AUTHOR: Eric Ledyard
Much of our industry is focused on what is being called the "post-PC era" of desktop/mobile computing. Many vendors have approached this concept with technologies and solutions around desktop virtualization. While this is a very valid approach for a limited number of users at most organizations, in order to truly address the needs of users in the new world, we believe that the focus needs to be moved up to the application layer in order to address all use-cases. The first thought process that needs to be modified is that if we are going to be living in a post-PC era, we need to stop looking at technologies which only move the PC from a physical device to a virtual device and start looking at what a user truly needs to perform their function and build solutions that provide the best experience for them to do that.
In the new world order of end user computing, users will be accessing a combination of applications that are hosted internally, hosted externally, and will be relying on SaaS applications managed by third-party providers. They will also be accessing them from not just one device that is locked in their office but from multiple devices and multiple locations, thus driving the need for security policies and management tools that have the ability to understand where the user is and limit their access to their sensitive data based on their location and risk profile. They will also request that they have the ability to browse corporate applications and provision them automatically to themselves through a self-service portal.
These requirements are typically the reason that desktop virtualization projects fail. As companies move to try to envision what their users will need in the future, they then try to provide these services while still using a PC mentality and approach. What they find is that they cannot prove enough value to their organization to justify the monumental changes that would be required to virtualize their desktops. We are finding it more common that if you assess an organization and try to determine which use-cases will benefit from a strictly virtualized desktop solution, you will find that there are very few users at a corporation that would be able to use this solution.
VMware has taken a much different approach to these challenges and has found that in order to provide a true post-PC era solution, you have to break away from the desktop completely. In the following diagram, you can see the vision for what we are doing:
As you can see above, the concept is to provide universal, secure access to all the user-centric services of the organization whether those are full virtual desktop resources, social resources, app services (internal, external, SaaS), and data services from any device, anywhere. The real challenge of providing these services effectively is ensuring that the users are secure and that you have complete control over your data resources.
To address this challenge, VMware has created a solution in the form of many products that you may already be familiar with (VMware View, ThinApp, etc.) and then provided secure portal-based access through the creation of VMware Horizon Application Manager. I am extremely excited about the release of vHAM (and I love the name… we are looking for an acronym that would spell vBACON) and many folks do not fully understand why I love the concept so much. As is often the case, many people like to summarize new technologies and then make assumptions on how they work and what their value statement is based on something they know about another product in the marketplace. vHAM is far more than just a “single sign-on portal” as many folks describe it. In fact, it is a user-based self-service portal that will provide ubiquitous, secure access to all end-user services at an organization from any device. An example of what this looks like is below:
As you can see, a user logs in using only their Active Directory login information and they are then presented with a portal with all services that they have access to. If you look closely, some of these services are internal applications, some are hosted applications, some are virtual desktop services, and others are SaaS application services. The very interesting thing that many people do not realize (because it is so seamless and simple to use) is that each of these services is protected and abstracted by a layer of enhanced security that allows the IT organization to protect and manage their resources effectively across all of the services they provide.
The really cool thing about vHAM is that the only credential that I know, as the user, is my Active Directory or LDAP account. From that point, I have no idea what credentials are being used to authenticate me into the other applications. If I were to leave or if someone were to hack my Active Directory account information, they would still not have access to any of my end-user services. I also would not be able to get into any of the systems or SaaS applications remotely since I would never know what my login credentials were. This is a huge advantage for any security team and provides a ton of value in the new world of end-user services.
vHAM is still in its infancy at the time of writing this blog entry. Much of the advanced functionality that is planned is still guarded by NDA, but hopefully from the diagrams above you can see that the vision that VMware is working towards is extremely well thought-out and is very comprehensive. It is not merely a desktop virtualization strategy but is truly a platform for providing end-user services in the post-PC era.