bluebay2014 - Fotolia

Tip

Micro VM vendors to evaluate for your isolation, security needs

Amazon, HP, Qubes OS and Authentic8 provide micro VM-based technologies that help increase VM security through isolation techniques, but use varying hypervisors and OSes.

When IT administrators hear the term micro VM for the first time, it's easy to assume that micro VM technology is simply tiny VMs similar to the Nano Server VMs that Microsoft once supported. In reality, micro VMs are something quite different.

Micro VMs are available to sandbox applications in a way that prevents overall system harm from malicious code. There are several vendors who offer micro VM products, such as HP Inc.'s Bromium and Amazon's Firecracker, but the scope of these products varies widely from one vendor to the next.

This technology uses a container architecture to provide added isolation in each VM instance. Bromium, Firecracker, Qubes OS and Authentic8 are four micro VM vendors that admins should consider.

Bromium

Bromium is most-familiar micro VM vendor. Like other micro VM products, Bromium uses virtualization to shield desktops from running risky code from the web.

However, there is one key difference between how Bromium works compared to some of its competitors. Most micro VM products encapsulate all processes or web-related processes inside of a micro VM. Though this approach is effective, it is also heavy-handed and can get in admins' way because it limits what the processes can do and how admins can interact with those processes. Bromium combines micro VM protection with a whitelist of activities that are safe.

Therefore, if admins visit a mainstream, reputable website, Bromium lets the activity proceed as usual. Though if admins visit a lesser-known website or opens a suspicious email attachment, Bromium will encapsulate the web activity inside of a micro VM to protect admins' systems.

Firecracker

Another option for admins who want to use micro VMs is Amazon's Firecracker. Amazon initially created Firecracker, but the project eventually turned into an open source initiative and is available on GitHub.

The main reason for using micro VMs is to improve security.

Firecracker blurs the lines between VMs and containers. Similar to a container, Firecracker is very lightweight and offers fast application startup. However, applications run inside of KVM VMs, unlike a container.

Because Firecracker depends on the KVM hypervisor, admins can only use it in Linux, though guest OSes are also supported. Firecracker is extremely flexible in terms of hardware support: It works on Intel, AMD and ARM processors. Firecracker can also scale to accommodate thousands of micro VMs.

Qubes OS

Qubes OS is another micro VM option that uses Xen-based virtualization to create a series of lightweight VMs known as qubes, which serve a variety of purposes. These qubes can run system services, applications or groups of applications. Incidentally, Qubes OS is available for free.

Admins can assign a level of trust to each qube, which range from implicit trust to completely untrusted. This means admins can fully trust key OS components as well as deem a VM that runs a web browser untrustworthy.

One of the key differences between Qubes OS and other micro VM products is that Qubes OS is a desktop OS, not an add-on product.

The idea of switching to a different OS to gain micro VM functionality might seem unjustified, but the idea isn't as uncommon as it sounds. The main reason to use micro VMs is to improve security and Qubes OS was specifically designed with security in mind, which makes it one of the most secure OSes available.

Because of how the virtualization stack works, the Qubes OS is able to run Windows and Linux applications side by side on the same computer.

Authentic8

Though not a traditional micro VM product, Authentic8 makes web browsing more secure through browser isolation. In this case, Authentic8 hosts browser sessions in micro VMs or containers within its own cloud service, Authentic8 Silo Cloud Browser. The company designed its browser to reduce risk when web browsing.

Rather than enabling untrusted website code to run on admin desktops, Authentic8's servers act as a web browsing proxy. Web access is actually performed by a temporary micro VM within the Authentic8 cloud, thereby insulating admins from any malicious code.

When admins complete their web browsing session, Authentica8's servers delete the temporary VM that handled web requests. The server only retains an admin's profile and preferences from one session to the next.

Dig Deeper on Containers and virtualization