Virtual Desktop Infrastructure Advisory - Mass.Gov

FROM:          Jason Snyder, Chief Technology Officer, Commonwealth of Massachusetts

DATE:          10-3-2011

RE:            Advisory Memorandum – VDI (Virtual Desktop Infrastructure)

The Commonwealth Chief Technology Officer is issuing this Advisory Memorandum in response
to questions raised about the use of “VDI” (Virtual Desktop Infrastructure) for
secretariat/agency deployment as an alternative to traditional PC desktop configurations.

VDI technology has matured to a point that allows it to offer many advantages to the
Commonwealth and can complement the emerging security approaches being adopted by
the Commonwealth Security Group. With the continuing need to lower costs and create
operational efficiencies, VDI’s ability to use inexpensive, longer refresh cycle “thin client”
hardware in place of standard desktop hardware can yield significant cost savings. VDI’s efficiencies
in desktop provisioning, OS versioning, patching, and application distribution/integration can
offer much to some of the IT organizations in the Commonwealth. As the growing use of remote
access and a variety of devices presents challenges to the Commonwealth, VDI offers many
secure ways to meet these challenges and boost productivity.

Based on preliminary testing, current industry practices, Commonwealth secretariat/agency
feedback, and business owner feedback, it is advised that secretariats/agencies take into
consideration the following key points when evaluating whether or not to deploy VDI:

Centralized Model

After review by both the technology and security offices in ITD, it has been determined
that the recommended approach for using VDI in the Commonwealth is the
“centralized model” methodology, which involves deploying a VDI solution that uses a
centralized server or servers attached to centralized data storage systems. The
“hosted model” of outsourced virtual desktop services is not yet mature enough to meet
the complex security and integration challenges faced by the Commonwealth at this time.
Use of the untethered or “remote model” would be cost prohibitive and inefficient when
considering the majority of the Commonwealth’s work

Dynamic “non-persistent” mode

After review by both the technology and security offices in ITD, it has also been
determined that the recommended mode for using VDI in the Commonwealth is a
solution that leverages “dynamic” or non-persistent mode. Dynamic mode makes use of
a master image of the desktop that is cloned for each user and then combined
with the user’s personal data (which is stored separately from the desktop) and
applications. Dynamic mode allows for efficiencies and cost savings in the back-end
infrastructure required to host a VDI solution, while preserving the end-user experience
from a variety of locations and device types. “Static” or persistent mode is
designed for a unique and diverse user base and uses a completely separate, unique image
per user. Static mode carries a lot of resource overhead in terms of storage and
bandwidth use and is not recommended. The TCO for “dynamic” mode is up to 11%
lower than the TCO of “static” mode.

Caveats and Concerns for VDI implementation:

- Bandwidth and protocol use.
  - WAN link bandwidth utilization should be analyzed before considering VDI to
    support a large number of remote sites.
  - Many VDI solutions offer special, efficient protocols such as PCoIP or ICA that
    optimize the end-user desktop experience when used instead of RDP. These
    protocols should be considered when looking at network topology and “thin
    client” hardware compatibility.
- High speed storage solutions are highly recommended for certain segments of VDI
  back-end infrastructure to optimize overall performance and end-user experience.
- Printing and USB device compatibility
  - Direct attach USB printers or “thumb drives” can be a challenge when trying to
    use VDI.
  - While centralized security lockdown of USB ports can be an advantage to some
    agencies, it may be a challenge to others.
  - Compatibility of certain encryption technologies for “thumb drives” can also be
    limited.
- Redundancy in the various layers of back-end infrastructure should be ramped up
  considerably when going from a pilot to a production environment. Reliance on
  connectivity and a centralized back-end infrastructure can lead to single points of
  failure that need to be mitigated wherever possible.
- ITD security is doing risk analysis now, but will need to integrate an Enterprise VPN
  approach that segregates VDI sessions appropriately. This is more secure than
  today’s approach, and will likely allow use of more types of devices in a secure manner.
- MS OS licensing can include additional connection fees when an Enterprise license is
  not in place. Typically, the subscription fee is $100 per year, per device. If there is
  an EA or “Software Assurance” in place, this fee can be waived for PCs, but not for
  thin clients.
- The initial cost of deploying a VDI solution properly can be high and might be
  prohibitive if the only motivation for a migration is TCO savings. According to
  Gartner: “The TCO benefits of VDI, however, have been in doubt in the past, as
  reductions in IT labor and end-user costs were often offset by the capital costs required
  to build the required back-end infrastructure.” Other motivations such as operating
  system upgrades, desktop/file-print server lease expirations, or business/operations
  needs should be part of the equation when considering VDI deployment.
- With Commonwealth IT consolidation, the decision was made for secretariats and
  agencies to maintain their own file and print environments. As VDI can potentially blur
  that line, questions remain regarding how VDI might be architected for the

As with any technology deployment, we recommend secretariats/agencies conduct thorough
testing of their own internal critical systems with any VDI solution before considering

In summary, ITD recommends secretariats/agencies deploying VDI technologies use:

- “Centralized Model” methodology.

- Dynamic “non-persistent” mode.

- A well architected solution and security approach that takes into account the many
  factors involved in deploying VDI in the Commonwealth.

- If any Secretariat or Agency wishes to pursue a VDI solution, they should contact the
  Commonwealth Chief Technology Office as ITD would like to partner on any such

Concerns regarding this advisory can be sent to:
