October 10, 2011 / Simon Crosby

VDwhy?

There was a lively attempt at a debate on twitter last week between myself, @VirtualTal, @ShawnBass, @brianmadden, @cswolf, @bsonposh, @harrylabana and others about the value of VDI.  Because this needs more precision than 140 chars, let's be crystal clear: I mean Virtual Desktop Infrastructure as invented by VMware but offered by many vendors: Windows client OS-based desktops, hosted centrally on a hypervisor, with a remoted desktop user experience (RDS, HDX, ICA, PCoIP…).  Optionally (e.g. View) there is the opportunity to "check out" a virtual desktop VM to run it locally on a client hypervisor (VMware's type-2 ACE, Workstation or Player for Windows, or Mac-based Fusion) and then "check it in" at some later point. [This is an utterly daft idea, and not discussed in this post: if I have a decent laptop, why would I ever check in my desktop and go back to VDI?]

If you're after the short version, here's the summary: I have not found a single desktop virtualization expert (who does not work for one of the DV vendors) who will put their, err… cred on the table to recommend VDI over other desktop virtualization technologies (other than for a narrow set of use cases).  In fact, the opposite is true: the leading voices in desktop virtualization think customers are being misled, and that it's high time for the truth to out.  A leading Wall Street bank CIO told me "I charge back VDI desktops at $150/month/user.  It's a nightmare. We should spell it vDIE."  VDI is a lot more expensive (than anything else), users don't love it, it causes gray hairs for desktop admins, and it isn't more secure.  Brian Madden recently wrote a "you use it, so pay for it, sucker" piece, which is excellent, though he is wrong on the presumed security benefits.

When I talk to CIOs, they all agree on two key drivers for desktop virtualization:

  1. The need for better desktop security, and
  2. Support for mobile devices.

Note that they don’t all say they need a better way to manage the desktop or even distribute apps.  Existing tools do pretty well, and after all why shouldn’t they?  It’s not a new problem.

There are three key arguments against VDI:

  1. It’s expensive, complex, and vastly complicates the role of desktop admins
  2. Technology exists that delivers the centralization benefits, at a fraction of the cost, in a way that is more useful to end-users: Microsoft RDS (Terminal Services) either as an app or a desktop abstraction.
  3. VDI isn’t more secure (than… anything else).  (Nor is RDS, though it is better than distributed desktops).

Before I dig in, let’s agree that there’s no way to deliver Windows apps to non-Windows clients other than centralized execution and a remoted experience.  And let’s agree that Windows Remote Desktop Services (RDS, Citrix XenApp, Quest vWorkSpace…) delivers apps just fine to a tablet, using the app metaphor that users expect.  Moreover a remoted Win 7 desktop on a tablet is … not fun (a finger is not a good mouse), so ignore it and give users the apps they want.   The data say this: The overwhelming majority of virtual desktops today are delivered using TS/RDS.  Very few enterprises have successfully rolled out VDI at a scale beyond a few thousand users, and those that have are beginning to wonder why.

The security arguments advanced in favor of VDI warrant a closer look:

  • Centralized desktop execution & data:  Less enterprise data roaming unprotected on laptops is a good thing.  And if data is cached client-side, it is encrypted at rest. But client-side encryption has been around forever, and VDI vendors appear to have belatedly re-invented it.  Encryption at rest also only protects a device that is lost or stolen while logged out; it does nothing for data that a logged-on user (or malware running as that user) can read in the clear.  If you don't have client security & backup procedures in place already, you deserve the pain that VDI will bring.
  • Secure centralized access control & auth: Rather than rely on a password on the device, the enterprise can use an access-time credential check.  The access/auth gateway can also provide single sign-on to legacy, web and SaaS apps (see Citrix Cloud Gateway, VMware project Mirage).  Granular control of access and identity are powerful tools for enhancing security.  But they aren't a feature of VDI: the gateway sits in front of the session and does not care whether a desktop VM or a Terminal Server is behind it.  Do it, and use RDS instead.
  • Single Golden Image desktops: Every employee runs "the same" approved golden OS image, and the desktop layers (OS, apps, user) are composed at logon time to deliver a "new PC every day", with the right apps and user customizations & data.  Each desktop starts clean at each logon.    However, although this layer-cake story is seductive, it is basically untrue. And even if it were true, you would still need to manage scores of images for the (vast majority of) your (non-VDI) desktops.  But let's be generous: the vendors are investing heavily, so let's say they pull it off. The result: a bunch of new desktop layers to manage, store and dynamically compose in the hope that it all works.  More management, more oversight, more people, and technology that rips apart an OS in ways it was not designed for.  Security?  Yes: job security for desktop admins.  Also late nights trying to make it all work.   And no more secure (more below).
  • Audit control and compliance: Log everything.  Great, good stuff, no arguments.

The goal of the VDI vendors is to persuade customers that they will have more control and therefore more security, courtesy of more layers of virtualization.  There is a significant downside though: it requires new tools, infrastructure, and IT management skill-sets to separately manage the lifecycle of each desktop component and each layer of the infrastructure that runs them (servers, hypervisors, storage, networks, and identity and access management).   Finally, it completely stymies the helpdesk.

Nonetheless, VDI is not more secure.  Even if I log on to a pristine golden Windows desktop each day, the enterprise is still vulnerable to the common vectors of attack: users click on bad links and open bad attachments, and they do so in an execution context where enterprise data is decrypted and the user's credentials and network access are live.  A clean image at logon does nothing about the hours between logon and logoff, which is when the attack happens; non-persistence may discard the malware at logoff, but not the data or credentials it has already taken.  Worse, that execution context now sits inside the data center, so a smart attacker will target VDI desktops specifically to get a foothold next to the enterprise's servers.

VDI can deliver Win7 to the CEO's iPad.  So can Windows RDS.   And I bet that the app experience is preferred.   Let's be clear on cost too:  from the hundreds of customers I've spoken to, I'd guess that RDS infrastructure costs about one fifth to one tenth of VDI to purchase and run.   And it works great.

New desktops and apps (x86 & mobile) need a GPU.  Unless you fancy racking server-side GPUs so your users can run IE9, recognize that Microsoft's path is clear and responds to user demand: rich graphical apps & "desktops" are here to stay.  Deliver legacy 2D apps using TS/RDS, and let a rich client (x86 & mobile) with a GPU deliver what the user wants.

My recommendation: there's enough open debate about the future of the desktop to argue for no change for now.  Most enterprises use XenApp/TS.  Continue.  Grow the footprint. Consult industry analysts and solution vendors. I'd recommend you go down a TS/RDS path to deliver apps to iPads, thin clients and desktops.  Use AppSense or RES to guarantee consistency (and more).  Use TS/RDS with the Win7 UI for users that need a remoted desktop.   Meanwhile, figure out a plan for the 70-80% of users that will never use VDI, and start prototyping next-gen touch-enabled apps for your mobile clients.  Let the VDI mess sort itself out, and look to Win8 (which my friends at Microsoft call a "VDI killer") to discern the Microsoft strategy (yup, years away, but that's fine).

And after all that, what about those pressing security challenges?  Right, back to work…

19 Comments

  1. Craig Jeske (@CraigJeske) / Oct 11 2011 7:34 am

    Excellent list of opinions. I do differ slightly in my opinions around security but largely agree there as well. Desktop Virtualization as a desktop replacement for high end users is in its infancy (at best), and that is assuming we ever can or should get there. It is nice to hear more people pushing the application/RDS/TS/XenApp front. Give the user the ability to do their job as good or better as they did before and they will be happy. Give them a messed up interface because "I want VDI" (http://www.youtube.com/watch?v=eaIZ_2FHq10) and you're set up for failure. People have been told that they want VDI when they really want apps on their shiny iPad. People want mobile workers and don't always know there are other options.

    Great post Simon, I always enjoy reading your opinions and posts.

  2. Tal Klein (@VirtualTal) / Oct 11 2011 8:23 am

    I think you’ve covered the essence of the debate pretty well. I’ll try to address the points where I disagree in the order you wrote them. I’m in the process of writing a blog with a definitive perspective from Citrix, but that won’t be out until after Synergy Barcelona.

    Firstly I don't think VDI as it's defined today, which is hypervisor-based remotely hosted desktops, will ever be the de facto standard virtual desktop in the workplace. So if you feel like that's what I've been evangelizing then I think you've got me figured all wrong.
    IMO there are two ways to go about desktop virtualization: Tactical and strategic.

    A tactical desktop virtualization initiative is a reactive attempt to solve unique IT cross-compatibility problems. It’s never a giant forward-looking directive but rather a technical band-aid (or in some cases a giant gauze that keeps a company’s insides from pouring out). Tactical uses for desktop virtualization run the gamut from supporting old legacy Windows applications whose developers have absconded (in this case solved by publishing the app on Windows Server through TS/XA/vW) to large M&A “integrations” that require IT to support concurrent XP and Win7 environments on the same physical hosts (VDI). These initiatives are owned by the desktop administration team and occasionally become strategic because of the utility gained from the tactical deployment.

    A strategic desktop virtualization initiative is something a company does in order to transform the delivery of IT because the traditional way of doing it has become unsustainable. There are lots of things that break the camel's back here, but let me give an example of a transformative shift in IT that happened recently in Japan. Japan's work culture has traditionally been very office-centric. The concept of working remotely was considered viable for outsourced contractors but not employees. An employee belonged in his office with his computer. Then 3/11 happened. All of a sudden people couldn't get work done in the office. Companies that had BCDR (Business Continuity and Disaster Recovery) initiatives with remote work enablement managed to continue doing business while everything around them came to a halt. As things settled down and started along the path back to normalcy, CIOs in Japan were in the hot seat to come up with a solution to address a future 3/11. Desktop Virtualization became a natural fit – not only can it be an active/active BCDR mechanism but it also made it "ok" for people to work on remotely hosted centrally managed desktops. Now, not every strategic desktop virtualization initiative is rooted in BCDR – but to get there IT needs to truly shift the way it thinks about delivering services to end-users. It needs to be a holistic transformation that starts with a hybrid deployment and consists of various desktop virtualization delivery mechanisms.

    I’m not a big fan of the word FlexCast, but I am a big believer in the philosophy behind it: Different workloads require different desktops.

    VMware has been pitching VDI as a “cure-all” and that has caused a significant amount of poisoning in the marketplace because (I agree with you) VDI as defined by VMware is not the thing that will transform IT. This was largely the bit of frustration I was having on Twitter trying to explain that we need VDI, Virtual Desktop Infrastructure, to mean what it says. Today its definition does not include Type-1 hypervisors or TS-based desktops, even though today the latter account for the largest percentage of virtual desktops deployed in the market, and the first will likely account for the largest percentage of virtual desktops deployed in the future. As a result even people who are trying to launch strategic desktop virtualization initiatives end up failing if they try to implement a strict interpretation of VDI.

    My perspective is that desktop virtualization is about 2 things:

    1. Single image management*
    2. Flexible end-point types and locations

    *Note that when I say “single image management” I’m referring to the technology name. In reality this translates to “minimum image management”.

    The further you stray from these two points the less likely you are to succeed in a strategic desktop virtualization initiative.

    The reason I didn't mention cost savings above is because I don't think it plays a role up front other than maybe getting buyoff from a CxO who owns the budget, and I think budget alone is the wrong reason to get into this game. Desktop virtualization is a paradigm shift akin to migration from mainframes to microcomputers. Nobody asked if shifting to PCs was going to save any money, it was a natural evolution of IT. That said, I think cost savings is an ultimate side-effect of shifting to desktop virtualization over time because of reductions in costs of supporting infrastructure, branch IT resources, end-point devices, change management, hardware refresh, and software update staging. There are many people out there who are looking to get the same simple cost savings from desktop virtualization that they achieved through server virtualization – that's not going to happen. Desktop Virtualization is not about P2V, it's about ITaaS.

    Speaking of side-effects, that’s also how we find our way at long last to security – my point here re: single image management is actually very simple: A few OS images administered by IT is a more secure scenario than having lots of OS images administered by end users. You’re more likely to be in an accident while driving your car than you are while riding the bus. The bus is not a tank and it’s not accident-proof, but statistically you’re safer on that bus than you are in your car. Same goes for single image managed virtual desktops vs. legacy desktops.

  3. Andrew MacLachlan / Oct 11 2011 11:07 am

    Again – Simon & Tal pretty much violently agreeing – and I again concur with both PoV.
    “Different workloads require different desktop” – this is 100% true and there can be no preferred order of the tech.
    I often ask customers whether a Ferrari is better than a Nissan. Invariably the answer is Ferrari. My response to that is “But I live in the desert” and ask the question again. In my car analogy, obviously the Nissan Patrol 4×4 is better for my transport use-case, but the manufacturer also produces some pretty decent track hardware (GTR) that will compete well with the Ferrari if that was my use-case. The Desktop Virtualization manufacturer that can cover the widest possible real-world use case, IMO, works. This is also true for car companies.

  4. Simon Crosby / Oct 11 2011 11:17 am

    Tal, great follow-up, thanks. And to be clear, I don’t think you’re the chap advancing a VDI only story at all. Indeed the richness of the Citrix solution set is its strength, and it is that richness that is driving customers toward the Citrix portfolio vs narrow “one-size fits all” solutions. For example, VMware, with a VDI-only approach, is seriously confused. They will never have a XenApp, and it looks as though they blew their chances at a XenClient, too. Each of the technologies has a role to play, but we must admit that today, even in the Citrix stack, they are relatively poorly integrated. So the IT manager needs N different consoles for N different delivery technologies, and they need an additional M for server side hypervisors, storage, networking… etc. This only increases the complexity and therefore the likelihood of failure, and it increases costs.

    When last did Microsoft Update crash your PC? Not for years. Did it break any apps? No. Existing tools such as SCCM solve a lot of problems already, in a reliable way.

    So, if security is not a value prop that you espouse (strangely, you did on twitter), and we agree to disagree on how to manage the images (say), then the only value prop is delivery of apps to multiple endpoint devices. Fair enough. VDI doesn't do that as well as TS. (And to be fair, let's include XenApp's VM hosted apps as a TS style solution, because it is – and it simply solves the app-compat problem.)

    By the way, thank you for engaging like this – it is awesome to see the leading vendor do so, and do so openly. I think Brian Gammage owes us all an explanation, since he's now in charge of the desktop strategy. And saying "Microsoft announced what we expected for Win8" doesn't cut the mustard.

    Nothing in what I have said should be read as critical of Citrix or its portfolio. Where VDI has a use (and perhaps I need to list the use cases) it is a great tool. But it is no panacea and it is a major pain in the ass instead. VMware for sure owes us all a better explanation. I personally believe they really messed up on the client, because they dropped the ball in getting to a type 1 client hypervisor, and now Microsoft with Win8 will beat them to the punch. I think their investments are going heavily into Horizon (err… Mirage) and not into traditional Windows desktops on their type 2 client hypervisors. Lots of innovation server side, but that's useful for both VDI and general Windows Server VMs.

    Anyway, thanks for the great follow up, and for getting involved. Thanks also for stepping up to articulate the Citrix position so clearly.

    Simon

  5. Dan / Oct 12 2011 9:04 am

    You mentioned “Desktop Virtualization as a desktop replacement for high end users” I just want to tell you it is here. Watch this video http://www.youtube.com/watch?v=H0FBpzPNfmU

    V3 Systems really does deliver a virtual desktop experience that is desktop-replacement grade.

  6. Derek Smith / Oct 12 2011 9:43 am

    Completely agree with your points and arguments re VDI, or more accurately, server hosted virtual desktop infrastructure. Very limited use case, and probably less expensive, and less complex alternatives.

    However, this statement is no longer accurate.

    “Before I dig in, let’s agree that there’s no way to deliver Windows apps to non-Windows clients other than centralized execution and a remoted experience.”

    Must disagree on this point. Windows and Windows applications (Linux too) can be launched on the Mac using Type 2 hypervisor technologies (i.e. VMW Fusion, Parallels, Oracle Virtual Box).

    However, these products and Apple lack any multi desktop / user management capabilities as they are intended for “one to one” use.

    Opus from Orchard Parc solves this issue. One capability of Opus from Orchard Parc is "one to many" management of Windows on Mac. The benefits of VDI (i.e. central management, data behind the firewall etc), plus a suite of management and automation tools, combined with local execution of the application to optimize performance (i.e. graphics, VoIP, locally installed apps) plus mobility.

    Big consideration with VDI is cost… lots of capex involved, and damn, it's complex. Opus uses a fraction of the data center infrastructure of VDI (i.e. servers, network, storage) so cost issues are less of a factor. And it's much simpler to deploy.

    Based on the various arguments here, there are valid use case scenarios for all solutions including legacy PCs, TS, and VDI. It’s just not a one size fits all world.

    And let's not forget, not all innovation comes from the "big boys".

  7. Andreas Groth / Oct 12 2011 10:25 am

    To me this boils down to: (and I’ll keep it short as I have the tendency to drivel on)
    – Are we trying to solve a problem which does not exist? No. (so I slightly disagree with how you portray the current state of physical endpoints – time spent on image management is unsustainable for many of my clients)
    – Is the answer to the problem always VDI? No.
    – Can the answer be VDI? Yes, as a tactical solution for specific use cases where TS does not fit.
    – Can VDI be a strategic approach – yes, as a stepping stone (and I am aware of the inherent contradiction here) to enable logical separation of OS and app, mobile, user centric app delivery.
    – Why VDI as the "one fit all": 1) because the VDI "vendor says so" – 2) because the client prefers the simplicity of one architecture that can (potentially) cover all use cases (so both dubious but reality)

    Bottom line – I can’t fail VDI completely – VDI has a space as tactical building block alongside TS (and others) – combined as strategic hybrid approach to facilitate future app delivery models. (all simplified in the interest of time)

    Andy

  8. Icelus / Oct 13 2011 12:08 pm

    I used to rave on Brian Madden’s blog saying the only reason to use SHVD (VDI…) was for High Availability. Whether it’s a DR plan (ranging from PC outage to building outage), or just making your desktop available on a mobile device SHVD has you covered.

    Other than that, why does it make sense to have your desktop hosted on a server when server resources are blatantly more expensive than desktop resources, and what makes it more secure? The reason why SHVD are being pushed down our throats is because the big 3 vendors (Citrix, VMware, and MS) invested in server side execution first rather than client side execution. Citrix is years ahead of the competition with XenClient and even VC’s NxTop is years ahead of VMware and MS as well.

    http://www.brianmadden.com/blogs/brianmadden/archive/2011/07/28/desktop-virtualization-a-rainbow-of-complexity.aspx

    CHVD (Client Hosted Virtual Desktops) will take over the enterprise. I sure hope your Bromium product will be able to integrate with the current ecosystem (XenClient, NxTop, and OKL4/seL4). Who really cares about VMware’s MVP.

    I am eagerly awaiting your release. Especially since the Government Community Cloud is taking off, transforming the US and Canada for the better. I would like to see if Xen and Bromium would play a part in it.

    Kyle

  9. Guise Bule / Apr 3 2012 12:37 am

    Hello Simon and Tal,

    I have come here today to continue the argument that we had today on twitter, which was difficult to have in 140 characters to say the least.

    If I am honest I was more than a little disappointed with the stance the two of you have taken and particularly because you seem not to want to understand why the current Microsoft licensing regime financially hurts the virtual desktop space as badly as it does, or even acknowledge the damage it does. It's like you both sing off the Citrix/Microsoft song sheet perfectly.

    I also wish to take issue with your assertions that the non-persistent VDI model is less secure than its Terminal server equivalent, again these are wrong and I will lay out why I think so below.

    But before I do, I want to just say that I have always respected the two of you, your opinions and reading your thoughts, but after reading this blog post I have to conclude that you are just like all the rest, singing to your own bias and toeing the line rather than encouraging debate.

    Shame on the two of you for not allowing a fair debate around the subject, shame on you for brushing aside our criticisms and objections with generalizations, mocking ridicule and witty put downs against anyone who dares to criticize what you are saying.

    If I did not know any better, I would say that you have a vested interest in aligning your words with the Microsoft/Citrix camp which is fine, it's just something that should be publicly stated and preface your words.

    Clearly you are not blogging here as an independent mind, your assertions are just too far off the mark to be anything other than propaganda for one camp, they are clearly not a balanced or particularly informed and up to date view of the issues we discuss that seriously affect the VDI space in a financially negative way.

    Today, gentlemen, I am here to hold you to account for your words where no one else seems to want to or have the balls to.

    I realize you are both very influential and connected individuals, but like the great late Bernie Mac says : http://youtu.be/DWEIL1pV2NE?t=26s

    As I told you both today on twitter, it is practically impossible to convince a closed mind of anything, but I will try and I will also promise you that my mind will remain open and that if you are able to convince me that I am wrong, I will admit that I am wrong and eat my words.

    For transparency purposes and disclosure, I am the CEO of a cloud hosted VDI vendor (www.tucloud.com) and provider of professional services around the non-persistent VDI model.

    My largest hosted customers include the National Nuclear Security Administration and other Federal agencies which I am not at liberty to disclose, but also UCLA and some really cool organizations.

    My company is partnered up with SAIC the global defense contractor, we are their goto desktop virt people for Federal engagements, we are also partnered up with the Israeli Cyber Defense Institute on creating cyber defense tools using the non-persistent VDI model.

    I myself am the co-inventor of the Non-Persistent VDI Cyber Defense Platform, I co-invented the model with the Advanced Computing Team of Lawrence Livermore National Laboratory and I have seen our model flourish at an incredibly fast rate across the fed gov and military defense sectors.

    When it comes to cloud hosted non-persistent VDI infrastructure, consider me the subject matter expert and if you do not believe me ask David Wen the Chief Scientist at SAIC, Joey Peleg the Director General of the Israeli Cyber Defense Institute, Tom Lash the Senior VP of Intelligence at SAIC or Robin Goldstone the Senior Staffer of the Advanced Computing Team at LLNL.

    tuCloud was the first company to put this model into production in any serious way and we are easily the market leaders in this field.

    In a nutshell, I am a cloud hosted VDI vendor although we LOVE NXtop and client-side hypervisors, we LOVE Teradici PCoIP, we LOVE every way of spinning a desktop OS regardless of how its done, we are not just all about VDI and banging the VDI drum.

    If I believe VDI is not appropriate for my customers, I will advise them into IDV or something else, I am not a single stack vendor, rather a platform-agnostic virtual desktop advisor and my mantra is “whatever is good for the customer is good for tuCloud”.

    Also before I begin I wish to address the comments you addressed towards me on twitter Simon, about the recent noise I have been making in the press.

    You accused me of being an idiot seeking PR and I am here to tell you that you have it wrong and that you owe it to the VDI space to give it a fair hearing instead of what you are doing now.

    And if you think this is all for PR you are nuts !

    For my public stance against Microsoft, I have exposed myself to public ridicule, attacks on my personal and professional character, belittlement of my comments and opinions and also of course I have completely fallen foul of the "Microsoft Club".

    Lest any of you have forgotten the rules of the Microsoft Club, here they are again :

    1) You do not piss off the Microsoft Club.
    2) You do not let on that you are not pissing off the Microsoft Club.

    Rules set in stone over decades and woe betide those that break the rules, careers come to a rapid end, people get ostracized and it costs organizations serious money if they fight Microsoft, even when they are right.

    The Microsoft Club is made up of thugs who do not tolerate dissent and I have it on good authority from within Microsoft that I am officially Public Enemy Number One over there for shining a light on this licensing debacle.

    If you think I have exposed myself to this just to get some PR coverage, then you really must be mental, you would not wish the Microsoft Club’s vengeance on anyone, you KNOW this.

    Do you honestly believe that I have exposed myself to so much attack because I am over emotional, a lone crackpot with an emotionally loaded agenda?

    Surely it has occurred to you that I just might be an educated person, an operator in our space with a point of view ? If it has, why do you continue to tar me with the PR hungry brush ?

    Anyway, back to your assertions and your words :

    “There are three key arguments against VDI:”

    1) It’s expensive, complex, and vastly complicates the role of desktop admins.

    BULLSHIT GENERALIZATION. More explained below.

    2) “Technology exists that delivers the centralization benefits, at a fraction of the cost, in a way that is more useful to end-users: Microsoft RDS (Terminal Services) either as an app or a desktop abstraction. ”

    BULLSHIT GENERALIZATION. Its only more cost effective because Microsoft refuse to properly license the VDI model in a way that lets us compete on a level playing field, more below.

    3) VDI isn’t more secure (than… anything else). (Nor is RDS, though it is better than distributed desktops).

    BULLSHIT. Of COURSE it is, especially from a cybersec perspective. More below.

    These kinds of objections to VDI you list above are generally given by either IDV vendors, TS/RDS vendors, third party commentators of our space or people who do not manage large scale non-p VDI professionally, and they are generally given to tech buyers who do not really know the difference either way.

    All three of the arguments above are KIND OF true in a general sense, but we all know why it is wrong to generalize do we not ? Do I need to explain why ?

    Please say so if I do, I am happy to enlighten.

    MANAGING VDI INFRASTRUCTURES : I am somebody who owns very large scale VDI infrastructure of the non-persistent type and I can tell you that we find it a breeze to manage, practically all of the technical support tickets we get are password changes, honestly.

    User Password changes.

    If the thing is set up properly, the infra designed and delivered properly and you are on top of image management, then its a breeze to run these large scale infrastructures. Maybe not as easy as IDV at the same scale because there is a LOT less server infra, but much easier than running a traditional desktop estate or a TS/RDS estate for sure.

    Furthermore if you really believe that managing an estate of non-persistent VDI desktops is more costly and complicated than running a whole bunch of persistent TS equivalents, then you are deluded, you are welcome to talk to my sys engineers, they are happy with our setup and they also happen to run a large TS estate, our legacy business, they are people who KNOW, not people who speculate and then pass on second hand information.

    We have established the processes and corporate culture in order to manage large scale VDI and have been doing it for so long we are good at it. If any of you do find it expensive and complicated, then let tuCloud host your desktops for 25 USD per user per month, we would love to.

    Also I am puzzled as to why you think VDI causes issues for sys admins or help desks, I can only think you are referring to those who have never seen a VDI infrastructure, if you are then I can refer you to the excellent observation Albert Einstein has made on the same subject : “Everybody is a genius, but if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid.”

    ON THE SUBJECT OF VIRTUALIZATION LAYERING : You are calling the layer cake story untrue and making it out to be much more complicated than it is. For those of you who wish to learn more about the layer cake story, see my podcast and article on The Magic of Non-Persistency by clicking on the following link; it's a little simplistic, but it's aimed at newcomers to the idea: http://bit.ly/Hca8vK

    Just to comment further on this topic, I do believe, gentlemen, that you have no idea what you are talking about. The desktop virtualization space is becoming VERY skilled at layering applications and user personas onto non-persistent virtual desktops; we are LIGHT YEARS ahead of where we were last year, and every day we get better and better at it.

    There are a huge number of tech vendors who facilitate this gentle art and some very skilled practitioners who specialize in making the non-persistent desktop adopt an air of persistency. Whilst it is true to say that there are not very many of them (new model, early adopter market), there soon will be as the model gains traction.

    Layering on non-persistent desktops is the future of VDI and something we all take very seriously and believe in; it's just the TS/RDS guys who struggle with the concept, as they are trapped in an antiquated mode of thinking and the persistent mentality.

    If you consider that best practice is to virtualize all apps, and that this is something we do anyway, then it's not too difficult a stretch to virtualize the user personalization layer and apply that upon login. It really isn't, and it's nowhere near as tricky as you make out; it can even be automated.

    ON THE SUBJECT OF COST AND MICROSOFT LICENSING : If anyone genuinely believes that VDI is expensive just because it is, and not because of Microsoft deliberately inflicting bizarre and unreasonable licensing restrictions around the use of the technology, then you are misinformed and deluded. The ONLY reason VDI is more expensive than TS/RDS is the Microsoft licensing; they tilt the balance towards the TS/RDS model because it does not threaten their OEMs and because they are not ready to launch the vertically integrated monopolistic HVD platform that is Azure/InLine/Windows8/Office365.

    I can do VDI at 20 USD a seat and still make money; licenses for tech have come down a LOT since last year and the four years before that.

    If anyone ever says to you that VDI is more expensive than TS/RDS, you should tell them why: it's because Microsoft WANT it to be more expensive, no other reason.

    On a level licensing playing field we would pull the pants off you TS/RDS guys and you know it. As it stands we cannot do multi-tenancy because Microsoft do not let us, and you need Software Assurance in place to do proper desktop OS HVD.

    This is what all the stink is about at the moment and why Simon has written this blog post; it's part of a wider Microsoft offensive on the VDI model and all the publicity around licensing at the moment. Of course, getting them to admit this is next to impossible, they love a smokescreen.

    ON THE SUBJECT OF SECURITY : Shame on you for making the case that TS/RDS is more secure than non-persistent VDI! And this coming from a man who supposedly runs a security company focused on desktop virtualization. I say supposedly because you are in stealth mode and who knows what you guys are really doing. Comments like the ones you make about the TS/RDS model being secure are not only misguided but untruthful; I will forgive you on the basis that you may just not know what you are talking about, but then again you run a desktop virt security company, so one must assume you actually do, which is even worse.

    You ask for a use case where VDIaaS is required and TSaaS will not do?

    You ask for evidence that VDIaaS is more secure than TSaaS?

    Let me give you the fastest growing use case and the most damning evidence for my claims that I can see in our space right now, which specifically happens to concern the niche tuCloud is in.

    Non-Persistent VDI as a CyberDefense Tool : Hands down the most adopted VDI model of 2012, and I expect this to accelerate through 2013 and onwards as we all grapple with the fallout of five long years of successful cyber attacks on the Western world, attacks which threaten the long-term prosperity of the Western world.

    Here is what is happening: high security organizations get attacked. Typically these attacks are focused on the individual via the open internet, in the form of the Advanced Persistent Threat, and when they realize this they shut down all internet access to their local machines, which causes huge user pushback, because we want internet; we need internet to conduct our jobs and lead our lives these days.

    Over time they open up internet to local PCs under user pushback, and over time they get attacked again and repeat the cycle. It's a reactive response to dealing with cyber security attacks on desktop infrastructure.

    No matter what these guys do to protect those persistent desktop OSes, they cannot protect them if they are connected to the open internet.

    To organizations like these, the tuCloud non-persistent hosted VDI model is a godsend, literally a godsend; my Federal agency customers and their cybersec teams tell me this.

    It's a beautiful scenario because not only does it work in terms of stemming the flow of attacks against their core infrastructure, but it also gives the users exactly what they want, and it also happens to be the easiest and most cost-effective type of desktop to deploy from an HVD perspective.

    You simply provide users with a non-persistent hosted virtual desktop on which they can conduct their risky internet-facing activity, and completely lock down their local machines from internet access.

    When attacks come, they come on tuCloud infrastructure and away from the primary infra that holds all your IP and secret stuff. Furthermore, thanks to the Israelis and SAIC we are getting very good at wrapping deep packet/content inspection and intrusion detection (think CloudShield) around these non-persistent VDI infrastructures, so when attacks do occur we know where they are going to happen, and we can identify quickly and easily who has been attacked and how.

    We are calling this battlespace awareness.

    The attack is contained to that one user's VM and, on a wider scale, contained within the private non-persistent VDI cloud we have built for that purpose, which has a proper cybersec team sitting on top of it in the NOC.

    Technically, for this model to work you cannot use Terminal Services. Forget squeezing a whole bunch of users onto a persistent server OS and separating those personalities; forget creating the illusion of non-persistence using roaming profiles or any of the tricks TS merchants use to properly separate personalities on the same box.

    Forget the clever Microsoft tech that partitions users on the same box and secures those partitions.

    The Terminal Server slice model does not work for this purpose for a number of reasons; firstly, it's just too damn risky. If you are going to separate personalities properly, give them a completely separate VM, I am talking 1:1 VDI images here. If you even consider using the TS model to create the illusion of this, then you are just not serious about security, full stop.

    Effective isolation of personalities on the same infrastructure is required, and this cannot be done using the TS/RDS model with a bunch of users all crammed onto a server OS image; doing so is counterproductive from a security perspective.

    From a hosted desktop perspective, the VDI non-persistent model is hands down more secure than the TS model, inherently by design, and any proper risk analysis conducted by desktop virt aware cybersec professionals will raise these concerns.

    This is why our Fed gov and enterprise customers and our partners over at SAIC and the Israeli Cyber Defense Institute are working with us to build this kind of desktop cloud for their customers. None of them are asking for a terminal server slice desktop rig, none of them, and they clearly understand the differences between TS/RDS and VDI, unlike small businesses.

    Then you have to consider that Terminal Services has been around forever; it's how administrators have always logged into remote servers, and it's only recently that this tech has been used to actually deploy desktops to desktop users.

    Because it's been around for a long time, the number of people who know how to exploit this model is quite sizable. For sure there are lots of old warhorses out there who think they can properly secure an MS server OS and the individual personalities contained on it, but there are just as many guys out there who can exploit one, and in much the same way that we cannot protect persistent desktop OSes, are we really and truly in a position where we can protect persistent server OSes against attack any better?

    No. Server OSes get owned all day every day and hacker collectives do it for fun. When was it ever a good idea to cram a bunch of desktop users onto one? Oh right, yeah, Microsoft's idea.

    Considering they defined the future of the desktop OS back in the day, it's a little schizophrenic of them, don't you think?

    If you are a cyber sec guy looking at the TS model and the VDI model of hosting desktops, you are going to choose the VDI model every time; it's inherently more secure as a model.

    Nobody who knows what TS is wants a slice of server disguised as a desktop. When users learn that they are using server slices they feel deceived, and rightly so, for TS vendors have deceived them on the basis that users are dumb and do not know what they want.

    Can you imagine how angry users get when they realise they are sharing disguised server images with a whole bunch of other people, instead of the desktops they think they have? Very.

    When cybersec people look at TS, ones whose job it is to defend infrastructures which include TS and VDI rigs, they will choose non-persistent VDI every time; it's just a lot more inherently secure than TS could ever be, and for you to claim that it's not is incredibly misleading, Simon.

    You touch briefly on the subject of non-persistency in your points above when you talk about ‘Golden Image Instances’, what we call non-persistent desktops, except that you talk about them in an incredibly misleading and simplistic way.

    What is not to like from a security perspective about desktops that are freshly cut from a golden image for one-time use and then destroyed after use? What is not to like about malware not being destroyed after every session? What is not to like about malware not being able to get a foothold on anything more than one user session in one dedicated VM? Nothing is the answer; there is nothing not to like from a security perspective, it makes PERFECT sense.

    Remember, we cannot protect the persistent traditional desktop OS; we have never been able to properly protect it, so why do you think we can now?

    And what about all your talk about managing multiple images that results in more management, more people and more money? It's just plain bullshit and smokescreen.

    Our single largest user has more than 25k users and runs one golden image; our second and third largest users run roughly 5k users each on one golden image. Take it from someone who runs more of these desktops than anyone else on the planet: it's easy to run golden images and manage them, a LOT easier than running a whole bunch of server OS images or persistent VM images.

    Why on earth would you believe otherwise unless you are being poorly advised? Take it from someone who really knows: your words are deeply misleading to those who do not.

    ON THE SUBJECT OF CENTRALIZED DESKTOP EXECUTION & DATA : Honestly, what are you talking about? Your comments apply equally to TS/RDS, and any cybersec guy worth his salt knows that we cannot protect the endpoint if it's running a persistent desktop OS. Endpoint security is a running joke; don't believe me? Take one look at the proliferation of botnets and four years' worth of cyber attacks against the Western world.

    ON THE SUBJECT OF MOST VENDORS DELIVERING TS/RDS : Well of course they do; Microsoft do not let them do anything else, as you well know. Saying more deliver TS than VDI is misleading because of this: if your left foot is nailed to the floor, all the right foot can do is walk in circles.

    Seriously, this is not an argument, and to make it one ignores the undeniable truth that Microsoft does not like and will not allow VDIaaS to gain a proper foothold in the market, hence the no multi-tenant rule and no Win7 on SPLA.

    Adoption of TS/RDS by hosted virtual desktop providers and their customers is not driven by technical choice, because the tech is better or less complex than VDI; it's driven by the fact that Microsoft DO NOT LET them deliver VDIaaS.

    The only place where this is not the case is in the enterprise market where the players hold SA licensing; then they can do VDIaaS as much as they want, and they are. In that space nobody is adopting TSaaS in a big way; they want something better and Microsoft let them.

    What Microsoft do not allow is the small business to adopt VDIaaS, and herein lies the great hypocrisy. It begs the question: “if big business can do VDIaaS, why can the small business not?”

    Because Microsoft are not ready to launch their own Azure-based VDIaaS platform, is why!

    Do you honestly believe that when they are ready to launch their own hosted desktop platform, a vertically integrated platform with all the bells and whistles, they will deliver slices of server and call them desktops? Like TS and RDS now?

    Really? Do you? In your heart of hearts? Of course not; they own the desktop, do they not?

    Most vendors deliver TS/RDS right now because they have NO CHOICE; it's either build a business around the model or nothing. And I will tell you something else: when they are ready to properly sell cloud hosted desktops off Azure, what do you think will happen to all the TS/RDS merchants?

    Early retirement. The only reason they let you host those server slices disguised as desktops is because they want the HVD business for themselves; they are all about cloud now, remember, and THEY KNOW the desktop is dying, but they plan to leverage their legacy desktop monopoly into another monopoly built around Azure hosted VDI.

    ON THE SUBJECT OF WALL STREET : “A leading Wall Street Bank CIO told me ‘I charge back VDI desktops at $150/month/user. It’s a nightmare.’”

    I expect it is if you are paying 150 per month per user, but if he really is then the man should not be in his job. I have never seen a more expensive per-user VDI cost, even with virtualization layering technology, deep packet/content inspection and intrusion detection wrapped around it.

    NOBODY pays $150 per month per user for VDI instances, and if they do then they are idiots and are being ripped off massively. WHY would it cost him so much?

    FINALLY ON THE SUBJECT OF YOUR RECOMMENDATIONS : “there’s enough discussion about the future of the desktop to argue for no change for now.”

    NO there isn't, and what little conversation there is, is being stamped on by blog posts like this which over-generalize and mislead the non-informed reader.

    Every indication is that there needs to be a LOT of conversation around the future of the desktop right now, even though you choose to ignore the fact. Every indication is that there are a LOT of people who want to have this conversation, and they look to the thought leaders to do most of the speaking for them.

    Do you really believe this blog post, Simon, does these people a service?

    We need to have continued conversations around the way desktops are delivered and safer, more secure ways to deliver them. I honestly cannot believe someone in the desktop virtualization security field would write this kind of blog post.

    This blog post only makes sense, Simon, if you are singing what your masters (sorry, I meant friends) at Citrix and Microsoft have asked you to sing and toeing the TS/RDS line.

    I really do not mean to disagree with you so much, I really wish I did not have to. You really are somebody who (in theory) should be respected and listened to in our space, but when you write blog posts like this you draw a line in the sand and let every informed person know which side you are on.

    We urgently need to continue the conversations around the change that is happening within the desktop space, and we urgently need to bring all stakeholders into these conversations rather than feed them server slices disguised as desktops until MS are ready for HVD prime time.

    What is good for the desktop user is good for the desktop space, Simon, and this blog post does not fall into either of those categories.

    Furthermore, I am terribly disappointed that nobody else has held you to account for these words you have written, when you so blatantly leave yourself open to criticism in them from those of us who do know what is going on.

    I do look forward to your response; I am at my best when responding to others' criticisms of my own words, and as I told you, I am perfectly happy to eat my own words if I am wrong.

    One last comment on Derek Smith's comment: “And let's not forget, not all innovation comes from the ‘big boys’.”

    No it doesn't, it rarely does; it comes from the little guys, guys like me who get bought by the big boys precisely because they are innovative.

    The problem with billion-dollar big boy companies is that vested interests protecting revenue streams within stifle innovation and anything that may disrupt said revenue streams; it's only when little guys truly innovate in a disruptive fashion that they get bought.

    Let's not confuse the two, hey.
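An added example, not code from the comment above and not tuCloud's, SAIC's or any other named party's tooling, of the step the comment describes at teardown: knowing who was attacked and how before the one-time desktop is destroyed. The golden image is modelled as a directory tree and a session desktop as a copy of it; the file names, the hosts-file edit and the "dropper.exe" are all constructed for the example, and a real deployment would diff a VM disk snapshot against the golden image rather than directories.

```python
"""Teardown-time diff of a non-persistent desktop against its golden image.

Added example, not the comment author's or tuCloud's code. The "image" is a
plain directory tree and the session desktop is a copy of it; a real
deployment would snapshot a VM disk, but the check is the same: before the
one-time desktop is destroyed, record what changed during the session so the
team knows who was attacked and how, then throw the desktop away so nothing
carries over to the next session.
"""
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def provision_session(golden_root, pool_root):
    """Cut a fresh session desktop from the golden image (a full copy here)."""
    session_root = tempfile.mkdtemp(prefix="session-", dir=pool_root)
    shutil.copytree(golden_root, session_root, dirs_exist_ok=True)
    return session_root


def diff_against_golden(golden_manifest, session_root):
    """Return files added, modified or deleted relative to the golden image."""
    session_manifest = build_manifest(session_root)
    added = sorted(p for p in session_manifest if p not in golden_manifest)
    modified = sorted(p for p in session_manifest
                      if p in golden_manifest
                      and session_manifest[p] != golden_manifest[p])
    deleted = sorted(p for p in golden_manifest if p not in session_manifest)
    return {"added": added, "modified": modified, "deleted": deleted}


def teardown_session(golden_manifest, session_root):
    """Record the session's delta for the SOC, then destroy the desktop."""
    findings = diff_against_golden(golden_manifest, session_root)
    shutil.rmtree(session_root)          # the one-time desktop is gone for good
    return findings


def demo():
    """Constructed sample: session 1 is tampered with, session 2 starts clean."""
    work = tempfile.mkdtemp(prefix="vdi-demo-")
    golden = os.path.join(work, "golden")
    os.makedirs(os.path.join(golden, "Windows", "System32"))
    os.makedirs(os.path.join(golden, "Users", "Default"))
    with open(os.path.join(golden, "Windows", "System32", "hosts"), "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    with open(os.path.join(golden, "Users", "Default", "readme.txt"), "w") as fh:
        fh.write("golden image v1\n")
    golden_manifest = build_manifest(golden)

    pool = os.path.join(work, "pool")
    os.makedirs(pool)

    # Session 1: what a compromise during risky browsing might leave behind
    # (constructed sample data, not real malware).
    s1 = provision_session(golden, pool)
    with open(os.path.join(s1, "Users", "Default", "dropper.exe"), "wb") as fh:
        fh.write(b"MZ constructed sample payload")
    with open(os.path.join(s1, "Windows", "System32", "hosts"), "a") as fh:
        fh.write("203.0.113.5 update.example\n")
    findings1 = teardown_session(golden_manifest, s1)

    # Session 2: cut fresh from golden; nothing from session 1 is present.
    s2 = provision_session(golden, pool)
    findings2 = teardown_session(golden_manifest, s2)

    shutil.rmtree(work)
    return findings1, findings2


if __name__ == "__main__":
    first, second = demo()
    print("session 1 delta:", first)
    print("session 2 delta:", second)
```

Running it reports one added file and one modified file for session 1 and an empty delta for session 2, which is the non-persistence property the comment argues for. The diff only sees what was written to the desktop's disk: anything the session sent out over the network, or credentials typed into it, leave no trace here, so the packet/content inspection the comment mentions has to cover that side.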

  10. Guise Bule / Apr 3 2012 1:47 pm

    Hello Simon and Tal,

    I have come here today to continue the argument that we had today on twitter, which was difficult to have in 140 characters, to say the least.

    If I am honest, I was more than a little disappointed with the stance the two of you have taken, particularly because you seem not to want to understand why the current Microsoft licensing regime financially hurts the virtual desktop space as badly as it does, or even acknowledge the damage it does. It's like you both sing off the Citrix/Microsoft song sheet perfectly.

    I also wish to take issue with your assertions that the non-persistent VDI model is less secure than its Terminal Server equivalent; again, these are wrong, and I will lay out why I think so below.

    But before I do, I want to just say that I have always respected the two of you, your opinions and reading your thoughts, but after reading this blog post I have to conclude that you are just like all the rest, singing to your own bias and toeing the line rather than encouraging debate.

    Shame on the two of you for not allowing a fair debate around the subject; shame on you for brushing aside our criticisms and objections with generalizations, mocking ridicule and witty put-downs against anyone who dares to criticize what you are saying.

    If I did not know any better, I would say that you have a vested interest in aligning your words with the Microsoft/Citrix camp, which is fine; it's just something that should be publicly stated and preface your words.

    Clearly you are not blogging here as an independent mind; your assertions are just too far off the mark to be anything other than propaganda for one camp. They are clearly not a balanced, or particularly informed and up-to-date, view of the issues we discuss that seriously affect the VDI space in a financially negative way.

    Today, gentlemen, I am here to hold you to account for your words where no one else seems to want to, or have the balls to.

    I realize you are both very influential and connected individuals, but like the great late Bernie Mac says: http://youtu.be/DWEIL1pV2NE?t=26s

    As I told you both today on twitter, it is practically impossible to convince a closed mind of anything, but I will try, and I will also promise you that my mind will remain open and that if you are able to convince me that I am wrong, I will admit that I am wrong and eat my words.

    For transparency purposes and disclosure, I am the CEO of a cloud hosted VDI vendor (www.tucloud.com) and provider of professional services around the non-persistent VDI model.

    My largest hosted customers include the National Nuclear Security Administration and other Federal agencies which I am not at liberty to disclose, but also UCLA and some really cool organizations.

    My company is partnered up with SAIC, the global defense contractor; we are their go-to desktop virt people for Federal engagements. We are also partnered up with the Israeli Cyber Defense Institute on creating cyber defense tools using the non-persistent VDI model.

    I myself am the co-inventor of the Non-Persistent VDI Cyber Defense Platform; I co-invented the model with the Advanced Computing Team of Lawrence Livermore National Laboratory, and I have seen our model flourish at an incredibly fast rate across the fed gov and military defense sectors.

    When it comes to cloud hosted non-persistent VDI infrastructure, consider me the subject matter expert, and if you do not believe me ask David Wen, the Chief Scientist at SAIC, Joey Peleg, the Director General of the Israeli Cyber Defense Institute, Tom Lash, the Senior VP of Intelligence at SAIC, or Robin Goldstone, the Senior Staffer of the Advanced Computing Team at LLNL.

    tuCloud was the first company to put this model into production in any serious way, and we are easily the market leaders in this field.

    In a nutshell, I am a cloud hosted VDI vendor, although we LOVE NXtop and client-side hypervisors, we LOVE Teradici PCoIP, we LOVE every way of spinning a desktop OS regardless of how it's done; we are not just all about VDI and banging the VDI drum.

    If I believe VDI is not appropriate for my customers, I will advise them into IDV or something else. I am not a single-stack vendor, rather a platform-agnostic virtual desktop advisor, and my mantra is “whatever is good for the customer is good for tuCloud”.

    Also, before I begin, I wish to address the comments you addressed towards me on twitter, Simon, about the recent noise I have been making in the press.

    You accused me of being an idiot seeking PR, and I am here to tell you that you have it wrong and that you owe it to the VDI space to give it a fair hearing instead of what you are doing now.

    And if you think this is all for PR, you are nuts!

    For my public stance against Microsoft, I have exposed myself to public ridicule, attacks on my personal and professional character, belittlement of my comments and opinions, and also of course I have completely fallen foul of the ‘Microsoft Club’.

    Lest any of you have forgotten the rules of the Microsoft Club, here they are again:

    1) You do not piss off the Microsoft Club.
    2) You do not let on that you are not pissing off the Microsoft Club.

    Rules set in stone over decades, and woe betide those that break the rules: careers come to a rapid end, people get ostracized, and it costs organizations serious money if they fight Microsoft, even when they are right.

    The Microsoft Club is made up of thugs who do not tolerate dissent, and I have it on good authority from within Microsoft that I am officially Public Enemy Number One over there for shining a light on this licensing debacle.

    If you think I have exposed myself to this just to get some PR coverage, then you really must be mental; you would not wish the Microsoft Club's vengeance on anyone, you KNOW this.

    Do you honestly believe that I have exposed myself to so much attack because I am over-emotional, a lone crackpot with an emotionally loaded agenda?

    Surely it has occurred to you that I just might be an educated person, an operator in our space with a point of view? If it has, why do you continue to tar me with the PR-hungry brush?

    Anyway, back to your assertions and your words:

    “There are three key arguments against VDI:”

    1) It’s expensive, complex, and vastly complicates the role of desktop admins.

    BULLSHIT GENERALIZATION. More explained below.

    2) “Technology exists that delivers the centralization benefits, at a fraction of the cost, in a way that is more useful to end-users: Microsoft RDS (Terminal Services) either as an app or a desktop abstraction. ”

    BULLSHIT GENERALIZATION. It's only more cost effective because Microsoft refuse to properly license the VDI model in a way that lets us compete on a level playing field; more below.

    3) VDI isn’t more secure (than… anything else). (Nor is RDS, though it is better than distributed desktops).

    BULLSHIT. Of COURSE it is, especially from a cybersec perspective. More below.

    These kinds of objections to VDI that you list above are generally given by either IDV vendors, TS/RDS vendors, third-party commentators on our space or people who do not manage large-scale non-p VDI professionally, and they are generally given to tech buyers who do not really know the difference either way.

    All three of the arguments above are KIND OF true in a general sense, but we all know why it is wrong to generalize, do we not? Do I need to explain why?

    Please say so if I do, I am happy to enlighten.

    MANAGING VDI INFRASTRUCTURES : I am somebody who owns very large scale VDI infrastructure of the non-persistent type and I can tell you that we find it a breeze to manage, practically all of the technical support tickets we get are password changes, honestly.

    User Password changes.

    If the thing is set up properly, the infra designed and delivered properly and you are on top of image management, then its a breeze to run these large scale infrastructures. Maybe not as easy as IDV at the same scale because there is a LOT less server infra, but much easier than running a traditional desktop estate or a TS/RDS estate for sure.

    Furthermore if you really believe that managing an estate of non-persistent VDI desktops is more costly and complicated than running a while bunch of persistent TS equivalents, then you are deluded, you are welcome to talk to my sys engineers, they are happy with our setup and they also happen to also run an large TS estate, our legacy business, they are people who KNOW, not people who speculate and then pass on second hand information.

    We have established the processes and corporate culture in order to manage large scale VDI and have been doing it for so long we are good at it. If any of you do find it expensive and complicated, then let tuCloud host your desktops for 25 USD per user per month, we would love to.

    Also I am puzzled as to why you think VDI causes issues for sys admins or help desks, I can only think you are referring to those who have never seen a VDI infrastructure, if you are then I can refer you to the excellent observation Albert Einstein has made on the same subject : “Everybody is a genius, but if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid.”

    ON THE SUBJECT OF VIRTUALIZATION LAYERING : You are calling the layer cake story untrue and making it out to be much more complicated than it is, for those of you who wish to learn more about the layer cake story, see my podcast and article on The Magic of Non-Persistency by clicking on the following link, its a little simplistic but its aimed at newcomers to the idea : http://bit.ly/Hca8vK

    Just to comment further on this topic, I do believe gentleman that you have no idea of what you are talking about, the desktop virtualization space is becoming VERY skilled at layering applications and user personas onto non-persistent virtual desktops, we are LIGHT YEARS ahead of where we were last year and every day we get better and better at it.

    There are a huge number of tech vendors who facilitate this gentle art and some very skilled practitioners who specialize in making the non-persistent desktop adopt an air of persistency. Whilst it is true to say that there are not very many of them (new model, early adopter market), there soon will be as the model gains traction.

    Layering on non-persistent desktops is the future of VDI and something we all take very seriously and believe in, its just the TS/RDS guys who struggle with the concept as they are trapped in an antiquated mode of thinking and the persistent mentality.

    If you consider that best practice is to virtualize all apps and as something we do anyway, then its not too difficult a stretch to virtualize the user personalization layer and apply that upon login, it really isn’t and its nowhere near as tricky as you make out, it can even be automated.

    ON THE SUBJECT OF COST AND MICROSOFT LICENSING : If anyone generally believes that VDI is expensive just because it is and not because of Microsoft deliberately inflicting bizarre and unreasonable licensing restrictions around the use of the technology, then you are misinformed and deluded. The ONLY reason VDI is more expensive than TS/RDS is because of the Microsoft licensing, they tilt the balance towards the TS/RDS model because it does not threaten their OEM’s and because they are not ready to launch the vertically integrated monopolistic HVD platform that is Azure/InLine/Windows8/Office365.

    I can do VDI at 20 USD a seat and still make money, licenses for tech have come down a LOT since last year or the four years before that.

    If anyone ever says to you that VDI is more expensive than TS/RDS you should tell them why, its because Microsoft WANT it to be more expensive, no other reason.

    On a level licensing playing field we would pull the pants off you TS/RDS guys and you know it, as it stands we cannot do multi-tenancy because Microsoft do not let us and you need Software Assurance in place to do proper desktop OS HVD.

    This is what all the stink is about at the moment and why Simon has written this blog post, its part of a wider Microsoft offensive on the VDI model and all the publicity around licensing at the moment, of course getting them to admit this is next to impossible, they love a smokescreen.

    ON THE SUBJECT OF SECURITY : Shame on you for making the case that TS/RDS is more secure than non-persistent VDI ! And this coming from a man who supposedly runs a security company focused on desktop virtualization. I say supposedly because you are in stealth mode and who knows what you guys are really doing, comments like the ones you make about the TS/RDS model being secure are not only misguided but untruthful, I will forgive you on the basis that you may just not know what you are talking about, but then again you run a desktop virt security company so one must assume you actually do which is even worse.

    You ask for a use case where VDIaaS is required and TSaaS will not do ?

    You ask for evidence that VDIaaS is more secure than TSaaS ?

    Let me give you the fastest growing use case and the most damning evidence of my claims that I can see in our space right now, which specifically happens to concern the niche tuCloud is in.

    Non-Persistent VDI as a CyberDefense Tool : Hands down the most adopted VDI model of 2012 and I expect this to accelerate through 2013 and onwards as we all grapple with the fallout of five long years of successful cyber attacks on the Western world, attacks which threaten the long term prosperity of the Western world.

    Here is what is happening : High security organizations get attacked, typically these attacks are focused on the individual via the open internet in the form of the Advanced Persistent Threat and when they realize they shut down all internet access to their local machines which causes huge user pushback, because we want internet, we need internet to conduct our jobs and lead our lives these days.

    Over time they open up internet access to local PCs under user pushback, and over time they get attacked again and repeat the cycle. It's a reactive response to dealing with cyber security attacks on desktop infrastructure.

    No matter what these guys do to protect those persistent desktop OSes, they cannot protect them if they are connected to the open internet.

    To organizations like these, the tuCloud non-persistent hosted VDI model is a godsend, literally a godsend; my Federal agency customers and their cybersec teams tell me this.

    It's a beautiful scenario, because not only does it work in terms of stemming the flow of attacks against their core infrastructure, but it also gives the users exactly what they want, and it also happens to be the easiest and most cost-effective type of desktop to deploy from an HVD perspective.

    You simply provide users with a non-persistent hosted virtual desktop on which they can conduct their risky internet-facing activity, and completely lock down their local machines' access to the internet.

    When attacks come, they come on tuCloud infrastructure and away from the primary infra that holds all your IP and secret stuff. Furthermore, thanks to the Israelis and SAIC, we are getting very good at wrapping deep packet/content inspection and intrusion detection (think CloudShield) around these non-persistent VDI infrastructures, so when attacks do occur we know where they are going to happen, and we can identify quickly and easily who has been attacked and how.

    We are calling this battlespace awareness.

    The attack is contained to that one user's VM and, on a wider scale, contained within the private non-persistent VDI cloud we have built for that purpose, which has a proper cybersec team sitting on top of it in the NOC.

    Technically, for this model to work you cannot use Terminal Services. Forget squeezing a whole bunch of users onto a persistent server OS and separating those personalities; forget creating the illusion of non-persistence using roaming profiles or any of the tricks TS merchants use to properly separate personalities on the same box.

    Forget the clever Microsoft tech that partitions users on the same box and secures those partitions.

    The Terminal Server slice model does not work for this purpose for a number of reasons; firstly, it's just too damn risky. If you are going to separate personalities properly, give them a completely separate VM, I am talking 1:1 VDI images here. If you even consider using the TS model to create the illusion of this, then you are just not serious about security, full stop.

    Effective isolation of personalities on the same infrastructure is required, and this cannot be done using the TS/RDS model with a bunch of users all crammed onto a server OS image; to do so is counterproductive from a security perspective.

    From a hosted desktop perspective, the VDI non-persistent model is hands down more secure than the TS model inherently by design and any proper risk analysis conducted by desktop virt aware cybersec professionals will raise these concerns.

    This is why our Fed gov and enterprise customers and our partners over at SAIC and the Israeli Cyber Defense Institute are working with us to build this kind of desktop cloud for their customers. None of them are asking for a terminal server slice desktop rig, none of them, and they clearly understand the differences between TS/RDS and VDI, unlike small businesses.

    Then you have to consider that Terminal Services has been around forever; it's how administrators have always logged into remote servers, and it's only recently that this tech has been used to actually deploy desktops to desktop users.

    Because it's been around for a long time, the number of people who know how to exploit this model is quite sizable. For sure there are lots of old warhorses out there who think they can properly secure an MS server OS and the individual personalities contained on it, but there are just as many guys out there who can exploit one, and much in the same way that we cannot protect persistent desktop OSes, are we really and truly in a position where we can protect persistent server OSes against attack in a better way?

    No. Server OSes get owned all day every day, and hacker collectives do it for fun. When was it ever a good idea to cram a bunch of desktop users onto one? Oh right, yeah, Microsoft's idea.

    Considering they defined the future of the desktop OS back in the day, its a little schizophrenic of them don’t you think ?

    If you are a cyber sec guy looking at the TS model and the VDI model of hosting desktops, you are going to choose the VDI model every time; it's inherently more secure as a model.

    Nobody who knows what TS is wants a slice of server disguised as a desktop. When users learn that they are using server slices they feel deceived, and rightly so, for TS vendors have deceived them on the basis that users are dumb and do not know what they want.

    Can you imagine how angry users get when they realise they are sharing disguised server images with a whole bunch of other people, instead of the desktops they think they have? Very.

    When cybersec people look at TS, ones whose job it is to defend infrastructures which include TS and VDI rigs, they will choose non-persistent VDI every time; it's just a lot more inherently secure than TS could ever be, and for you to claim that it's not is incredibly misleading, Simon.

    You touch briefly on the subject of non-persistency in your points above when you talk about 'Golden Image Instances', what we call non-persistent desktops, except that you talk about them in an incredibly misleading and simplistic way.

    What is not to like from a security perspective about desktops that are freshly cut from a golden image for one-time use and then destroyed after use? What is not to like about malware being destroyed after every session? What is not to like about malware not being able to get a foothold on anything more than one user session in one dedicated VM? Nothing is the answer; there is nothing not to like from a security perspective, it makes PERFECT sense.

    Remember, we cannot protect the persistent traditional desktop OS, we have never been able to properly protect it, why do you think we can now ?

    And what about all your talk about managing multiple images that results in more management, more people and more money? It's just plain bullshit and smokescreen.

    Our single largest user has more than 25k users and runs one golden image; our second and third largest users run roughly 5k users each on one golden image. Take it from someone who runs more of these desktops than anyone else on the planet: it's easy to run golden images and manage them, a LOT easier than running a whole bunch of server OS images or persistent VM images.

    Why on earth would you believe otherwise unless you are being poorly advised? Take it from someone who really knows: your words are deeply misleading to those who do not.

    ON THE SUBJECT OF CENTRALIZED DESKTOP EXECUTION & DATA: Honestly, what are you talking about? Your comments apply equally to TS/RDS, and any cybersec guy worth his salt knows that we cannot protect the endpoint if it's running a persistent desktop OS. Endpoint security is a running joke. Don't believe me? Take one look at the proliferation of botnets and four years' worth of cyber attacks against the Western world.

    ON THE SUBJECT OF MOST VENDORS DELIVERING TS/RDS: Well of course they do; Microsoft do not let them do anything else, as you well know. Saying more deliver TS than VDI is misleading because of this: if your left foot is nailed to the floor, all the right foot can do is walk in circles.

    Seriously, this is not an argument, and to make it one ignores the undeniable truth that Microsoft does not like and will not allow VDIaaS to gain a proper foothold in the market, hence the no multi-tenant rule and no Win7 on SPLA.

    Adoption of TS/RDS by hosted virtual desktop providers and their customers is not driven by technical choice, because the tech is better or less complex than VDI; it's driven by the fact that Microsoft DO NOT LET them deliver VDIaaS.

    The only place where this is not the case is in the enterprise market where the players hold SA licensing, then they can do VDIaaS as much as they want and they are, in that space nobody is adopting TSaaS in a big way, they want something better and Microsoft let them.

    What Microsoft do not allow is the small business to adopt VDIaaS, and herein lies the great hypocrisy. It begs the question: "if big business can do VDIaaS, why can the small business not?"

    Because Microsoft are not ready to launch their own Azure based VDIaaS platform is why !

    Do you honestly believe that when they are ready to launch their own hosted desktop platform, a vertically integrated platform with all the bells and whistles, that they will deliver slices of server and call them desktops ? Like TS and RDS now ?

    Really ? Do you ? In your heart of hearts ? Of course not, they own the desktop do they not ?

    Most vendors deliver TS/RDS right now because they have NO CHOICE; it's either build a business around the model or nothing. And I will tell you something else: when they are ready to properly sell cloud hosted desktops off Azure, what do you think will happen to all the TS/RDS merchants?

    Early retirement. The only reason they let you host those server slices disguised as desktops is because they want the HVD business for themselves; they are all about cloud now, remember, and THEY KNOW the desktop is dying, but they plan to leverage their legacy desktop monopoly into another monopoly built around Azure hosted VDI.

    ON THE SUBJECT OF WALL STREET: "A leading Wall Street Bank CIO told me 'I charge back VDI desktops at $150/month/user. It's a nightmare.'"

    I expect it is if you are paying $150 per month per user, but if he really is then the man should not be in his job. I have never seen a more expensive per-user VDI cost, even with virtualization layering technology, deep packet/content inspection and intrusion detection wrapped around it.

    NOBODY pays $150 per month per user for VDI instances, and if they do then they are idiots and are being ripped off massively. WHY would it cost him so much?

    FINALLY, ON THE SUBJECT OF YOUR RECOMMENDATIONS: "there's enough discussion about the future of the desktop to argue for no change for now."

    NO there isn't, and what little conversation there is, is being stamped on by blog posts like this which over-generalize and mislead the non-informed reader.

    Every indication is that there needs to be a LOT of conversation around the future of the desktop right now, even though you choose to ignore the fact. Every indication is that there are a LOT of people who want to have this conversation and they look at the thought leaders to do most of the speaking for them.

    Do you really believe this blog post does these people a service, Simon?

    We need to have continued conversations around the way desktops are delivered and safer, more secure ways to deliver them. I honestly cannot believe someone in the desktop virtualization security field would write this kind of blog post.

    This blog post only makes sense Simon if you are singing what your masters (sorry, I meant friends) at Citrix and Microsoft have asked you to sing and toeing the TS/RDS line.

    I really do not mean to disagree with you so much, I really wish I did not have to. You really are somebody who (in theory) should be respected and listened to in our space, but when you write blog posts like this you draw a line in the sand and let every informed person know which side you are on.

    We urgently need to continue the conversations around the change that is happening within the desktop space and we urgently need to bring all stakeholders into these conversations rather than feed them server slices disguised as desktops until MS are ready for HVD prime time.

    What is good for the desktop user is good for the desktop space Simon and this blog post does not fall into either of those categories.

    Furthermore, I am terribly disappointed that nobody else has held you to account for these words you have written, when you so blatantly leave yourself open to criticism in them from those of us that do know what is going on.

    I do look forward to your response. I am at my best when responding to others' criticisms of my own words and, as I told you, I am perfectly happy to eat my own words if I am wrong.

    One last comment on Derek Smith's comment: "And let's not forget, not all innovation comes from the 'big boys'."

    No it doesn't, it rarely does; it comes from the little guys, guys like me who get bought by the big boys precisely because they are innovative.

    The problem with billion-dollar big boy companies is that vested interests protecting revenue streams within stifle innovation and anything that may disrupt said revenue streams; it's only when little guys truly innovate in a disruptive fashion that they get bought.

    Let's not confuse the two, hey.
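The golden-image lifecycle the comment above argues for (cut a fresh copy per session, run it on a segment away from the primary infra, destroy it at logoff, keep it only when the IDS flagged that session) is sketched below as an added example; it is not code from the comment, from tuCloud or from the post. The comment does not say what hypervisor tuCloud runs, so this assumes a Linux KVM/libvirt host with `qemu-img` and `virsh` on the path; every path, the memory/vcpu sizing and the `vdi-dmz` network name are placeholders.

```shell
#!/bin/sh
# Added illustration of the non-persistent desktop lifecycle (assumed
# KVM/libvirt host; paths, sizing and the 'vdi-dmz' network are placeholders).
GOLDEN="${GOLDEN:-/var/lib/vdi/golden.qcow2}"
SESSION_DIR="${SESSION_DIR:-/var/lib/vdi/sessions}"
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/lib/vdi/quarantine}"

# One writable overlay per (user, session id): two concurrent sessions of the
# same user never share writable state, and nothing is ever written to GOLDEN.
session_overlay_path() {
    printf '%s/%s-%s.qcow2\n' "$SESSION_DIR" "$1" "$2"
}

session_domain_name() {
    printf 'vdi-%s-%s\n' "$1" "$2"
}

# The golden image is the one thing every session inherits, so a poisoned
# golden image poisons every desktop cut from it. Pin its SHA-256 when it is
# published and refuse to start a session if the hash no longer matches.
golden_unchanged() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Minimal transient-domain definition: one virtio disk pointing at the
# session overlay and one NIC on the internet-facing 'vdi-dmz' network, which
# is what keeps the throwaway desktop off the corporate LAN.
render_domain_xml() {
    name="$1"; overlay="$2"
    cat <<EOF
<domain type='kvm'>
  <name>${name}</name>
  <memory unit='MiB'>4096</memory>
  <vcpu>2</vcpu>
  <os><type arch='x86_64'>hvm</type></os>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='${overlay}'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='network'>
      <source network='vdi-dmz'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
EOF
}

# session_start USER SID PINNED_SHA256
session_start() {
    user="$1"; sid="$2"; pinned="$3"
    golden_unchanged "$GOLDEN" "$pinned" || {
        echo "golden image hash mismatch, refusing to start session" >&2
        return 1
    }
    overlay=$(session_overlay_path "$user" "$sid")
    mkdir -p "$SESSION_DIR"
    # Copy-on-write overlay backed by the golden image: every write the
    # session makes lands in the overlay, never in the golden image.
    qemu-img create -q -f qcow2 -F qcow2 -b "$GOLDEN" "$overlay"
    render_domain_xml "$(session_domain_name "$user" "$sid")" "$overlay" > "$overlay.xml"
    # 'virsh create' starts a transient domain: no libvirt definition outlives
    # the VM, so there is nothing to boot a second time.
    virsh create "$overlay.xml"
}

# session_end USER SID [quarantine]
# Normal end: destroy the VM and delete the overlay, so whatever the session
# picked up dies with it. With 'quarantine' (an IDS alert fired on this
# session) the overlay is kept for forensics instead of being deleted.
session_end() {
    user="$1"; sid="$2"; mode="${3:-discard}"
    overlay=$(session_overlay_path "$user" "$sid")
    virsh destroy "$(session_domain_name "$user" "$sid")" 2>/dev/null || true
    if [ "$mode" = "quarantine" ]; then
        mkdir -p "$QUARANTINE_DIR"
        mv "$overlay" "$QUARANTINE_DIR/$user-$sid-$(date +%Y%m%dT%H%M%S).qcow2"
    else
        rm -f "$overlay"
    fi
    rm -f "$overlay.xml"
}
```

A broker would call `session_start alice 42 <pinned sha256>` at logon and `session_end alice 42` at logoff, or `session_end alice 42 quarantine` when the inspection layer raised an alert for that session, so the evidence survives the teardown while the golden image and every other session stay untouched.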

  11. Steve Kaplan (@ROIdude) / Apr 3 2012 2:56 pm

    Simon,

    You say, “I have not found a single desktop virtualization expert (that does not work for one of the DV vendors) who will put their err… cred, on the table to recommend VDI over other desktop virtualization technologies…”. I personally am not an engineer – but the top guy I know in the space is my brother, Alan, who was our senior engineer at RYNO (the first Citrix Partner of the Year for the US), technical editor of the First Official Citrix Guide and architect and lead implementer for the first complete SBC implementation for a Fortune 1000 company (ABM Industries — the implementation was featured in Citrix advertisements in media such as the WSJ, BusinessWeek and Fortune Magazine as well as at Citrix iForum and other venues).

    Alan is a principal in a small professional services company now, but he has completely abandoned the XenApp/TS model and will only implement XD. He has several reasons, but overall it comes down to simplicity. He likes the XD VDI environment because it's simpler for administrators and simpler for users.

  12. Guise Bule / Apr 3 2012 4:10 pm

    I call Straw Man,

    A straw man argument is one which misrepresents opposition to an extreme position by excluding the middle ground.

    The middle ground here is to seek a more balanced form of licensing which does its job.

  13. it guy / Apr 10 2012 12:15 pm

    Check out The VDI Delusion by Brian Madden on Amazon. I think it is the straw that broke the camel's back as far as a "KO" for VDI. It has started a firestorm in the IT community....everyone is raving about it. It backs up all the arguments against VDI with facts. Great read.

Trackbacks

  1. Building Desktop as a Service in the Cloud « Roshan Ratnayake – Solution Architect
  2. VDI – Success or Failure? – or – Why “VDI-bashing” is popular…. | Virtualization Matrix - Agnostic Vendor Comparison: vSphere, Hyper-V, XenServer
  3. Desktop virtualization is not a "free pass" for lack of desktop management – Brian Madden (blog) « Desktops
  4. How server virtualization killed VDI « speakvirtual
  5. VDIaaS is a pain in the aaS « A Collection of Bromides on Infrastructure
  6. Crossing the Hellespont « A Collection of Bromides on Infrastructure
