IBM puts secure Windows, Linux in the cloud via USB

IBM has demonstrated prototype security technology that lets people load a cloud-hosted Windows or Linux operating system onto a client PC using a USB stick.

IBM has shown off prototype technology that lets people boot a secure cloud-based version of Windows or Linux from a USB stick. Image credit: Jack Clark

IBM designed the Secure Enterprise Desktop technology for businesses that want to secure employee-owned devices while making sure that all the company's data is backed up to a corporate or IBM-operated datacentre. Bring your own device (BYOD) is an thorny topic for IT managers under pressure to allow corporate use of devices owned by employees.

IBM's Secure Enterprise Desktop technology was shown to ZDNet UK at CeBIT in Hanover on Wednesday. It uses a USB stick with its own HTTPS stack, bootloader and proprietary code to create a secure connection between a partitioned drive on the client computer and a remotely located server. IBM was hoping to find businesses at the show to test the prototype and ultimately buy the service.

USB device 

The bootloader is run from a processor on the USB device. If the client PC is compromised at a deep level, the user is protected, according to IBM. The technology cuts out the host operating system and hardware, and authenticates directly to a secure server.

"You take a computer, you boot from this device, this device establishes via its own processor a connection to the server, then there's a two-way authentication so the server knows who you are and you know the server is the server," Paolo Scotton, a computer security scientist at IBM's research labs in Zurich, told ZDNet UK. "Once you establish this connection you download a small [kernel-based virtual machine] hypervisor."

Once the hypervisor is downloaded, the computer lets the user select a Linux or Windows operating system to be provisioned from the remotely hosted server. IBM has developed a driver for the kernel-based virtual machine (KVM) hypervisor that "monitors access from the OS to the disk and brings down only the blocks that are needed", Scotton said, which helps the operating system be more responsive.

As the user performs actions on the client device data is written in an AES-256 encrypted format to the partitioned disk and any changes are replicated back to the cloud-hosted operating system. If the USB stick is removed, the operating system instantly shuts down as the connection to the remote server has been cut. If this happens, the person can re-insert the stick, which then re-authenticates with the server and lets the person use the OS again.

There is also an option to download the host operating system from the cloud so the person can use the client PC without an internet connection. Over a gigabit connection a full download of a populated Windows 7 operating system should take around 10 minutes, Scotton said.

On the infrastructure side, the technology requires a Linux server with Apache and OpenLDAP, an open-source implementation of the Lightweight Directory Access Protocol, which can be hosted either in an IBM or private datacentre. The client side requires a Windows or Linux computer with a 64-bit processor.

IBM is experimenting with a BitTorrent-based method for letting multiple distributed servers collectively pass the OS image to the client computer. This speeds loading times and adds redundancy, Scotton said. The technology is innately scalable, he said, as the OS is accessed on a block-by-block basis.

IBM hopes to release the technology as a commercial product within a year, and is looking for businesses to carry out test pilots, ZDNet UK understands.