How USAID delivers first-class apps to third-world field offices
A general dissatisfaction with inflexible IT services, including the inability to access resources to fulfill daily operational tasks, has driven the U.S. Agency for International Development to invest in a cloud-based virtual desktop infrastructure that provides IT services for users located around the world.
With field offices around the world, USAID works with private voluntary organizations, indigenous organizations, universities, U.S. businesses, international governments and U.S. government agencies to promote U.S. national security and foreign policy and reduce terrorism by addressing a key root cause of violence in the world today: poverty fueled by the lack of economic opportunity.
A total of 200 users have already been moved to a new cloud-based service that allows them to access Google Apps Premier through a cloud-based General Services Administration IT Schedule 70 contract award. Hundreds more will be migrated in spring 2011, and the plan calls for completing the deployment to as many of USAID’s 11,000 users as possible by the end of 2011.
USAID is moving a total of 50 applications — including e-mail, office productivity and some business applications — into the cloud-based environment that will enable secure access to IT services.
According to Jerry Horton, CIO for USAID, this migration is important for three primary reasons. “First, we must reduce our costs. At the same time, we can’t reduce the IT services we deliver to employees around the globe. And third, we needed to improve security for our increasingly mobile workforce,” Horton said.
USAID’s approximately 11,000 users have until now used desktop computers with standard images and no administrative rights, which prevents the installation of applications not approved by the IT department. Few laptops were deployed because of security requirements to prevent data loss, so when users traveled they primarily carried hard-copy documents rather than laptops. Recently, iPads were introduced to mitigate this, with the approach of encrypting data rather than devices. Remote access to computer resources for telework had previously been enabled by Citrix solutions.
Complaints about mailbox quotas hurting productivity were compounded by continual user dissatisfaction with the lack of access outside USAID offices, which led some users to adopt workarounds such as Web-based e-mail. Some users also faced limited and unreliable access at remote sites in the field, Horton said.
With limited visibility into IT resources and applications used outside the main offices, especially at field offices, Horton said, “a radically new IT approach was needed to decrease the cost of delivering computing and support services and to create a more mobile workforce able to use a variety of devices.”
Moving to cloud-based office productivity software, including e-mail, is now a high priority. Although not all agency locations have acceptable latency or even Internet connectivity, Horton has strongly advocated for the new environment to improve user access to IT resources, data and collaboration in the field, which is all considered vital to the agency’s mission success.
The cloud-based solution being rolled out will improve security by limiting data loss in the event of the loss or theft of a mobile device or a malicious software attack. In all, desktop virtualization is expected to lower the costs of providing and maintaining desktop services, and moving IT services to the cloud should help reduce the costs of developing and maintaining multiple data centers, Horton explained.
How it works
USAID has obtained infrastructure-as-a-service cloud services via the award of a GSA IT Schedule 70 contract to present users with a software-as-a-service-based desktop virtualization environment and associated infrastructure for identity management and authentication services. The IaaS will allow for capacity to be increased automatically based on resource demand. The desktop virtualization implementation consists of Citrix servers and desktop virtualization software, primarily XenDesktop, deployed on virtual machines. Users will access the virtual desktops and applications using clients ranging from thick to thin and zero clients in addition to mobile devices such as iPads, mobile phones and personal digital assistants.
Security in the cloud-based environment is enabled via single-sign-on and two-factor authentication. When a user logs in through the single-sign-on infrastructure with two-factor authentication — using Ping identity management, along with RSA’s SecurID and Active Directory — a secure virtual user desktop with an application work group is presented on whatever device is used. Applications and privileges are determined by the group profile assigned to each user. In the initial deployment, three types of client devices are being issued, including zero clients, thin clients and regular workstations, Horton said.
Storage is network-based as well, eliminating the need for data encryption on every device. Because no data is stored on user devices, no data can be lost or stolen in the event of a theft or loss of device. A secured virtual desktop is presented to the user whenever and wherever they log in to the virtual desktop infrastructure.
Approximately 50 applications are being virtualized and streamed to users in the initial phase of implementation, out of a USAID portfolio that originally included thousands of applications. Other applications will be migrated to the cloud if the same functions aren’t provided by existing approved applications, Horton said.
Users will be able to personalize their desktops so that they gain the same look and feel no matter where they are or what device is used to access USAID’s virtual desktop infrastructure.
Modernizing client computing via virtualization is expected to simplify and accelerate provisioning of services for users. With a few mouse clicks, applications and privileges will be assigned through the group profile given to each user. Application testing will be more efficient because new virtual machines can be created in seconds for testing. Once tested, an application will be installed and delivered to users by making it available to specific profiles, so that it is automatically streamed to the desktop; delivering an application will require only clicking a check box. Users won’t need to install new software or upgrades. Updates need to be applied once to the base image in the data center, and they will then roll out automatically to all users, so there will no longer be a need to update each device separately.
Finally, security will be improved because no local data will be stored on user devices. If a client device fails, the user need only swap out the hardware; once connected to the network, the user regains access to his or her desktop environment. To meet Federal Information Security Management Act requirements, USAID must incorporate two-factor authentication. The agency has already successfully tested integrating its Internet-based single-sign-on solution with two-factor authentication provided by RSA SecurID.
Lessons learned and a look to the future
A big lesson learned by USAID during its initial testing was that user training is extremely important. Although the solution provides the same desktop to all users, it was challenging for users to migrate to cloud-based applications or services with new user interfaces such as Google Mail or Google Docs, primarily because the features displayed were different. “Training was needed to help users feel comfortable with the new environment,” Horton said.
Meanwhile, bandwidth and latency issues are dependent on the country from which users will connect to the new services. Certain latency requirements are expected to impact the number of users who can use the new services and will likely affect the field offices that generally lack bandwidth or have high latency issues, Horton said.
For now, USAID considers a private cloud deployment most appropriate based on its risk assessment and a technical analysis of desktop virtualization and the associated security infrastructure for identity management and authentication services.
The IaaS private cloud provider is expected to automatically control and manage its infrastructure to support USAID. Resource usage is expected to be monitored and reported with proper billing, based on usage and other negotiated terms. Looking ahead, USAID is considering metered billing for the services provided. Virtualized desktops and applications would provide USAID with detailed information on what services are being consumed and by whom.
The private cloud deployment will use existing data centers and hardware at USAID. It might eventually become a community cloud if USAID hosts desktop virtualization for other organizations, including other U.S. government agencies or collaboration partners that work with USAID.