktop Services server. The future looks bright, though, and once vSentry can be delivered to any desktop -- physical or virtual -- there is no reason to avoid it.