VDwhy?
There was a lively attempt at a debate on Twitter last week between myself, @VirtualTal, @ShawnBass, @brianmadden, @cswolf, @bsonposh, @harrylabana and others about the value of VDI. Because this needs more precision than 140 chars, let’s be crystal clear: I mean Virtual Desktop Infrastructure as invented by VMware but offered by many vendors: Windows client OS-based desktops, hosted centrally on a hypervisor, with a remoted desktop user experience (RDS, HDX, ICA, PCoIP…). Optionally (e.g. View) there is the opportunity to “check out” a virtual desktop VM to run it locally on a client hypervisor (VMware’s type-2 ACE, Workstation or Player for Windows, or Mac-based Fusion) and then “check it in” at some later point. [This is an utterly daft idea - and not discussed in this post - if I have a decent laptop, why would I ever check in my desktop and go back to VDI?]
If you’re after the short version, here’s the summary: I have not found a single desktop virtualization expert (that does not work for one of the DV vendors) who will put their err… cred, on the table to recommend VDI over other desktop virtualization technologies (other than for a narrow set of use cases). In fact, the opposite is true: The leading voices in desktop virtualization think customers are being misled, and that it’s high time for the truth to out. A leading Wall Street Bank CIO told me “I charge back VDI desktops at $150/month/user. It’s a nightmare. We should spell it vDIE.” VDI is a lot more expensive (than anything else), users don’t love it, it causes gray hairs for desktop admins, and it isn’t more secure. Brian Madden recently wrote a “you use it, so pay for it, sucker” piece, which is excellent, though he is wrong on the presumed security benefits.
When I talk to CIOs, they all agree on two key drivers for desktop virtualization:
- The need for better desktop security, and
- Support for mobile devices.
Note that they don’t all say they need a better way to manage the desktop or even distribute apps. Existing tools do pretty well, and after all why shouldn’t they? It’s not a new problem.
There are three key arguments against VDI:
- It’s expensive, complex, and vastly complicates the role of desktop admins
- Technology exists that delivers the centralization benefits, at a fraction of the cost, in a way that is more useful to end-users: Microsoft RDS (Terminal Services) either as an app or a desktop abstraction.
- VDI isn’t more secure (than… anything else). (Nor is RDS, though it is better than distributed desktops).
Before I dig in, let’s agree that there’s no way to deliver Windows apps to non-Windows clients other than centralized execution and a remoted experience. And let’s agree that Windows Remote Desktop Services (RDS, Citrix XenApp, Quest vWorkSpace…) delivers apps just fine to a tablet, using the app metaphor that users expect. Moreover a remoted Win 7 desktop on a tablet is … not fun (a finger is not a good mouse), so ignore it and give users the apps they want. The data say this: The overwhelming majority of virtual desktops today are delivered using TS/RDS. Very few enterprises have successfully rolled out VDI at a scale beyond a few thousand users, and those that have are beginning to wonder why.
The security arguments advanced in favor of VDI warrant a closer look:
- Centralized desktop execution & data: Less enterprise data roaming unprotected on laptops is a good thing. And if data is client-side cached, it is encrypted at rest. But client-side encryption has been around forever, and VDI vendors appear to have belatedly re-invented it. If you don’t have client security & backup procedures in place already, you deserve the pain that VDI will bring.
- Secure centralized access control & auth: Rather than rely on a password on the device, the enterprise can use an access-time credential check. The access/auth gateway can also provide single sign-on to legacy, web and SaaS apps (see Citrix Cloud Gateway, VMware project Mirage). Granular control of access and identity are powerful tools for enhancing security. But they aren’t a feature of VDI. Do it, and use RDS instead.
- Single Golden Image desktops: Every employee runs “the same” approved golden OS image, and the desktop layers (OS, apps, user) are composed at login time to deliver a “new PC every day”, with the right apps and user customizations & data. Each desktop starts clean, for each logon. However, although this layer-cake story is seductive, it is basically untrue. And even if it were true, you would still need to manage scores of images for the (vast majority of) your (non-VDI) desktops. But let’s be generous: The vendors are investing heavily, so let’s say they pull it off. The result: a bunch of new desktop layers to manage, store and dynamically compose in the hope that it all works. More management – more oversight – more people, and technology that rips apart an OS in ways it was not designed for. Security – yes, job security for desktop admins. Also late nights trying to make it all work. And no more secure… (more below)
- Audit control and compliance: Log everything. Great, good stuff, no arguments.
