VD-aye vs VD-why: A welcome review



I was invited by Chris Wolf to debate the necessity of VDI with Gunnar Berger at last week’s Gartner Catalyst Conference (a superb event, in the original Burton spirit), chaired by PQR’s Ruben Spruijt (co-creator of the de-facto standard Login VSI benchmark suite for VDI/SBC).

It’s been almost two years since I posted my (scandalous) blog that challenged vendors and customers to properly crystallize the value propositions for VDI by comparison with the much more widely deployed, less expensive and more scalable SBC (Remote Desktop Services). Although we agree on the key use cases for VDI, and its limitations, Gunnar (generously) took a pro-VDI stance (VD-aye) and I took a neutral stance (VD-why). The debate (Video, free Gartner login needed) offered us an opportunity to re-examine VDI in light of the considerable evolution of the technologies and market adoption over the last two years.

Gunnar (VD-aye) is (like all ex-Burton analysts) a hands-on technologist who knows his stuff. He has exhaustively explored the costs of VDI, both current and projected, based on the evolution of server, memory and storage technologies and Microsoft licensing. He is a staunch opponent of Microsoft’s VDA license requirement for virtual desktops, but recognizes that the license fee on its own ($100/user/year) is a small component in the still staggering costs of VDI on a per user basis, which are dominated by storage. He estimates current cost at just under $1000/user/year, and projects that with new flash-dominated storage technologies this price could fall by as much as $300 in the next few years. His analysis does not include IT or user training costs.

My position remains basically unchanged.  There are three core beliefs upon which I believe the adoption of VDI depends:

  1. Manageability: It is much easier to centrally manage a single golden image of the Windows desktop OS, and then automatically build user desktops (apps, personalization) from this.
  2. Many-ness: You can deliver a VDI-based Windows desktop to many end-points, including a work PC, an iPad and a home device.
  3. Security: Centralizing the desktop, apps and data makes the enterprise more secure.

But I contest all of these:

  1. You’d have sworn I said the Pope isn’t Catholic when I said “If your apps run on Windows 7, quit managing the OS – let Microsoft do it instead”. In other words, it’s time for IT to get out of the business of OS patching, as I have previously argued. Moreover, the only successful VDI deployments I’ve seen have all used dedicated desktops, not pooled. The assumption that rebuilding a desktop from a new golden image plus the user’s personalization gets rid of malware is false: a lot of malware uses the user profile to persist.
  2. Windows on an iPad is horrible. Use SBC instead to deliver the application (without the desktop). Moreover, delivering hosted apps or desktops to non-enterprise-owned PCs is not secure. Malware on the client can easily steal login credentials and any other data (including pixels) delivered to the device.
  3. The security arguments are over-inflated. As the community at BriForum 2012 agreed, a hosted virtual desktop is no more secure than a physical one. There may be compliance benefits associated with centralization of data, but what’s to stop your user emailing files from their VDI desktop to their Gmail account? Right – you still need DLP.

Net-net, there are some limited benefits of hosted virtual desktops, and of course there are some very good (and relatively niche) use-cases for them. But for the vast majority of enterprise users, VDI is not the answer. Instead it:

  • Is expensive by comparison with traditional endpoints; in particular the VDA CAL adds $100 per user per year. For the valid use cases for VDI, why not dedicate an instance of Windows Server to each user, and dress up the desktop to look like Windows 7?
  • Alienates users. Users just want stuff that works, not multiple different environments. Yes, you can force your users to BYO iPad with BYO network for their personal use. But that doesn’t improve security. An attacker going after your assets will attack the corporate desktop directly (browser in the VM, email attachment etc.).

My argument is this: The client computing world is undergoing massive change at present. Use RDS to deliver server-hosted Windows apps where necessary. Let Microsoft manage Windows updates wherever possible (they do an awesome job; it’s time you got out of the way). Finally, the industry’s most important security advances over the last 10 years are due to Microsoft. Windows 8 is 20x more secure than Windows XP. By the time you stand up a VDI farm the world will have moved on – a lot – and you’ll be further mired in expensive legacy computing approaches.

At the debate I asked Gunnar to wear a “VD-aye” T-shirt, which he generously agreed to do. On the back was the name “Dr Faustus”. The Faustian deal that IT organizations make with their users is this: “We will give you a VDI desktop. We understand it isn’t productive, powerful, secure or pretty. But if you accept this, we’ll let you use your own Mac” (and in many cases, IT will buy the Mac). The user quickly agrees (who wouldn’t?), uses a rich “BYO” client on which they enjoy admin privileges and an ability to install their own apps (what use is a Mac without iTunes?), and of course uses the Office suite to achieve full rich-client productivity, online and offline. IT turns a blind eye. It has done what is needed for compliance. And users are happy.

But, it’s not secure.  Not even slightly.
