There was a lively attempt at a debate on twitter last week between myself, @VirtualTal, @ShawnBass, @brianmadden, @cswolf, @bsonposh, @harrylabana and others about the value of VDI. Because this needs more precision than 140 chars, let’s be crystal clear: I mean Virtual Desktop Infrastructure as invented by VMware but offered by many vendors: Windows client OS-based desktops, hosted centrally on a hypervisor, with a remoted desktop user experience (RDS, HDX, ICA, PCoIP…). Optionally (eg: View) there is the opportunity to “check out” a virtual desktop VM to run it locally on a client hypervisor (VMware’s type-2 ACE, Workstation or Player for Windows, or Mac-based Fusion) then “check it in” at some later point. [This is an utterly daft idea – and not discussed in this post – if I have a decent laptop, why would I ever check-in my desktop and go back to VDI?].
If you’re after the short version, here’s the summary: I have not found a single desktop virtualization expert (that does not work for one of the DV vendors) who will put their err… cred, on the table to recommend VDI over other desktop virtualization technologies (other than for a narrow set of use cases). In fact, the opposite is true: The leading voices in desktop virtualization think customers are being misled, and that it’s high time for the truth to out. A leading Wall Street Bank CIO told me “I charge back VDI desktops at $150/month/user. It’s a nightmare. We should spell it vDIE.” VDI is a lot more expensive (than anything else), users don’t love it, it causes gray hairs for desktop admins, and it isn’t more secure. Brian Madden recently wrote a “you use it, so pay for it, sucker” piece, which is excellent, though he is wrong on the presumed security benefits.
When I talk to CIOs, they all agree on two key drivers for desktop virtualization:
- The need for better desktop security, and
- Support for mobile devices.
Note that they don’t all say they need a better way to manage the desktop or even distribute apps. Existing tools do pretty well, and after all why shouldn’t they? It’s not a new problem.
There are three key arguments against VDI:
- It’s expensive, complex, and vastly complicates the role of desktop admins
- Technology exists that delivers the centralization benefits, at a fraction of the cost, in a way that is more useful to end-users: Microsoft RDS (Terminal Services) either as an app or a desktop abstraction.
- VDI isn’t more secure (than… anything else). (Nor is RDS, though it is better than distributed desktops).
Before I dig in, let’s agree that there’s no way to deliver Windows apps to non-Windows clients other than centralized execution and a remoted experience. And let’s agree that Windows Remote Desktop Services (RDS, Citrix XenApp, Quest vWorkSpace…) delivers apps just fine to a tablet, using the app metaphor that users expect. Moreover a remoted Win 7 desktop on a tablet is … not fun (a finger is not a good mouse), so ignore it and give users the apps they want. The data say this: The overwhelming majority of virtual desktops today are delivered using TS/RDS. Very few enterprises have successfully rolled out VDI at a scale beyond a few thousand users, and those that have are beginning to wonder why.
The security arguments advanced in favor of VDI warrant a closer look:
- Centralized desktop execution & data: Less enterprise data roaming unprotected on laptops is a good thing. And if data is client-side cached, it is encrypted at rest. But client-side encryption has been around forever, and VDI vendors appear to have belatedly re-invented it. If you don’t have client security & backup procedures in place already, you deserve the pain that VDI will bring.
- Secure centralized access control & auth: Rather than rely on a password on the device, the enterprise can use an access-time credential check. The access/auth gateway can also provide single sign on to legacy, web and SaaS apps (see Citrix Cloud Gateway, VMware project Mirage). Granular control of access and identity are powerful tools for enhancing security. But they aren’t a feature of VDI. Do it, and use RDS instead.
- Single Golden Image desktops: Every employee runs “the same” approved golden OS image, and the desktop layers (OS, apps, user) are composed at login-time to deliver a “new PC every day”, with the right apps and user customizations & data. Each desktop starts clean, for each logon. However, although this layer-cake story is seductive, it is basically untrue. And even if it were true, you would still need to manage scores of images for the (vast majority of) your (non-VDI) desktops. But let’s be generous: The vendors are investing heavily, so let’s say they pull it off. The result: a bunch of new desktop layers to manage, store and dynamically compose in the hope that it all works. More management – more oversight – more people, and technology that rips apart an OS in ways it was not designed to be. Security – yes, job security for desktop admins. Also late nights trying to make it all work. And no more secure… (more below)
- Audit control and compliance: Log everything. Great, good stuff, no arguments.
The goal of the VDI vendors is to persuade customers that they will have more control and therefore more security, courtesy of more layers of virtualization. There is a significant downside though: it requires new tools, infrastructure, and IT management skill-sets to separately manage the lifecycle of each desktop component and each layer of the infrastructure that runs them (servers, hypervisors, storage, networks, and IDAM). Finally, it completely stymies the helpdesk.
Nonetheless, VDI is not more secure: Even if I log on to a pristine golden Windows desktop each day, the enterprise is still vulnerable to common vectors of attack: users click on bad links and open bad attachments – in an execution context where enterprise state is unencrypted. And a smart attacker will target VDI desktops specifically to get inside the enterprise data center.
VDI can deliver Win7 to the CEO’s iPad. So can Windows RDS. And I bet that an app experience is preferred. Let’s be clear on cost too: From the hundreds of customers I’ve spoken to, I’d guess that RDS infrastructure costs about one fifth to one tenth the cost of VDI to purchase and run. And it works great.
New desktops and apps (x86 & mobile) need a GPU. Unless you fancy racking server-side GPUs so your users can use IE9, recognize that Microsoft’s path is clear, and responds to user demands: rich graphical apps & “desktops” are here to stay. Deliver legacy 2D apps using TS/RDS, and let a rich client (x86 & mobile) with a GPU deliver what the user wants.
My recommendation: there’s enough discussion about the future of the desktop to argue for no change for now. Most enterprises use XenApp/TS. Continue. Grow the footprint. Consult vendors, industry analysts and solution vendors. I’d recommend you go down a TS/RDS path to deliver apps to iPads, thin clients and desktops. Use AppSense or RES to guarantee consistency (and more). Use TS/RDS with Win7 UI for users that need a remoted desktop. Meanwhile, figure out a plan for the 70-80% of users that will never use VDI, and start prototyping next-gen touch-enabled apps for your mobile clients. Let the VDI mess sort itself out, and look to Win8 (which my friends at Microsoft call a “VDI killer”) to discern the Microsoft strategy (yup, years away, but that’s fine).
And after all that, what about those pressing security challenges? Right, back to work…