FROM: Jason Snyder, Chief Technology Officer, Commonwealth of Massachusetts
RE: Advisory Memorandum – VDI (Virtual Desktop Infrastructure)
The Commonwealth Chief Technology Officer is issuing this Advisory Memorandum in response to questions raised about the use of “VDI” (Virtual Desktop Infrastructure) for secretariat/agency deployment as an alternative to traditional PC desktop configurations.
VDI technology has matured to a point where it offers many advantages to the Commonwealth and can support the emerging security approaches being adopted by the Commonwealth Security Group. With the continuing need to lower costs and create operational efficiencies, VDI’s ability to use inexpensive, longer-refresh-cycle “thin client” hardware in place of standard desktop hardware can yield significant cost savings. VDI’s efficiencies in desktop provisioning, OS versioning, patching, and application distribution/integration can offer much to some of the IT organizations in the Commonwealth. As the growing use of remote access and the variety of end-user devices present challenges to the Commonwealth, VDI offers secure ways to meet these challenges and boost productivity.
Based on preliminary testing, current industry practices, Commonwealth secretariat/agency feedback, and business owner feedback, it is advised that secretariats/agencies take into consideration the following key points when evaluating whether or not to deploy VDI technologies.
“Centralized model” methodology
- After review by both the technology and security offices in ITD, it has been determined that the recommended approach for using VDI in the Commonwealth is the “centralized model”: a VDI solution that runs on a centralized server or servers attached to centralized data storage systems. The “hosted model” of outsourced virtual desktop services is not yet mature enough to meet the complex security and integration challenges faced by the Commonwealth. The untethered or “remote model” would be cost prohibitive and inefficient for the majority of the Commonwealth’s workforce.
Dynamic “non-persistent” mode
- After review by both the technology and security offices in ITD, it has also been determined that the recommended mode for using VDI in the Commonwealth is a solution that leverages “dynamic” or non-persistent mode. In dynamic mode, a master desktop image is cloned for each user at session start and then combined with the user’s personal data (stored separately from the desktop image) and applications. Dynamic mode allows efficiencies and cost savings in the back-end infrastructure required to host a VDI solution, while preserving the end-user experience across a variety of locations and device types. “Static” or persistent mode is designed for a unique and diverse user base and maintains a completely separate image per user. Static mode carries considerable resource overhead in storage and bandwidth and is not recommended. The TCO for “dynamic” mode is up to 11% lower than the TCO of “static” mode.
Caveats and Concerns for VDI implementation:
- Bandwidth and protocol use.
- WAN link bandwidth utilization should be analyzed before considering VDI to support a large amount of remote sites.
- Many VDI solutions offer specialized display protocols such as PCoIP or ICA that optimize the end-user desktop experience compared with RDP. These protocols should be taken into account when reviewing network topology and “Thin Client” hardware compatibility.
- High speed storage solutions are highly recommended for certain segments of VDI back-end infrastructure to optimize overall performance and end-user experience.
- Printing and USB device compatibility
- Direct attach USB printers or “thumb drives” can be a challenge when trying to use VDI.
- While centralized security lockdown of USB ports can be an advantage to some agencies, it may be a challenge to others.
- Another consideration is that compatibility with certain encryption technologies for “thumb drives” can be limited.
- Redundancy in the various layers of back-end infrastructure should be increased considerably when moving from a pilot to a production environment. Reliance on connectivity and a centralized back-end infrastructure can create single points of failure that need to be mitigated wherever possible.
- ITD Security is currently performing a risk analysis, and will need to integrate an Enterprise VPN approach that segregates VDI sessions appropriately. This is more secure than today’s approach, and will likely allow more types of devices to be used in a secure manner.
- Microsoft OS licensing can include additional per-device connection fees when an Enterprise license is not in place. Typically, the subscription fee is $100 per device, per year. If an EA or “Software Assurance” is in place, this fee can be waived for PCs, but not for Thin Clients.
- Initial cost of deployment for a VDI solution when done properly can be high and might be prohibitive if the only motivation for a migration is TCO savings. According to Gartner: “The TCO benefits of VDI, however, have been in doubt in the past, as reductions in IT labor and end-user costs were often offset by the capital costs required to build the required back-end infrastructure.” Other motivations such as operating system upgrades, desktop/file-print server lease expirations, or business/operations needs should be part of the equation when considering VDI deployment.
- With Commonwealth IT consolidation, the decision was made for secretariats and agencies to maintain their own file and print environments. As VDI can potentially blur that line, questions remain in regards to how VDI might be architected for the Enterprise.
As with any technology deployment, we recommend secretariats/agencies conduct thorough testing of their own internal critical systems with any VDI solution before considering implementation.
In summary, ITD recommends secretariats/agencies deploying VDI technologies use:
- “Centralized Model” methodology.
- Dynamic “non-persistent” mode.
- A well architected solution and security approach that takes into account the many factors involved in deploying VDI in the Commonwealth.
- If any Secretariat or Agency wishes to pursue a VDI solution, they should contact the Commonwealth Chief Technology Office as ITD would like to partner on any such solution.
Concerns regarding this advisory can be sent to: email@example.com