Virtualization Is Vital For Business PCs

With a long history of virtualization, innovation, and a clear vision for the future, the Intel vPro® platform offers businesses more secure and performant solutions for today's challenges.

Virtualization is no new kid on the block. And neither is Intel. We have a long history of enabling virtualized workloads in the data center, which form the foundation of the cloud.

Client virtualization also provides a couple of key advantages for business PCs and IT:

  • Compatibility to run different operating systems or modified versions of the same operating system
  • Isolation between workloads running on the same PC for better security and resilience

With the demands of modern apps and emerging workloads for business needs, client virtualization can help deliver these experiences with the required performance and security.

In the Business Client Group at Intel, we work closely with customers and partners to understand their needs and their emergent usage models for virtualization. Over the past several years, we have seen companies turn to client virtualization to allow for application compatibility, enhanced security, and productivity. Building on Intel's experience in the data center, the Intel vPro platform helps achieve better security through virtualization with business-class performance that enables various workloads running on the same machine.

As this blog post will explain, the Intel vPro platform has built-in features that enable client virtualization in several ways, including the performant execution of virtualized workloads and the protection of assets that reside in memory. It is an integrated platform that delivers the latest PC technology in one validated solution built for both IT and end-users. These features also provide additional hardware security, making Intel vPro platform–based PCs less vulnerable to attack than those protected by software-only security solutions.

Why Intel vPro technology for virtualization

Several virtualization capabilities available on the Intel vPro platform help ensure security from the silicon through the software stack (see Figure 1). These capabilities can be used effectively with the broad base of virtualization-capable systems in an enterprise setting.

In the example shown in Figure 1, the user has access to a Windows 10 virtual machine (VM), a Windows 7 VM for legacy applications, and a Linux subsystem VM for Ubuntu and Red Hat workloads. This flexible and extensible model supports a wide range of standard or custom applications for different types of enterprise users (such as knowledge workers, developers, and accountants). There might also be several instances of the same operating system, like Windows 10, to run different workloads for increased security through isolation.

Moreover, workload isolation, enabled by Intel® Hardware Shield on the Intel vPro platform, fundamentally reduces the attack surface and the ability for malware to persist and spread across resources. Memory has always been a weak link in the traditional compute stack, and it houses sensitive information. For example, login credentials stored in memory can be accessed on a less secure VM. When we depend on isolation for security, better protecting memory becomes even more critical. At Intel, we understand that critical assets reside in memory, and we have a robust roadmap to support workload isolation.

Figure 1: Virtualization helps enterprise workers achieve application compatibility and flexibility: virtualization-based security is continuously evolving to support various scenarios and help ensure a seamless integration.

Evolution of commercial use cases with virtualization

Today we use virtualization-based security with prominent operating system vendors like Microsoft as part of security-enabled PCs with Intel Hardware Shield. The security features of Intel Hardware Shield allow enterprise customers to get platform visibility, hardware-based isolation to protect their credentials, browser isolation, and hypervisor protection against malware executing code (see Figure 1).

As a result of the COVID-19 pandemic, the number of remote workers has grown exponentially, and we expect an increase in personal use of work PCs. Currently, IT regulates personal use through policies. Ideally, IT would be able to isolate personal and work use to prevent business data from being exfiltrated and mitigate the risk of the business workspace being vulnerable due to personal use of applications, like social media and browsing history. This is especially valuable when employees and systems need to comply with industry standards and regulations, like the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry (PCI) standards (see Figure 2).

In this example, the two VMs might be running the same operating system, but one is dedicated to working with applications like SAP® solutions, and the other is dedicated to working with social media and other personal applications.

Figure 2: Virtualization helps create isolated VMs for work and personal use—if a work PC needs to comply with specific regulations, then having it isolated from any other activity allows enforcement of those policies and guidelines, while allowing different policies for personal use.

Another use case for isolating workloads on the same PC is with gig workers. Instead of having to carry multiple PCs for different workloads, virtualization supports separate workspaces and multiple gigs with private and confidential transactions, built-in privacy and security capabilities, and the right performance and user experience. Consider a psychologist contracting with different hospitals and clinics who needs to ensure that she meets the compliance requirements for each of her clients. With virtualized workloads, she can do multiple jobs on the same PC (see Figure 3).

