August 30, 2010

This interview  was reposted from “The Metropolitan Corporate Counsel” website

Editor: Tell us about your practice and role at Proskauer, particularly as a founding member of the Litigation Department’s Electronic Discovery Task Force.

Goldberg: I am a patent attorney with an electrical engineering background. My practice is primarily patent and trade secret litigation, with lots of work in the telecommunications, barcode scanner and financial services fields.

Over the past couple of years, advising clients on electronic discovery-related issues, both in the absence of litigation and during litigation, has become a significant part of my practice. Before litigation, for example, I help clients develop information management systems to proactively reign in discovery costs and meet compliance obligations. During litigation, I help clients understand and manage the burden and costs of the process, with the goal being a rational e-discovery expenditure that, while meeting all obligations, minimizes the disruption to my client, and is proportionate to the amount at issue in the litigation. I also consult on the recovery of often-overlooked electronic evidence, such as computer forensics.

Recently I’ve focused on electronic discovery and alternate dispute resolution, and I am the primary author of the e-discovery section of the International Institute for Conflict Prevention and Resolution’s model economical litigation agreement, colloquially known as the “Litigation Prenup.”

Editor: “Cloud computing” is a buzzword that’s been popping up more frequently than ever. How would you define it?

Goldberg: Cloud computing is a marketing term that covers lots of different technologies and business applications. By way of example, the National Institute of Standards and Technology (“NIST”) is now on version 15 of their attempt to define the cloud, with the current definition two pages long, with lots of subparts.

I like the analogy in the book The Big Switch by Nicholas Carr for an initial introduction to the cloud concept, which compares the evolution of cloud computing to the transition from individual power generation to modern utilities.

Historically, factories needed to generate their own power. For example, a water wheel may have been built to power a factory’s machinery, with the construction of the wheel and its operation and maintenance falling entirely on that business. At some point, these local generators were replaced with centralized power generation, where power was generated remotely, distributed as a utility, and priced based upon consumption. There are many reasons why this development was a good thing. Utilities presumably know how to generate power better because that is their primary business, there are economies of scale, the consumer can ramp up or down its consumption quickly and easily, and the consumer doesn’t have to pay for the excess capacity that the consumer does not need.

Cloud computing is very much the same concept. Rather than building and maintaining its own IT infrastructure, an organization can instead purchase the use of a comparable infrastructure as a service, paying for what it consumes, and leaving it free to focus on its primary business. The cloud also supports business agility by allowing for the fast expansion or contraction of IT capabilities.

Editor: Why is it important for lawyers, particularly, in-house counsel, to take a closer look at how their companies are implementing this technology?

Goldberg: Cloud computing is an area of technology and a business model whose impact is going to reach across many legal areas, from electronic discovery to compliance to intellectual property. Accordingly, the stakes are very high as companies consider replacing internal systems with externally hosted ones.

Saving money is a common reason why organizations move to a cloud, and it’s important to understand whether the organization will actually realize those savings or just end up transferring costs from their IT budget to the legal budget. There are many legal costs that are often overlooked about which in-house counsel will need to be aware. First, there is the cost of a due diligence process, the investigation that takes place before entering into a contract for cloud-based services.

Second, there may be customization costs. If an organization needs to customize the cloud service to make it suitable for a specific need, that may be counter to the economies of scale and will likely involve additional cost.

Finally, I believe the potential change in risk exposure should be taken into account. This may be difficult to quantify as it is a discussion about possibilities and probabilities. For example, would an organization trade some amount in IT savings for an additional percentage chance of a patent litigation? It is going to fall on in-house counsel to help evaluate these risks and to generally make sure that the service will meet business objectives.

Editor: What is the most important legal question for organizations considering moving their data to the cloud?

Goldberg: Because of the many potential variations in the way cloud systems are implemented, technologically, structurally, and contractually, the legal risks are different with each system. The key legal question is whether a given cloud is suitable for a given application. Every cloud has to stand on its own merit and be evaluated separately with reference to the application for which it is intended. For example, you may not want to use the same cloud that you use for your personal emails to hold your corporation’s crown jewels.

Editor: What is the difference between public and private clouds, and why is that potentially important?

