Call it one of the smartest bets in IT: Virtual desktop infrastructure technology can help most companies do business more securely and efficiently. Sure, there are exceptions, but you need to at least evaluate the benefits of VDI. So why are some CIOs hesitating? Top fears we hear involve cost, confusion about outsourcing options, and the potential for end-user revolt. But hey, no one ever hit it big by playing it safe.
One result of the recent economic downturn is a cultural shift in the way we do business. Companies willing to take risks and slash overhead while finding ways to maintain or even increase output are the ones that survive, maybe even thrive, when times are tough. In an effort to become recession-proof, CIOs are re-evaluating legacy systems and procedures, looking to identify ways to cut costs and increase productivity.
The resulting demand for more efficient and secure IT systems has created a perfect environment for virtualization to proliferate. In our recent InformationWeek Analytics Virtualization Management survey, one-third of the 391 business technology professionals polled said 75% or more of their companies' production servers would be virtualized by the end of 2011. Now, CIOs looking for the next round of efficiency gains must start investigating application, storage, and desktop virtualization. In our survey, 60% of respondents said they're using or evaluating VDI, and 8% of those have already deployed. The companies we work with in our practice confirm that, over the next few years, we'll see a steady increase in the number of organizations adopting desktop virtualization.
For IT teams considering VDI, our key piece of advice is that executive-level buy-in is critical. Your end users may not even realize you're virtualizing servers, but they'll be very aware of VDI. You need business leaders squarely behind the project. On a related note, be prepared to educate users about how VDI will benefit them; this is no place to skimp on communications and training. On the back end, take into account your IT staff's size and skill set when deciding which architectural model--in-house or cloud--and SLA level are best for your needs.
There's no one-size-fits-all approach: Any mix of applications and operating systems can be packaged and delivered to a range of end users. One exception is data- or CPU-intensive apps like CAD or Photoshop, but trust us, vendors are working on this.
Virtual desktops can be served up privately, from an on-premises data center, or in the cloud via a hosted model. And every day, more players deal themselves into the VDI game, broadening the range of verticals served and enabling technologies supported. For example, one of our clients, Mosaic Technologies, a managed network services provider, uses cloud-based VDI to deliver an electronic health records application on demand without any client-side configuration. Patient data is secure as it never leaves the cloud data center, and the service also features built-in telework and disaster recovery capabilities.
Time To Build
With business support in hand, the next step is to answer architectural and security questions. First, decide what service level you need and what your security posture must be.
Service level: Both in-house and outsourced VDI offer IT the ability to provision desktops and operating systems from a standard image. How fast you can react to problems and how flexibly you can adapt to changing business needs depend on the skill level of your IT group, or in a hosted situation, the service-level agreement you've negotiated.
As we discuss in our InformationWeek Analytics Cloud Contracts and SLAs report, cloud service providers typically have standard SLAs; they generally won't negotiate custom agreements unless there's significant money on the table, and as you turn the dial up on SLA penalties, be ready for the cloud service to get more expensive. Critical items to include in your SLA are recovery time objectives for systems, servers, and data. Service availability parameters also are an absolute must; the SLA should specify that you'll receive credits if the service is unavailable for any time beyond agreed-on terms. Response time limits within which technical support calls must be answered and issues solved also are critical.
Security: Protecting sensitive information is the top priority for most of us, and since the cloud is Internet-facing, security will be a concern for the foreseeable future. We've been tracking this phenomenon for a few years. More than half of the 547 business technology professionals who responded to our February 2009 InformationWeek Analytics Cloud Governance, Risk, and Compliance survey worried about security defects and loss of proprietary data. One year later, this dynamic still held true: In our February 2010 poll of 518 business technology professionals, security concerns again led the list of primary reasons not to use cloud services.
We hold a somewhat contrarian view. Top cloud providers take extreme measures to protect their interests. Strict authentication and auditing standards are complemented by multiple layers of physical and logical security. Does your company take similar steps to protect data from internal and external threats?
When deciding between on-premises and outsourced VDI, questions to ask include: Where is our data located? What sort of access will we have to apps and logs? And, what type of device protection is provided? In the cloud, data resides in a shared storage environment, segmented by volume and secured by host-based authentication. On-premises, IT also leverages a SAN or NAS, but the entire physical storage environment is private. Large cloud providers do offer dedicated hardware, for a price. Those subject to compliance mandates also must ask about geographic location. Both in the cloud and on-premises, granular application permissions should be in place to ensure authenticated users are served only relevant apps. It's much easier to limit application and data access when using VDI versus a traditional fat-client setup. In a hosted model, only the hosting provider has access to your VDI data records and logs. In most cases, you'll have almost no maintenance responsibility for your IT assets in the cloud, but you may specify in your contract that authorized individuals from your organization may review logs.
As for device protection, both on-premises and hosted VDI provide more layers of security than traditional desktops or portable devices, since all data and images reside in a data center. Users may be required to perform two-factor authentication to access hosted virtual desktops. In addition, the session is opened in a browser, which creates a tunnel through an SSL VPN so that data is encrypted in transit, adding another layer of protection. Some VDI vendors also offer a "remote kill" function to disable a virtual desktop in case of a lost device.
IT must do its part by requiring use of strong authentication methods, such as smartcards. At the data center, a firewall must protect the network, authenticating users with passwords or Active Directory IDs. In our rundown of eight top ROI considerations, we'll address the fact that with VDI, costs shift from maintaining fat clients to maintaining additional servers on the back end devoted to virtual desktop images. If your on-site data center is at or near capacity, that can be a strong argument in favor of going with VDI as a service.