Figure 3: Gig worker with one machine but multiple jobs and personas

There are other virtualization models, such as virtual desktop infrastructure (VDI), that can also be rendered on the PC, along with the native workloads. Such models require continuous network connectivity, latency considerations, and the virtualization capabilities of the server rather than the client. The Intel vPro platform provides the hardware foundation to run these diverse workloads and meet the evolving demands of business users.

Performance is paramount

Performance is also a key component to enable more secure, virtualized workloads on business PCs. With the increased memory and faster caches available with modern Intel processors, the Intel vPro platform delivers the accelerated performance needed for demanding security workloads. Multiple security agents running on a PC can tax performance and impact productivity. We collaborate closely with OEMs, operating system vendors, and software developers to enable hardware support that helps reduce this side effect, keep systems more secure, and deliver broader app compatibility.

For example, the performance of Windows 10 systems with virtualization-based security can be dramatically improved when coupled with a feature of Intel Hardware Shield that lets operations that would otherwise be emulated by the hypervisor run in hardware instead. To learn more about how this Intel Hardware Shield feature, known as Mode-Based Execution Control (MBEC), works to enable virtualization-based protection of code integrity, check out this article from Microsoft.

Increased functionality for better user experiences

We know that CPU virtualization is critical, but it is not the only thing that matters to the overall user experience. That's why we designed the Intel vPro platform as a holistic and integrated solution to enable better virtualization and user experiences. This encompasses all the essential features associated with the platform, including compute, graphics, input/output (I/O), and storage. When running multiple VMs, it's necessary for common applications, like video and audio conferencing, to have strong graphics and artificial intelligence (AI)/machine learning (ML) support within the VM. We work with partners on software and hardware-based optimizations to deliver better graphics and audio support on each VM on the platform.

Resiliency

Finally, the sophistication and ubiquity of cyberattacks these days means that it's not a question of if but when any given system will be attacked. When such attacks occur, a primary concern is how fast you can get your systems back up and running. Virtualization is one more capability that supports resiliency. For the virtualized workloads that are compromised, the goal would be to resolve them quickly without impacting other workloads on the same system. Having these independently isolated workspaces can help reduce support costs and the overall cost of maintenance. Reduced downtime and efficient, up-to-date workloads can help provide an optimal business user experience.

Conclusion

For more than a decade, the Intel vPro platform has successfully served a robust customer base, gathering knowledge and insight into the everyday needs of businesses. Our story does not end here. We want to show you how our workloads are further amplified and work best with cloud client-virtualization models. As we progress to the next generation of the cloud-to-client-to-edge model, we continue to explore how we can provide ubiquitous computing without compromising traditional enterprise security tenets. We are continuously innovating the Intel vPro platform based on our understanding of our customers' needs to address current and future challenges. We invite you to join us on our journey.

We’re happy to connect on LinkedIn to continue this conversation.

To learn more about Intel vPro technology, visit intel.com/vpro.
To learn more about Intel Hardware Shield, visit intel.com/hardwareshield.
Contact your Intel sales rep for more information.

Notices and Disclaimers
Intel technologies may require enabled hardware, software, or service activation. No product or component can be absolutely secure. Your costs and results may vary.
Intel Pro is a trademark of Intel Corporation or its subsidiaries.
© Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Other names and brands may be claimed as the property of others.
Abhilasha Bhargav-Spantzel

About Abhilasha Bhargav-Spantzel

Abhilasha Bhargav-Spantzel is a Principal Engineer at Intel, focusing on hardware-based security product architecture. She joined Intel in 2007 after completing her doctorate from Purdue University, where she focused on identity and privacy protection using cryptography and biometrics. Abhilasha drives thought leadership and the future evolution of cyber security platform through innovation, architecture and education. She has given numerous talks at conferences and universities as part of distinguished lecture series and workshops. She has written five book chapters and 30+ ACM and IEEE articles and has 25+ patents. Abhilasha leads multiple diversity and inclusion efforts and actively drives retention and development of women in technology.