No CIO is going to undertake a complex desktop virtualization infrastructure initiative just to equip mobile employees. But don't discount the possibilities here--a limited VDI deployment for workers who spend the most time outside the office, or who need special access, could get IT ready to move fast when vendors finally address some of the problems holding back the technology, including offline access and back-end stress on the data center.
Monical's Pizza, a chain of 63 restaurants based in Bradley, Ill., has deployed remote desktops on some systems but not company-wide, says Douglas Davis, information systems coordinator for the company. "We give remote Mac Home Folders to some of our users. This makes backing up easier, and if a system goes down, you simply replace it with a new machine and they're immediately up and running," Davis says. "It's the wave of the future."
We think a phased rollout like Monical's is the way to go. Mobility is the perpetual bane of IT. Security teams want data kept safe. Admins want device standardization and easy management. But employees demand access to e-mail, productivity, and other software tools from home, client sites, and hotels, on a range of hardware. And there's no stopping this wave.
IDC forecasts that the worldwide mobile worker population will pass the 1 billion mark this year and grow to nearly 1.2 billion people--more than a third of the world's workforce--by 2013. In 2008, the United States had the world's highest percentage of mobile workers, 72%, and it's expected to remain the most highly concentrated market, with 75% of the workforce--119.7 million workers--going mobile in 2013.
VDI provides valuable benefits to these road warriors and the IT pros who support them. Among those benefits: access to applications that can't leave the data center, such as software that hooks into a database of highly confidential or classified information, the contents of which can't be accessed offline for security reasons; an extension on the life span of legacy applications that aren't multiuser-enabled; a way to easily deploy applications that need operating systems other than Windows; and an end to the problem of a salesperson's laptop going south when she's 1,000 miles from headquarters and getting ready for a presentation--just check out a clean desktop image.
Despite these benefits, our July InformationWeek Analytics Desktop Virtualization Survey of 430 business technology professionals shows that IT, while interested, is cautious about the technology. About 42% of survey respondents have already deployed VDI or are in some stage of testing. An additional 35% are assessing the benefits. The main drivers are added security and an ability to issue less expensive devices. Inhibitors include uncertain costs/ROI and performance worries.
We've examined the technical and budgetary angles of VDI in past reports. Now let's approach the technology from the perspective of some business use cases for which VDI is tailor-made--legal, healthcare, and sales--and look at special challenges around various access devices.
Taking It To The Next Level
VDI is maturing into a reliable way for IT to maintain security and manageability while accommodating employees' needs. It's not all the way there, but we found some early adopters that are pushing the envelope. The most important takeaway from these trailblazers: Proper planning can mean the difference between a successful VDI deployment and a mobile workforce rising up in revolt.
Considerations include provisioning for adequate performance and a plan to avoid desktop image sprawl. IT is thinking about performance; in our InformationWeek Analytics 2010 WAN Optimization Survey, for example, when we asked about the file types respondents expect to transfer across the WAN, nearly one in three of those using or evaluating WAN optimization cited VDI images.
Use Case: Legal
"The beauty of our current mobile environment is that it's available to users as long as the browser works," says Andy Jurczyk, CIO at law firm Sonnenschein Nath & Rosenthal LLP. Jurczyk says the firm's users commonly connect from two or even three different devices. About 1,000 of its 1,800 employees in 13 offices in the United States and Europe access mobile virtual desktops. Complete rollout of VDI across the enterprise is expected by year's end. Sonnenschein built what it calls "Follow Me PC" to virtualize desktops and applications in the data center and make the interface available from a browser on any device--PC, Mac, iPad, BlackBerry, or iPhone.
The firm is currently on version 2.0 of Follow Me PC, based on Citrix's XenDesktop and run in a private cloud. Citrix's Receiver client is used to deliver desktops and applications as an on-demand service. Jurczyk says the technology enables the firm's employees to better serve clients by facilitating secure access to intellectual capital, internal documents, processes, and collaboration and communication tools.
Sonnenschein's practitioners access their virtual desktops from home via Cisco 871 Integrated Services Routers that deliver firewall, VPN, and wireless LAN capabilities at broadband speeds. The company also deployed VoIP phones that let users access their work telephone extensions remotely. Once employees connect to the corporate network through a secure VPN tunnel, they're issued desktop images that include the operating system and all applications encapsulated in a Citrix Desktop Viewer.
Remote application access is clearly a huge benefit of VDI, but that can also be realized through conventional terminal services via XenApp or Microsoft Remote Desktop Services. However, there's a major drawback to traditional application streaming: If you're not connected to the internal LAN when accessing a streamed application, then you don't have access to internal network storage--and no one wants to lose a few hours of an attorney's work. By forcing users to access applications inside the virtual desktop, IT is also able to force the use of network storage, which has major benefits for companies that need to keep a tight lid on sensitive data.
In addition, the law firm hosts a private cloud to assure security, continuity, and availability. Data storage, which is important to both Sonnenschein and its clients, is cloud-based as well.
