What do leaky faucets, fragmented file systems and failed hard disks all have in common? We want to fix them! Desktop management is a problem that's felt keenly in IT departments everywhere. From security to supportability to regulatory compliance, there's clearly a need for improvements in desktop management. Today, a new technology -- virtual desktop infrastructure (VDI) -- offers a different way to fix that problem.
But is VDI the only solution? For many environments, it is possible to fix many desktop management hassles by using other approaches and practices. For the record, I certainly don't oppose the use of virtualization for desktop environments, and I think it most likely will find a useful role in many environments. However, in order to justify the costs and technology investments, it's worth understanding other options.
In this tip, I hope to demonstrate that VDI is not required in order to solve desktop-related security problems. In future installments, I will look at how VDI can be used to handle other desktop infrastructure issues and what alternatives to VDI may be.
Securing desktop data
Problem: Data stored on corporate desktop and notebook computers is vulnerable to theft or unauthorized access.
The VDI fix: By using VDI to physically store all of this data on virtual machine images in the data center, chances of data compromise are reduced. The reason is that sensitive data is never actually stored on a desktop or portable computer. If the system is lost or stolen, organizations don't have to worry about losing information since it is not stored on the local hard disk.
Alternative fixes: Securing data is a common challenge in all IT environments, and many solutions are available. Sensitive information, in general, should be stored in protected network locations. File servers should adhere to security standards to prevent unauthorized access or data loss. In this scenario, the most important data is already secured within the data center.
For protecting local copies of information, there are several hardware- and software-based solutions that can be used to encrypt the contents of desktop and notebook hard disks. An example is Windows Vista's BitLocker feature. Even with VDI, you would have the need to protect local copies of VMs for traveling users.
Problem: Backing up and restoring important data on client machines takes significant time and effort.
The VDI fix: When using VDI, all of the contents of the desktop and notebook computers are actually stored in the data center -- usually on dedicated storage arrays or network-based storage devices. Since all of the data is stored centrally, systems administrators can easily make backups of entire computer configurations, including the operating system, installed applications, data, and configuration settings. They no longer have to rely on network-based backup agents that require the computer to be powered on and accessible in order for the data to be copied.
Alternative fixes: Hardware failures or accidental data modifications on client-side computers are potential problems, but there are many backup-related solutions. I already mentioned the importance of storing critical files on data center servers. By using automated restore tools, users can quickly be restored to service, even after a complete hardware failure.
While VDI might seem to help in this area, when backing up entire VMs and virtual hard disks, you're actually protecting a lot of unnecessary information. For example, each virtual hard disk that is backed up will include the entire operating system and all of the installed program files. These types of files could be much more easily restored using installation media or by reverting to an image-based backup.
Users should understand the importance of storing information in network environments. File synchronization -- such as the Windows Offline Files feature -- can be used to automatically support traveling users.
Managing system updates
Problem: Systems administrators spend a lot of time keeping systems up-to-date with security updates and related patches.
Alternative fixes: The VDI approach still requires each user to have access to a single operating system. The OS itself must be secured, patched, and periodically maintained with other types of updates. Most vendors have tools for automatically deploying updates to large numbers of computers. These same methods can be used with or without VDI. In addition, features such as Network Access Control (NAC) can help ensure that only secure computers are able to access the network.
The VDI fix: Part of the challenge is in dealing with remote machines that must be connected to the network and be properly configured in order to be maintained. With VDI, guest OS images are located in the data center and can be accessed by systems administrators whether or not the VM is being used.
Consider all the options
VDI approaches can help increase security in many different situations, but VDI is not the only option for meeting these needs. IT automation tools and practices can help address problems related to data protection, security of client-side data, and ensuring that network systems remain free of malware and other infections. When deciding how and when to deploy VDI, keep in mind the alternative approaches.
About the author: Anil Desai is the author of numerous technical books focusing on the Windows Server Platform, Virtualization, Active Directory, SQL Server, and IT management. Most recently, he has written The Rational Guide to Managing Microsoft Virtual Server and The Rational Guide to Scripting Microsoft Virtual Server. He has made dozens of conference presentations at national events and is also a contributor to technical magazines.