Goldberg: I mentioned NIST’s 15th attempt to define cloud computing earlier. Version 15 defines a private cloud as where the cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party and may exist on premise or off premise. It defines a public cloud as a cloud where the infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

A key distinction between public and private clouds, and one that is important from a legal standpoint, is that public clouds likely have multi-tenancy, or multiple unrelated consumers of the service. With private clouds, analysis of risk may be very different if data isn’t being placed into the hands of third parties.

Editor: How may standardization activities impact the adoption of cloud computing?

Goldberg: There are two aspects of standardization that are interesting. The first is contractual and the second is technological.

With regard to contractual standardization, it is well known that there is a lack of standardized terms in cloud computing contracts. Therefore, it is very difficult for in-house counsel to compare a cloud contract from one provider with a cloud contract from a second provider.

The Cloud Computing Project at Queen Mary University of London is an interesting attempt to address this issue. Funded by Microsoft, it is reviewing many common cloud contracts. If it is successful, some best practices may emerge. This should make the due diligence process a lot easier on in-house counsel.

The second aspect of standardization is the need for apples-to-apples comparisons of the technological features of clouds. For example, such issues as security and interoperability may be addressed. Standardization in this sense is needed to facilitate third-party technical audits which will, again, take some of the burden off of the customer during the due diligence process and potentially help speed up cloud adoption.

The potential downside to these standardization activities is that they may ultimately define standards of conduct creating risk for those using cloud systems that fall below those standards.

Editor: As an IP litigator, how do you think the use of cloud services will change the risk of patent litigation?

Goldberg: You are going to have a different risk of patent exposure when your service is hosted in the cloud as opposed to an internally hosted solution. The technologies used by a cloud provider to provide the cloud service won’t necessarily be the same as those used in an internally hosted version of the product.

For example, you may need different technologies to support multi-tenancy in the cloud. You will likely have different security concerns and need to deploy different solutions. In an internal system your security typically includes a firewall designed to keep outsiders off of your network and a permission structure designed to limit the access of employees only to information within the network that they need to know. In a public cloud, you are going to have all of that plus technology protecting your information from other customers of the cloud provider and from the cloud provider itself. The ways data moves and is stored in the cloud may also be different. This all contributes to different risks.

The structure of the cloud service will also impact risk. One cloud service could have a single provider that provides all of the necessary hardware and software. Another cloud may have multiple providers, where one provides the cloud hardware and the other provides the software. In the first example, the consumer is likely in a direct contractual relationship with the single provider. In the second example, the consumer may only be in a direct contractual relationship with one of the two providers, with the other provider having its own contract with the remaining provider.

For a more extreme example, the hardware provider may itself have contracted with other hardware providers, for example, for surge capacity. The consumer may not know at a given time the identity of all the participants in a cloud system or the location of its data. That is going to change the risk profile.

I would conclude by noting that there are a lot of cloud startup companies right now, and in fact the cloud makes it very easy for startups, because they don’t have to build their own hardware infrastructure.

The problem is that over time many or most startups will fail, and this can result in lots of orphaned patents which may ultimately become a burden on the cloud industry. For example, during the dot-com era, when the bubble burst, many startups that failed had patents, which survived and fell into the hands of non-practicing entities, whose business was bringing lawsuits. Likewise, orphaned patents held by failed startup cloud providers can create similar problems.

Editor: How can an organization manage the risk of patent infringement in the cloud?

Goldberg: Organizations could undertake patent clearance projects to try to identify what relevant patents are in the space, who is filing litigations in the space, and which providers already have licenses to patents that are of concern. However, in the cloud, such efforts could be complicated by a lack of transparency in cloud systems. The consumer may not actually even know or be able to learn how the cloud system is actually implemented at any given time.

Further, certain cloud contracts allow for the provider to change the system, sometimes without notice. Accordingly, you could have done a very thorough patent clearance project, but tomorrow the system, and its risk, may be different.

Another way to manage patent risks is through contractual indemnification. One potential problem is that the customer may not be in a direct contractual relationship with all of the providers of the cloud system. Thus, in a system with many providers, it may be difficult to get complete indemnification.

Editor: What other IP issues are concerns?

Goldberg: Protecting trade secrets in the cloud is another concern. Obviously, you have to take reasonable steps to maintain the secrecy of a trade secret in order for it to maintain its value. It is an open question of what is reasonable in the cloud context. Encryption is likely one answer to this problem.

