Dan Callahan, VP, Cloud Services, CGNET
I’ve been observing some events with our customers, as well as market trends, that make me wonder about the future of Virtual Desktop Infrastructure (VDI). I’m not an IT Manager—I sell and implement cloud-based services and do a bit of IT consulting—so I will look forward to hearing about this from those of you on the “front lines” in this respect. But I’m seeing what looks like a movement away from VDI.
First, a brief bit of history. The first instances of computing were client-server by default: the server was big, expensive and complicated to run. There was no “desktop” then, just a terminal used to communicate with the server. All applications and data were handled at the server end.
Enter the personal computer. Suddenly, the user hosted the whole experience—applications, OS and data. Over time, however, there was a resurgence of the idea that “clients” should be “thin” versus “thick” and a variety of client-server architectures and products emerged. Personal computers were expensive compared with workstations, and many users had relatively simple compute needs, for which a dedicated personal computer was not cost-effective.
Another character in this story was ‘The Bad Guy’—virus and malware creators seeking to gain access to organizational resources and data. Pushing data and information security out to users did not make any IT person comfortable. Charged with solving the information security problem, IT people turned to centralized information architectures that offered a single point of control.
A final part of the story has to do with user options for accessing computing resources. The cost and complexity of going out and obtaining your own computing resources meant that users had little option but to take the computing solution offered to them by IT. Ask any Macintosh user about those days.
But the world today looks much different than it did ten or twenty years ago. Most of us walk around with a device—a smartphone—capable of handling much of our computer work and able to reach the Internet from virtually anywhere. We conduct our work in a variety of locales, only some of which are behind a corporate firewall. We can often access and store company data outside the firewall.
What I’ve seen with some of the organizations I’ve worked with is that the difficulty of running VDI is being seen as not worth the effort, especially from a user access point of view. IT may still feel that it’s a good solution to balancing user access with information security. But users, frustrated with limits on data access and response times, are turning to other alternatives. They’re grabbing data and manipulating it outside the corporate environment, using devices they own and Internet-based services they’ve subscribed to. This data is now “in the wild,” where its security cannot be assured.
Maybe the causes of this user frustration are easy to fix; maybe they aren’t. Not being on the implementation side of VDI, I can’t say one way or the other. All I know is that at least three of my customers have moved off of VDI, citing ongoing implementation difficulties and a failure to adequately assure that information assets are secured.
I tend to believe this has more to do with user behavior and the emergence of compute options for users than it does with any technical or architectural issues. In politics, there is a notion of the “consent of the governed.” The state’s political legitimacy is rooted in the acknowledgement of that legitimacy by the people being governed. The corollary in IT is that users have to agree to use the tools provided by IT. IT’s “offer” is that they will supply the compute environment that meets the users’ needs (not to mention IT’s needs) and users will agree to use those tools. Increasingly, users are opting out of that deal. Need storage? Here’s a terabyte, for free. Need to author a document or crunch some numbers? Here are some free tools. For most anything that the user at one time depended on IT to provide, there is (as the saying goes) an app for that. It’s easy to suggest that IT can rein users back in by refusing to support devices and applications it didn’t supply. But that’s easier said than done.
Focusing on the information security question, what are the options for the IT Manager? I’d suggest the first choice is to do everything possible to make VDI work. If it’s a question of bandwidth, that can be fixed. If it’s a matter of training, providing better documentation for the user or other non-technology remedies, that is likely worth the effort.
The second option, even if the first option is valid, is to look at implementing a security approach that focuses on the information itself. I don’t see a lot of customers taking this on just yet, as it’s no small task. But approaches such as information rights management and data loss prevention acknowledge one growing reality: controlling information security by controlling where the information is stored seems like a fool’s errand. Like the horse that has left the barn in the famous phrase, once information lives outside the organization it’s a challenge to claw it back.
Who knows, maybe my observations about VDI are at one end of the distribution. But it’s worth asking, “Are my users getting what they want out of our VDI setup?” And it’s also worth realizing that users may have more options for getting their work done than you thought.