Eric Ogren

Security Impact

Virtualization in the chip changes the security game

I have been diving into desktop virtualization lately. I still have some customer interviews to go, but already I have heard surprising results and possibilities. Early customer feedback is a preference for enhanced virtualization support in the hardware - removing software layers of VMs, hypervisors, OSs, etc., to achieve performance, management and ease-of-deployment benefits. There are also security benefits. Traditional vendors believe they can run in a VM where hardware virtualization keeps security isolated from the rest of the user environment. Security technologies such as AV and IPS can do their thing without fear of being disabled or subverted by attackers. That would solve a problem for the security vendors and end-users.

In an interconnected world, customers, partners, and employees just use a browser interface for conducting business. The business cares about the confidentiality and integrity of the transactions, which today takes the form of enforcing security configuration policies. If my browser-based business application is running in a VM, why would IT care about all of that traditional security stuff? If the application becomes infected, then the end-point VM just disappears, taking the attack with it and not impacting the user's machine. If some other active user application becomes infected, hardware virtualization isolates the attack from the business interface that IT is concerned about. There is more potential here that the big vendors have yet to address.

Some organizations are going to great pains to use NAC/NAP to evaluate various end-point security profiles. IT can use NAC/NAP and SSL pre-connect actions to confirm the presence of a supported VM to ensure an isolated business environment. With endpoint virtualization, perhaps traditional security just doesn't matter.

What People Are Saying

yes, blackhats can work a VM

Yes, blackhats can work a VM onto a machine, but it will be isolated from other business VMs and won't have the effect that attacks have today.

Consumers will have to keep their computers clean, but it may be a lot easier for businesses if they don't care what's on the user's computer.

But on the flip-side of this

But on the flip-side of this statement is that blackhats can just as easily install a VM to do what they want it to do.