With the latest announcement of Google Chrome’s remote desktop application, it’s a great time to look at when and where virtual desktop infrastructure (VDI) makes sense. While there are significant benefits to leveraging VDI, there are still some security risks associated with these implementations.
Well, let’s start with the security angle:
I do agree that in some cases virtualized desktops allow for centralized policies when it comes to configuration, patching, and in some cases DLP (where the data is locked down and the USB/email capabilities associated with confidential data management are enforced at the endpoint). But is this really any different from a good SSL VPN/two-factor authentication scenario? Yes, you can argue that with virtual desktops, the data is technically isolated within the VM and not resident on the desktop. So yes, this would in fact be more secure from a DLP standpoint.
But what about viruses? In order to make VDI effective, there must be endpoint (anti-x) protection installed, so that should a computer be infected (not everyone at the coffee shop is there to play nice), the infection does not spread to the host hypervisor and cross-contaminate the other VMs resident on the host. But this should be standard policy for any environment, virtualized or not.
What about availability?
This is where I take a deep breath and hold it for a few seconds. I’m going to assume that the infrastructure guys running the VM shop are rockstars and can indeed keep the environment up 24/7/365. In this case, not an issue. However, if this is not the case (and yes, accidents, outages, and instability do happen), and you need to access your VDI and cannot connect due to a downed infrastructure, VDI is not so good. The last thing you need is an executive who is working remotely between flights, trying to get a proposal or important document finished, and cannot access it. Or take instances where it is used for retail applications (a beautiful example of VDI used effectively to deploy standardized environments across many locations): should the virtual infrastructure go down during business hours, it could lead to significant loss of revenue, not to mention brand damage. Such an occurrence would be a swift kill to any VDI project at that point, or would result in the adoption of unauthorized local file residency, at which point securing those files behind a VDI is moot.
What’s in it for me?
My favorite point about virtual desktops is the flexibility they provide for employees. I doubt I am alone in saying there have been times when I wanted to hurl my slow brick of a laptop out the 9th story window because my netbook or tablet can load faster. There are also lots of rogue Mac/Linux users out there who are determined to install Fusion and run Outlook just to get around corporate policy. So why not allow employees the choice of device? We commuters despise lugging a heavy laptop daily where a netbook would do perfectly fine. In some cases, if I plan to be in meetings all day, it would be great to bring a tablet so that I can quickly check emails during breaks to make sure everything is under control without having to boot up a laptop. By allowing VDI policies, you could give employees a choice in device (some organizations go so far as to give employees an allowance to purchase hardware) and then install the VDI onto the device. No more worrying about whether someone’s kid gets online and floods the device with malware picked up from surfing unsecured. The VDI at that point should (assuming the correct security policies are in place) protect the corporate infrastructure. Employees are happy that they get the device they want, IT is less stressed about ordering and provisioning lots of laptops that need quick upgrading (and listening to grumpy employees complain about these devices), and the security folks are less worried about people trying to thwart their good intentions and policies.
So is VDI worth it? In some cases, absolutely. But it really comes down to identifying what your user profiles are. If you have a significant ratio of mobile users (who work out of various offices depending on the day, sales reps, consultants, road warriors…), this could be a great option to help provide more security, with the understanding that it is heavily reliant on the availability of the infrastructure. It is also a great option for environments with telecommuters, as you can simply have them install a client and use their home computers, significantly reducing IT provisioning costs. If your workforce is mostly in-house and you have a significant stock of hardware already up and running, switching over to a VDI model might not be worth the cost for you. In either case, I expect we will see more and more adoption of this type of service and the evolution of technologies to streamline the implementation and standardization.
Hi Andrea, I think many of your points are valid here and would imagine that all VDI vendors continue to explore ways to harden solutions and enhance robustness. One area that I think warrants discussion on this would be the internal and some external users accessing their VMs through the non-traditional means, i.e. laptops and desktops. Many large corporations lease hardware, which results in large operation and IT costs. This is where Thin Clients will influence and are changing the PC market in the corporate world. Users now, with the use of Thin Clients, can essentially utilize a “dumb” terminal to connect to their VM over multiple protocols and vendor solutions, without the worry of client malfunctions like drive replacements or bad motherboards, needing IT to the rescue. Having said that, however, and what you have alluded to, is that if your infrastructure does go down when using a Thin Client, one would be left twiddling their thumbs until the environment is accessible again. With a notebook user, had their critical application go down, there are other things the user can do; however, with a Thin Client only, one would be kinda stuck, which from a productivity standpoint is the worst-case scenario for any business.
Thanks for sharing Andrea, great blog!
Thanks for the comment! I absolutely plan to explore the idea of desktop VMs more. In fact, once my laptop is up and running it is a perfect example of this (for those who are curious, I run an Alienware laptop with Ubuntu 11.10 and a VMware VM install of OSX for when I need to do creative things).