Security considerations of The Anywhere Workplace

What Is It? 

How many of us have attempted to start our computer in the morning only to have it not start at all, end up applying updates that take forever, or encounter other issues that impact on our day? Almost everybody has experienced this at some point.  Even if you moved to another computer (if one was available) you were probably out of sorts because something was missing – an application, a mapped drive, a printer, something.  Perhaps you needed a specific application installed and had to wait on the help desk, ran into compatibility issues, or maybe something got installed you didn’t want like, oh I don’t know, malware?

Virtual Desktop Infrastructure (VDI) isn’t a silver bullet, but it can be close if done right.  In this case, your entire environment exists on a server somewhere – your data centre, a hosted environment, or the cloud.  All your applications, links, customisations, and favourite files live there.  Whether at your computer, someone else’s, on the road, or at home, you connect to your VDI and voila!  Everything is there, exactly as you left it.  Start working on something at the office, continue while on the go, finish it up at home.

We call this The Anywhere Workplace and when it all works well, it’s slick.

We’ve established that your workspace exists in a magical space that you can get to from anywhere (if you have the right permissions, security, and end user equipment).  Is that all?  How is this a security thing?  Isn’t this more of a productivity thing?  Ah, I’m glad you asked!

Let’s say your hard drive crashes.  Is all your data backed up?  Is it all synchronised to the cloud or to the office server?  What if it only backs up daily?  Can you afford to lose an hour’s work?  A day?  A week?  Everything?  What if you’ve lost your laptop?  Maybe something caught fire in the office and your desktop is toast?  Why do I ask so many questions?  So, if something happens to the physical equipment, in a VDI environment you should be OK because little to no data exists locally.  You simply find another point from which to connect to your environment and carry on.

Better still, your device might get stolen but there is no data of value on it.  The environment is strictly controlled, so malicious software is a lot harder to install.  Data loss through peripherals can be better managed.  Updates can be scheduled so you are not left waiting for them to apply when you start your computer (plus you can also force updates on those pesky users that keep delaying them, creating a vulnerable machine).  Plenty of upside, no downside, right?  Not quite, but I’ll get to that later.

This takes us back to the day of everyone having “dumb” terminals on their desks.  Remember the good old monochromatic green or orange on black displays all connected back to a massive mainframe unit hidden in the basement?  Centralised became decentralised became centralised again, only better.  Now we have decent terminals that can either be completely diskless “dumb” terminals or, more likely, just a regular computer that starts a VDI session.

Where Do I Start? 

The first thing you need to decide is if VDI is right for you because, to be honest, as good as it is, it’s still not for everyone.

  • If you have a consistent environment where most users have the same applications and use a lot of the same resources, this can work well.
  • If you have users that move around a lot between offices, homes, and work while out on the road, this can also be good.
  • If you need to strictly control the working environment with granular control over desktops, applications, and data, then yes, give it some thought.
  • If you have a very dynamic environment with a lot of different requirements, it could get cumbersome but there are ways to work around it – just be ready to deal with a larger number of profiles and images.
  • If you have users that have resource-intensive needs like memory and CPU, then maybe VDI isn’t the best solution but again, could still work if managed correctly.

VDI is not an all-or-nothing solution; you can have some users in a VDI, but you could also have some traditional thick clients for specific use cases.  At the core of it will be resource allocation and usage.  You’ll need to make sure that whichever way you choose to go that you have the resources to make it work.  None of us want to deal with cranky users complaining that “the network is slow”.

Let’s say that you have decided that VDI is right for you.  Figure out how many users you’ll have, what they will need, and start putting together a design that will create the VDI environment.  It’s a good idea to include as many of the common applications and tools as possible in the baseline, whether everyone will use them or not.  The idea is that everyone gets a basic image, can adjust it to their liking, and has access to a list of approved applications they can add based on their profile.  If the application isn’t approved for them, they can’t add it, so that way you won’t get the mailroom digging through the financials, or the latest whizbang tool downloaded for free and installed.  Great way to limit Shadow IT as well!  You can have everything default back to the baseline when the user logs out, such as in a hot-desking workplace, or preserve their session exactly as it is so they can relaunch it the next day or on a different terminal.  The healthcare industry is a great use case for an Anywhere Clinical Desktop, a follow-me desktop system where clinicians can tap on and off a terminal regardless of which ward or consultation room they are currently in.

Now that you’ve sorted out the users and the applications, you probably have a list of resource requirements.  Modern desktops and laptops (and tablets for that matter) have a lot of power that users will never tap into, so maxing out the resource requirements for the VDI hosts isn’t going to earn you any favours from the finance team, so while you need to be liberal with your horsepower, you need to be conservative with your budget – but allow room to grow.  Size up your VDI servers accordingly and shop around to get the best bang for your buck.

