Is the Virtual Desktop Hype Real?

By Rich

I’ve been hearing a lot about virtual desktops (VDIs) lately, and am struggling to figure out how interested you all really are in using them.

For those of you who don’t track these things, a VDI is an application of virtualization where you run a bunch of desktop images on a central server, and employees or external users connect via secure clients from whatever system they have handy.

From a security standpoint this can be pretty sweet. Depending on how you configure them, VDIs can be on-demand, non-persistent, and totally locked down. We can use all sorts of whitelisting and monitoring technologies to protect them – even the persistent ones. There are also implementations for deploying individual apps instead of entire desktops. And we can support access from anywhere, on any device.

I use a version of this myself sometimes, when I spin up a virtual Windows instance on AWS to perform some research or testing I don’t want touching my local machine.

Virtual desktops can be a good way to allow untrusted systems access to hardened resources, although you still need to worry about compromise of the endpoint leading to lost credentials and screen scraping/keyboard sniffing. But there are technologies (admittedly not perfect ones) to further reduce those risks.

Some of the vendors I talk with on the security side expect to see broad adoption, but I’m not convinced. I can’t blame them – I do talk to plenty of security departments which are drooling over these things, and plenty of end user organizations which claim they’ll be all over them like a frat boy on a fire hydrant. My gut feeling, though, is that virtual desktop use will grow, but be constrained to particular scenarios where these things make sense.

I know what you’re thinking, “no sh* Sherlock”, but we tend to cater to a … more discerning reader. I have spoken with both user and vendor organizations which expect widespread and pervasive deployment.

So I need your opinions. Here are the scenarios I see:

  • To support remote access. Probably ephemeral desktops. Different options for general users and IT admin.
  • For guest/contractor/physician access to a limited subset of apps. This includes things like docs connecting to check lab results.
  • Call centers and other untrusted internal users.
  • As needed to support legacy apps on tablets.
  • For users you want to let use unsupported hardware, but probably only for a subset of your apps.

That covers a fair number of desktops, but only a fraction of what some other analyst types are calling for.

What do you think? Are your companies really putting muscle behind virtual desktops on a large scale? I think I know the answer, but want a sanity check for my ego here.

Thanks…

Comments

These are being used with protected data for business process outsourced off-shore users and employee and contingent worker BYOD.

By M Arbor


Late reply, but our focus for VDI is Remote Access. We just can’t satisfy the auditors anymore when random-home-machine-X has full access to the network via VPN. Instituting NAC controls on the VPN server is probably harder and more difficult to support than VDI in the long run.

With an existing Citrix infrastructure, extending to a Secure Access Gateway is relatively easy, and the Citrix Viewer/Receiver on the iDevices (and Droid soon) really is the cat’s meow.  We use domain user/password plus SecurID (gasp!) for authentication, and publish a few apps directly plus some user-specific desktops.

By Paul


The responses so far are pretty consistent - in terms of actual use, it tends to be smaller projects for remote access or mobile devices (iPads, who are we kidding).

Plus controlled guest access, like physician portals.

Some people are thinking of going all the way, but… probably not.

Thanks everyone, this really helped a ton!

By Rich


We have about 80 VDI users in a company of almost 500 users (and about 150 of 180 servers virtual). We rolled it out in part to support a DR/BCP project in the last few years; VDI is very cool. In part, we also rolled it out to better support more uniform remote connectivity (though we still have SSLVPN and thick-client VPN connections lingering).

Unfortunately, we’re definitely going to end up limiting such rollout to persons who normally don’t need a mobile device and don’t have special needs (i.e. they’re local administrators for a reason). Half my team runs virtual desktops (not me, I demand ability to install things on my own) and about half of them don’t like it.

Some concerns:
- really helps if you already have a desktop engineering role/team who already centrally manages non-local-admin workstations. E.g. we’re hoping to slowly migrate away from Altiris to VDI as much as possible. Really is a big technical leap for desktop support.

- performance is a huge issue, so you still really need netops who can handle the iron in the server room properly.