Use Case: Healthcare
Nonprofit healthcare provider Broward Health, based in Fort Lauderdale, Fla., deployed Citrix's XenDesktop two years ago as part of an upgrade to its aging infrastructure. Broward is one of the 10 largest public healthcare systems in the nation, with a community that includes four medical centers and 32 clinics accounting for about 7,000 desktops. Peter Barnick, consulting systems analyst at Broward Health, says about 450 employees require remote access to virtual desktops.
IT supports Dell Latitude D630 and E5400 laptops as well as Hewlett-Packard Elitebook 2740p machines, all with full-disk encryption. Users access their desktops using Internet Explorer 7, the latest version certified for the healthcare system's applications, and a secure VPN connection. IE 8 is being tested, with rollout scheduled for October.
Although Broward Health doesn't officially support Apple's iPad and iPhone 4, some physicians are showing up with them, and a few departments are asking IT to support applications on netbooks rather than laptops. Patient privacy regulations and corporate policy mean the healthcare provider sets strict limits on remote access, however. Barnick is taming the "bring your own iThing to work" movement by automatically vetting devices that attempt to connect to the network and blocking those that don't meet the organization's requirements.
Health Insurance Portability and Accountability Act rules don't specify which devices or technologies can access sensitive patient data; they just require that the data itself be secured, and when shared, it must be over an encrypted link. VDI inherently meets both requirements, regardless of the device the VDI session is accessed on. Moreover, healthcare and education are sectors notorious for running legacy applications into the ground, so VDI is a godsend when there are specialized apps that must be supported and that can't natively run on an iPad or a 64-bit OS--remember, Windows 7 64-bit can't run 16-bit apps.
Digital imaging, as for X-rays, presents storage, processing, and bandwidth challenges. While VDI isn't great at rendering the fast-moving graphics you'd see in computer games, it's fine for high-resolution, static digital images. That allows hospitals to deploy less expensive thin clients on the floor that can be used to access the processing power of a hypervisor serving VDI sessions.
Network latency was an issue at Broward Health before the infrastructure overhaul that included VDI. "Many of the features that we're implementing today require fast, high-volume access," Barnick says, referring to image files used by radiology and MRI and CT scans accessed by medical staff. At the same time, the overall volume of data transmitted has increased, so the organization operates a robust fiber-optic infrastructure.
Use Case: Sales
At Iland, a cloud computing infrastructure provider in Houston, IT uses thin clients to do administrative tasks, while the sales team and senior executives use iPads at trade shows and client meetings to access pricing sheets and other product data. The company also supports Android devices and iPhones. It runs VMware View 4 on the back end and PocketCloud from Wyse Technology on mobile devices.
"Before Iland implemented VDI, users would travel with laptops running some of their applications," says CTO Justin Giardina. Now, a central desktop image is presented. Not only are current users satisfied with the virtual desktop image, Giardina says, but mobile VDI is taking off as word-of-mouth testimonials make their way around the office. That's not uncommon because, unlike with older thin-client setups, today's VDI systems let users customize their virtual desktops beyond what's provided by the base image.
Of course, nothing is more embarrassing than having your system crash during a demo--just ask Steve Jobs. Fortunately, our testing shows bandwidth isn't usually an issue. "In my lab setup, Office apps perform quite well, even over low-bandwidth and high-latency links," says Randy George, an InformationWeek and Network Computing contributor. "In fact, even up to 200-millisecond ping times, I was able to run Office at a more-than-acceptable level of performance."
Meantime, vendors are improving what was--until recently--lackluster delivery of graphics on virtual desktops via improved rendering technologies, such as Citrix HDX and VMware View 4. HDX delivers a high-definition virtual desktop for graphics-intensive applications to be run through a VDI session by providing network and performance optimization. VMware View 4 similarly offers improved display delivery, via the PC-over-IP protocol, that dynamically detects and adapts to the end user's network connection.
Another reason to launch a VDI trial is the onslaught of varied devices needing access to corporate apps and data. Why would mobile workers choose to lug around a relatively heavy laptop when the network is as easily accessible from a netbook, tablet, or smartphone? In fact, they won't--and anyway, companies are (or should be) growing weary of the fat-client upgrade treadmill.
In our most recent InformationWeek Analytics End User Device Management Survey, desktops still held the top spot. But with VDI, an enterprise could dispense with $1,000 desktops or laptops and pay $279 to $499 for a thinner device with native 3G connectivity. Multiply those numbers by several hundred or thousand workstations, and you're talking real money. VDI does carry back-end costs for software, servers, and storage, but economies of scale around using an existing data center could still present a good TCO scenario.
A recent survey by Citrix showed 80% of its customers plan to use Apple's iPad for business, and 84% of those organizations will support employees' personal iPads. And in our End User Device Survey, cell and smartphones came in right behind desktops and laptops among our 558 respondents.
One caveat: A keyboard and monitor are vital to a good user experience when using a smartphone as a VDI client. "Users can access the virtual desktop without these accessories, but it's not very functional to try to put a desktop on the screen of an iPhone," says Elias Khnaser, practice manager at Artemis Technology, a systems integration firm. Using the iPad's Bluetooth 2.1 + EDR technology, users can opt to connect a standard wireless keyboard to tablets as well.
