I know what you’re thinking. Not a peep from Bromium in months and now here’s a blog about DaaS. What the heck are these guys doing over there? Well, as a person who’s lived and breathed the stuff nearly since its inception, I feel that there’s still a lot of misinformation out there about VDI – possibly resulting in detrimental strategic decisions, and DaaS is quickly rising to the top of that information entropy word cloud. So let’s talk about the scope of this blog: I’m not going to write so much about VDwhy here; Simon’s already done a pretty good job of it on our blog. The focus of this blog is VDIaaS – that is, the concept of a service provider offering remote Windows 7 desktops for a monthly fee.
We’ve all heard the pitch about how centralized desktops are easier to secure and administer than conventional ones. And in some cases they are. Those cases usually involve someone who has a fairly nominal workflow – they need Windows, Office, and maybe a CRM app, and a productivity app or two. They likely also don’t really need Windows 7. It’s my position that someone who truly is in a position to use a service-provider leased hosted desktop would more than likely be satisfied with Terminal Services desktops as a service rather than VDI desktops as a service. But I’m not going to write about that here – my former peer Calvin Hsu did a bang-up job talking about it on his blog.
You see, Terminal Services-based Windows Server desktops have an available Service Provider License Agreement. That is, if you started a company tomorrow and wanted to provide DaaS for $5 a month by delivering a Windows Server desktop skinned to look like a Windows 7 desktop, you could legally do it. But there is no SPLA for Windows 7, so it is illegal for service providers to deliver Windows 7 desktops as a service. This doesn’t mean that your company can’t pay a service provider to host your VDI desktops, it just means that you need to buy the licenses for those desktops yourself. The service provider can’t buy the licenses and rent them back to you.
Joe Matz, Corporate Vice President, Worldwide Licensing and Pricing at Microsoft recently posted a blog which I equate to a giant dancing human arrow pointing at an elephant in a small brightly lit room: Microsoft doesn’t want service providers delivering Windows 7 desktops as a service.
Up until that blog there was this sort of make-believe grey area in the VDIaaS arena. A hope that Microsoft would “come to its senses” and allow service providers to deliver VDI as a service. But no more.
Guise Bule, CEO of tuCloud was so upset about this that he wrote a manifesto about how Microsoft’s licensing actions are akin to a threat to national security (I’ll get to the security bit at the end). In this opus he also attacked TS desktops as follows:
“Stop calling them desktops, it’s false advertising at best and flat out lying to yourselves and to your customers at worst. If you really believe in your model then call your ‘desktops’ what they are, shared slices of server designed to trick the user into thinking they are using a desktop, yet you insist to your customers that they are Windows 7 desktops and try to disguise them as such.”
What could Microsoft possibly be thinking?
I believe Microsoft’s perspective on VDI is exactly this: hosted VDI desktops are no match for the rich local Windows 7 experience. If you want a throwaway desktop experience, go use Windows Server, but the Windows 7 experience is special. You probably know they have an index for it. They even capitalize the “E” in Experience. When users see the Windows Experience Index on their VDI desktops they are seeing a lie, because there is no guarantee that the user is actually experiencing the promised Experience. Just as Guise believes TS desktops aren’t “real”, Microsoft believes remotely hosted VDI desktops aren’t “real” without a mechanism to appropriately set the end-user’s expectations for the “Experience” they are about to experience. I think the only reason they support VDI in the first place is because someone convinced them that end-users would always be connecting to VDI over a LAN.
But what about the SMEs/SMBs who don’t want to have to worry about administration? Is it Microsoft’s intention to completely eliminate service providers from the Windows 7 delivery market? Nope. Hello Intune! If you are Microsoft and you dearly care about end-user experience, and the only way to ensure a predictable, positive end-user experience is to put Windows on the end-point, then you find a way for Windows 7 to be on the end-point but abstract all the management components such that a service provider could provide all the administrative capabilities while ensuring a positive end-user experience. If you really need a Windows 7 desktop, and you need it managed by a service provider, Intune is likely the way to go for your use case. Pricing is $11 per PC per month (much cheaper than $100 for VDA). Add Office 365 to that for as low as $4 a month. If you need more apps there’s always App-V.
Let’s dig deeper. As you may know, while at Citrix I was a big champion of using end-user experience at scale as the primary metric for VDI POCs. Desktops as workflows have very unique requirements in order to be provisioned as a cloud-based service, the net of which I feel makes most use cases untenable.
To begin with, VDI desktops have a very demanding IOPS requirement (input/output operations per second) which is very expensive to maintain in both public and private clouds. In the private cloud each random IO is a spindle head movement. With an average of 20 IOPS per desktop, the total random IO required of a SAN for 1,000 desktops is 20,000 IOPS. This translates to 300 spindle disks without accounting for RAID. With RAID 5 or 6, the number of disks required is 600-800 just to support the steady-state random IO coming from these 1,000 virtual desktops. While the hardware cost may be abstracted in the public cloud, the service cost could easily outweigh it: consider the going rate of $6 per IOPS per month; at 20 IOPS per desktop the cost of 1,000 desktops on a public cloud would be $120,000 per month! It stands to reason that even if we discount for the licensing limitations, the cost of ensuring an “as good as local” end-user experience for DaaS service providers would be immense and passed on to the customer. My experience has been that service providers tend to skirt these costs at the expense of their customers’ end-user experience, and economies of scale dictate that any cost savings in delivering VDI usually net a poor end-user experience.
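The sizing arithmetic above, as an added example that is not part of the original post: it reproduces the 300-spindle, 600-800-disk and $120,000/month figures and generalizes them with a RAID write-penalty factor. The per-spindle IOPS (20,000/300) and the one-third write fraction are assumptions chosen to match the post’s numbers, not values it states.

```python
from dataclasses import dataclass
from fractions import Fraction
from math import ceil

# Back-end IOs generated by one front-end write on each RAID level.
# RAID 5 = read data + read parity + write data + write parity.
RAID_WRITE_PENALTY = {"none": 1, "raid10": 2, "raid5": 4, "raid6": 6}


@dataclass(frozen=True)
class VdiStorageEstimate:
    frontend_iops: int          # what the desktops ask of the SAN
    backend_iops: int           # what the spindles must deliver after RAID
    spindles: int               # disks needed to sustain the steady state
    public_cloud_monthly_usd: int


def size_vdi_storage(
    desktops: int,
    iops_per_desktop: int = 20,
    write_fraction: Fraction = Fraction(1, 3),   # assumption, not from the post
    raid: str = "none",
    spindle_iops: Fraction = Fraction(20000, 300),  # assumption: ~67 IOPS/disk
    usd_per_iops_month: int = 6,
) -> VdiStorageEstimate:
    """Estimate spindle count and public-cloud IOPS cost for a VDI pool."""
    frontend = desktops * iops_per_desktop
    writes = frontend * write_fraction
    reads = frontend - writes
    # Only writes are amplified by the RAID penalty; reads hit one disk.
    backend = reads + writes * RAID_WRITE_PENALTY[raid]
    spindles = ceil(backend / spindle_iops)
    # Public-cloud providers bill the front-end IOPS, RAID is their problem.
    cost = frontend * usd_per_iops_month
    return VdiStorageEstimate(frontend, int(backend), spindles, cost)


def compare_raid_levels(desktops: int) -> dict[str, int]:
    """Spindle count per RAID level for the same desktop population."""
    return {level: size_vdi_storage(desktops, raid=level).spindles
            for level in RAID_WRITE_PENALTY}


if __name__ == "__main__":
    for level, disks in compare_raid_levels(1000).items():
        print(f"{level:>6}: {disks} spindles")
    print("cloud cost/month: $", size_vdi_storage(1000).public_cloud_monthly_usd)
```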
The notion of multi-tenant VDI desktop administration is a pipe dream. Enabling true multi-tenancy is close to impossible (read: unsupported by Microsoft, ridiculously expensive and complicated). The ability for a cloud tenant to have single-pane-of-glass visibility and control over the instances, data, and networks in their cloud-hosted solution certainly sounds appealing. In terms of a DaaS solution this would mean the desktops, the master images, patching, user data, networks, access policies, etc. would be available for multiple isolated virtual desktop silos. In addition, the multi-tenant management solution would need to have the ability to securely provide this level of access to multiple tenants. None of this functionality exists in any of the desktop virtualization offerings available today for VDI. Delivering multi-tenancy in a manner that wouldn’t negatively impact end-user experience seems unlikely.
Lastly: the security benefits of virtual desktops are overhyped. Persistent or not, every “war games” scenario I’ve seen with VDI ends with one of the virtual desktops getting compromised and the attacker gaining access to the datacenter subnet. Sure, one can try to add additional network layers between the virtual desktops and the infrastructure behind them, but the net of such exercises only serves to increase rather than decrease the attack surface. One needs to do a serious calculation of the benefit of zero data at the end point vs. the risk of putting desktops on your server subnet. Revisiting the “Experience” bit – VDI is basically just a desktop populated by whitelisted apps. Users will be productive at any cost, and so if they need to go outside of the “safe” VDI desktop to do their job, they’ll do it. The poor end-user experience endemic to VDIaaS is in itself a security threat because it drives users to look outside of VDI in search of productivity.