- Imitate hardware - a complete "computer within a computer", high overhead
  - Emulation - instruction-for-instruction imitation of CPU, devices, memory, etc.
    - Pros: very accurate, reliable, and secure
    - Cons: very slow
  - Virtualization - take some shortcuts where possible, imitate the rest
    - Pros: reasonably fast
    - Cons: can sometimes be breached, not all hardware can be used
- Imitate an operating system - just enough isolation to fool programs, low overhead
  - Full environment - "container"
    - Pros: highly flexible and "multi-purpose"
    - Cons: difficult to set up and maintain
  - Single application - "sandbox"
    - Pros: simple maintenance and deployment
    - Cons: keeping many of them organized is a chore in its own right
There are also several technologies that combine both categories, such as QEMU's "user mode" wrappers that provide architecture instruction set translation like emulators, but don't emulate any hardware and so behave like sandboxes.
I've tried just about every solution under the sun at this point (pun not intended; if you get the reference then you're my new best friend), and the following flowchart is based on my own experiences for what works and what doesn't in any given situation. Note that I do not attempt to account for very special-purpose cases like cloud computing infrastructure; these are orders of magnitude greater in complexity, and would require a chart far more complex than what can fit here:
Feel free to use / distribute / wipe your a** with the chart as you choose. It's also worth noting that two of my personal favorites, FreeBSD jails and Solaris containers, are not listed here. They require some higher-level specialist and/or institutional knowledge that your typical organization will likely not have on staff. They're also more powerful than any of the other container / sandbox solutions mentioned above, with the *possible* exception of Parallels Virtuozzo. Sorry, lxc and Docker, you're just not there quite yet, in my own humble opinion.