Hypervisors: Not Just for Servers Anymore
Traditionally found only in the data center, hypervisors are branching out into new territory: laptops. There, hypervisors' advantages are coming into sharper focus.
John Cook's workforce is going mobile. His users are traveling more than ever, forcing Cook to think about how to manage and provide critical security for a plethora of Windows XP laptops.
Cook is a systems administrator for Partnership for Strong Families, a non-profit organization providing children's services in North Florida. The partnership is involved with adoption, foster care, parenting classes and more. Given the sensitive nature of its work and its contract with the state, the organization must comply with the Health Insurance Portability and Accountability Act (HIPAA).
The old way of provisioning, maintaining and managing laptops wasn't working for Cook anymore, forcing him to look for new solutions. He found one in a bare-metal client hypervisor called NxTop, from start-up Virtual Computer Inc.
"We're looking at changing the paradigm on which we work," says Cook. "We're not going to house people in individual offices anymore; we're going to put them on the road so they can better serve the kids and get their jobs done."
Cook adds that with those requirements, deciding on Virtual Computer didn't take long. "The implementation of NxTop just seemed to cover a lot of the bases for us," he explains. "We can put out a standardized image for [users], replace stuff-if they screw up the image or get a virus or something like that, we can update and reload their machines in pretty short order, without having to drive a hundred miles to go fix them."
The explosion of the laptop market is one of the driving factors behind bare-metal client hypervisors like NxTop, as companies try to find a way to move the hypervisor's well-known advantages out to user devices. And before much longer, bare-metal client hypervisors will not only run on laptops, but on cell phones and smartphones as well.
Until recently, the only type of client hypervisor available was a Type-2, or hosted, hypervisor. Type-2 hypervisors, like Parallels for Mac, VMware Fusion and Microsoft Virtual PC, are dependent on the host operating system to function; as such, their performance and functionality is limited.
No such limitations occur with bare-metal, or Type-1, hypervisors, which sit on the hardware-the "bare-metal"-at a level below the OS. Their many advantages are why most of the major virtualization platform vendors are working feverishly to get them out the door.
The list of companies developing a bare-metal client hypervisor is growing (see "Client Hypervisor Breakdown" for more information). It includes:
- Citrix Systems Inc. XenClient-formerly code-named "Project Independence"-is expected to be available by the end of the year, said Citrix Vice President of Advanced Products Ian Pratt at the Citrix Synergy conference in May.
- VMware Inc. Its bare-metal client hypervisor will be available sometime in 2009 as well, confirms Raj Mallempati, group product manager for VMware's Desktop Business Unit. However, Mallempati would not specify a more specific time frame.
- Neocleus Inc. An Israeli-based start-up, Neocleus is in the beta-testing phase for its client hypervisor and management framework, called NeoSphere. NeoSphere was demonstrated at Citrix Synergy, and the company said in a press release that it would be available sometime that month. At press time, however, NeoSphere had not yet been released.
- Red Hat Inc. CTO Brian Stevens says his company is working on a bare-metal hypervisor, but few details have been released at this point. Red Hat has announced a desktop virtualization manager, indicating that the client hypervisor may not be far behind.
In contrast, Microsoft has announced no plans for a Type-1 client hypervisor.
Interestingly, the first company to market with a bare-metal client hypervisor isn't known as a virtualization player. Phoenix Technologies Ltd., which made its bones as a Basic Input/Output System (BIOS) developer, branched out from that narrow niche into virtualization when it released HyperSpace last January.
Phoenix positions HyperSpace as a consumer-rather than a business-technology. The company chiefly sees HyperSpace as providing an "instant-on" environment in which users can, for example, navigate a Web browser or check e-mail before Windows boots. Instead of having to wait minutes for the OS to load, users can be working in seconds. Another major benefit the company claims is better power management, leading to longer battery life.
According to Phoenix CTO Dr. Gaurav Banga, the company saw the benefits of client-side virtualization some time ago. "We started off saying: 'We need a portion of the computer that's well-behaved and predictable-an iPhone-like experience that doesn't cause trouble.'"
Those requirements led Phoenix to develop an "instant-on, hardened environment," Banga says. "Virtualization was a natural for that."
Banga does not give specific numbers on HyperSpace users, but acknowledges that uptake has been slow. He expects steady growth, however, as the general user community starts to see the benefits of instant-on and security.
As a consumer technology, HyperSpace also has to be fast. Banga says it is. "We worked on minimizing it down to a point where it's hard for users to know they're using a hypervisor," he explains. "It's pretty much the same [performance] as a native machine."
Phoenix has taken note of the buzz growing around business uses for bare-metal client hypervisors and sees "enormous" potential down the line, Banga says.
The focus will remain on consumers for now, but Banga says Phoenix is conducting research on management of client devices, which would place it squarely in the business space.
For the big players, the management piece is just as important-or even more so-than the hypervisor itself, and figures to be the primary initial battleground. That's because at this stage, virtual desktop infrastructure (VDI) appears to be the main use-case for the bare-metal client. "The client hypervisor platform is a very critical component for the overall desktop virtualization solution," says VMware's Mallempati.