Some cloud contracts may give the cloud provider certain rights in its customer’s data, and there is the potential that this could impact the value of that data. It is one thing when the provider gets rights that it needs to operate its systems, for example, the right to copy or move files in certain limited ways. But, there may be more serious ownership concerns that can impact the value of the data when the provider gets rights in its consumer’s data for revenue-related purposes, such as targeted advertisements.

Editor: Can you explain why the issue of “control” over the data in the cloud is important?

Goldberg: Electronic discovery obligations extend to documents in an organization’s custody or control. By moving documents to the cloud, the documents may no longer be in a litigant’s custody, but they may still be under its control. The starting point for analyzing this issue is the cloud contract. If ESI is under control of the litigant, it may fall within the litigant’s e-discovery obligations, meaning that it could be the litigant’s responsibility to preserve, retrieve and produce those documents in litigation despite the fact that they are not in its custody. Issues of control go beyond just the basic documents and also extend to things like metadata, log files and other associated ESI.

Before data is put on the cloud, it is important for the cloud customer to know how it is going to carry out these basic e-discovery functions, including making sure it has whatever rights and help it needs from the cloud provider. The cloud contract should also provide for how costs will be allocated.

The analysis of control in the cloud may be simple where a litigant has a direct contractual relationship with all the providers of the cloud service. It can be tricky with more complicated systems.

For example, let’s assume that the cloud contract provides a consumer with the right to access certain forensics. One of the things that the consumer will want to check during the due diligence process – if it is not in a direct relationship with the hardware provider – is whether the party with which it has contracted itself has the rights under its contract with the hardware provider to meet its obligations to the consumer.

Editor: Besides issues of control, how can cloud computing impact e-discovery?

Goldberg: Returning to the previous example, let’s assume that a log file is relevant to a case, but it is not under the control of the litigant. Does that mean it can’t be discovered? The answer to that is potentially “no,” as a discovery request could be sent directly to the cloud provider for such data. While these direct requests to the provider may be objectionable where the data is under the litigant’s control, here the log files may only be available from the cloud provider. How the provider responds in such cases depends in part on the cloud contract. Therefore, the contract should describe how the customer would like the provider to respond to those requests.

It is also important to note that the Stored Communications Act may also affect the cloud provider’s obligations to turn over data.

Editor: What is data persistence and why is it an important issue in the cloud?

Goldberg: Data persistence concerns how data survives in the cloud, in some cases after you expect or want it to be deleted. It is a good idea – and sometimes a necessity if compliance obligations are implicated – for an organization to make sure the cloud that they are contemplating using will comply with their information management system, and any applicable laws, before they move their data to the cloud.

It can be problematic if the cloud service cannot comply with the organization’s retention policies. For example, from an e-discovery point of view, it may mean that a litigant has to incur an expense that they could have avoided if the document had been properly deleted. The unexpected retention of the document could also lead to a direct request to the cloud provider for that document in litigation, particularly if it can be argued that the surviving copy is somehow outside of the litigant’s control.

From a compliance point of view, the improper retention of information on a cloud can lead to the violation of certain laws. For example the European Union Data Protection Directive specifies limits on how long data can be retained.

Editor: What steps can an organization take to minimize the impact of a cloud service on e-discovery?

Goldberg: Discovery on the cloud can be more complicated than normal discovery because your data is on a network controlled by someone else. Therefore, there may be restrictions on available tools that you can use, you may need to rely heavily on the provider in order to get things done, and you’ll have a lot less knowledge about the network than you do with your own network.

The heat of litigation may not be the ideal time to first address these limitations. It’s a good idea to identify how data will be collected and preserved before that data is put on the cloud. What the organization could then do is record the results of the due diligence in a data map or other litigation readiness tool and store that along with the contract. Should litigation later arise your organization will be prepared. This may also provide some defensibility should things go unintentionally wrong.

Editor: How important is the role of the lawyers?

Goldberg: The due diligence process, and ultimately the decision about whether to go to the cloud, should be an enterprise decision, bringing in the business stakeholders, IT and in-house legal. While the ease of purchasing certain cloud services may support ad hoc adoption, there may be many benefits to making such decisions in a uniform organization-wide manner.

