Ultimate Guide to Virtual Desktop Infrastructure: Implementation, Costs, Cloud, and Security
What is Virtual Desktop Infrastructure?
Virtual desktop infrastructure (VDI) enables organizations to deliver desktop operating systems, such as Microsoft Windows and Linux, remotely to user devices.
VDI lets organizations run operating systems and applications in a central, virtualized environment in their data center. From this centralized environment, they can serve desktops and applications to user devices, which may be PCs, mobile devices, or thin clients.
This can generate major cost savings, as it eliminates the need to provision an entire workstation for each employee. However, VDI is a complex infrastructure that requires large upfront investments, which is why many organizations opt for a cloud-based desktop as a service (DaaS) model instead of setting up VDI on-premises.
VDI Use Cases
Here are several use cases where VDI can provide substantial benefits to an organization:
- Employee workstations—in a modern work environment, employees need access to applications regardless of where they work, in the office, at home or in the field. With VDI, the user can securely access a virtual desktop wherever they are, using either corporate or personal equipment.
- Healthcare—in a healthcare environment, safety and privacy are critical, and HIPAA regulations require strict protection of patient data. With VDI, medical staff can view only the patient records permitted by the security profile assigned to their virtual desktop, and the data stays in the data center rather than on the endpoint.
- Education—the organization can issue devices to both teachers and students. Teachers can be restricted to the data and applications for their classes, while students see only the data and applications for courses they are enrolled in. When an employee or student leaves, the virtual desktop is deleted.
- Call centers—in large organizations that employ staff in shifts, such as call centers, shared desktops are used. Employees log onto an empty workstation, start a desktop, and log off at the end of their working hours, releasing the resources for the use of employees in the new shift.
- Engineering and design—employees in these types of organizations frequently use graphic-intensive applications. Previously, this type of work required expensive workstation hardware. Advances in VDI have made it possible to set up graphics processing units (GPUs) centrally, using GPU virtualization technology to substantially reduce costs. Users then get the benefits of hardware acceleration from any device.
How Does VDI Work?
In a VDI system, the organization manages operating system images, which represent the types of desktops that need to be provisioned to users. These images run on virtual machines (VMs) managed by a hypervisor. Desktops are delivered over the network to the endpoint device (laptops, desktop computers, tablets, smartphones, and thin clients), and the user interacts with the operating system and its applications through the endpoint device.
A similar model can be used to run virtualized applications (rather than entire operating systems), and deliver them to users so they can run these applications on their local device.
All VDI deployments have the following characteristics:
- Servers in the local VDI site host multiple VMs via a hypervisor, each running a desktop instance. The number of desktops per host is known as “density”.
- To gain access to a virtual desktop, the user must authenticate from the endpoint client, which then maintains a connection to the centralized server.
- Clients that have successfully accessed the VDI environment are allocated a virtual desktop from the pool of available resources. This is done by the VDI connection broker.
- Users have a consistent experience of their desktop regardless of the device they used to connect to it.
Persistent vs Non-persistent VDI
A major deployment consideration in VDI systems is whether to persist user desktops. A persistent desktop is a dedicated desktop saved for each user, which retains all user settings from session to session.
With persistent VDI, each desktop runs from its own disk image. The image saves all the user’s settings, enabling more customization of the desktop environment, but requiring more storage per user.
- Easier to personalize, preserves user’s data, shortcuts and files
- Similar setup to physical desktops, making administration easier
- Requires more storage, because individual disk images require more space than a single “golden image” of the operating system
- Storage is attached to each VM as its own logical disk, and user data lives inside that desktop image rather than in a separate layer
- Complex to manage and optimize a large number of desktop images compared to one master image
With non-persistent desktops, any changes a user makes to the desktop are discarded at logout rather than stored in the virtual desktop. Personal data and settings are kept in a separate user layer that is applied on top of the “golden image” at login, so each time a user logs in they receive a fresh image plus their own settings.
- Built from a master image, making it easier to patch and update the operating system
- Improved security, because users cannot change operating system settings or install software
- If a desktop is compromised, it is easy to revert it to a clean state, and any malware or persistence the attacker installed is lost; note that the revert does not recover data or credentials the attacker already captured during the session
- Requires less storage space per user
- Separation of operating system and user data, making it possible to move user data to lower-cost storage equipment
- Users cannot easily personalize their desktop, does not support full user profiles
- Because users share a disk image, administrators need to customize the image to ensure access to all required operating system features
- Commonly, administrators create a golden image for each type of user or department, which requires application virtualization or user environment virtualization
How to Determine VDI Solution Costs
VDI is a heavyweight infrastructure that requires dedicated hardware, software licenses for VDI management components, and other indirect costs. Here are the key cost components of a VDI solution.
- Initial hardware costs—buying the hardware to run VDI management components, which can support expected capacity with high performance. The organization must provision additional hardware for peak periods, near- and long-term growth.
- Consulting and implementation—in many cases organizations use consultants to guide or fully manage the initial implementation of a VDI site.
- Hardware maintenance—cost of hardware maintenance, upgrades and hardware replacement over time, and support contracts.
- Operations and administration—a significant cost is the time spent by IT staff operating the VDI site, managing VDI-related activities like desktop images, and supporting users.
- Redundancy and backup—setting up systems to facilitate fault tolerance, backup, and disaster recovery. This may include redundant servers on standby in case a VDI server fails.
- VDI licenses—VDI software from vendors like Citrix or VMware is a major part of a VDI site’s cost. Licenses may be priced per user, per device, or as a flat-fee license for the VDI management components.
- End-user software licenses—the operating system or software used by VDI end users must also be accounted for (unless it is proprietary to the organization or open source). Most software vendors have different pricing for desktop and virtualized environments.
- Facility costs—VDI requires a dedicated data center, or at least additional rack space in an existing data center. This involves adding storage equipment, network devices, power, cooling, etc.
- Workstations for special uses—there might be special cases in which the organization will provision users with dedicated workstations, in addition to the VDI deployment, representing an additional expense.
VDI vs DaaS
Increasingly, organizations are questioning the cost and complexity of setting up an on-premise VDI site, and turning to desktop as a service (DaaS) solutions.
DaaS is a cloud-based VDI offering that does not require the organization to set up infrastructure locally. The organization only needs to manage licenses and disk images, and the rest is taken care of by the DaaS provider. Below are some of the key differences between VDI and DaaS.
Setup
VDI requires extensive setup, including hardware procurement, deployment and configuration.
DaaS makes it possible to launch virtual desktops immediately; all prior setup is handled by the provider.
Cost
VDI has a high upfront cost, as well as ongoing costs for hardware, maintenance and operations.
DaaS has no upfront infrastructure cost; all costs of the service are rolled into a per-hour or per-user subscription price. Each organization should carry out an economic analysis comparing the expected ongoing costs of VDI with the subscription costs of DaaS over the same period.
Backup and High Availability
With VDI, backup servers and high availability need to be set up and maintained at the organization’s expense.
With DaaS, most providers automatically back up data and provide high availability built in, with a guaranteed service level agreement (SLA).
Agility and Elasticity
VDI is not elastic—if the organization needs to support peaks of usage, it must set up extra resources, and during non-peak times those resources sit idle. In addition, if there are new requirements, such as graphics processing units (GPUs) for graphic-intensive tasks, new hardware must be purchased and configured to support them.
DaaS is elastic, allowing the organization to scale up and down according to the actual number of desktops it needs. For example, it is easy to add desktops for temporary staff hired for a seasonal promotion, and stop paying for them when no longer needed. Adding special hardware configurations can be done instantly with no upfront cost (as long as the hardware is supported by the DaaS provider).
How to Enhance VDI Security
VDI infrastructure carries highly sensitive data, and virtual desktops can provide access to critical IT systems. Here are a few best practices you can use to improve VDI security.
Restrict End-User Functionality
Ensure users never have access to services or networks they do not need for their job. Consider disabling user functions that create paths for data to leave the desktop, such as USB drive redirection, clipboard (copy-paste) transfer between the client and the desktop, or screen capture. Use content filtering to ensure users cannot access malicious or inappropriate websites.
Remove Unnecessary Services in Golden Image
Evaluate the operating system “golden image” for any service or feature that is not necessary for user productivity, or that increases the attack surface. For example, the Windows Print Spooler service has a long history of security vulnerabilities and can be disabled in any desktop pool whose users do not print from the virtual desktop.
If a service is necessary for users but represents a security threat, consider how to mitigate the threat, for example by patching the golden image and restricting which hosts can reach the service. Re-seal the image after every change so that all desktops built from it inherit the fix.
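The two practices above (restricting end-user functionality and removing unnecessary services) can be applied to a Windows golden image with one script. The following is an added example written for this guide, not code from the original article or from any VDI vendor. It assumes a Windows image where Remote Desktop Services policies apply, treats the Print Spooler as the only service to disable (the list is an assumption; extend it after reviewing your own image), and is run elevated inside the image before it is sealed. The function names (Disable-VdiRedirection, Disable-UnneededService, Test-VdiImageHardening) are this example's own.

```powershell
# Added example (not from the original article): hardens a Windows VDI golden
# image by removing common data-exfiltration paths from the session and
# disabling a service the desktop does not need. Run elevated inside the
# golden image before sealing it. The service list below is an assumption.

# Registry values behind the Remote Desktop Services Group Policy settings
# "Do not allow Clipboard / drive / Plug and Play device redirection".
$RdsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RedirectionControls = @{
    fDisableClip     = 1   # clipboard transfer between client and desktop
    fDisableCdm      = 1   # client drive mapping (download to the local disk)
    fDisablePNPRedir = 1   # Plug and Play devices such as USB storage
}
$UsbStor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'   # Start = 4 disables the driver

# Services not needed for this desktop's job. Only the Print Spooler, as in
# the text; extend after reviewing your own image (assumption).
$ServicesToDisable = @('Spooler')

function Disable-VdiRedirection {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $RdsPolicy)) { New-Item -Path $RdsPolicy -Force | Out-Null }
    foreach ($name in $RedirectionControls.Keys) {
        if ($PSCmdlet.ShouldProcess("$RdsPolicy\$name", 'set to 1')) {
            Set-ItemProperty -Path $RdsPolicy -Name $name -Value $RedirectionControls[$name] -Type DWord
        }
    }
    # Belt and braces: even if a client redirects a USB stick, the guest's
    # mass-storage driver will not load it.
    if ($PSCmdlet.ShouldProcess("$UsbStor\Start", 'set to 4 (disabled)')) {
        Set-ItemProperty -Path $UsbStor -Name Start -Value 4 -Type DWord
    }
}

function Disable-UnneededService {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Name = $ServicesToDisable)
    foreach ($svc in $Name) {
        if (-not (Get-Service -Name $svc -ErrorAction SilentlyContinue)) {
            Write-Warning "service $svc not present in this image"
            continue
        }
        if ($PSCmdlet.ShouldProcess($svc, 'stop and disable')) {
            Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $svc -StartupType Disabled
        }
    }
}

function Test-VdiImageHardening {
    # Audit: one object per control, so the output can be kept as evidence
    # with the image build and re-run after every rebuild.
    $findings = @(
        foreach ($name in $RedirectionControls.Keys) {
            $actual = (Get-ItemProperty -Path $RdsPolicy -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{ Control = $name; Expected = 1; Actual = $actual; Pass = ($actual -eq 1) }
        }
    )
    $usbStart = (Get-ItemProperty -Path $UsbStor -Name Start).Start
    $findings += [pscustomobject]@{ Control = 'USBSTOR Start'; Expected = 4; Actual = $usbStart; Pass = ($usbStart -eq 4) }
    foreach ($svc in $ServicesToDisable) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{ Control = "service $svc"; Expected = 'Disabled'; Actual = $s.StartType; Pass = ($s.StartType -eq 'Disabled') }
    }
    $findings
}

Disable-VdiRedirection
Disable-UnneededService
Test-VdiImageHardening | Format-Table -AutoSize
```

Run the two Disable- functions with -WhatIf first to see the intended changes before applying them. Test-VdiImageHardening returns one object per control, so its output can be saved with the image build as evidence that the controls were applied and compared after each rebuild. Screen-capture blocking and web content filtering are not registry settings in the guest; they are configured in the VDI client or a separate web proxy, so they are out of scope for this script.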
Use Security Tools
At a minimum, secure the VDI site with basic network controls such as firewalls and intrusion detection/prevention systems (IDS/IPS), and allow the remote display protocol to reach virtual desktops only from the connection broker or gateway rather than from arbitrary networks.
Seriously consider endpoint protection solutions, which combine antivirus, behavioral analysis to detect suspicious activity on an endpoint, and the ability to respond directly to threats on the endpoint. Prefer agentless or VDI-aware products that offload scanning to a dedicated security VM on the host; a conventional per-desktop agent, multiplied across a dense host, causes scan storms that degrade performance for every desktop on it.
Ensure the security setup can secure:
- VDI control plane servers
- The hypervisor
- Virtual machines
- Guest operating systems running on VMs
It is common for organizations to allow users to bring their own device (BYOD). In a VDI context this presents a serious risk, because an attacker who controls a personal device (for example through malware or a stolen session) can reach the VDI environment and impersonate the user.
From there, the attacker could gain unauthorized access to data and systems, alter desktop configuration and plant malicious content. In the worst case, a guest privilege escalation chained with a hypervisor vulnerability (a VM escape) could give the attacker control of the hypervisor and let them shut down the entire VDI site.
Here are a few precautions you can take to reduce the risk of compromised BYOD devices:
- Enforce strong passwords and use multi factor authentication (MFA)
- Consider using single sign-on (SSO) software
- Take measures to prevent users from connecting to unsecured Wi-Fi networks
- Restrict a user’s ability to download files or data to their local device
- Restrict applications users can install on their personal devices
When users are working on personal devices, many security precautions are impractical, because the organization has limited control over BYOD devices, and users will resist restrictions on use of their personal device. Hysolate can help by giving employees and contractors access to corporate applications from a non-corporate BYOD via an isolated and secure virtual environment.
Addressing VDI Challenges with Hysolate Isolated Workspace as a Service
Creating and managing a VDI solution is a large project and a huge undertaking for an organization. Planning the infrastructure correctly, sizing it for the target user population, and testing everything requires thousands of hours of work and a large investment. Running the servers on premises adds the cost of purchasing the hardware and of maintaining it, driving up both CapEx and OpEx.
In addition, in today’s remote-first world, users connecting to a data center VDI solution, sometimes over a VPN tunnel, often get poor performance and a poor user experience, and their desktops are unavailable when offline.
Hysolate solves these problems with an innovation called isolated workspace as a service (IWaaS). Users get a local isolated operating system running on their machine deployed within minutes which is managed from the cloud.
Isolated workspaces enable:
- A higher level of freedom on employees’ corporate devices
- The ability to receive third-party generated content in an isolated zone
- Access for IT admins, DevOps, developers, and other privileged users from their everyday environment
- Access for employees from personal, unmanaged devices
The behavior of the workspace is managed in the cloud, while all of the computing resources run locally on user machines.
This eliminates the need to invest in a large and costly infrastructure, and provides a better local user experience, with offline availability.