IBM Secure Enterprise Desktop

An enterprise application of the IBM ZTIC

Today’s ever more professional attacks against corporate desktop or laptop computers are posing a particular problem for maintaining the integrity of enterprise-class personal computer systems and the ata they contain. Significant cost and energy are directed towards installing hardened, enterprise-ready software packages, including operating system, application software and security packages, onto dedicated enterprise computing hardware. Regardless, however, attackers against corporate computers are increasingly gleaning information by way of malicious software attacks.

Basic concept

That is why the enterprise edition of the IBM ZTIC (eZTIC) has been designed to be the single device required for booting a PC and for establishing a secured iSCSI connection to the back-end server with full control over all data flowing between server and PC. By doing so, the user is alleviated of having to check the correctness of the security server (TLS certificate) to which it is connected: The eZTIC establishes direct, secure iSCSI sessions with known, preconfigured enterprise servers maintaining the user’s operating system images. Thus, all security-critical operations occur only under full user and server control. To be able to deploy the operating system image on a large variety of computers, an abstraction layer — called hypervisor — is needed to hide to the image the specificities of a given computer. A small trusted hypervisor is loaded from the enterprise server into the computer once the SCSI connection is established.


Malicious software (either in the network or on the user’s PC) cannot interfere with the data transmitted between eZTIC and backend server. Any malicious software possibly present on the PC will be rendered inactive once the PC boots using the secure bootloader injected into the PC when it boots with the eZTIC attached. If the PC does not boot with the secure bootloader provided by the eZTIC, the user notices this on the built-in display. This way, the IBM Secure Enterprise Desktop solution converts any ‘bring-your-own’ device into a corporate desktop PC — without the need for any installation or administration overhead.

Streaming hypervisor

The second key feature of the solution is the streaming hypervisor that loads the enterprise operating system’s disk blocks on demand only. This way, an enterprise software stack can be operational on a completely blank (empty disk) PC within 2 minutes after boot via the eZTIC. This solution has been demonstrated with a Linux KVM but can also be incorporated into hypervisor software stacks of other virtualization solutions.

Secure Enterprise Desktop: Basic Concept ‘Bring-Your-Own’

Secure Enterprise Desktop


    1. M. Baentsch, P. Scotton, T. Gschwind
      Secure Enterprise Desktop. Using private workstations for business purposes – securely.
      In: ERCIM news, Special issue on Cybercrime and Privacy Issues, No. 90, pp. 24-26, 2012.
    2. M. Baentsch, P. Buhler, L. Garces-Erice, T. Gschwind, F. Horing, M. Kuyper, A. Schade, P. Scotton, P. Urbanetz
      IBM Secure Enterprise Desktop.
      IBM Journal of Research and Development 58(1) pp. 10:1 - 10:11, 2014.