Let’s stipulate up front that there are certain situations where Virtual Desktop Infrastructure (VDI) and Desktop-as-a-Service (DaaS) are viable and even a wise choice. That said, if you make the move to VDI with an expectation that the technology will save you money, it’s not going to end well. VDI costs can be significant and difficult to predict. In many cases they will far exceed the comparable cost of deploying Windows 10 laptops. Security is a further parameter that needs to be weighed when making a choice to pursue VDI or DaaS.
For context, VDI involves hosting virtual desktops on centralized server and storage infrastructure. The user’s endpoint, which could be a laptop, tablet or even a phone, presents a replicated version of Windows and any applications the user needs to access. In theory, VDI is highly efficient. It gets the IT department mostly out of the business of supporting Windows machines in the field. This is valuable, depending on how big “the field” is for your organization. In practice, a variety of factors make Windows VDI cost more than the traditional approach to provisioning PCs.
- Software licensing costs are one factor that pushes up VDI costs. The VDI software comes with a license fee, as does each VDI client application. There are also software licensing costs for the storage array and so forth. Generally the cost of VDI software exceeds that of standard Windows 10 operating systems. An additional complication here relates to problems with application software. Not all applications work well, or even at all, on VDI. There may be customized workarounds and other costly hassles involved in getting all the company’s apps to work on VDI.
- Hardware costs for VDI may surprise you as well. While the “dumb(er)” VDI endpoint may be less expensive than a regular Windows 10 laptop, you will have to invest in VDI servers and storage. Here things can get a bit tricky depending on your workloads. If your end users are using lightweight, text-based applications, then you might be able to get away with a relatively inexpensive server for hosting the VDI virtual desktops. A call center offers an example of this use case. Everyone has the same low-grade PC requirements and sits in a big room. VDI can work in this context. However, if your people have graphically intensive or process-heavy workloads, you will probably have to get specialized, costly servers. If the call center uses Voice over IP (VoIP) apps over VDI, this can also result in costly workarounds and infrastructure changes that are difficult to support.
- Storage presents a similar problem. Some workloads require fast storage for VDI. These investments and support costs can add up.
- IT support is also a VDI cost that needs to be recognized. In a highly-unified and controlled scenario like the call center, it may be possible to cut down on support costs with VDI. However, much of the time there will be an even trade between helpdesk personnel who support Windows 10 machines and the internally-facing VDI admins who run the VDI infrastructure. As with regular PCs, you’ll have to staff VDI admins in proportion to your VDI deployment. Individual support cases can get even more complicated when the support team has to troubleshoot both the physical laptop and the OS the laptop is running for VDI. Consider how stressful that can get when it’s an important machine, like the CEO’s laptop.
Security is yet another area where VDI’s benefits are not as clear as the technology’s advocates might indicate. Yes, there is a certain advantage to having a central point of control for all security countermeasures running on all VDI endpoints. At the same time, this centralization itself exposes you to risk, potentially more serious risk than you would face with a distributed operating system deployment.
The risk emerges because a compromised endpoint can let the attacker into the VDI server. An attack could unfold in the following way: The attacker who owns the user’s machine also owns the VDI desktop. Then, if the VDI desktop runs a full persistent Windows OS, it has the same security problems as a normal Windows laptop. The security field saw this play out in a recent Citrix vulnerability. In this case, one vulnerability in the VDI/DaaS gateway led to the exposure of an entire internal network, along with desktops, apps and data.
There are alternatives for privileged machine provisioning beyond just VDI or standard PCs. With hardware-level VM segregation, running below the OS, you can have two completely separate virtual PCs running on a single piece of hardware. Users can then securely access information and run privileged apps in a locked-down virtual machine on their laptops rather than on remote VDI servers.
The second VM runs in parallel, available for day-to-day web browsing and the like. Both virtual environments are completely isolated from one another. Malware that reaches the open VM is completely contained within it. In this architecture, an attacker will find it essentially impossible to breach the barrier that exists between the standard and privileged machine at the endpoint.
Perception Point offers a cost-effective way to achieve the hardware-level VM segregation alternative to VDI. With Perception Point Advanced Browser Security, you can run an isolated protected browser contained in a virtual machine on a single device. Multi-layered dynamic detection capabilities also instantly block access to malicious/phishing websites and to malicious file downloads, preventing ransomware and APT attacks. It’s seamless to the end user. Using the browser, you can define and apply separate security policies to each isolated VM, enabling access to sensitive or privileged corporate systems and data without negatively affecting user productivity.
Is VDI a cost-saver? It depends on many factors, as you can see. VDI costs can be higher than you expect, especially once intangible but potentially high-value issues like security are taken into consideration. Consider all alternative solutions before making a decision to invest, or continue investing, in VDI.