The goal of the VDI vendors is to persuade customers that they will have more control and therefore more security, courtesy of more layers of virtualization. There is a significant downside though: it requires new tools, infrastructure, and IT management skill-sets to separately manage the lifecycle of each desktop component and each layer of the infrastructure that runs them (servers, hypervisors, storage, networks, and IDAM). Finally, it completely stymies the helpdesk.
Nonetheless, VDI is not more secure: Even if I log on to a pristine golden Windows desktop each day, the enterprise is still vulnerable to common vectors of attack: users click on bad links and open bad attachments – in an execution context where enterprise state is unencrypted. And a smart attacker will target VDI desktops specifically to get inside the enterprise data center.
VDI can deliver Win7 to the CEO’s iPad. So can Windows RDS. And I bet that an app experience is preferred. Let’s be clear on cost too: From the hundreds of customers I’ve spoken to, I’d guess that RDS infrastructure costs about one fifth to one tenth the cost of VDI to purchase and run. And it works great.
New desktops and apps (x86 & mobile) need a GPU. Unless you fancy racking server-side GPUs so your users can use IE9, recognize that Microsoft’s path is clear, and responds to user demands: rich graphical apps & “desktops” are here to stay. Deliver legacy 2D apps using TS/RDS, and let a rich client (x86 & mobile) with a GPU deliver what the user wants.
My recommendation: there’s enough discussion about the future of the desktop to argue for no change for now. Most enterprises use XenApp/TS. Continue. Grow the footprint. Consult vendors, industry analysts and solution providers. I’d recommend you go down a TS/RDS path to deliver apps to iPads, thin clients and desktops. Use AppSense or RES to guarantee consistency (and more). Use TS/RDS with the Win7 UI for users that need a remoted desktop. Meanwhile, figure out a plan for the 70-80% of users that will never use VDI, and start prototyping next-gen touch-enabled apps for your mobile clients. Let the VDI mess sort itself out, and look to Win8 (which my friends at Microsoft call a “VDI killer”) to discern the Microsoft strategy (yup, years away, but that’s fine).
And after all that, what about those pressing security challenges? Right, back to work…
Excellent list of opinions. I do differ slightly in my opinions around security but largely agree there as well. Desktop Virtualization as a desktop replacement for high end users is in its infancy (at best), and that is assuming we ever can or should get there. It is nice to hear more people pushing the application/RDS/TS/XenApp front. Give the user the ability to do their job as well as or better than they did before and they will be happy. Give them a messed up interface because “I want VDI” (http://www.youtube.com/watch?v=eaIZ_2FHq10) and you’re set up for failure. People have been told that they want VDI when they really want apps on their shiny iPad. People want mobile workers and don’t always know there are other options.
Great post Simon, I always enjoy reading your opinions and posts.
You mentioned “Desktop Virtualization as a desktop replacement for high end users” I just want to tell you it is here. Watch this video http://www.youtube.com/watch?v=H0FBpzPNfmU
V3 Systems really does deliver a virtual desktop experience that is desktop-replacement grade.
I think you’ve covered the essence of the debate pretty well. I’ll try to address the points where I disagree in the order you wrote them. I’m in the process of writing a blog with a definitive perspective from Citrix, but that won’t be out until after Synergy Barcelona.
Firstly I don’t think VDI as it’s defined today, which is hypervisor-based remotely hosted desktops, will ever be the de facto standard virtual desktop in the workplace. So if you feel like that’s what I’ve been evangelizing then I think you’ve got me figured all wrong.
IMO there are two ways to go about desktop virtualization: Tactical and strategic.
A tactical desktop virtualization initiative is a reactive attempt to solve unique IT cross-compatibility problems. It’s never a giant forward-looking directive but rather a technical band-aid (or in some cases a giant gauze that keeps a company’s insides from pouring out). Tactical uses for desktop virtualization run the gamut from supporting old legacy Windows applications whose developers have absconded (in this case solved by publishing the app on Windows Server through TS/XA/vW) to large M&A “integrations” that require IT to support concurrent XP and Win7 environments on the same physical hosts (VDI). These initiatives are owned by the desktop administration team and occasionally become strategic because of the utility gained from the tactical deployment.
