Recently I was contacted by a journalist whom I speak to fairly often, and this person asked me to provide some insight into Shawn Bass’s blog series on how VDI isn’t secure. It took me a long time to write the reply because there was a lot to discuss, and after spending all that time I felt my reply should go up as a blog post, so here it is with very little edited.
I read Shawn Bass’s blog last night, and I do agree with him on his major point: VDI is no more secure than physical PCs. (I agree because in the end both are running the Windows OS, which is equally secure whether it is virtual or physical.)
I do disagree with some of the minor points, such as this one:
Whole disk encryption products have been out for years now and given that a majority of federal, state, local governments require disk encryption on endpoint systems this is becoming less and less likely as a vehicle for loss of data when an endpoint is lost/stolen.
I disagree that data can be secure at the endpoint device. If there is anything I learned in my college courses, it’s that security is an illusion. No matter how hard you try to secure something, there is always something that makes it insecure. Encryption products only delay the inevitable. It’s this belief that makes me say there is a big difference between not having the data at the endpoint and having it there, regardless of encryption. This means I believe verticals that are very data sensitive (health care with PHI) are better off with an SHVD or SBC solution that keeps the data off the endpoint device.
As far as Shawn’s point about securing the data in the datacenter, and protecting it from things like Dropbox, I think he is spot on; this is very difficult. However, I do think he is missing something here too: this argument has nothing to do with physical versus virtual desktops. The data in the datacenter is difficult to protect, and that’s a problem in both worlds. The issue with physical PCs is that not only do you have to protect the data in the datacenter, you also have to protect it at the endpoint. SHVD/SBC eliminates the need to protect it in two locations. But again, Shawn is right, it’s extremely difficult to protect this data.
I also think there is less risk in protecting the datacenter: these areas are under surveillance and in protected rooms, so the chances of something being stolen are very low compared to a desktop. So virtual desktops do provide better physical security than physical desktops, but that’s just layer 1.
The underlying issue Shawn is getting at is that it’s VERY difficult to secure yourself against users who rightfully have access to things and break the rules. In my background in health care, we couldn’t stop doctors/nurses from looking at records they had no business looking at, but we could track it. With employees, this is really your only defense: track and punish the offending user.
I also feel Shawn is missing part of the live data argument. In an SBC/SHVD world, the data doesn’t cross the network except within the datacenter. What is sent to the endpoint is just screen updates, which could be argued to contain data (but it’s going to be very limited) compared to, say, an ODBC query running across a VPN; in that scenario the data sent over the link is a full query response (i.e. real data). But to Shawn’s credit, he does say that SHVD/SBC “may” improve this; I would just go a step further and say it “does” improve it.
Overall I very much agree with Shawn, I just pick at some of the finer points.
Now to answer your questions (these are the questions I was asked in the journalist’s email to me):
How are VDI-based virtual desktops better than PCs?
- Management. They are easier to manage. This is what the vendors push, and this is what I talk about often. I can have thousands of desktops run off a single central image. Other products can do this, but SHVD works in more use cases.
- Performance. In many cases performance can be improved using a virtual desktop. Poorly written apps that send large amounts of data to a remote user over a VPN can see a significant boost in performance when running on a gigabit network (on the back end) and then remotely accessed. This is true for both SBC and SHVD. Also, utilizing technologies like Atlantis ILIO makes it possible to have VMs that boot in seconds, not minutes. I have a health care client that cites poor desktop performance as a patient safety issue. I like how that client thinks.
- Follow-me desktop. This is one of the benefits of SBC/SHVD: the ability to have your desktop follow you anywhere, be it a tablet, desktop, or TV. You could argue that laptops do this too, and you’d be right, but doing it with follow-me desktop technologies means I don’t have to carry one particular device with me; any device is my access point.
I want to switch gears. You are casting me as the VDI protagonist, but I’d like to flip it around. There are a lot of reasons not to use SHVD.
- Cost. Need I say more? It’s expensive, and you tend to only see the benefits in OPEX, not CAPEX. A major change in storage architecture could change this story, so I tend to praise any vendor that brings storage into the hypervisor host.
- Other technologies that would do a better job. For instance, SBC would be better suited to deliver an application to a tablet than an SHVD desktop. Provisioning technologies like Citrix Provisioning Server, Wyse Streaming Manager, and VMware Wanova would be better suited to solve the management complexity of physical desktops without the need to build out a huge SHVD solution. This is especially true for environments that have already upgraded their physical PCs to Windows 7, so they have good hardware but still have major management complexities.
- Expertise. SHVD isn’t simple, and at scale it requires some pretty sharp IT staff to keep it running. Thankfully technologies like Citrix’s VDI-in-a-Box, Nutanix, and others are working to simplify this complexity.
My stance is that you use whatever technology makes sense, and try to ignore all the negativity that is out there. PCs still make a lot of sense, and so do SHVD, SBC, and disk streaming technologies. They each have their place, and they each solve a problem. No single technology is going to replace the need for all other technologies (at least not yet). I think VMware’s stance with Wanova further backs up this point, and what I just said could also be used to define what Citrix calls FlexCast, so they too stand by that philosophy.