During my freelancing time over the last couple of years, I’ve been trying different setups that would satisfy my wish to use a single laptop for different clients whilst maintaining proper security.
After all, I do not want to explain to my client that their servers got infected with Crapware because I felt the need to run Spotify on my laptop or visited an infected site that one time.
Naturally, as an infrastructure guy, I run a lot of virtual machines. Vagrant + VirtualBox is a very good fit for Puppet development work.
I tried running some of the ‘production’ work in VMs, but it never really panned out. Having a dedicated homebanking VM or a ‘Client X VPN VM’ was just too different a workflow to feel natural and effective.
So now I decided to split workloads into sets of tasks with a similar security need / boundary and create VMs for those.
To improve the security in the virtual machines, there is only limited VMware file sharing between the VM and the host OS: only a specific folder. Also, I disabled drag and drop + copy and paste support in the VMware options.
I try to minimize risk in the host operating system by performing the least amount of tasks directly in this layer. I suspect I can further reduce the tasks that I run in the host OS with a future generation of hardware.
Currently I still do Puppet development / testing in the host OS. Running the VirtualBox VMs nested in a VMware VM leaves me with too much of a performance penalty.
The biggest limitation I’ve run into is video support in the OS X virtual machine. Video works OK enough, but it lacks proper Retina support, so screen elements are either really tiny or kind of blurry, as before Retina. Not a show stopper though.
Will report in a couple of weeks or so how well it went.