A strategic desktop virtualization initiative is something a company does in order to transform the delivery of IT because the traditional way of doing it has become unsustainable. There are lots of things that break the camel’s back here, but let me give an example of a transformative shift in IT that happened recently in Japan. Japan’s work culture has traditionally been very office-centric. The concept of working remotely was considered viable for outsourced contractors but not employees. An employee belonged in his office with his computer. Then 3/11 happened. All of a sudden people couldn’t get work done in the office. Companies that had BCDR (Business Continuity and Disaster Recovery) initiatives with remote work enablement managed to continue doing business while everything around them came to a halt. As things settled down and started along the path back to normalcy, CIOs in Japan were in the hot seat to come up with a solution to address a future 3/11. Desktop Virtualization became a natural fit – not only can it be an active/active BCDR mechanism but it also made it “ok” for people to work on remotely hosted, centrally managed desktops. Now, not every strategic desktop virtualization initiative is rooted in BCDR – but to get there IT needs to truly shift the way it thinks about delivering services to end-users. It needs to be a holistic transformation that starts with a hybrid deployment and consists of various desktop virtualization delivery mechanisms.
I’m not a big fan of the word FlexCast, but I am a big believer in the philosophy behind it: Different workloads require different desktops.
VMware has been pitching VDI as a “cure-all” and that has caused a significant amount of poisoning in the marketplace because (I agree with you) VDI as defined by VMware is not the thing that will transform IT. This was largely the bit of frustration I was having on Twitter trying to explain that we need VDI, Virtual Desktop Infrastructure, to mean what it says. Today its definition does not include Type-1 hypervisors or TS-based desktops, even though today the latter account for the largest percentage of virtual desktops deployed in the market, and the former will likely account for the largest percentage of virtual desktops deployed in the future. As a result even people who are trying to launch strategic desktop virtualization initiatives end up failing if they try to implement a strict interpretation of VDI.
My perspective is that desktop virtualization is about 2 things:
1. Single image management*
2. Flexible end-point types and locations
*Note that when I say “single image management” I’m referring to the technology name. In reality this translates to “minimum image management”.
The further you stray from these two points the less likely you are to succeed in a strategic desktop virtualization initiative.
The reason I didn’t mention cost savings above is because I don’t think it plays a role up front other than maybe getting buy-off from a CxO who owns the budget, and I think budget alone is the wrong reason to get into this game. Desktop virtualization is a paradigm shift akin to the migration from mainframes to microcomputers. Nobody asked if shifting to PCs was going to save any money; it was a natural evolution of IT. That said, I think cost savings is an ultimate side-effect of shifting to desktop virtualization over time because of reductions in costs of supporting infrastructure, branch IT resources, end-point devices, change management, hardware refresh, and software update staging. There are many people out there who are looking to get the same simple cost savings from desktop virtualization that they achieved through server virtualization – that’s not going to happen. Desktop Virtualization is not about P2V, it’s about ITaaS.
Speaking of side-effects, that’s also how we find our way at long last to security – my point here re: single image management is actually very simple: A few OS images administered by IT is a more secure scenario than having lots of OS images administered by end users. You’re more likely to be in an accident while driving your car than you are while riding the bus. The bus is not a tank and it’s not accident-proof, but statistically you’re safer on that bus than you are in your car. Same goes for single image managed virtual desktops vs. legacy desktops.
Again – Simon & Tal pretty much violently agreeing – and I again concur with both PoV.
“Different workloads require different desktop” – this is 100% true and there can be no preferred order of the tech.
I often ask customers whether a Ferrari is better than a Nissan. Invariably the answer is Ferrari. My response to that is “But I live in the desert” and ask the question again. In my car analogy, obviously the Nissan Patrol 4×4 is better for my transport use-case, but the manufacturer also produces some pretty decent track hardware (GTR) that will compete well with the Ferrari if that was my use-case. The Desktop Virtualization manufacturer that can cover the widest possible real-world use case, IMO, works. This is also true for car companies.
Tal, great follow-up, thanks. And to be clear, I don’t think you’re the chap advancing a VDI only story at all. Indeed the richness of the Citrix solution set is its strength, and it is that richness that is driving customers toward the Citrix portfolio vs narrow “one-size fits all” solutions. For example, VMware, with a VDI-only approach, is seriously confused. They will never have a XenApp, and it looks as though they blew their chances at a XenClient, too. Each of the technologies has a role to play, but we must admit that today, even in the Citrix stack, they are relatively poorly integrated. So the IT manager needs N different consoles for N different delivery technologies, and they need an additional M for server side hypervisors, storage, networking… etc. This only increases the complexity and therefore the likelihood of failure, and it increases costs.
When last did Microsoft Update crash your PC? Not for years. Did it break any apps? No. Existing tools such as SCCM solve a lot of problems already, in a reliable way.
So, if security is not a value prop that you espouse (strangely, you did on Twitter), and we agree to disagree on how to manage the images (say), then the only value prop is delivery of apps to multiple endpoint devices. Fair enough. VDI doesn’t do that as well as TS. (And to be fair, let’s include XenApp’s VM hosted apps as a TS style solution, because it is – and it simply solves the app-compat problem.)