This article was reposted from the “InformationWeek” website.

The Data Center Institute, a think tank for data center managers, says only 14.9% of the organization’s members have implemented some form of cloud computing. But, it predicts, “the next five years will see the adoption of cloud computing grow dramatically.”

The report was authored by leading members of AFCOM, the former Association for Computing Operations Managers, a name it has dropped in favor of use of just its acronym.

The organization completed a survey last September which came up with the 14.9% figure. If the remainder are not thinking of moving toward the cloud, either internal or external, then the institute’s position paper should act as a warning shot across the bows. The report issued Monday predicted: “Its impact on data center management will be felt throughout the industry.”

Cloud computing will grow because it can address several persistent issues that plague data center operations, the position paper said. They include:

Underutilization: “Many servers in data centers are underutilized; there are still some running 3-5% of total capacity, while others actually sit idle.”

Security: “Security continues to lag within most data centers… we need to focus on emerging approaches that center around the distributed model, including identity management and the new use of encryption, either within on-premise systems or within the cloud.”

Ability to scale: “Businesses that need to quickly scale will typically find latency between the identification of the need and the time additional capacity can actually be brought on-line.”

Cost per cycle: “Many IT budgets were slashed during the last economic downturn to force management to revisit the cost of computing, which is driving much of the data center consolidation as well as the movement toward cloud computing.”

In effect, AFCOM is telling its members to “take what you’ve got and develop a plan to use cloud computing to get some of those attributes,” said Leonard Eckhaus, founder of AFCOM, in an interview upon release of the position paper, Guiding Data Centers To Cloud Computing.

The paper adopts the same definition of cloud computing as the widely quoted National Institute of Standards and Technology, which describes a public cloud, such as Amazon’s EC2; a private cloud, such as an enterprise builds for internal operation; a hybrid combination of the two; and a community cloud, where a group of organizations share a data center infrastructure.

A key tenet of cloud computing for data center managers is that it allows them “to shift the risk of handling the processing load from your enterprise data center to the cloud computing provider… the cloud provider is better suited to accept that risk,” said the position paper.

Eckhaus said the paper was also intended to encourage thinking about private clouds or internal architectures that duplicate what’s being done in the external cloud, such as running highly virtualized environments and multi-tenant servers. Data center managers should also be thinking about implementing self-provisioning for end users, usage tracking, and chargeback, he said.

The paper lists core issues for data center managers to consider if moving to a private cloud. Cloud computing is denser than its predecessor forms, with heavily virtualized hosts.”You must carefully consider power management issues when moving to a cloud-based infrastructure,” the paper said.

Network management will also become more focused on “processes shared between physical servers within the data center versus… communications with entities outside the data center,” it said.

Virtualization under cloud computing allows flexible allocation of memory, CPU, and other resources; it’s focused on multi-tenancy and auto provisioning, said the paper.

To make the move toward the cloud, the institute urges:

– Get a realistic appraisal of where cloud computing will help with existing inadequacies. What are the business requirements that the cloud might solve?

– Understand the existing network assets.

–Catalog servers and storage, and know the existing function of each.

–Understand data assets, the type of databases, and data models employed.

– Catalog application assets and make explicit the databases that serve them.

– Form a logical view of the combined existing assets to get an “as is” view of the data center.

–Draft a logical “to be” view of a cloud-enabled data center, with its network, storage, and server assets working together in a more cloud-like fashion.

– Define the physical “to be” architecture that can support the logical view, “including selection of all the right enabling technology… This typically is the most labor-intensive portion of the process” and requires the person mapping the future architecture to have an understanding of current cloud technology.

“If I was the CIO, I’d set up a team of data center managers, facilities managers, network managers, and vendors” who supply them to get to the right cloud architecture, said Eckhaus. That 14.9% figure is going to rise. “I believe the majority of our members will be involved in the cloud 3-5 years from now,” he said.

AFCOM sponsors two events a year for the 4,500 data center managers who make up the organization. The upcoming show is the 30th anniversary of AFCOM at Data Center World on Oct. 3-6 at the Mirage Hotel and Convention Center in Las Vegas.

Find out more

This article was reposted from “EMC Consulting  Blogs” pages.

What Does Gartner have to say about this?