Smartphone manufacturers see the potential of selling devices as thin-client nodes for VDI. In the next few years, many intend to add HDMI ports for connectivity to flat-screen TV monitors; that and a wireless keyboard coupled with 4G network access will turn the smartphone into a road warrior's dream, says Khnaser.
On the desktop, Citrix, Microsoft, and VMware all offer bundled remote clients that let systems running Windows, Mac OS, or Linux call up a terminal-like session on a remote host machine.
In fact, form factor shouldn't matter: VDI clients are available for iPads, netbooks, desktops, laptops, and smartphones running Microsoft, Apple, or Android operating systems. And enterprise-class, secure VPN connectivity is available for a broad range of devices. Cisco and Juniper Networks, for example, offer VPNs that support Apple's iPhone and iPad.
What does matter, according to our Desktop Virtualization Survey: security and ubiquitous access.
Lock It Up
The security benefits of VDI look highly attractive compared with releasing into the wild a laptop holding enterprise data on its hard drive. But even with VDI, there are security concerns around mobility. By default, you just need credentials and the VDI portal URL to access a virtual desktop. If a user's credentials are compromised, then you have a problem. By requiring a trusted digital certificate to be installed on any system accessing VDI sessions, IT can ensure that the person accessing the virtual desktop is doing so from a trusted device.
Sonnenschein's Jurczyk is adamant that out-of-the-box security isn't enough for his law firm's virtual desktops. The firm created its own custom security certificate that's loaded on employee devices and, once applied, manages password strength, time-out, automatic wipe on a determined number of tries, secure wireless access, and additional VPN security. IT also enforces company policies to comply with both U.S. and European regulations.
With the physical device decoupled from the virtual desktop, maintenance and security management are controlled from the data center, simplifying updates and patching as well as improving compliance and control of auditable data. But companies using fat-client endpoints will still be vulnerable to losing data if end users are allowed to store files on their local drives. In this case, you will need to deploy endpoint security software. A policy regulating file storage is helpful, too.
Security experts also advise encrypting data through an SSL VPN tunnel and requiring two-factor authentication to ensure only authorized users access virtual desktops. In the event that a device is lost or stolen or an employee is terminated, some VDI vendors offer the ability to remotely wipe, kill, or lock a device, as long as it's connected to the network--a must-have security feature.
Offline, Off The Radar
For many companies assessing VDI, the model falls short the minute the network is unavailable, since the client desktop resides on the server. Twenty-seven percent of respondents to our Desktop Virtualization Survey cited "users need the ability to work while disconnected from the network" as a reason for not adopting VDI. And some features, like the client kill option referenced above, require network access.
Sonnenschein's Jurczyk says that Follow Me PC 3.0, which will include the yet-to-be-released XenClient bare-metal hypervisor, will be an answer to that problem. XenClient, expected by year's end, is an offline version of XenDesktop that solves the problem of needing network access in order to run a VDI session by letting users download their virtual desktops off the server and work locally. VMware View 4 also offers an experimental offline desktop that lets IT shops run a managed virtual desktop locally. Existing policies for the virtual desktop continue to be applied and enforced. Later, the desktop is checked back into the data center for resynchronization.
Once XenClient is in place, "we'll be able to do everything we do today, in a disconnected state," Jurczyk says. Sonnenschein's users are productive while offline, such as when traveling on an airplane, because the firm provides laptop users with local applications. Overall, the firm thinks the benefits of a virtual desktop for traveling practitioners outweigh the shortcomings.
Still, vendors realize that for most companies, offline access is a roadblock, and they're scrambling to address it. Companies such as MokaFive, Virtual Computer, VMware, and Wanova offer specialized offline virtual client-side desktops.
The popular MokaFive LivePC, for example, lets employees download virtual desktop images and run them locally on a PC or Mac. MokaFive LivePC addresses the security problem by checking into a policy server when an Internet connection becomes available. Any change in employee status that affects virtual desktop access can be enforced immediately, including a complete remote wipe of any virtual desktops downloaded by the client. IT retains control of the virtual desktops via policies for security, access control, peripheral usage, personalization, and network configuration, says Purnima Padmanabhan, VP of products at MokaFive. The product suite also lets IT administrators remotely terminate LivePC on a device if it's lost or stolen.
Looking ahead, there's consensus among industry watchers that in as little as five years, current barriers to VDI adoption--including the inability to work offline--will be overcome. Telecom companies worldwide are upgrading their networks--3G followed by 4G will be ubiquitous, and there simply won't be any offline. At the same time, expect Wi-Fi hotspots to become more prevalent across cities and towns, stores, and modes of transportation.
Still, for now, some IT pros see current VDI solutions for the offline problem as insufficient--and reason for employees to push back. Ultimately, it's up to each company to assess the needs of its mobile workforce, understand the limitations of offline access, and decide if VDI is right for them.
But don't hold back too long. This technology has the potential to be as powerful a game changer as server virtualization has been. It's all about how we choose to manage our desktops, and the quality of the experience we want to deliver to end users. Consider arming your mobile workers with this new breed of thin client--before competitors outflank you.