By the way, thank you for engaging like this – it is awesome to see the leading vendor do so, and do so openly. I think Brian Gammage owes us all an explanation, since he’s now in charge of the desktop strategy. And saying “Microsoft announced what we expected for Win8” doesn’t cut the mustard.
Nothing in what I have said should be read as critical of Citrix or its portfolio. Where VDI has a use (and perhaps I need to list the use cases) it is a great tool. But it is no panacea and it is a major pain in the ass instead. VMware for sure owes us all a better explanation. I personally believe they really messed up on the client, because they dropped the ball in getting to a type 1 client hypervisor, and now Microsoft with Win8 will beat them to the punch. I think their investments are going heavily into Horizon (err… Mirage) and not into traditional Windows desktops on their type 2 client hypervisors. Lots of innovation server side, but that’s useful for both VDI and general Windows Server VMs.
Anyway, thanks for the great follow up, and for getting involved. Thanks also for stepping up to articulate the Citrix position so clearly.
Simon
Completely agree with your points and arguments re VDI, or more accurately, server hosted virtual desktop infrastructure. Very limited use case, and probably less expensive, and less complex alternatives.
However, this statement is no longer accurate.
“Before I dig in, let’s agree that there’s no way to deliver Windows apps to non-Windows clients other than centralized execution and a remoted experience.”
Must disagree on this point. Windows and Windows applications (Linux too) can be launched on the Mac using Type 2 hypervisor technologies (i.e. VMW Fusion, Parallels, Oracle VirtualBox).
However, these products and Apple lack any multi desktop / user management capabilities as they are intended for “one to one” use.
Opus from Orchard Parc solves this issue. One capability of Opus from Orchard Parc is “one to many” management of Windows on Mac. The benefits of VDI (i.e. central management, data behind the firewall etc.), plus a suite of management and automation tools, combined with local execution of the application to optimize performance (i.e. graphics, VoIP, locally installed apps) plus mobility.
A big consideration with VDI is cost: lots of capex involved, and damn, it’s complex. Opus uses a fraction of the data center infrastructure of VDI (i.e. servers, network, storage) so cost issues are less of a factor. And it’s much simpler to deploy.
Based on the various arguments here, there are valid use case scenarios for all solutions including legacy PCs, TS, and VDI. It’s just not a one size fits all world.
And let’s not forget, not all innovation comes from the “big boys”.
To me this boils down to: (and I’ll keep it short as I have the tendency to drivel on)
- Are we trying to solve a problem which does not exist? No. (So I slightly disagree with how you portray the current state of physical endpoints – time spent on image management is unsustainable for many of my clients.)
- Is the answer to the problem always VDI? No.
- Can the answer be VDI? Yes, as a tactical solution for specific use cases where TS does not fit.
- Can VDI be a strategic approach – yes, as a stepping stone (and I am aware of the inherent contradiction here) to enable logical separation of OS and app, mobile, user centric app delivery.
- Why VDI as the “one fits all”: 1) because the VDI “vendor says so” – 2) because clients prefer the simplicity of one architecture that can (potentially) cover all use cases (so both dubious but reality)
Bottom line – I can’t fail VDI completely – VDI has a space as a tactical building block alongside TS (and others) – combined as a strategic hybrid approach to facilitate future app delivery models. (all simplified in the interest of time)
Andy
I used to rave on Brian Madden’s blog saying the only reason to use SHVD (VDI…) was for High Availability. Whether it’s a DR plan (ranging from PC outage to building outage), or just making your desktop available on a mobile device SHVD has you covered.
Other than that, why does it make sense to have your desktop hosted on a server when server resources are blatantly more expensive than desktop resources, and what makes it more secure? The reason why SHVD are being pushed down our throats is because the big 3 vendors (Citrix, VMware, and MS) invested in server side execution first rather than client side execution. Citrix is years ahead of the competition with XenClient and even VC’s NxTop is years ahead of VMware and MS as well.
http://www.brianmadden.com/blogs/brianmadden/archive/2011/07/28/desktop-virtualization-a-rainbow-of-complexity.aspx
CHVD (Client Hosted Virtual Desktops) will take over the enterprise. I sure hope your Bromium product will be able to integrate with the current ecosystem (XenClient, NxTop, and OKL4/seL4). Who really cares about VMware’s MVP.
I am eagerly awaiting your release. Especially since the Government Community Cloud is taking off, transforming the US and Canada for the better. I would like to see if Xen and Bromium would play a part in it.
Kyle