
Virtual desktops ease management, security

VDI brings unique advantages to desktop computing in a world suddenly dominated by remote work.

Imagine moving the trading floor of one of the world's largest stock exchanges to your living room. Or maybe producing high-end animations for a Hollywood blockbuster from the back seat of your car. Or collaborating on the design of a new luxury-class automobile with a team of engineers scattered around the globe. And, even better, the work product in any of these scenarios never resides with you or any of your collaborators but remains secure and protected in one central location.

This is the remarkable world of virtual desktop infrastructure (VDI) computing.

With VDI, the user's operating system—probably Windows—and applications are running on a server. The user sees a PC that acts just as if the software were running on it, but the PC is running a client program that sends keystrokes and mouse movements to the server, which sends back data describing screen images.

This design offers so many unique advantages that it almost seems like it was specifically designed for the workforce challenges and enterprise needs of today.

VDI is efficient

One of the most operationally efficient aspects of VDI is that it automatically allocates the right amount of compute power to users based on their needs. VDI assigns users a profile based on general categories, or personas, that classify users by the typical amount of compute resources needed by users with similar responsibilities. In general, there are three persona profiles:

  • Task workers: Data-entry and call center workers and other users with modest compute needs
  • Knowledge users: Customer service groups and similar workers who require more compute power
  • Power users: High-end CAD, design engineering, film animation, trading floor, and other workers who need to manipulate content or data in real time

VDI allows enterprises to automatically distribute the right amount of compute resources from different servers, reducing the chance of overloading any one server in the event of a sudden surge in usage. It also enables the enterprise to move the compute resources to on-premises servers in situations where regulations or other needs require it.

In the case of power users, efficiency also means that expensive workstation costs can be shifted into more general-purpose server costs. Rather than buy expensive workstations for a team of engineers who only occasionally need their full power, a company can use VDI to get workstation-as-a-service power when needed. The fact that users are all running on the same servers also makes it easier to give them shared, consistent access to the same data. That means performance may improve in some ways, as teams of high-end users working on the same large datasets are running on the same servers, rather than on independent workstations.

The VDI market

Most customers get VDI through a small number of vendors and cloud services. The oldest provider in the business is Citrix Systems. VMware, with its Horizon solutions, is also a major market presence. Windows Server comes with Microsoft's Remote Desktop Services, and Microsoft also sells Windows Virtual Desktop on Azure. Many cloud and hosting services, such as Amazon Web Services, offer variations on VDI for both Windows and Linux clients.

These companies offer management facilities, some very sophisticated. In many cases, it is advantageous to exercise VDI management under broader cloud management tools, especially in complex, hybrid environments. Such systems, for example, can allow organizations to scale out from an on-premises VDI environment to a cloud-hosted VDI environment seamlessly and on demand.

Terminals vs. desktops

There are three ways to do VDI, and they balance a complex tradeoff between performance, security, and hardware resources.

The early generations of Windows terminal products did not support desktops in the VDI sense. Users logged into sessions on a shared server. (In fact, the first product of this type, Citrix MULTIUSER, was based on OS/2.) Because all users ran in the same instance of Windows, users running demanding applications—such as loading a very large spreadsheet—could hamper performance for other users.


The shift to virtual machines made this problem manageable. Each user is allocated a VM running the desktop version of Windows or Linux, or something very close to it. Administrators can use the hypervisor and management systems from the VDI vendor or third parties to control the resources allocated to groups or specific users.

Both VDI and terminals also allow for the delivery of specific applications, so the user has access only to that application and not the operating system generally.

In either model, the administrators have complete control over what software the users are allowed to run and what network connections they can make. But the VM model enhances security further by separating the users completely, so if a user's session is compromised in spite of the common controls, the attacker is unlikely to be able to reach other users.

Nevertheless, the terminal/shared server model can still make sense. In a large call center, where all the users are running a small number of heavily managed applications, a shared server is likely much more efficient than desktops running in VMs.

WFH is the new SOP

Serving applications to remote users was a use case even with the earliest Windows terminal systems, but the main drivers were for serving large numbers of users on a corporate LAN. In recent years, VDI as a general remote access method became more popular, and when the pandemic sent everyone home to work, the case for VDI became even more compelling.


