Client-Side Virtualization Part III: HAL 9000, Hosted Virtual Desktops, and the Death Star

Systems and security management is difficult, ineffective, costly and becoming ever more so in increasingly distributed, heterogeneous, complex, and mobile computing environments…

• 98% of all external attacks take advantage of poorly administered, misconfigured, and unmanaged systems (Source: Verizon Data Breach Investigations Report 2009)
• A locked down and well managed PC can cost 42% less than an unmanaged one (Source: Gartner – The Total Cost of Ownership: 2008 Update)
• The direct costs incurred in a “somewhat managed” PC are only slightly lower than the direct costs of an unmanaged PC, because of expenses to maintain underutilized or dysfunctional management systems (Source: Gartner – The Total Cost of Ownership: 2008 Update)

The benefits provided by server virtualization are being realized as server consolidation has enabled cost reduction and efficiencies in data center/server management. This is of course leading many to ask the question “why can we not virtualize our desktops as well?”

Server virtualization and desktop virtualization are radically different. As mentioned in a previous post (here) Consolidation is the major benefit or “killer app” for server/data center virtualization. Standardization is the major benefit or “killer app” for client-side virtualization.

IT has been attempting to implement a standard or common operating environment since the introduction of the PC, unfortunately “standardization” comes at a cost and in many use cases is ineffective, either because of the impact on the user population or the underlying management infrastructure doesn’t support modern distributed IT architectures.

There is no question that the user population is becoming more distributed and more technically savvy. Additionally the demands of the business to take advantage of new computing models, the increasingly hostile threat environment and regulatory pressures are taxing already overworked and under resourced IT department so it is natural for organizations to look for alternatives. Unfortunately unlike server virtualization, desktop virtualization, in whatever form it takes, has a long way to go to meet the demands of the majority of enterprises.

Hosted Virtual Desktops (on-premise)

Virtual desktop images are stored in a data center and provided to a client via the network/internet. The virtual machine will include the entire desktop “stack” from operating system to applications to user preferences. Management is provided centrally through the virtual desktop infrastructure. The promise is that the VDI will replace the need for the myriad systems and security management technologies that are currently deployed. No more demands for traditional desktop management tools like OS provisioning, patch management, anti-virus, personal firewalls, encryption, software distribution, and on and on and on…it is a pleasant fantasy to dream of a return to the thin-client model, but it isn’t realistic in most cases.

First there is the inherent cost and complexity in simply implementing the virtual desktop infrastructure. In many cases the back end requirements for storage, networking, connection brokers, and management systems can be 4-10x as expensive as traditional solutions (see figure 1 below).

Second the reality is that regardless of the marketing hype, media frenzy, and analyst misinformation these systems still require real-time systems and security management. Centralizing the desktop image does not magically protect it from viruses, intrusion attempts, system compromises, or operational failures. It does, however, allow for rapid recovery or return to homeostasis if an event warrants such action.

Third is that even if one could efficiently and with limited costs implement virtual desktops the user population would still be unable to work offline or in a disconnected fashion. Additionally most users would never allow themselves to be deprived of personal computing power, so a thin-client model would only work in those situations in which the user populations required little more than access to a single or small set of corporate applications and the devices themselves had “always-on” static network connectivity.

Fourth, and most importantly, is that VDI now introduces a single point of failure. As an attacker I no longer need to compromise a large set of disparate and globally distributed computing devices I can now attack the central core – perhaps a small ray-shielded thermal exhaust port that leads directly from the organizations perimeter into the heart of its colossal VDI. If one could breach the port, then the resulting chain reaction would destroy the entire organizations desktop infrastructure.

Benefits: Centralized management and control of standardized desktops

Challenges: Initial costs can be 4-10x as much as traditional desktop infrastructures. Limited to no support for mobile workers. No offline support. Still requires systems and security management technologies to maintain the health and security of systems “in-use”

Appropriate use case: Call-centers, bank tellers, kiosks, or other environments with limited demand for personal computing power and no need for mobile computing

Hosted Virtual Desktops (off-premise, hosted by 3rd party provider)

Hoff recently posted on his blog some thoughts on desktop as a service (DaaS), in which he stated (here)…

It makes a lot of sense for lots of reasons and despite my lack of hands-on exposure to the technology, it sure looks like we have the technical capability to do this today…I could totally see how Amazon could offer the same sorts of workstation utility as they do for server instances. Will DaaS be the next frontier of consolidation in the enterprise? If you’re considering hosting your service instances elsewhere, why not your desktops? Citrix and VMware (as examples) seem to think you might…

Migrating desktops to a 3rd party service provider would lessen the burden of internal VDI deployments but would increase the potential for operational failures and removes all visibility and control. Not only do we know have no ability to audit a 3rd party cloud computing infrastructure, we also now lack the ability to audit desktops that access 3rd party data.

Benefits: Outsource desktop management and responsibility to 3rd party thereby reducing desktop management and/or VDI implementation and maintenance costs

Challenges: Current models still require internal infrastructure and IT operational management of directory services, applications, user provisioning, authentication, etc…limited to no support for mobile workers. No offline support. Still requires systems and security management technologies to maintain the health and security of systems “in-use”

Appropriate use case: Call-centers, bank tellers, kiosks, or other environments with limited demand for personal computing power and no need for mobile computing

Bottom line: In some select situations hosted virtual desktops hold promise for improved efficiencies, lower cost and improved security and systems management. It has benefits for software distribution and OS deployment models, but its effectiveness is limited to those environments that can adopt a thin-client model, require limited to no offline support, and can enforce strict usage policies on their user population so that the lack of personal computing power does not impact productivity or user satisfaction.