U.S. Forces' response to the 2011 Japan earthquake showed how virtual desktop infrastructures can deploy new endpoints quickly, easily and securely.
Keeping up with software and security patches in a traditional desktop PC network can be a daunting task — especially if you have to manage 6,000 desktops across a distributed environment. That was the challenge Glenn Exline, manager for end user computing with VMware, faced as a manager of the enterprise network that supported the Air Force’s 45th Space Wing at the Cape Canaveral Air Force Station.
“With any luck we would get an 80 to 90 percent success rate,” Exline said. The IT team would spend two weeks applying software and security patches to physical machines and reporting to upper management on the progress.
Then the team found a better solution with a virtual desktop infrastructure, in which the IT staff can apply updates to a master image on a server in the data center, recompose rules for desktops and send out the updates to the virtual desktops. “I guarantee you that every one of those virtual desktops is an exact copy” of the master image, Exline said.
VDI’s ease of administration, enhanced security and rapid elasticity have motivated agency adoption of virtual desktop environments. Baking in security and planning for storage and performance issues are key elements in successful VDI deployments, government and industry experts told an audience at the recent FOSE trade show. Elasticity, the ability to add more servers or desktops to a network to meet demand, can be achieved more easily within a VDI environment if the infrastructure is designed properly, panel members said.
For instance, the U.S. Navy and U.S. Forces Japan used virtual desktop technology to support personnel assisting in the response and relief efforts after the earthquake and tsunami that struck Japan in March 2011.
Navy personnel in Japan were accessing virtual desktops based in the United States, Exline said. U.S. Forces Japan had to support 100 people who would soon be arriving to help with tsunami relief. Instead of looking for laptops to reload with security updates, IT managers were able to click a few buttons and roll out more virtual desktops. When the personnel arrived on the scene, they accessed services via shared kiosks or used repurposed machines, and the IT team didn’t need to deploy 100 additional computers.
“In both cases they were able to enhance their tsunami response simply by enhancing their virtual desktop infrastructures,” Exline said.
Agencies can achieve a high level of security and information assurance using virtual desktops versus standard desktops, Exline said. Desktop virtualization is software technology that separates the desktop environment and related application software from the physical client desktop computer that is used to access it.
Because data resides on servers in a data center instead of on a user’s desktop, the environment is more secure. If an unauthorized person gains access to a virtual or thin client desktop, that individual would have nothing because all data, passwords and security are still in place back in the data center, he said.
Exline shared his insights during a FOSE panel on cloud computing moderated by Wolf Tombe, CTO of U.S. Customs and Border Protection, which is deploying a virtual desktop infrastructure.
More organizations are moving toward hybrid cloud environments in which there is a mix of an on-premise private cloud and cloud infrastructures run by commercial cloud providers. So agencies will have to work with their cloud providers to ensure that virtual desktop environments are secure under these scenarios, Tombe said. For instance, CBP is in the early planning stages with Microsoft to determine if the company’s cloud-based messaging and office productivity suite, Office 365, is a fit for the agency.
If CBP does go down that path, a likely scenario would be for Microsoft as a public cloud provider to offer Word, Excel and Outlook e-mail down to users’ virtual desktops while data would reside within the agency’s secure firewalls, Tombe said.
The Recovery Accountability and Transparency Board built a cloud hub, which has the ability to control, monitor and audit access to systems and information within a hybrid cloud infrastructure, said Hemanth Setty, CTO for the Recovery Board. RATB was one of the first agencies to move e-mail and collaboration to Microsoft Office 365. A key requirement is for all network traffic to go through the hub, which has security tools for threat and intrusion detection and prevention. “So any e-mail I send to anybody pretty much goes through my security appliances,” Setty said.
The Recovery Board has learned valuable lessons about the need for planning and building out an infrastructure to accommodate additional users, Setty said.
“The key thing is how you plan the infrastructure in the back for storage and network bandwidth utilization,” he said. Performance issues can arise as more users log into a VDI environment if the infrastructure is not properly configured to take on the extra load. Once the storage and bandwidth issues are addressed, scaling up and down with new machines should be straightforward, Setty said.