In the blog Windows 7- To Virtualize or not to Virtualize – that is the question! I talked about a golden opportunity for organizations to move to virtual desktop infrastructures (VDI) instead of following a traditional desktop OS upgrade path.

As an update to this pressing concern for IT departments everywhere, Gartner has weighed in on the issue. observing (quote):

“Whether replacing or upgrading PCs, it is clear that Windows 7 migration will have a noticeable impact on organisations’ IT budgets,”

“Based on an accelerated upgrade, we expect that the proportion of the budget spent on PCs will need to increase between 20 per cent as a best-case scenario and 60 per cent at worst in 2011 and 2012,”

“Assuming that PCs account for 15 per cent of a typical IT budget, this means that this percentage will increase to 18 per cent (best case) and 24 per cent (worst case), which could have a profound effect on IT spending and on funding for associated projects during both those years.”

This clearly hits the nail on the head – a standard desktop OS refresh is going to make a serious dent on the ‘CIO purse’ if done following the traditional approaches that are prevalent. This is serious money that could be spent on projects that actually generate direct revenue for the firm!

What does this mean for Corporate IT ?

Essentially, Corporate IT will lock up significant resources in simply performing this upgrade. Those that delay will be well behind the curve (according to Gartner at least), although not being an early adopter has its own intrinsic advantage. The cost of upgrading hardware, either for performance or compatibility reasons, is predicted to be a significant cost.

This is not simple CAPEX, but the opportunity cost of not pursuing those projects/programmes that will directly influence the firm’s bottom profit line. An innovation cost if you will.

Organizations, in a move to innovate, are still employing traditional approaches to solving their desktop OS challenges and the corresponding application stack. However, the dynamics of our time almost mandate a complete rethink of the traditional ‘it’s time to refresh our desktop OS/desktop suites – let’s start a BIG project’ approach. This is a lost opportunity for a CIO to radically shake-up the IT structures/behavior built up over decades in-house.

Such a lock of resources, wholesale disruption of existing revenue generating projects and the outlay in performing the Windows 7 upgrade itself would suggest that ‘alternatives’ to the migration should be seriously examined.

I use Windows 7 extensively – and like it! On the other hand, I absolutely hate the upgrade process, and finding applications that work, new generations of software, and of course the now ‘mandatory’ hardware upgrade – although everyone always insists this is not necessary.  I did this for Windows 3.1x/ME/ XP / Vista  7 – well you can understand the desktop OS fatigue. Imagine what the Corporate-OS-Upgrade-Fatigue for thousands of users!

At a time where leanness has been emphasized; cost-saving/cost-avoiding projects having priority over innovative projects; a general focus on optimizing the IT infrastructure and the pairing down of IT personnel numbers would suggest another approach is needed than the current mass exodus from Windows XP to Windows 7.

Companies are not moving to Windows 7 simply due to a lack of support in the future for the platform, or the fact that Windows 7 is ‘shiny’ and attractive. There is an element of ‘anxiety’ in not being left behind. The group/herd instinct to follow the others. However, distinctness and variety are the drivers of sustained competitive advantage and long term relationship-focused revenue streams.

The CIO almost owes it to the organization to ‘think out of the box’, be a maverick, look for distinctiveness, not follow the ‘herd’ instinct prevalent in the organization and ensure IT is truly a partner to the organization to achieve organizational goals. This includes providing an excellent work environment for employees, and breaking the shackles of the desktop and the men-in-grey attitude still plaguing large organizations. Learn from the smaller guys. Be nimble, agile and creative!

So why is all this important for CIO’s and Organizations?

Innovations streams mandate a series of upgrades to reach that end-state that was originally desired. The main product to roll out should be the capability to have virtual desktops located within the virtual infrastructure that should already have been designed in a rock solid fashion. For exceptions requiring a mobile offline desktop, allow the virtual desktop to be delivered as an offline desktop (but still encapsulated using the virtualization technologies). This can be synchronized back with its online counterpart – replication technologies are really advanced these days. Communication technologies are also powerful and usually available in one form or another. At the very end of the chain, should be the absolute need to have a pure local traditional OS install on the user device. Essentially virtual desktop infrastructures provide an enterprise class functional container for desktop OS’s.

These are the same great features that are partially driving server virtualization – why not use them on the desktop! Applications should also clearly be virtualized to allow them to be independent of hardware and user profiles. They should be simple to upgrade and rollout – with the minimum number of images being used. Why have thousands of variants to support?

