In a service-based grid, the data to be processed are usually moved to the service. However this is not always possible for security and data privacy reasons, as in biomedical grids processing patients' data. The other way, moving services to the location of the data, brings challenges in dealing with heterogeneity of deployment environments. A solution for this problem is proposed in this paper, based on services deployed in hardware virtual machines. Such setting allows a user to download all needed grid services into a tightly controlled environment, possibly even disconnected from the network, thus creating a ``sealed grid'' for processing sensitive data.