As Business Development Director of Molten Technologies, I spend a lot of time with clients discussing what they want to achieve from Desktop Virtualisation and which of the multitude of solutions out there they should choose.
One Size never fits all
A consistent theme during these conversations is that a single solution will almost NEVER fit all the use cases in a single client. Even in relatively small deployments, there will be a number of different groups of people that use their desktops in a variety of different ways – accessing different applications and data, working from different locations and doing a wide variety of different roles.
There are some very clever and useful technologies out there today, that can be generically grouped under the heading ‘Desktop Virtualisation’. Solutions such as application virtualisation, application streaming, desktop presentation, local hypervisors and (coming soon) rich web applications such as HTML5, can be excellent solutions for the right use cases.
It is my supposition however that, today – now, VDI is the right solution for most of the people, most of the time.
So in the real world, why are organisations choosing VDI?
Given that an organisation probably still has legacy applications that require it to provide (usually Windows) desktops, why choose VDI over the alternatives?
Clearly different organisations have different priorities. It is however possible to identify some consistent themes from those organisations who have taken the plunge and built, or bought, VDI.
1. ‘Normal OS’ with ‘Normal apps’ – but in the DC, without changing anything else
It comes down to the real world of IT management in most organisations – they typically have A LOT of applications, some of which are very specialist and often quite old. In an ideal world these applications would have all been migrated to newer platforms years ago – but in the real world people have built processes and tools to manage them. Whilst not perfect, these management systems work and are a known problem.
VDI divides the problem of change into bite-sized chunks, offering an organisation the opportunity to get the great benefits of virtualisation (remote access, security, cost … yes, cost), without having to change anything else. Better still, assuming some users will still need laptops (in 100% of cases so far in my experience), the existing tools and processes work in exactly the same way for laptops, desktops and VDI VMs. Electronic software distribution tools, such as SCCM or LANDESK, do not even recognize that some of the Win 7 desktops they ‘see’ are virtual machines (they are full Windows 7 desktops after all), whilst others are physical desktops or laptops.
Having given users what they want, the IT department then has time to go and fix those underlying process issues in a controlled and systematic way. These changes are often more complex (and so costly to do) than building the VDI environment itself.
It is a huge volume of change, all at the same time, which kills many IT projects. This is especially acute in desktop virtualisation projects that try to do too much, too soon.
This is the key reason why application virtualisation is not ‘king of the hill’ in the desktop virtualisation world – and in my opinion, never will be. Application virtualisation forces the organisation to go ‘all in’ on a change process that can represent a significant effort, even if they only ever intend to virtualize a small controlled set of applications.
I was with a public sector client recently who are 20 months into their desktop virtualisation project (a mix of application virtualisation and RDSH’s), but only now have enough of their core applications packaged to begin their user roll-out. The client sponsor, a very experienced CIO (who inherited the project), commented to me that in his experience “the people who are doing desktop virtualisation now are all doing VDI”.
My perspective on security is that it largely comes down to human behaviour.
Moving the desktop OS into the data centre without doubt makes it easier to update and patch the software image – and importantly – easier to guarantee that each desktop has received the update (VMs are always accessible and never leave the corporate network – so updates always work, to every machine). It should be remembered that VDI VMs are still Windows machines and still have to be managed, so you are not necessarily managing fewer images – it is just much easier to manage the ones you have.
A client in a large financial institution recently recounted that his last 5 security breaches had been caused by laptops that had ‘brought in’ some form of malware after being used externally, because they had not been on the ‘home’ network recently and so had not received the latest security updates.
This form of breach just can’t happen in a VDI environment – the VM desktop never leaves the network, so it always receives the latest update, as soon as it is released, and it is far less likely to be ‘attacked’ (never say never, of course) because it is hosted inside the corporate security zone.
From a human behaviour perspective, because the VM image is completely separated from the end-point device there is no data retained on that end-point. This removes the possibility for bad luck and bad judgment to put your corporate data at risk.
I remember the celebrated case of an RAF officer in the 1990s quite literally having the ‘Plans for the Gulf War’ stolen, as they were on a laptop in his car. That career-limiting (ending?) event is simply impossible in a VDI environment – the device might still be stolen, but no data will be lost with the device.
3. People can use whatever device they want
A big driver for VDI has been the desire to bring and use an iPad at work. It is, of course, equally true for almost every other type of device. The IT department literally no longer cares which device people use – they are all ‘untrusted’ devices that the IT department neither owns nor manages.
This works particularly well for contractors – several of our corporate clients make regular use of consultants and their default method of granting these folks access to their environment is to issue them with a laptop. This is very expensive for the organisation (even if they occasionally get them back at the end of the contract) and a real pain (literally) for the consultants themselves, as they now have TWO laptops in their bag (because they almost always carry their own laptop too).
In a VDI environment, the organisation simply issues the consultant a URL, username and password, allowing them to access their desktop from their own ‘untrusted’ laptop.
…and they can install what they like – on the local device, of course, not their VM image (although possible, still generally a very bad idea) as the local device is theirs and (see above) the IT department no longer cares what they do with it.
4. Instant ‘snow storm’ solutions
This is a great real-world feature of VDI – the ability of people to log on from anywhere, from any device, means that everyone can suddenly change location and log on to their desktop with no pre-planning required.
So when the roads are suddenly impassable and no-one can get to the office, the business impact can be dramatically reduced.
This benefit can also be extended into all the various disaster recovery solutions and provision. For instance, several of our clients pay substantial sums for the provision of DR office space, with PCs pre-loaded with their image, sitting waiting for an event that (hopefully) never happens. VDI offers the opportunity to remove, or at least dramatically reduce, these costs.