This opportunity should also be taken to do a complete cleanup of the existing environment. Windows XP left a lot of rubbish hanging around in registries, file systems, home profiles and questionable applications installed locally.

The new virtual desktop should be lean. There should be a complete decoupling of the OS and the user data/profile. The desktop should be really simple in future to upgrade. Applications should be containerized so that they can run on different OS versions. VMware ThinApp technologies support this notion very well, and Citrix/Microsoft also provide their own encapsulation technology (e.g. App-V).

Indeed the encapsulation technology providing the virtualization should also be independent of the desktop OS and provide complete freedom to choose – that should allow organizations to break out of the straight jacket of the traditional desktop OS vendors. The more desktop OS’s supported in the VDI solution, the better. Mainstream OS support should of course be available, but support for up and coming important variants such as the Ubuntu or Apple variants will allow an organization to rapidly re-engineer their IT to suit the needs of the organization – and negotiate tough discounts on the OS – the prime cost component currently in virtualization solutions.

It does not really matter that there is not a 100% match of VDI solutions to the functionality of local desktop OS installation – there will always be some odd hardware/software that does not quite work out. That is why innovation streams are important – use a hybrid approach with the mass of desktops in the virtual environment.

Over time as more functionality becomes available in VDI solutions (and there is already a 98%+ match), the sheer number of features regarding delivery efficiency and data security will mandate this as the principal solution to deploy a Windows X or whatever desktop OS is your favorite.

Choice and control coupled with efficiency. Doesn’t sound too bad! Welcome to the Private Cloud and Desktop-as-a-Service! Make the jump to VDI now and not lose this golden opportunity!

Posted 29 August 2010 18:00 by jaspal.dhalliwal | 0 Comments Filed under: Cloud, Paradigm Shift, Transformation, Private Cloud, Organizational form, CIO_Agenda

Windows 7- To Virtualize or not to Virtualize – that is the question!

Whether ’tis nobler to rollout a standard Windows 7 desktop,… OR to take arms against a sea of troubles,
And by virtualizing desktops end them?

Many of the current discussions we at EMC Consulting (Cloud & Virtual Data Center Practice) are having with IT Managers, CIOs, CTOs and Architect/Designers are typically focused on understanding the Cloud notion, its consumption and management models, and of course ‘how to build one’ . Frequently the ‘what does it mean for us?’ pops up.

Depending with whom you’re speaking the answer will vary in terms of granularity. An administrator asks regarding daily activities, an IT Manager in terms of service delivery and orientation, and the Cxx level is focused more on the realization of sustainable competitive advantage of Business IT amongst other themes.

With the current need to phase out Microsoft Windows XP on the CIO radar, engaging IT resources/personnel for the foreseeable future, and so many other areas of IT strategy still to realize, the move to Microsoft Windows 7 is rather significant. Many are taking the approach of a ‘simple’ desktop operating system (OS) upgrade. There are yet others utilizing the opportunity to replace parts of their desktop estate with long overdue PC/laptop replacements. These strategies are fine if the end result is simply to get rid of Windows XP and come back into the Microsoft ‘circle of trust’. Compounding the situation is the application stack (Ask-not-what-you-can-do-for-your-cloud-but-what-your-cloud-can-do-for-you) – and yet another migration.

Windows 7, different perhaps from the advent of Windows Vista in terms of its timing, comes at a turning point in the IT industry. The desire and interest to move away from traditional models of IT, resource consumption, and device form factors has never been so strong. Indeed the very notion of a desktop operating system is being challenged. We often hear in envisioning workshops this very same thought and if it can be done right now! Not an easy question to answer.

Don’t get me wrong here. I am myself an ardent user of Windows 7, coming from Vista (yes I installed that too), and of course the venerable XP. The functionality is fine, and Microsoft have done a good job of creating something useful. However, it is not really Windows 7 that I use daily. It is the applications and the browser that I mainly use. Certainly then, the OS could perhaps be a bit leaner – or as some virtualization vendors are doing – practically remove the need of an OS by creating bare-metal desktop hypervisors (Citrix and VMware initially).

Corporate IT Missing A Trick?