I probably don’t need to say this, but please, don’t hesitate to reach out to your local VDI experts so you can make sure it’s done right the first time.  Users are a very skittish bunch at the best of times and if there is the slightest sniff that things are not working to their liking, you’ll hear about it and you can cross yourself off their Christmas card lists!  VDI needs to be done right to create an effective Anywhere Workplace.  In an existing VDI solution, organic and unplanned growth, virtual sprawl, and inefficient use of resources are common, so consider a Health Check to understand your VDI’s performance.

A VDI expert can help you with designing the whole infrastructure from images to resource allocation to security policies to management and monitoring of the whole thing.  They can help you make the transition for users as smooth as possible to the virtualised environment and hey, it might even be worthwhile porting your existing environment into VDI for consistency.  I’ve done this several times during virtualisation projects when decommissioning physical servers.  A few hiccups, sure, but it can be done.

How do I make it work? 

Now that you’ve started, got the right people engaged, and are working on your VDI project, how do you make it move from fantasy to reality?  A Proof of Concept (PoC), test or pilot phase is a must.  You need to make sure it all works before you open the doors to the masses.  Ever see those Boxing Day sales on TV where the doors open, the flood of people run in and inevitably someone falls and gets trampled, others miss out on the bargains, and not everyone goes home happy?  That’s what you can expect if you suddenly drop everyone into a VDI environment.

Plan, plan, plan.  I cannot say it enough.  You know the way your users interact with their systems, so design accordingly.  Engage third parties to review your designs, run your tests, and QA the whole thing top to bottom, end to end, side to side.  It MUST work.  Engage some of your most trusted users to help you trial it in real time and be sure to allow for the inevitable hiccups.

With a solid plan, a tested design, and having met the success criteria from your PoC or pilot, you can move towards deployment.  Procure your hardware, software, and licenses.  Build your images and policies and have them ready to go.  I would strongly suggest load testing as well to be sure your VDI environment will cope with the load.  A lot of work up front will save a lot of pain down the road.  Try all the various use cases: regular in-office users, mobile users, and home office users.  Try a variety of different platforms based on your fleet of devices.  Also, the more automated the transition, the better.  Imagine if a user logs off their laptop one night and when they log in the following morning, they’re now running in a VDI environment.

Meanwhile, on the back end, be sure to back up their environments and data.  This is where a Disaster Recovery and Business Continuity Plan is worth its weight in gold.  Redundancy and high availability are a must, but you already knew that, right?  Just be sure to adjust your backup and recovery strategy accordingly; this should have been part of the design and testing.

So now you’ve planned a VDI environment, designed it to be robust, and migrated the masses into it.  They have their favourite applications and access to their data, and everything is backed up, replicated, and working smoothly.  They cannot install unauthorised applications, and if their laptop gets lost, damaged, or stolen there is no data loss.  They can work from any desk, anywhere, anytime, such as in the office, at a satellite site, on the road, or from home and have access to everything they would from a thick client on their desk at work.  Perfection, right?  What could possibly go wrong?  My friends, there are pitfalls, and there are ghosts.

What are the Pitfalls?

We’d have to agree that VDI is, on paper, more stable, more resilient, and more secure.  If you have the computing power in the core and the ability to access it anywhere, at any time, you should be sweet, right?  A commonly overlooked VDI issue is the network infrastructure itself.  You can have wicked servers and clients, but if your network is a throwback to the days of bell bottoms and platform shoes, it’s like trying to force a watermelon through a garden hose.

When designing your VDI solution, be sure to account for the throughput and bandwidth between the endpoints: server to server, server to client, remote client to VDI, and so on.  In a traditional server-client setup, you only access the server as and when you need it, with most of the work taking place locally.  In VDI, everything takes place on the servers, so while you may not have large files flowing to and from your workstation, you still need connectivity to relay the inputs and see the displays.  Keyboard and mouse inputs and screen updates might not sound like a lot of data, but multiply them by dozens or hundreds of users.

We’ve all had the frustration of clicking a mouse or pressing a key only to have to wait for the display to update.  If you’re used to instantaneous response and no lag, then be sure that your VDI responds the same; you don’t want to have to deal with the fallout and you certainly don’t want to have to tell your users they’ll have to get used to it.

The same holds true for external users, so if I’m using VDI from home or on the road, it must work just like I was in the office.  You can’t account for everyone’s internet connection such as home users or the high-performance public networks in hotels (I’m joking, of course) but the infrastructure you can control has to work.

Ghosts in The Machine? 

If you have a great VDI implementation and have allowed for the network performance issues, where are the ghosts?  The ghosts are the behavioural issues of your end users, and that is exactly where they can get in.  Let’s say a computer gets stolen while it is logged in to your VDI.  The intruder would have the same access as that user, since it is seen as a trusted connection.  Then there are weak passwords, systems that are not hardened, and the list goes on.  Yes, these are ghosts that can exist in traditional non-VDI environments, but please realise that VDI is not immune to all security risks; end user responsibility is just as critical, so stay vigilant.

Is it right for you?

VDI may or may not be right for you, but it is a conversation worth having, so I would recommend reaching out to see how you can benefit from virtualising your desktops as well as your servers.

Are you still unsure?

We’re always happy to help, just let us know how we can assist!