- Ever tell a QSA you don’t run AV on a desktop that is in-scope of PCI because it’s a VM and doing that too much is a huge hit on disk I/O? It’s fun. :)

- Virtualization of systems and things like switches and AV and other security items is a huge technical leap for people, including myself. It’s hard to think in the hypervisor as opposed to physical devices with special-use software running on it. I think we’ll end up being far more dependent on software to do things right…which feels awfully smarmy…much like relying on a huge McAfee/Symantec installation suite to do your work for you (and knowing it doesn’t TRULY work that way). The abstraction layer is going to be a long-term issue for both security and admins.

Not many orgs we’ve talked to over the last 2 years do some of the things we do as far as DR/BCP and VDI, so I’d not be surprised if your feedback rate is selective. VDI is a big buy-in up front…

Do I think there will be broad adoption? Not really, especially in my SMB space. In my opinion, it’s just too much technology on top of too much technology…and understanding that is going to be painful for many of today’s admins. There’s a reason *nix people love scalpel-like tools…that is lost the more you pile on.

By LonerVamp


Rich, here are 3 scenarios involving a lot of different types of users - two in state gov and one in banking.  Hope it helps.
http://www.eweek.com/c/a/IT-Infrastructure/VMware-Unidesk-Enable-Ohio-DoDDs-Deployment-of-1500-Virtual-Desktops-525260/

http://www.zdnet.com/blog/virtualization/department-of-children-and-families-in-wisconsin-unidesk-customer-profile/2679

http://www.crn.com/news/data-center/229200058/startup-unidesk-tackles-vdi-management-challenges.htm;jsessionid=BfhVSjcPeoNvyf2RQ1-Lpg**.ecappj01

By betsy kosheff


I’m a contractor and I’ve seen many implementations… nearly all of them have been for supporting Remote Desktop. It’s a great tool for doing this, I’ve seen many companies infected by users who VPN into the company networks. Virtual Desktops will mitigate this, but like you said there are ways to reduce this risk (some AV vendors provide free home licenses up to the number of corporate licenses you buy).

I’ve seen virtual desktops deployed in DR implementations too. This is an excellent way of quickly getting a business back online in the event of a disaster. I live in Brisbane and the company I was working for was evacuated; DR setup would have gone a lot more smoothly if we had Virtual Desktops set up at our DR site… Needless to say, this is now being implemented.

Virtual Applications are something I could see being used too. As IT departments lose control of application licensing, virtual apps could solve the problem of knowing how many are being used etc.

I for one think they are great, but ensuring you have the right infrastructure in place is key. Good Networks and some meaty back end servers are required.

By Craig


Rich -

There absolutely are large companies putting significant “muscle” behind desktop virtualization.  There is a lot of complexity within the umbrella of desktop virtualization, so it may appear that adoption is slow.

You are right on in that there is a lot of educational marketing material out there and that makes it hard to tell what is actually going on in the marketplace. 

Michael Fox
Author, DeMystifying the Virtual Desktop

By Michael Fox


Dood. VMware View on the iPad2. Duh.

By Andre Gironda


This is kind of like the old-school concept of mainframe stuff spun a new way.

I’ve done some of this and in the right setting this is a pretty sweet deal, but if you have any questionable paths or performance in your network it will be spotted quickly.

I also set up a Windows Domain Controller SBS 2008 and did this running the central apps on the server, and essentially using the workstations as dumb terminals. I used redirected folders for desktops, start menus and documents and roaming profiles. So the desktop, although it does have an install of Windows, does everything through the network.

Gig-e is a requirement, but if you’ve got good flow and one beast of a server it’s pretty slick. I ran productivity apps (Office etc.) in virtuals running from the server. So the client machines didn’t run anything.

I also use Parallels and VMware. But for me the PC power hasn’t been enough to satisfy me running virts. I would like to virtualize everything, so I run a thin O/S and load up whatever image from a menu. So all of it’s virtual, but there’s just enough delay doing this it didn’t work for me.

Probably nothing of the comments you were looking for, just something I thought about reading this.

By JT Thompson


We will see some companies deploy this on a larger scale, however I too believe that generally it will only be a fraction of the total number of desktops that will be VDI.
BYOD might be a driver for some, but I have my doubts on that too.
It must also be supplemented by hosted shared apps/desktops instead of “just” VDI - that will provide better scale and economy while still providing many of the same benefits and controls.

By Martin B

