Having a look at all the vendors out there doing virtualisation, it seems like the common strategy is to be able to offer centrally virtualised applications (à la Citrix published apps) or centrally deployed virtual PC images (à la thin client / Sun Ray). Even Google is in on the act, although following a different path: making the browser the OS and pushing the apps into the cloud.
I do have a question for all the security architects and organisational IT strategists. Do you like the idea of pursuing such a virtualisation strategy, and if so, are the security mitigations you are planning to deploy still relevant in such an environment? More specifically, if you are planning an organisation-wide rollout of a desktop DLP suite, will it still be relevant if you are potentially heading back to a partial thin client model? When you make security strategies, are you considering what the IT technology landscape may look like in 18 months? DLP may be a sensible solution today, but is it just a point-in-time solution? How long is it really going to take to roll out your DLP solution, compared to what you expected (you know, before reality gets in the way)? You may just be getting to the last of the DLP rollout (after probably going through a partial refresh of the product version and configuration) by the time your organisation starts heading down the virtual OS/apps/thin client path.
Maybe a better strategy, if you think you will be heading into the great virtualisation future, is to invest in education and culture change for the end users so that they start classifying (and, shock, horror, taking ownership of) their electronic information. Purchase the right tools to make it easy for the end users to undertake the classification process, and potentially pilot an ERM solution. Why? Because any classification of information is only going to make the push of virtualisation to the end points that much easier. There would be a good case to give thin clients/virtualised OSes first to those end users who deal with sensitive information (information that has been classified, and because it has been classified it is so much easier to justify). Once you have such a configuration, then you can consider whether DLP products offer any additional benefit in plugging the left-over information leakage risks.
I think it is more logical to try to protect the information, at least at the individual file level by encryption, so that if the file leaks it is not a major concern.