Virtual desktops have gone from an interesting idea to a technology agencies embrace in increasingly large deployments. Moving to virtual machines, however, requires a fresh look at security, standardization and the skills of your IT employees.
Consider the following: The Energy Department's desktop virtualization pilot has expanded to 500 seats and could grow well beyond that. The Navy kicked off a 7,500-seat desktop virtualization project last year, and the Defense Intelligence Agency (DIA) has installed about 18,000 virtual desktops on two networks so far. That's a significant shift from the small-scale demonstration projects that emerged five years ago.
The technology and deployment methods behind such projects are now well-defined and familiar to IT departments. With application virtualization, an organization streams software to desktop computers, where it runs on the locally installed operating system. The virtual desktop infrastructure (VDI) approach, on the other hand, hosts desktops as virtual machines running on a central server. Applications, operating systems and data reside in the data center.
Large-scale virtualization projects often compel agencies to revisit security policies, pay closer attention to configuration management and assess the types of technical expertise they need to have on hand. Therefore, a key consideration for adopters has become virtual desktop administration.
"We are seeing a shift in the skill set and in the experience needed," said Donald Adcock, deputy CIO for energy IT services at DOE.
Why it matters
The fundamental differences between physical and virtual machines drive the need for a new desktop administration regimen. Virtualization moves the key components of the desktop to the server room, leaving little to manage on the client side. Indeed, a zero-client box provides the ability to connect with a desktop-hosting server and not much beyond that. So although traditional PCs required considerable desk-side support, that's not the case for the minimalist hardware devices used in a virtual desktop setting, and the bulk of the management activities thus shift to the server side.
Furthermore, with server-oriented computing, users partake of a shared resource — and that changes the administration game because what a user does on his or her virtual desktop could affect what other users experience on theirs.
"If one person is watching full-motion videos on their particular virtual desktop, it will have an impact on those sharing the same [computing] resources," said Michael Mestrovich, senior technology officer for innovation at DIA.
The agency has deployed slightly fewer than 12,000 virtual desktops on its top secret Joint Worldwide Intelligence Communications System and about 6,000 virtual desktops on its secret network.
Mestrovich said desktop virtualization has enabled the agency's thin clients to support a range of activities, from viewing video shot by unmanned aerial vehicles to participating in town hall meetings via streaming video. But to make virtual desktops work, organizations need to understand the types of applications customers run and how those applications affect the CPU, network and storage resources of the underlying infrastructure.
Government and industry executives point to a number of administrative issues agencies can expect to encounter when fielding a VDI. One obvious consideration is what types of expertise IT personnel should possess to run a virtual desktop installation.
Mestrovich said large-scale VDI administration requires a range of skills and knowledge. IT staffers managing the server side, for example, need to have greater insight into the virtual desktop users' activities and the resulting infrastructure demands. Accordingly, DIA systems administrators working on the back-end VDI now have more of a focus on the customers' endpoints and the applications they might be using, Mestrovich said.
Administrators also need to be much more aware of disk input/output, he added. Indeed, virtual desktop demands on storage can result in bottlenecks that degrade the user experience. For example, thousands of employees arriving at work and simultaneously logging onto their thin clients can result in a boot storm if storage systems aren't designed for VDI.
IT staff, meanwhile, will need to learn how to handle client-side chores remotely while maintaining the same people skills they had when providing desk-side support, Adcock said.
"You really need your personnel dealing with [virtual desktop users] to be people-friendly and people-oriented," he said.
DOE's virtual desktop pilot was originally built to handle 250 seats but has since grown to twice that, Adcock said. The pool of available applications is set to expand as well. The department is currently evaluating its portfolio to determine which applications can be virtualized.
And although server experts might need to study up on user considerations, administrators previously focused on the desktop will need to learn about servers and other infrastructure elements. Wim Coekaerts, senior vice president of Linux and virtualization engineering at Oracle, said administrators must acquire specific knowledge of servers, storage and network capabilities.
They also need to learn about the gold image or virtual machine template. "With traditional desktop management, IT staff can spend a great deal of time configuring individual desktops, visiting an end user's client device to repair it and so on," Coekaerts said. "But with desktop virtualization and its template-based approach, it's easy to clone a specific type of desktop environment, use it for hundreds or thousands of users, and easily replace it if something needs to be changed."
That method also applies to traditional desktop computers, but agencies often make exceptions for users with needs beyond the standard configuration. Those agencies end up maintaining multiple images, each of which must be secured and updated. Proliferation, however, can also occur with virtual desktop images if IT departments don't actively avoid it.
"If you don't maintain some kind of control over governance, you will find yourself with the same thing in the virtualized environment," Adcock said. "You will quickly find yourself [with] multiple images that have to be maintained and accounted for and tracked."
IT personnel managing virtual desktops should also take security into account. Ken Liska, a virtualization specialist for NetApp's U.S. Public Sector, said organizations might have security policies and systems in place that add overhead and cost but don't provide extra protection for virtual desktops. Some security measures, such as antivirus software, are unnecessary for zero clients because they lack an operating system.
The need for remote control in a VDI setting also has security implications. "Many client security systems are in place specifically to prevent the remote control of a client operating system," said José Padin, a systems engineer manager at Citrix Systems. "VDI...is inherently about remotely controlling the virtual client operating system. The two systems are diametrically opposed."
To remedy that issue, most security systems provide the means to "containerize" client operating systems and apply different security policies to each container, Padin said. Host-based intrusion-prevention systems, for instance, can be configured to permit remote control for virtual desktops while preventing remote control of a physical endpoint.
The task of getting everyone up to speed on the new environment could prove the main obstacle to effective virtual desktop administration.
"These are newer technologies, so the agency skill varies depending on how long the agency has used this technology and how far into the process they have gone," said Jim Leake, vice president of the end-user computing portfolio at Unisys. "For agencies just exploring the concept, the learning curve can be steep."
Virtualization vendors offer help in that regard. Mestrovich said VMware, Citrix and Microsoft all offer courses that focus on virtual desktop administration skills. Technical certifications are also available. Citrix, for one, offers a certification program for its XenDesktop 5.
In addition to sending people for training in VDI, DIA also looks for people — both contractors and federal employees — who have experience and certifications in virtual desktops, Mestrovich said.
In addition to systems administrators, help-desk employees should be included in virtual desktop training. Help-desk personnel need to be aware of the hosting infrastructure and desktop provisioning technology to do their jobs effectively. Liska cited a case in which the support staff was left out of the education loop and, as a consequence, ended up troubleshooting virtual desktops as though they were physical machines.
Virtual desktops add to the complexity of the triage stage from the help desk's perspective, Leake said. When users call in to report that their machines have become sluggish, there are several elements to consider.
"The help desk must determine if the issue is being caused by a thin client, the network, the hosted machine or the app," Leake said.
The good news, he said, is that the fix is typically easier to apply in a virtual setting than it is on a physical desktop.