At Virtual Computer, management is the No. 1 priority, says Doug Lane, senior director of product management and marketing. "A large portion of the customer population has a lot of challenges around the management aspect of PCs, both in terms of keeping them up to date and in synch, and in making sure that data is backed up," he explains. "So if there's ever any issue with the PC from a functionality standpoint, they can quickly restore the user-[and] not just to a base copy of Windows, but with all the user-specific settings and data and so forth."
Cook, of Partnership for Strong Families, describes how he manages his VDI environment with NxTop's management framework, NxTop Center (see Figure 1). "With NxTop Center, you can publish images to groups or down to individuals if you want, and customize and push them out as soon as the users connect to the network," he says. "[Then you can] make fixes and run the updates. You can run all your Windows updates on your NxTop image and then, when they connect, it does all that stuff in the background for you."
Cook, in fact, likes updating through NxTop more than using Microsoft, he says. "We manage updates through Windows Update Server, but that's a little hit and miss sometimes," he adds.
The second priority for Virtual Computer, and the other emerging focus for Type-1 client hypervisors, is security. "As companies become more and more mobile, it becomes increasingly common for sensitive data to go walking out the door on somebody's laptop," says Virtual Computer's Lane. "If you have thousands of users, the chances of that data being lost at some point are pretty high, and it tends to be a pretty big deal from a PR and security standpoint."
[Click on image for larger view.]
|Figure 1.An architectural overview of NxTop, a bare-metal client hypervisor. |
NxTop and the other bare-metal client hypervisors offer full disk encryption to deal with that problem. Data protection is a chief concern of Partnership for Strong Families, and encrypting all of a disk's contents meets a core HIPAA requirement. "So if a machine got stolen, none of the information could be accessed," Cook explains. "That's a biggie with us; we really have to protect the records like they're our own."
Peter Bloom, director of product marketing for XenClient, says Citrix also places high value on the security aspect. "You can have a much more locked-down business environment and [a separate] personal environment with [a users'] own applications and data. The hypervisor allows us to enable those two environments," he says.
Disk encryption programs are currently available from third parties, as well as in the Windows Vista Ultimate and Enterprise Editions, but Bloom believes XenClient will help speed the adoption of encryption. "I believe the majority of systems today aren't using encryption. It becomes easy to do it with a bare-metal hypervisor," he explains. "And, if you're not encrypting things, you're open to a wide variety of attacks."
Client hypervisors can solve another insecure aspect of Windows, too: the ability to steal passwords. With a Type-1 hypervisor, users log into the hypervisor rather than the OS, which eliminates that attack vector. "From a security standpoint, it's a big one, because any Windows machine can be compromised by popping a Linux disk in there and changing the password or bypassing it altogether. This prevents that from happening," Cook says.
The Killer App
Beyond security and management, the ability to run multiple OSes or two different versions of the same OS should appeal to businesses. "I think the real killer app for client hypervisors is just having multiple environments, whether it's a personal environment on an employee-owned PC or even a corporate-owned PC that has its own security profile," Lane says. "[There will be an] ability for the end user to perform certain functions that are treated and secured differently from a separate [business] environment. It may be a different OS, or the same OS that's been locked down to corporate standards."
Citrix's Bloom agrees. "If your business environment is locked down, and the user's personal environment gets hit with spyware or malware, it won't affect the business environment. You can still get your work done," he notes.
Not everyone believes that running multiple OSes will be the bare-metal client hypervisor's big draw. Prominent virtualization blogger Brian Madden writes: "To me, the big advantage of the client hypervisor is that it will hide the real client hardware from the guest OS, thus allowing a single Windows disk image to run on different devices from different manufacturers."
One User, Many Endpoints
VMware sees a similar future. "It's part of our vClient initiative," Mallempati says. "The personal desktop experience needs to follow the end user across different devices and different networks. We don't believe that devices need to be locked down to one single OS. The best world, from an end-user point of view, is the ability to use multiple OSes or multiple devices and get a [similar] experience pretty much using any device at any given point in time," he adds.
One thing everyone can agree on is that bare-metal client hypervisors aren't going away. "I'm absolutely convinced within the next four to five years, a significant number of laptops that focus on the business side of things will come with a hypervisor," predicts Mallempati. "It's a win for the end customer, it's a win for the PC/OEM vendor and, obviously, [it's a win] for the application vendor itself."
For Citrix, XenClient is generating excitement even in pre-shipping mode, Bloom says. "Everyone's eager [to get XenClient]-customers, our field partners-we're getting inundated with requests. We're blown away by the interest in the technology," he says.
At Partnership for Strong Families, using NxTop leads Cook to believe that client hypervisors will be ubiquitous within five years. "It makes your images hardware-agnostic, so it really doesn't matter what kind of machines you buy to replace [older hardware]. You don't have to keep all Dells, all HPs, all Lenovos or whatever. If it'll run the hypervisor, then you can put your image on it like it was just any one of your other machines," he explains.
That means real financial savings-a concern in any environment, but especially in today's economy. "Everybody's in the [financial] crunch now," Cook says. "We're a state contractor, and we're into the crunch, too. Everybody's talking about how to slim down the operations and cut back on staff."
Using bare-metal client hypervisors may even alleviate that issue, Cook asserts. "The truth of the matter is, everything's getting more complex. You still need the staff. You just have to manage them better and utilize their time better," he explains. "[With client hypervisors] you're not wasting time re-imaging machines and tweaking machines for different people and such, so you've got more time to manage the other stuff that's important."