In mid-March, Ford Motor Co. became the latest U.S. corporation to announce that it will allow more work from home after the pandemic runs its course. Ford's announcement is possibly the clearest evidence yet that the new normal of work from home (WFH) or hybrid work is here to stay. Ford joins tech giants Salesforce, Facebook, and Twitter in announcing shifts to a new business workplace model. All of these moves are consistent with employment data showing that job postings for remote positions doubled during the pandemic and continue to rise.

VDI is great for remote access

Management of BYOD workers in their homes through VDI is almost exactly like management of workers using corporate equipment through VDI in a secure facility. The vast majority of VDI's advantages, including security advantages, are the same in both cases. This alone makes it desirable as a remote access method.

Some wonder whether performance will be acceptable with complicated applications over relatively slow home broadband connections, but it's not generally an issue. Even for graphics-intensive applications like CAD, performance is good, because the only data moving between the server and client is keystrokes and mouse movements in one direction and changes in the screen image in the other, and you don't need much bandwidth for good performance on those. It's also possible to put GPUs in the servers to accelerate the graphics parts of applications, but this doesn't affect the low bandwidth requirements of the remote display interface.

Where audio is part of the connection, performance problems are possible, but some vendors can redirect audio and video connections so that the client system communicates directly with the other side of the conversation.

While VDI may require new spending on the server side, it enables savings on the client side. The hardware requirements for good performance of a VDI client are small and were easily satisfied by PCs many generations ago.

A final advantage of VDI is that it supports legacy applications for users whose hardware otherwise may not. Applications sensitive to particular versions of Windows, for example, need only run on the version deployed and managed by IT on the server, while the client can be a Windows PC, an Android phone, or an iPad. In the same way, VDI is noteworthy for allowing users to run applications from other platforms, such as Linux programs running on an iPad.

VDI maximizes security

The philosophy of zero trust is that no connection on a network should be considered safe. All connecting systems should have to prove who they are and that they have authorization.


This philosophy meets an extreme and real-world test with home computers used to access enterprise resources, a situation that has suddenly become quite common. Organizations that support only VDI for such users pass the test and validate the philosophy. VDI is an extremely simple mechanism that is easy to secure when compared with the alternatives.

All communications go through a single TCP port. The protocols are well defined and fairly simple. They are always encrypted in transit. This last point is one reason VPNs are superfluous for VDI users: VPNs are for trusted systems, not untrusted ones. VDI providers support dedicated gateways through which users connect and authenticate, using two-factor authentication, which should be required.

Even if a client PC were infected with malware, most of the usual attacks would yield nothing. In theory, because the client sends keystrokes and mouse movements and receives display descriptions, malware that captures this information could steal data and pass it on. But there are countermeasures. For instance, Citrix's app protection can block keylogging by encrypting keystrokes on the paths where they might be captured. It can also prevent screen scraping or screen capturing. As a reinforcement of this protection, it can "watermark" screens with the user's login ID—for instance, if someone were to use an outside camera to record the session—so that photographed screen images can be traced.

VDI also inherently enforces, at least to a high degree, data sovereignty. A user in one jurisdiction accessing systems in another jurisdiction doesn't actually download any potentially sensitive data, except to the extent that data is displayed on the screen. This last problem can be mitigated by measures like watermarking the screen.

VDI is mature

VDI products began appearing in the early 1990s and immediately solved big problems for corporate IT. They might have become the normal way to support desktop users. Whatever the reasons this didn't happen, things have changed.

The power of hybrid clouds to deploy resources and scale them rapidly—and the need to support large numbers of users on arbitrary, untrusted devices through arbitrary, untrusted connections—make VDI a more compelling solution than ever.

Lessons for leaders

  • VDI puts all the desktops in one physical location, making management more straightforward.
  • By centralizing so much, VDI simplifies many aspects of IT support, especially client-side support.
  • The attack surface of an enterprise desktop that runs on VDI is much smaller than that of a conventional desktop.

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.