
Monthly Archives: February 2013

Virtual Desktops…A Dead-end Solution? (Part 2)

by Christopher Janoch

In my previous blog post, I stated my opinion that a virtual desktop system was not an ideal future computing environment:

“The thing that our IT departments and service centers need to realize is that the desired destination is access to applications and data, not Microsoft operating systems. A Windows desktop environment is nothing more than an application delivery system. The true workspace of the future involves the decoupling of applications and data from the device environment, and we are already seeing it in action, TODAY.”

For the majority of my clients, this shift in focus has dramatic ramifications for strategies of security, access and compliance. New strategies are needed to ensure security and compliance in the modern virtual workplace.

User Access and Controls
With the universal acceptance of the Microsoft desktop environment came the strategy of treating this access point as the only secure gateway into the corporate systems. Security solutions for identity authentication, anti-virus/malware protection, intrusion detection and data security were based upon the lockdown, monitoring and control of the Microsoft OS. The shift of user behavior away from the desktop environment is quickly rendering these systems obsolete and ineffective. To secure a virtual workplace environment, access controls must be policy-based and tied to the identity verification of the end user regardless of device, access point or operating environment.

In addition, most end user environments are inadvertently compromised by bad behavior on the part of the user:
• Downloading software that contains a virus or Trojan horse
• Inserting a removable storage device that contains a virus or Trojan horse
• Opening a document infected with a virus
• Visiting a compromised Web site or running a compromised SaaS application

For many of these situations, isolation from a desktop environment or the implementation of a disposable, stateless desktop environment can render this vector harmless. In the event of an infection, the user simply has to disconnect and the compromised environment can be discarded.

Security Agents
Security strategies for virtual end user environments are often at odds with performance and capacity management strategies. Locally installed and operating agents generally increase security, but can adversely affect the performance of each individual virtual desktop or application. In a pooled resource environment, this will greatly affect performance of the platform overall. Wherever possible, the preferred strategy should be to use network-level or hypervisor-level agents in place of locally installed agents. If that cannot be achieved, then at a minimum agent scans, updates, and other operations should be staggered to decrease the additive performance impact on the service delivery system.
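One way to stagger agent scans across a pool, shown as an added example (not VMware tooling and not part of the original post): desktops that share a hypervisor host are spread round-robin over the non-overlapping slots of a maintenance window. The desktop and host names, the window and the fixed scan duration are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample inventory: (virtual desktop, hypervisor host it runs on).
SAMPLE = [(f"vdi-a-{i:02d}", "esx-a") for i in range(1, 6)] + \
         [(f"vdi-b-{i:02d}", "esx-b") for i in range(1, 4)]
WINDOW_START = datetime(2013, 2, 1, 2, 0)  # constructed maintenance window start


def stagger_scans(desktops, window_start, window_minutes, scan_minutes):
    """Assign each desktop a scan start so desktops sharing a host are
    spread round-robin over the non-overlapping slots in the window."""
    slots = max(1, window_minutes // scan_minutes)
    by_host = defaultdict(list)
    for name, host in desktops:
        by_host[host].append(name)
    schedule = {}
    for names in by_host.values():
        for i, name in enumerate(sorted(names)):  # sorted => stable across runs
            offset = (i % slots) * scan_minutes
            schedule[name] = window_start + timedelta(minutes=offset)
    return schedule


def peak_concurrency(desktops, schedule):
    """Highest number of scans starting in the same slot, per host.
    Slots do not overlap, so this is the peak simultaneous scan count."""
    per_slot = Counter((host, schedule[name]) for name, host in desktops)
    peak = defaultdict(int)
    for (host, _start), count in per_slot.items():
        peak[host] = max(peak[host], count)
    return dict(peak)


if __name__ == "__main__":
    plan = stagger_scans(SAMPLE, WINDOW_START, window_minutes=120, scan_minutes=30)
    for name, start in sorted(plan.items()):
        print(name, start.strftime("%H:%M"))
    print("peak scans per host:", peak_concurrency(SAMPLE, plan))
```

With five desktops on one host and four 30-minute slots, the peak drops from five simultaneous scans to two; a window shorter than one scan collapses to a single slot, which the peak check makes visible.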

Remote Access
Today, nearly all of my clients have an extensive system of external firewalls in place, and rely upon secure VPN tunnels to remotely access internal infrastructure. While this traditional method is secure and reliable, it can be very costly to scale and tedious to coordinate client installation and configurations when used in a hosted or extranet environment. Also, with VPN technology, if the user’s end point device becomes infected, then the corporate LAN can be exposed to whatever malware has compromised the user’s device. External access through a secure remoting protocol from a desktop or tablet can be far more secure than putting that same device on the corporate LAN via VPN technology. With the PCoIP technology in VMware Horizon View for example, the risk and attack surface is greatly minimized, since access is limited to a remote graphics protocol over a dedicated, signed and secured channel.

Secured Access through Security Server Proxy (VMware Horizon View)

External access can also be offered and secured in a similar way by connecting through a secured tunnel to an end user access portal for direct access to streamed, packaged and SaaS-based applications and services. Two-factor authentication using a service such as RADIUS should also be employed as an additional layer of security. Relying on both a password and a unique token code can prevent intrusions should the password be compromised (and can offer a secure method allowing the user to change or reset a forgotten password).

Secured User Portal (VMware Horizon Workspace)

Today, many traditional security policies are created and enforced at the operating system layer, which confines an end user’s access to services and applications to the Windows desktop. By beginning today to shift the compliance and security policies away from the desktop environment, environments will be better prepared for alternate types of end user access. The VMware Horizon suite of products can streamline and simplify operations by turning disparate operating systems, applications and data into centralized services that can be easily provisioned, managed and delivered to end users, with policy-driven access and delivery that safeguards vital data and ensures compliance.

Christopher Janoch is a business solutions architect for VMware Accelerate Advisory Services. Follow him on Twitter @cjanoch

VMware Accelerate Advisory Services can help you define your end user computing strategy through balanced transformation plans across people, process and technology. Visit our Web site to learn more about our offerings, or reach out to us today at: accelerate@vmware.com for more information.

Would you like to continue this conversation with your C-level executive peers? Join our exclusive CxO Corner Facebook page for access to hundreds of verified CxOs sharing ideas around IT Transformation right now by going to CxO Corner and clicking “ask to join group.”

Virtual Desktops…A Dead-end Solution? (Part 1)

by Christopher Janoch

While giving a presentation on VMware end user computing at a client last week, I was challenged by the CIO who stated: “I don’t believe that virtual desktops are a viable solution for more than 20 percent of my workforce.” Frankly, I couldn’t agree more!

While there are several use cases that can be answered by a virtualized Windows desktop environment (such as overseas development, call centers, or help desk support), the idea that virtual desktop infrastructure (VDI) is the ultimate solution to end user computing is a naive one rooted in the past. Today’s workers require agility and flexibility – broad access to corporate services, applications and documents from a variety of devices and locations, in a secure and manageable environment.

Speaking as a road warrior myself, I find that much of my work today can be successfully performed using a light-weight tablet – as opposed to my heavier Windows laptop complete with spare batteries, cables and accessories. And when I purchased my tablet, I chose it for the simplicity, stability and flexibility that comes with a hardened OS and standardized user interface. It defeats the purpose for me to remotely access a virtual Windows desktop and utilize an imaginary mouse to access the services and data I need to work with.

So what do our end users really desire in a modern computing environment? Access to all applications, services and data; from anywhere at any time; securely and reliably; using whatever device they choose – in that device’s native format. Simple to say – not that simple to deliver.

The thing that our IT departments and service centers need to realize is that the desired destination is access to applications and data, not Microsoft operating systems. A Windows desktop environment is nothing more than an application delivery system. As such, it can and should be replaced as soon as a better delivery system can be provided. The key to the future is cloud-based apps, SaaS-based apps, self-contained apps and virtualized apps that are OS, platform and device agnostic. The true workspace of the future involves the decoupling of applications and data from the device environment, and we are already seeing it in action, TODAY.

VMware and EMC’s new venture, the Pivotal Initiative, promises to unify EMC’s Greenplum, VMware’s vFabric (including Spring and Gemfire), Cloud Foundry and Cetas organizations to deliver the tools necessary to design new enterprise applications and services for this brave new environment. And VMware Horizon Workspace (part of VMware’s announcement today of the VMware Horizon Suite, a comprehensive platform for workforce mobility) is an ideal broker to centralize, simplify, standardize and secure access to all of these disparate applications, data and services from any device, at any time, anywhere.

I can almost hear my CIO bring the conversation back to today’s reality: “…Corporations today have thousands of business critical applications—the majority of them vendor-supported—that need to be delivered, provisioned and managed. How should we best manage those today?”

It is true that the majority of our legacy applications and data storage methods are tied to the rigid and complex architecture of yesterday’s PC-centric environment, and that without the Microsoft OS delivery system most will not function in their present form. For these, a virtualized Microsoft desktop environment would best suffice, if employed in a manner best suited to evolve towards the future. Even while pursuing a virtual desktop strategy, begin today to decouple the applications and data from the desktop computing environment.

VMware, a pioneer in virtualization, has helped millions of clients achieve radical CapEx and OpEx savings by abstracting software from hardware dependencies, pooling resources for efficient management, and simplifying access and provisioning process. The same strategies should be followed for the application stack of the end user computing environment.

VMware ThinApp technology can be used to encapsulate and abstract applications from operating system dependencies, to be accessed from a centralized location without any local OS dependencies. Used in combination with VMware Horizon View, a layered virtual desktop environment can be delivered to end users with applications, user profile data, and corporate data stored centrally and abstracted from the operating system.

Following the same “virtualization first” policies that were so successful for server virtualization, every user application, system and profile should be encapsulated, to accelerate future provisioning directly into VMware Horizon Workspace.

And what about the remaining workforce that the CIO was concerned about? Those currently using physical workstations today that may not be good candidates for a virtual desktop? The VMware Horizon Mirage solution extends the same layered, abstracted approach for applications and data to a physical desktop environment that still requires local hardware resources and accessories.

The critical concept to recognize is that a virtual desktop environment is not the promised evolution for end user computing – merely a stop-gap measure to move towards a device-agnostic virtual workspace environment. Employed strategically, however, with an eye towards desired goals, it will ensure that your transition to that future end user environment is successful. VMware Horizon is a comprehensive suite of products built from the ground up for a mobile and collaborative workforce. Together, these technologies enable IT to optimize their current environment while safely embracing innovation and emerging trends to maintain a productive workforce and secure business environment.

Christopher Janoch is a business solutions architect for VMware Accelerate Advisory Services. Follow him on Twitter @cjanoch


Is Your Organization Ready for the Software-Defined Data Center?

by Heman Smith

Infographics are great for providing clarity. As the one below illustrates, the role of IT workers is rapidly transforming — and IT executives are keen on building the optimum IT organizational structure for the software-defined data center (SDDC).

If you want an agile, business-responsive, service-driven IT organization, the role of IT must change from a reactive, rigid structure to one that is proactive, innovative and dynamic. The key to the success of this transformation to a SDDC is a symbiotic partnership between IT and the business, driven by executive leadership.

Accelerate Advisory Services consultants work collaboratively with customer stakeholders to assess their organization’s operational readiness against a cloud operational capability scale, which VMware has developed from years of experience with the technologies and processes of successful cloud computing. Looking at the organization’s IT operations from this cloud capabilities framework perspective, we gather information and data to provide our customers with actionable recommendations and financial guidance on their transformation to a SDDC.

When I work with customers, I review the core assumptions for successful IT operations in a cloud-driven world:
• IT needs to change in significant ways to achieve the capabilities needed for effective cloud operations.
• People and organization both need to adjust to reflect the faster pace, the new technologies and critical changes in processes.
• When IT becomes a service broker, its financial model fundamentally changes, and measurements are essential for success.
• Intentional, ITIL-type processes and control are no longer optional, but essential.
• The new, cloud-centric technology architecture delivers tremendous capability and requires more responsibility.

Accelerate consultants can help you undertake your transformation to the software-defined data center. Visit our Web site to learn more about our offerings, or reach out to us today at accelerate@vmware.com for more information.


Heman Smith is an operational capability consultant for VMware Accelerate Advisory Services. Follow him on Twitter @hemansmith