With the latest announcement of Google Chrome’s remote desktop application, it’s a great time to look at when and where virtual desktop infrastructure (VDI) makes sense. While there are significant benefits to leveraging VDI, there are still some security risks associated with these implementations.
Well, let’s start with the security angle:
While I do agree that in some cases, virtualized desktops do allow for centralized policies when it comes to configuration, patching, and in some cases DLP (where the data is locked down and the USB/Email capabilities associated with confidential data management is enforced at the endpoint). But is this really any different from a good SSL VPN/two-factor authentication scenario? Yes, you can argue that with virtual desktops, the data is technically isolated within the VM, and not resident on the desktop. So yes, this would in fact be more secure from a DLP standpoint.
But what about viruses? In order to make VDI effective, there must be endpoint (anti-x) installed, so that should a computer be infected (not everyone at the coffee shops are there to play nice), it does not spread to the host hypervisor and cross-contaminate the other VMs resident on the host. But this should be standard policy for any environment, virtualized or not.
What about availability?
This is where I take a deep breath and hold it for a few seconds. I’m going to assume that the infrastructure guys running the VM shop are rockstars and can indeed keep the environment up 24/7/365. In this case, not an issue. However, if this is not the case (and yes, accidents/ outages/ instability does happen), and you need to access your VDI and cannot connect due to a downed infrastructure, VDI is not so good. The last thing you need is an executive who is working remotely between flights and trying to get a proposal or important document finished up and cannot access it. Or in instances where it is used for retail applications -a beautiful example of VDI used effectively to deploy standardized environments across many locations- should the virtual infrastructure go down during business hours, it could lead to significant loss of revenue, not to mention brand damage. Such an occurrence would be a swift kill to any VDI project at that point, or will result in the adoption of unauthorized local file residency in which the point of securing those files behind a VDI is moot.
What’s in it for me?
My favorite point about virtual desktops is the flexibility it provides for employees. I doubt I am alone in saying there have been times when I wanted to hurl my slow brick of a laptop out the 9th story window because my netbook or tablet can load faster. There are also lots of rogue Mac/Linux users out there who are determined to install Fusion and run Outlook just to get around corporate policy. So why not allow employees the choice of device? We commuters despise lugging a heavy laptop daily where a netbook would do perfectly fine. In some cases, if I plan to be in meetings all day, it would be great to bring a tablet so that I can quickly check emails to make sure everything is under control without having to boot up a laptop during breaks. By allowing VDI policies, you could give employees a choice in device (some organizations go so far as to give employees an allowance to purchase hardware) and then install the VDI onto the device. No more worrying about if someone’s kid gets online and floods the device with malware picked up from surfing unsecured. The VDI at that point should (assuming the correct security policies are in place) protect the corporate infrastructure. Employees are happy that they get the device they want, IT is less stressed about ordering and provisioning lots of laptops that need quick upgrading (and listening to grumpy employees complain about these devices), and the security folks are less worried about people trying to thwart their good intentions and policies.
So is VDI worth it? In some cases, absolutely. But it really comes down to identifying what your user profiles are. If you have a significant ratio of mobile users (who work out of various offices depending on the day, sales reps, consultants, road warriors…) this could be a great option to help provide more security, but understanding that it is heavily reliant on the availability of the infrastructure. It is also a great option for environments with telecommuters, as you can simply have them install a client and use their home computers reducing significant IT provisioning costs. If your workforce is mostly in-house and you have a significant stock of hardware already up and running, the costs to switch over to a VDI model might not be for you. In either case, I expect we will see more and more adoption of this type of service and the evolution of technologies to streamline the implementation and standardization.