VDI counter arguments – Security

 

PC vs virtual desktop is like cash vs a debit card

 

As CEO of Molten Technologies, an independent virtual desktop specialist, I often find myself enthusing about VDI, especially as a service, vs the traditional fat-client PC model and I have heard every push-back in the business (and some that ought not to be). In this series of articles, I will expose the most common and a few of my favourite rarer ones.

A statement like “but it isn’t sufficiently secure for our needs”, or an insinuation of the same, has been a part of a large number of my conversations about Desktops as a Service and even a surprisingly high proportion of my conversations about Virtual Desktop Infrastructure. Part of the problem is that there are a range of options and solutions which result in a range of different security outcomes (which is true of any technology). An additional part of the problem may also be that we have all become so used to laptops that we have forgotten what a dreadful architecture they embody from a security point of view (albeit that the risk is somewhat mitigated by the very mature ecosystem of security solutions that have grown up around them). Whatever the cause, I see a measure of security mistrust out there for virtual desktops that I find at odds with the technology’s ability, if set up correctly, to result in a substantially more secure answer than any laptop or even desktop estate that I have seen. I equate it to someone with piles of cash under their mattress at home picking holes in the security systems at the bank and saying that they don’t trust them.

Let’s start with the basics: running virtual desktops on a server in your data centre is, at its core, a better security answer than having physical PCs on the office desks and a giant leap above running them on a laptop in the airport. Using my analogy above, it is like carrying a debit card instead of all of your cash (data being the closest analogy to money here). It is relatively easy to lock virtual desktops down so that they don’t map local drives, thumb-drives and the like and to disable cut and paste with the local machine so that your precious data remains where it should be, in your data centre. I once heard of a very large and respected energy company that used to pour super-glue into the USB ports on some of their laptops to try to achieve this. Don’t get me started on the implications of a laptop out there connected to an untrusted network with your data on it and an intent to come and plug back into your network later. There is a different and less tasteful analogy I could use here, with an acronym very similar to, but slightly shorter than, VDI.

So virtual desktops have the inherent advantages that they stay permanently on your corporate network and in the datacentre, so what is the problem then, why the security concerns? Like most technologies, there are lots of choices and you can easily make them less secure if you set them up wrong. For example you could allow cut and paste to the local device, allow access to thumb drives or spool your print files through the local device. However, this is just a competence question and doesn’t really get to the heart of the problem. The crux becomes clear when we start to explore some of the flexibility that this new approach allows us, like accessing our corporate desktops from untrusted devices (e.g. our home PCs) and having a third party host the desktops for us.
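An added example, not from the original article: a Python check that audits RDP connection files for the three weak settings named above (clipboard, drive and printer redirection). It assumes RDP as the remoting protocol and uses constructed sample files and host names; a client-side file is only a request, so the same restrictions still need enforcing on the desktop host.

```python
"""Audit RDP connection files for local-device redirection (added example)."""

# Settings that let data cross between the virtual desktop and the local device.
# name -> (expected type, value that disables it, what it exposes when enabled)
LOCKDOWN = {
    "redirectclipboard": ("i", "0", "cut and paste with the local device"),
    "drivestoredirect": ("s", "", "local drives and thumb drives"),
    "redirectprinters": ("i", "0", "print spooling through the local device"),
}


def parse_rdp(text):
    """Parse 'name:type:value' lines of an .rdp file into {name: (type, value)}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a leading byte-order mark
        if not line:
            continue
        # Split on the first two colons only: values may contain colons (host:port).
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # not a setting line
        name, kind, value = parts
        settings[name.strip().lower()] = (kind.strip().lower(), value.strip())
    return settings


def audit(text):
    """Return a list of (setting, status, exposure) for every lockdown gap.

    status is 'enabled'   - the file explicitly turns the redirection on,
              'malformed' - the setting is present with the wrong type,
              'unset'     - the file is silent, so the client default applies.
    An empty list means all three redirections are explicitly disabled.
    """
    settings = parse_rdp(text)
    findings = []
    for name, (kind, safe_value, exposes) in LOCKDOWN.items():
        if name not in settings:
            findings.append((name, "unset", exposes))
            continue
        got_kind, value = settings[name]
        if got_kind != kind:
            findings.append((name, "malformed", exposes))
        elif value != safe_value:
            findings.append((name, "enabled", exposes))
    return findings


# Constructed sample files (host names are placeholders, not real systems).
LOCKED_DOWN = """\
full address:s:vdi.example.internal:3389
redirectclipboard:i:0
drivestoredirect:s:
redirectprinters:i:0
"""

PERMISSIVE = """\
full address:s:vdi.example.internal:3389
redirectclipboard:i:1
drivestoredirect:s:*
"""

if __name__ == "__main__":
    for label, sample in (("locked-down", LOCKED_DOWN), ("permissive", PERMISSIVE)):
        findings = audit(sample)
        print(f"{label}: {'OK' if not findings else ''}")
        for name, status, exposes in findings:
            print(f"  {name}: {status} -> allows {exposes}")
```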

Access from an untrusted and uncontrolled device is unconscionable for most corporates in the fat-client PC model. It becomes possible with a virtual desktop because the untrusted device can remain outside of the corporate network even while it is controlling the corporate desktop, which is inside the network. This means we don’t have to worry about viruses, because the remoting protocol provides an effective security barrier and only allows through recognized commands. The question arises, “what happens if the uncontrolled device has a rogue key-logger?”. This is a risk, because it would allow a potential hacker access to user-name and password information. However, the risk is relatively easily managed with a second factor authentication (e.g. RSA token). This represents a substantial project if you don’t already do it, but it is hardly a reason to move away from virtual desktops.

Third party hosting, particularly if anyone mentions the word “cloud”, is probably the biggest challenge. I completely recognise that if we are talking pure cloud, where you don’t know where it is or what network it is on, this would be a problem for most corporates and I accept that. However, there are organisations that offer hosted virtual desktop solutions where you do get a fully network-segregated solution within your own “tenant” and some can even host it in your DC if you prefer (I should know, I run one of them). This way all the corporate security features are inherited, with your firewalls, active-directory controls etc.

I am convinced that virtual desktops have the potential to be more secure than fat-client PCs if they are set up right and we avoid the temptation to let the flexibility they offer distract us from the security implications. The forward-thinking security teams out there are demanding this stuff and managing it appropriately rather than pushing back on it.


VDI counter-arguments – The Disconnected use-case

Disconnected

As CEO of Molten Technologies, an independent virtual desktop specialist, I often find myself enthusing about VDI, especially as a service, vs the traditional fat-client PC model and I have heard every push-back in the business (and some that ought not to be). In this series of articles, I will expose the most common and a few of my favourite rarer ones.

I wish I had a pound for every time someone has said to me “but it doesn’t work off-line, does it?”. 

Let’s start with the obvious. Yes, any on-line service requires a connection of some sort. Yes, virtual desktop infrastructure is fundamentally an on-line service. However, it is only on-line because we designed it that way; there is no technical reason why a virtual machine cannot run on a local fat-client and there are a number of solutions that can make that work for you. Complaining that VDI doesn’t work off-line is a bit like complaining that a weight-loss diet is too low in calories for training Olympic athletes. It is that way because it was meant to be. It isn’t a limitation; it is a deliberate feature. Use VDI for user-groups:

  • whose data you want to keep securely locked away inside your network,
  • to whose machines you want to be able to send instant security patches even if their users are fast asleep with their machine turned off,
  • who will appreciate the freedom of being able to leave their heavy PC at work and still be able to access their corporate desktop at home,
  • for whom you don’t want to keep buying refreshed hardware every time Microsoft fancies rendering the old hardware obsolete.

If you have a user group that really requires off-line access, then consider a local hypervisor solution (some even have a check-in/check-out facility) or simply leave them using laptops.

Second, the great myth that the majority of knowledge-workers with laptops require off-line access to their desktop. There are those that do, so there is a genuine piece of work to do to sort the wheat from the chaff, but the vast majority absolutely do not. The laptop has become short-hand for “manager” and gets handed out as a perk in many organisations or to save the effort of having to think about it. I have even seen one example where a business gave their staff laptops because they wanted to be able to shift people around the office occasionally and it makes desk-moves easier. Laptops get locked in pedestals at night, they get carried home to use at home (but not while driving or on the train) and they get chained to the top of the desk. When staff do use them while disconnected, they are usually reading emails, which they could just as well do on a Blackberry. Ask yourself how many of your corporate applications work off-line. Personally, I travel regularly and I use an iPad and a virtual desktop. When I am disconnected I can still read or draft emails on the native iPad and when I get a decent connection (3G will do fine) I get the full power of my virtual desktop without having the weight and bulk of a laptop. The first day that I left the office without my heavy, bulky lap-top bag was an absolute joy.
 
Third, just because you can find one user-group that needs to keep their laptops, it doesn’t mean that VDI is a bad idea for everyone else (that would be like a tail wagging a dog). In the real world, you are never going to have VDI for 100% of your users. Some will only use a very limited number of applications and can use thin-clients accessing a virtualised application. These users don’t need a full desktop at all. Some will require a full desktop off-line and the right answer for them may be a laptop (perhaps running a local virtual machine). A great many others will likely benefit from a shift to VDI. A mixed estate is perfectly manageable; with the right tools, you can even keep consistent management processes across the estate.

My advice is rejoice in VDI as a flexible, secure, manageable, agile, cheap, performant and green alternative to PCs for a large number of your staff without getting too upset if others require a different answer.

Virtual desktop benefits 4 – Green

Molten Technologies believes that Desktop as a Service (DaaS) based on Virtual Desktop Infrastructure (VDI) technology can, when done right and wrapped in the right commercial and service model, provide a different and better approach to corporate desktops.

We think VDI and DaaS should be:

  • Agile
  • Secure
  • Cost-effective
  • Green

We recognise that VDI might only be the right answer for a proportion of your staff and that “One size does not fit all” (see our previous DaaSler article), but it can add a great deal of value where it fits.

In this last in a series of four articles, we will pick-out some high-points of what we think customers of a good VDI or DaaS service should expect in terms of its environmental friendliness.

Green

 

Supports one machine for home and work

Many people who use a PC regularly at work, also have one at home (in some cases more than one). This is hugely environmentally inefficient as the impact of making new equipment is substantial. The idea that an individual could use a single machine, keep their personal data and applications on it locally and use it as an access device when at work is a neat response to this device proliferation and is supported by virtual desktop technology. For example, an organisation could run a “BYO” scheme in which employees bring their Macs or other personal laptops to work, connect them to a guest network and use them to access their virtual desktop for business. The device need not even be particularly powerful, even an iPad (depending on the type of users, they may want a bluetooth keyboard) or Android device can fulfill this role. The net result is fewer end-point devices and potentially thinner end-point devices. 

Enables efficient (deduplicated) storage

In a typical corporate office packed with PCs, their hard-discs are storing 80% duplicated data. Think about that for a minute, the same data is being stored over and over again on hundreds of hard-drives, just so that it is locally available to each processor on request. This is hugely inefficient and results in much more storage, in aggregate, than is actually necessary. Much of this duplication is down to the Windows image and the local applications, but some also comes from filestore as we email the same presentation out to twenty people or reply to an email chain twenty emails long (each one with another copy of the previous nineteen). With a virtual desktop configuration, all of that duplicated data is pulled together centrally and can be de-duplicated. Not only does this require a great deal less storage (which is therefore efficient) but it can be made to be very performant by keeping information that is requested regularly in memory cache or solid state storage rather than spinning disc.

Enables efficient server level virus protection

Talking to a potential client recently, they were bemoaning their virtual desktop infrastructure because it is “unable to cope” with the daily virus scan. This problem is avoidable on two fronts: first, randomize the timing of the scan so that each desktop scans at a different time of the day, rather than all kicking off at once; second (and in many ways the better approach), stop scanning at the desktop level and scan at the server level. This again is much more efficient as it is effectively scanning many desktops at once “in bulk”. It uses less processing power and therefore less power, particularly when combined with the above point about deduplicated storage (because the storage only needs scanning once).

Enables efficient pooled computing

The average PC isn’t working very hard most of the time; it is inherently inefficient because its processor and memory are dedicated to an individual, whose demands are very “peaky”. When I log-in in the morning and open various applications, I want all the processing power I can get, because I am naturally impatient and I want to get going. But when I am writing a blog or making a phone-call, I am using little or no processing power and my machine is largely sitting idle (meanwhile, the person across the office from me is recalculating a large spreadsheet and needs all the processing power they can get). A compromise is made at the point of specifying the machine between cost and performance. This is a compromise which can be much more balanced in a virtual environment where compute resource is naturally pooled. When I am not using my resources, they are available to the person across the room. This means that it is possible to get better performance from less hardware, which in turn is more efficient from the point of view of both buying and powering the kit.

Avoids the need to buy PCs for third parties

In all my conversations with potential clients about virtual desktops, this one keeps coming up as a hot-button: “I want to stop buying laptops for my third parties. It just feels wrong”. Well it is wrong, from an environmental point of view, because they already have PCs and it is a waste to be giving them new ones just so they can access your network securely. With a virtual desktop approach, third parties can access their virtual desktops from their own hardware. You will be happy avoiding the extra cost, they will be happy avoiding the need to carry two laptops and the planet will avoid the environmental cost of all that laptop manufacture.

Thin clients last longer than PCs

One of the biggest environmental impacts of an electronic device is when it needs to be replaced with a new one. We are talking raw materials, manufacturing, packaging, distribution and recycling of the old device. Thin-client devices are simpler than PCs and lack moving parts, like fans and hard-drives, so physically last longer. Also, because the OS and applications are running in the data centre, in a virtual desktop model, the local device remains independent of even the most major upgrade, a time when many fully-functioning PCs are replaced.

Extends the life of existing PCs

As noted above, one of the biggest environmental impacts of an electronic device is when it needs to be replaced. With a virtual desktop, the hardware is abstracted from the system and application software, so that major software upgrades can be managed independently of the hardware. What this means in practice is that when you come to do your next major Windows upgrade, for example, you can keep all your old desktops (or thin clients) and access the new service virtually. The same logic applies in the data-centre, as even the virtual desktop is running on a hypervisor layer that isolates it from the servers it is running on and it is therefore reasonable to run the servers to failure as well. As long as you maintain an “n+1” configuration for redundancy and high availability, this approach need not affect the availability of your service. 

Reduced Desktop power consumption

A typical thin-client uses about 10% of the power of a PC as it lacks a spinning hard-disk or a fan as well as typically running less-powerful processors. This dramatically reduces power consumption in the office and will also reduce the need for air-conditioning in most offices as PCs produce a lot of heat as they consume all that power. 

More power efficient overall (including DC)

We note above that thin clients are more power efficient than PCs, but what about the extra power being used in the data centre to run the virtual service? Even when we take a rounded view and draw-in the data centre power to the comparison, you should expect to see 70% savings. This is more variable than the thin-client numbers as it is dramatically affected by the density of desktops to servers and the level of storage deduplication you are able to achieve, but assuming you have these well optimized, 70% is achievable.

Reduced need for office cooling

As noted above, thin-client devices use about 10% of the power of PCs because of their lack of moving parts (e.g. fan and hard-disk) and because of their more parsimonious processors. Much of the power consumption of a PC ends up ultimately dissipating as heat; indeed a room full of PCs has a substantial impact on the calculations for the air-conditioning unit for that new office. Even in an existing office, the air-conditioning will have less work to do if you replace all of the PCs with thin-clients.


Virtual desktop benefits 3 – Cost effective

Molten Technologies believes that Desktop as a Service (DaaS) based on Virtual Desktop Infrastructure (VDI) technology can, when done right and wrapped in the right commercial and service model, provide a different and better approach to corporate desktops.

We think VDI and DaaS should be:

  • Agile
  • Secure
  • Cost-effective
  • Green

We recognise that VDI might only be the right answer for a proportion of your staff and that “One size does not fit all” (see our previous DaaSler article), but it can add a great deal of value where it fits.

In this third of a series of four articles, we will pick-out some high-points of what we think customers of a good VDI or DaaS service should expect in terms of cost effectiveness and how it can save you money.

Cost effective

 

Reduced “at elbow” support

With a virtual desktop, the end-user is typically either using a thin-client or their own machine, either under an employee Bring Your Own (BYO) scheme or because they are from a third-party using a third-party machine. The fact that a portion of your end-users that previously required a corporate PC are now using their own machines is a bit of a “no-brainer” when considering reduced at-elbow support (you will need to consider the HR and contractual implications of this change; these are typically simplified if it is optional). In addition, thin-clients are simpler devices than PCs; they lack spinning hard-discs and fans, which are among the most common components to fail in a PC. They are also un-personalised, so a user can sit down in front of any thin-client device; it doesn’t need to be the one they used the day before. Therefore, thin-clients tend to go wrong less often than PCs and when they do, a user can take another from the stationery cupboard and continue to work almost immediately. While this may have a modest impact in a single big office, the savings across multiple smaller regional locations can be substantial.

 

Reduced OS and software issues

PC hardware varies and hardware manufacturers like to differentiate their products with useful extra features. The problem is that these differences and features often reduce the stability of the platform. How many times have you closed the lid on a laptop to find that it is set-up to hibernate when you do so? How often does it cleanly recover from hibernation? In my experience, it is all too common for a laptop to fail to recover properly from sleep or hibernation and both the OS and the applications are left in a tangle. With a virtual desktop, the hardware is running in a controlled data-centre environment and the OS and applications are isolated from the hardware by the hypervisor layer. The result is that the user experiences increased stability and reduced glitches, reboots and software issues.

 

Resilient hardware

It has been standard practice for many years to build key data-centre systems with resilient hardware so that even if there is an individual component failure, the system remains available. This allows for the replacement of the failed component while the system is still available, so that the resilience is maintained. This sort of architecture is not used for PCs, which typically have any number of components that would cause a system-down if they failed. You should expect virtual desktop infrastructure, whether being provided as a service or in-house, to be fully resilient giving three nines (99.9%) availability, which is substantially more than is achievable with a PC estate (I have seen claims of four nines; this can be done, but it is expensive and only necessary for specific cases). Although virtual desktops still require an endpoint device, thin clients are more reliable than PCs (see Reduced “at elbow” support).

 

Easier routine patches and upgrades

Most corporate PCs have a standard start-up routine that includes checking that they are connected to the network and then immediately checking for emergency and other patches and scanning for viruses. If they are not connected, they will have to scan without the latest security patches and run without them until they are able to connect. Therefore, at any one time, a traditional PC estate will be in various states of patch, which can make emergency patching very challenging to manage. Virtual desktops need never be disconnected from the network or powered-down, so patches can be implemented and rolled-out consistently across the estate quickly at any time, day or night, and need not disrupt the users. In addition, depending on your technology choices, virtual desktops may offer tools for managing pools of desktops with standard “gold pattern” images which can save substantial time and effort.

 

Extend life of existing desktop hardware

The refresh of desktop hardware is rarely associated with it ceasing to function and much more commonly aligned with some sort of operating system upgrade (e.g. Windows 7 roll-out) or application upgrade as the old hardware struggles to cope with the demands of the new software. With a virtual desktop, the demands on the local hardware are greatly reduced and there is no need for it to be running the latest operating system; there are even tools available to effectively reduce an old PC to a thin-client, at least from a software perspective. Therefore, a new or upgraded virtual desktop solution can be rolled-out on existing hardware, extending its life. You should expect to be able to access your virtual desktops from very basic old machines and experience improved performance (especially if they are struggling today). One potential watch-point here is peripherals; the desktop hardware must be able to support the required peripherals (e.g. video camera, microphone).

 

Reduced power consumption

A typical thin-client uses about 10% of the power of a PC as it lacks a spinning hard-disk or a fan as well as typically running less-powerful processors. This dramatically reduces power consumption in the office and will also reduce the need for air-conditioning as PCs produce a lot of heat as they consume all that power. Even when we take a rounded view and draw-in the data centre power to the comparison, you should expect to see 70% savings. This is a little more contentious as it is dramatically affected by the density of desktops to servers and the level of storage deduplication you are able to achieve, but assuming you have these well optimized, 70% is achievable.

 

Optimise office space (hot-desks and home working)

Office space optimisation is a tough nut to crack and no single technical solution is going to make it “go away”, as there are team-working dynamics, HR considerations and a whole raft of other people-related issues to consider. However, having a desktop solution that gives a seamless and personalized experience wherever you access it from is a very strong start. This gives the business the maximum flexibility to support hot-desking and home-working without having to worry about the technical infrastructure implications. Thin clients remain unpersonalised, as the user’s virtual desktop looks the same to them wherever they access it from, without them having to physically move a PC around. Because the virtual desktop remains permanently inside the corporate network, securely accessible via a remoting protocol, the end-user can use an insecure network to access it, like home or a coffee shop. This remains secure as no data passes between the machines other than screen shots and key-strokes.

 

Simplified office networking

Many corporate office networks are relatively expensive to set up, particularly for smaller regional offices. It is cheaper, faster and easier to set up smaller, regional offices (or shops) with simple Internet connections. The components are more widely available and much cheaper as you can effectively use domestic equipment. The challenge is typically that sensitive customer data cannot be sent over the Internet and a traditional PC desktop model typically sends the data down to the PC either in a “client/server” application or simply via email. With a virtual desktop, sensitive customer data is retained centrally, the local devices are relatively dumb and the communication between the two can be easily locked-down and encrypted. The watch-point here is printing as, even with a virtual desktop, if you want to print locally, a spool file will still need to be sent to the local printer so you will need some mechanism for handling that securely.

 

Avoids need to buy PCs for third parties

PCs for third parties is one of the most obvious business-cases for VDI and is often the first (and sometimes the only) area to be implemented. Many corporates currently buy laptops for their third-parties as a mechanism for giving them secure and controlled access to the network and applications they need to do their job. The problem is that this is expensive and puts both the asset and your data/IP in the hands of individuals outside of your organisation and possibly even outside of your geography. Sending them a link for a virtual desktop will be cheaper than buying them a laptop and both the asset and the data/IP remain securely inside your data centre.

 

Cheaper and lower risk major upgrades

Major operating system (OS) upgrades are often associated with hardware refresh because older portions of the desktop hardware estate are too slow and have too little memory to run the new OS and associated applications. This adds complexity and risk to the upgrade implementation project because it means a visit to every desk in every office at the moment of software upgrade. This, in turn, means long implementations with long periods of parallel running and substantially increased risk. A virtual desktop solution allows the new software to become accessible from the old hardware, so that the implementation can become as simple as receiving an email with your new log-in details. This also means that the old hardware and software remains in place as a fall-back if there is a problem with the new solution or if there are a small number of rarely-used applications that have yet to be tested on the new platform. Future upgrades, once the estate is virtual, are greatly simplified and remain distinct from hardware refresh cycles.


Virtual desktop benefits 2 – Security

Molten Technologies believes that Desktop as a Service (DaaS) based on Virtual Desktop Infrastructure (VDI) technology can, when done right and wrapped in the right commercial and service model, provide a different and better approach to corporate desktops.

We think VDI and DaaS should be:

  • Agile
  • Secure
  • Cost-effective
  • Green

We recognise that VDI might only be the right answer for a proportion of your staff and that “One size does not fit all” (see our previous DaaSler article), but it can add a great deal of value where it fits.

In this second of a series of four articles, we will pick-out some high-points of what we think customers of a good VDI or DaaS service should expect in terms of Security. 

Security
 
Data secure from laptop theft or loss
Data remains securely inside your corporate network in the data centre, inside your firewall rules and is not sent down to the “end-point device” which the end-user is touching (e.g. laptop, iPad or other tablet, MacBook etc). The only communication with the data centre is keystrokes and mouse data in one direction and screen updates in the other and even these can be simply encrypted. So if someone loses a laptop while traveling, they may lose their personal information, if it is their personal machine, but they will not put your corporate data at risk.
 
Data secure from “thumb drive” theft
It is relatively straightforward to lock-down a VDI service such that it simply does not map to any local drives and therefore when someone inserts a “thumb drive” or “memory stick” into the end-point device (e.g. PC or thin client), the only thing they have access to is the local machine which has no corporate data on it. The “PC” is now a virtual machine in the data centre where it is safe from thumb-drives and the like.
 
IP secure in third party or offshore teams
With data and applications residing safely in the data centre and third parties accessing locked-down desktops remotely, your IP can be managed much more securely than in a traditional PC environment. Add tools for “sniffing” data removal and key logging so that any suspected incidents can be easily followed up and you can have confidence in your IP security. Even an overseas third party can work on data while it remains locally in your data centre and never leaves your national boundaries.
 
Can lock out email and internet
Typically, third parties will use their own hardware and possibly even their own network connections to access the service (if they are accessing from their offices, for example), so it is sometimes possible to take the concept of desktop lockdown a stage further than usual. Not only can you remove administrator access to a third party desktop (so they can no longer install their own applications) but you can also remove a web browser from the build and even email (these being on their own physical PC through their direct employer) leaving only the bare essential applications required to do the job. Without a local drive, administrator access, internet access or email, a third party handling sensitive data is restricted to using only the applications that you have provided for them. They can do their job, but that is all.
 
Secure access from insecure networks
The remoting protocol associated with a virtual desktop (RDP for example, although there are more sophisticated examples) takes keyboard and mouse inputs from the end-point device (e.g. PC, Mac, Thin client or Tablet) and returns screen updates. The end-point device (which could be the user’s own PC, iPad or MacBook) does not need to directly access the corporate network in order to connect to a virtual desktop on that network. The remoting protocol provides a secure link or isolation layer between the two and prevents the infection of the corporate network by virus or other attack from the network local to the end-point. This has implications for travelers, home-workers, third parties working from their own offices, business continuity and even new corporate offices because it means that end-points no longer require either a corporate LAN or a Secure VPN and can therefore save costs, improve usability and increase security at the same time.
 
Support BYO devices securely
In the same way as virtual desktops keep the “PC” safely locked away in a data centre with the remoting protocol acting as an isolation layer so that the end-point device can be on an insecure network (see above), so the device itself can be untrusted. This is a complicated way of saying that you can access your corporate desktop securely from any machine that happens to be handy. Want to bring your MacBook to work and be able to work on it? Want to allow third parties to work on their own machines? Want to allow the senior executives to use iPads (or Android devices or frankly anything else that comes along)? You are in luck. As long as it has an Internet connection and a remoting protocol (and they pretty much all do), it can be used to access your virtual desktop (this is not true of all virtual desktop products all of the time, so be careful; for example, it took 18 months for Citrix to announce its support for the iPad).
 
Supports two factor authentication
Many organizations already use two-factor authentication to require a user to remember their password and be in possession of a physical token (for example) before they gain access to the system. This capability becomes increasingly important when users can gain access from unknown devices and locations because someone could be watching them type their password either physically (by standing behind them) or electronically (using a key-logger, for example).
 
Supports key logging and data loss “sniffing”
There are a range of technologies available targeted at protecting an organisation’s sensitive data and IP. Think about what sort of protection you need and whether it is compatible with the desktop virtualisation or VDI technology you are considering. Most will work with a full VDI solution where each user has a dedicated VM, because most types of software will be agnostic under those circumstances as to whether it is running in a virtual environment or a physical PC. A couple of examples that we have seen are key logging and data loss “sniffing”. Key logging simply records every key-stroke and button-press made by each user and enables an extremely accurate post-event evaluation of events and, if necessary, legal investigation. While it is not actively preventative, staff and third parties who know that they are being key-logged may be more inclined to behave themselves. Data loss “sniffing” is software that is able to be “taught” what sort of data you consider sensitive (an easy example might be customer account numbers, because they are a very specific format) and it looks for such data leaving the network, raising alerts or logs as instructed.
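The data loss “sniffing” described above, as an added example in Python (not from the original article or any vendor’s product): a detector that is “taught” one account-number format, inspects outbound messages for it, and either logs or alerts. The format (`CA` plus ten digits ending in a Luhn check digit), the alert threshold and the sample traffic are all constructed assumptions.

```python
import re

# Assumed format (constructed for this example): "CA" + 10 digits, the last
# digit being a Luhn check digit. A real deployment uses the organisation's own.
ACCOUNT_RE = re.compile(r"\bCA(\d{10})\b")
ALERT_THRESHOLD = 2  # distinct account numbers in one message => alert


def luhn_valid(digits):
    """Check-digit test; discards random digit runs that only look right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the last four digits so the log itself does not leak the data."""
    return "CA" + "*" * 6 + digits[-4:]


def inspect(message):
    """Return a finding dict for one outbound message, or None if clean."""
    hits = {m for m in ACCOUNT_RE.findall(message["body"]) if luhn_valid(m)}
    if not hits:
        return None
    return {
        "user": message["user"],
        "dest": message["dest"],
        "action": "alert" if len(hits) >= ALERT_THRESHOLD else "log",
        "accounts": sorted(mask(h) for h in hits),
    }


def scan(messages):
    """Inspect every outbound message and keep only the findings."""
    return [f for f in map(inspect, messages) if f is not None]


# Constructed sample traffic leaving the virtual desktop network.
OUTBOUND = [
    {"user": "contractor7", "dest": "mail.example.net",
     "body": "Query on CA1234567897, please advise."},
    {"user": "contractor7", "dest": "paste.example.org",
     "body": "CA1234567897\nCA5550001233\nCA9876543217\n"},
    {"user": "analyst2", "dest": "supplier.example.com",
     "body": "Order ref CA1234567890 shipped; tracking 0012345678."},
]

if __name__ == "__main__":
    print(*scan(OUTBOUND), sep="\n")
```

The third message matches the textual pattern but fails the check digit, so it is not reported; validating structure as well as shape is what keeps a pattern-based detector from flooding the log with order references and similar look-alikes.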
 
PC remains inside corporate network
At first sight, this seems a bit obvious given that the desktops are inside the data centre, but it is worth drawing this out and thinking it through to see if there are any associated simplifications or security improvements that can be driven out from this configuration. A laptop is designed to connect to insecure networks, defend itself as best it can and then return to the host network, bringing virus risk with it. Virtual desktops never get exposed to an external network (or a thumb-drive etc as discussed above). This is an inherent benefit of the virtual desktop solution, as it will be more secure than a laptop as a result, but it could also lead to a rethink of virus protection for example (could you run virus scans at the server level rather than on each desktop?) or firewall protection (does each desktop require its own firewall?).
 
Secure from endpoint viruses
As discussed above under “Secure access from insecure networks” and “Support BYO devices securely” the remoting protocol acts as an isolation layer so that anything undesirable on the access device, such as a virus, remains there and unable to travel back to the desktop. In a world where Stuxnet has been defined as the world’s first weapons-grade virus and computer viruses are allegedly being created by governments as well as their enemies, this is an extremely key capability of a virtual desktop.

Virtual desktop benefits: 1 – Agility

Molten Technologies believes that Desktop as a Service (DaaS) based on Virtual Desktop Infrastructure (VDI) technology can, when done right and wrapped in the right commercial and service model, provide a different and better approach to corporate desktops.

We think VDI and DaaS should be:

  • Agile
  • Secure
  • Cost-effective
  • Green

We recognise that VDI might only be the right answer for a proportion of your staff and that “One size does not fit all” (see our previous DaaSler article), but it can add a great deal of value where it fits.

In this first of a series of four articles, we will pick out some high-points of what we think customers of a good VDI or DaaS service should expect in terms of Agility.


Temporary capacity for projects/mergers
Do you have a project starting up with fifty or more third parties and are wondering how to give them secure access to certain parts of your corporate network? Providing them with a virtual desktop can be done much more quickly and cost-effectively than buying them all a laptop. Or, have you recently bought another organisation and need to get them onto your IT as fast as possible, even from their existing office and network?
A good DaaS provider can provide short-term arrangements, either hosted or in your data centre, fast and securely with minimum hassle and cost to you.

Business Continuity
Virtual desktops should be accessible from almost any connected device securely over the internet from any connected location (this isn’t true of every single technology, but it is rapidly getting there). Your people could work from home, a hotel or seamlessly from an alternative office. Their virtual desktop is device independent, so wherever they log-in from, they get the full desktop experience as if they were using a local PC, but without being tied-down.

Speed to value
A DaaS provider will have a service up and running already, which should give you a fast-track to a proven design and possibly even spare capacity already built. This will enable you to get going very rapidly. Even if you want to host your VDI service in your own data centre, using a proven architecture and build process will get you to results in record time and at very low risk.

Access from anywhere on any device
Virtual desktops should be accessible from almost any connected device securely over the internet from any connected location (this isn’t true of every single technology, but it is rapidly getting there). Supported devices include PCs, MacBooks, netbooks, thin clients, iPads and other tablets, iPhones and Android devices. The service requires a connection, but will operate well over 3G or WiFi and uses less bandwidth than a locally installed application. Your local machine is operating as a remote control for a distant PC and data is not downloaded over your connection, improving speed and security.

Upgrade software quickly at low risk
Because the virtual PC is hosted in a data centre rather than on a local device, it is always connected and is device independent. Therefore, even major upgrades can be done overnight without impact to the local hardware (e.g. thin client or BYO PC). If you are considering a Windows 7 upgrade, for example, you can provide your staff with a virtual desktop running the new operating system and they can initially access it from their existing hardware. You can then swap-out the hardware at your convenience or when it fails. In the meantime, they have a fall-back mechanism because their old PC remains active on their desk.

Support BYO PCs securely
The concept of bring your own (BYO) computing has been around for a while. There is always a challenge around securely supporting the corporate applications and networks on an unknown or wide variety of devices. A virtual desktop is ideal for this model, because the end-point-device does not need to be on a trusted network, it can access the virtual desktop securely over the Internet. Essentially, it is operating as a remote control for a PC in a secure data centre, rather than having direct access. This makes it relatively easy to lock down the connection and keep viruses out and data in.

Capex/Opex flexibility (buy or rent)
Look for a flexible financial model allowing you to either buy the hardware and licenses required to build a service, so that the asset belongs to you and you can write it off over a period (this is typically the model used for deployments in a client’s own data centre). Under this model, your DaaS provider should still be able to run the service for you and sign up to an SLA. They might also offer a model in which you effectively rent capacity within their data centres (look for full network segregation and retaining control over security through your AD and firewall rules).

Flexibly hosting in your DC or theirs (or mix)
Look for a flexible hosting model allowing the virtual desktop infrastructure to be hosted in your provider’s data centres or your own. Clients choosing to host in their own DCs typically do so for the performance and connectivity advantages of having the virtual desktops running physically close to the applications that they are accessing (this typically provides an improvement on where they are today as physical PCs are rarely located in the data centre). Clients choosing to host in a service provider’s locations do so for the freedom to flex both volume and processing power up and down to suit their business needs (as the service provider can re-use extra capacity for other clients). Some clients even choose a mix such as 80% in their own DC and 20% in the provider’s DC as a swing capacity that they may call on if they need it. Some also offer a disaster recovery capacity in their data centres, so that if our clients experience a data centre level failure, they have the peace of mind of knowing that they can still get their virtual machines up and running quickly.

Flex up or down to suit your business
Particularly when hosting in a DaaS provider’s data centres, you should look for tremendous flexibility because they can re-use unwanted capacity for other clients. In a virtual world, compute power flexibility can present itself as either “a number of desktops” or as “the processing power, memory and storage associated with each desktop”. Both are flexible, so you can increase or decrease your number of staff safe in the knowledge that your desktop capability and costs will scale smoothly. In addition, your DaaS provider might even monitor the actual usage of your various staff-groups to determine whether the individuals need more power and performance or whether there is over-capacity in the system, thus giving you the ability to dynamically control their performance experience (e.g. business is slow, save some money; sales team struggling to cope with demand, improve response times and thus their throughput).

Open or close offices quickly
With a virtual desktop solution, the office networking and local devices are as simple and generic as possible; almost anything that is there will do. If you are starting from scratch, the technically simplest Internet connection (although perhaps two of them for resilience) and thin-client solution will do. It is cheap, fast and non-specialist. Regional offices can come and go quickly and cheaply without drama or excessive cost and delay.


Eating the elephant of VDI

A great deal has been written about why virtual desktops are the right answer for business and that this is the year for explosive deployment. A fair amount has also been written about how, despite increases in deployments, the explosion always seems to be just around the corner. As CEO of Molten Technologies, a VDI specialist and virtual desktop service provider, Robin Tapp has an interesting perspective on the situation.

There is no doubt that virtual desktop technology is “hot” right now. The technology industry is tripping over itself to announce solutions, partnerships and innovative offerings. The analysts are making ever-increasing predictions about scale and pace. Almost every organisation out there when asked the question “are you looking into some sort of virtualisation of the desktop” will reply with a firm positive.  Everyone is at least considering it, many are beginning to pilot it and some are even rolling it out to certain user groups.
 
Scale deployment, however, seems to be taking a little bit longer than many have predicted and quite a few hoped. Some of the early predictions would have it nearly wall-to-wall by now. So is there a problem? Does it deliver less than predicted? Or is business just too slow to pick up on something obviously wonderful? The answer is complex and varies business by business, but there are some patterns emerging.
 
Goal/business driver complexity
Sometimes my conversations on the potential benefits of virtual desktops with business or IT leaders can seem a bit like opening Pandora’s box. Once you start to challenge the previously accepted model of the physical PC for each user, the possibilities seem endless. A brief, and non-exhaustive, list of impacted areas includes:-
– Security (e.g. no data on the end-point)
– Major upgrade risk and cost reduction (splits hardware and OS upgrade)
– Office space savings (enables hot-desking)
– Speed to open new offices (less kit in the office, e.g. thin clients and internet access)
– Business continuity (can be accessed from home or another office easily)
– Enables bring your own computing models (e.g. for third parties)
– Supports iPads or MacBooks for the Board
– Maintenance advantages (e.g. patches can be applied overnight)
I could go on and many clients do. The issue with all this is that if a business works all of these through to their logical conclusion before doing anything, it will take years and create a massive change programme.
 
Technical complexity
There are a number of flavours of virtualisation out there in the desktop space and some lack of consistency about what to call them (have you seen the “desktop virtualisation” vs “virtual desktop infrastructure” discussions?). There are also a very large number of technical solutions all claiming to solve every issue you have ever heard of with the words “desktop” and “virtualisation” in the title. So it is easy to see why businesses get confused by the various offerings on the market and how they compare to each other. This can cause some decision-making delays, but more importantly, it can mean that a bad experience with one technology or provider can lead to wider than appropriate applications of the lessons learned. Other providers or technologies which might inherently solve that problem run the risk of being discounted because they have the same word in the title.
 
Scale of investment
Most of the solutions on the market today require a fairly substantial up-front investment from the client. In many cases, it involves buying the server, networking and storage infrastructure to host the desktops and all the associated licences as well as paying for a third party to put it all together and run a project to implement it. Depending on the size of the business, this can run into millions of pounds, so you can see why it is a decision that one might want to take some time over.
 
In summary then, when considering virtual desktops it is complex to work out what you are trying to achieve and complex to work out how to achieve it and then it is expensive to implement. No wonder the implementation “explosion” hasn’t happened yet, despite lots of good reasons why it might be the right thing to do.
 
My advice (which the more observant of you will notice is self-serving, but no less genuine for that, we set up Molten Technologies specifically to meet this need so no wonder that it does so) is:-
– Find an independent specialist to advise you.
– Start with the simple use-cases with the best benefits (eat the elephant one bite at a time).
– Go with a hosted solution if you can (to reduce up-front investment and so that you don’t need to worry about the technical solution as long as it meets its SLAs) or follow a step-by-step deployment approach that delivers a positive business case at each step.