Are virtual desktops worth it?
Let's stipulate up front that there are certain situations where Virtual Desktop Infrastructure (VDI) and Desktop-as-a-Service (DaaS) are viable and even a wise choice. That said, if you make the move to VDI with an expectation that the technology will save you money, it's not going to end well. VDI costs can be significant and difficult to predict. In many cases they will far exceed the comparable cost of deploying Windows 10 laptops. Security is a further parameter that needs to be weighed when making a choice to pursue VDI or DaaS.
For context, VDI involves hosting virtual desktops on centralized server and storage infrastructure. The user's endpoint, which could be a laptop, tablet or even a phone, presents a replicated version of Windows and any applications the user needs to access. In theory, VDI is highly efficient. It gets the IT department mostly out of the business of supporting Windows machines in the field. This is valuable, depending on how big the field is for your organization. A variety of factors arise that make Windows VDI cost more than the traditional approach to provisioning PCs.
Security is yet another area where VDI's benefits are not as clear as the technology's advocates might indicate. Yes, there is a certain advantage to having a central point of control for all security countermeasures running on all VDI endpoints. At the same time, this centralization itself exposes you to risk, potentially more serious risk than you would face with a distributed operating system deployment. The risk emerges because a compromised endpoint can let the attacker into the VDI server. An attack could unfold in the following way: The attacker who owns the user's machine also owns the VDI desktop. Then, if the VDI desktop runs a full persistent Windows OS, it has the same security problems as a normal Windows laptop. The security field saw this play out in a recent Citrix vulnerability. In this case, one vulnerability in the VDI/DaaS gateway led to the exposure of an entire internal network, along with desktops, apps and data.
There are alternatives for privileged machine provisioning beyond just VDI or standard PCs. With hardware-level VM segregation, running below the OS, you can have two completely separate virtual PCs running on a single piece of hardware. Users can then securely access information and run privileged apps in a locked-down virtual machine on their laptops vs. on remote VDI servers. The second VM runs in parallel, available for day-to-day web browsing and the like. Both virtual environments are completely isolated from one another. Malware that reaches the open VM is completely contained within it. In this architecture, an attacker will find it essentially impossible to breach the barrier that exists between the standard and privileged machine at the endpoint.
Hysolate offers a cost-effective way to achieve the hardware-level VM segregation alternative to VDI. With Hysolate, you can run multiple isolated operating systems on a single device. It's seamless to the end user.
Using Hysolate, you can define and apply separate security policies to each isolated VM, enabling access to sensitive or privileged corporate systems and data without negatively affecting user productivity.
Is VDI a cost-saver? It depends on many factors, as you can see. VDI costs can be higher than you expect, especially once intangible but potentially high-value issues like security are also taken into consideration. Consider all alternative solutions before making a decision to invest, or continue investing, in VDI.