Based on the macro movement in the industry, the Cloud tsunami, Everything-as-a-Service and unprecedented levels of connectivity to the Internet, perhaps the idea of rolling out Windows 7 needs to be thought of in a different light.

We have discussed with many organizations embarking on virtual desktops as a part of their desktop estate mix, if Windows 7 should not indeed be treated as an innovation stream. One stream of many that would herald the move to the ‘digital-nirvana’ user workspace end-state (which is of course different for every organization).

By treating Windows 7 as an innovation stream, a collection of features desirable for an organization to possess, we come closer to the idea of Windows7 being a stepping stone on a path. The implication is that constant change will be accompanying the ‘desktop’ estate for all organizations – in that new features can be bundled and released rather than a colossal OS upgrade.

The very term ‘desktop OS’ is starting to look tarnished and is in all probability a complete misnomer these days.

EMC Consulting has a very strong practice supporting the migration to Windows 7, and together with customers, a different product mix is being implemented. Large swathes of virtual desktops hosted in a private cloud are being rolled out, with some use-cases mandating a traditional local install approach in the interim. However, in most cases the applications are being virtualized to ease the move to delivery via Cloud technologies. Some applications have already moved lock-stock-and-barrel to Private/Public Clouds.

How does this pan out with the ‘desktop OS’ developers?

Well. Microsoft itself is planning to refresh desktop OS’s more frequently than in the past (Windows x details were leaked onto the Internet this year). Microsoft itself is starting the move to Cloud offerings in partial/full form through its Azure offerings amongst others to come. Microsoft Exchange Server, long the province of corporate IT, is itself being considered to be ‘handed over’ to Microsoft in the form of Exchange Hosted Services (EHS). This of course leads to the question of whether there are other email/collaboraton technologies that can be used? Microsoft is embracing this sea-change after a fashion. It does not really have a choice anymore!

It looks increasingly as if change is going to be the new norm. Change is good – and the ability to rapidly change and reconfigure resources is a fundamental competitive advantage in an ever more dynamic cyber-verse.

Essentially, the change to an innovation stream starts to focus organizations internally on features and capabilities they value – not which version of a desktop OS they are installing next. The capability set essentially underpinning their varied business needs is identified and pursued.

In the move to the virtual desktop, this starts to yield real benefits in a very lean composed desktop (separated user profiles, applications, base OS). Initially we had the first wave of this in the form of server based computing models simply shipping out a shared Windows desktop surface. This was inflexible and required great operational control to ensure adequate features for all users (e.g. Citrix MetaFrame/Presentation Server/XenApp, Microsoft Terminal Services/RDS). This model still has its place in organizations today.

Virtual desktops in comparison, being wholly independent of other users’ workspaces, allow a greater level of flexibility, allowing users to continue to be productive in traditional ways, innovate and indeed generate new methods of working. This wave seems to be making a home for itself in the Private Cloud. Offerings such as the VBlock support near on 10,000 concurrent virtual desktops. This is unprecedented in a single offering. These desktops can be created for all users in seconds/minutes from scratch, and remain always patched, protected, and available 24 hours/day accessible from anywhere! The level of control from Corporate IT and level of freedom for users is a real boon in management terms.

We are seeing in parallel the rise of ‘Platforms and Applications as-a-service’ models in full swing on the Internet. Indeed it is possible to get a pre-purposed virtual desktop with the latest greatest Windows 7 (or Linux, Apple OS etc.) as a complete remote service.

Extend this further to the application stack above the OS, and we start to see exponential gains in manageability and long-term sustainability in terms of user-experience and operations. This is being felt in the wake of offerings such as Salesforce.com. This in turn is being extended to corporate applications being built on these platforms. There is choice here with Google, Microsoft, Amazon and others providing similar capabilities. The speed of building new business applications is remarkable in that the time-2-value has shrunk drastically! Good for consumers and definitely good for business!

We haven’t yet talked about how this desktop is consumed. Ever more capable devices are emerging (netbooks, tablets, iPad, iPhone, smart phones etc.) finding captive audiences initially using these virtual desktops for private purposes, and over time morphing to  fully-fledged personal productivity assets equally capable of being plugged in at ‘work’!

This brave new world indicates a net movement away from stuffy large desktop OS deployments on the narrow palate of PC/notebook hardware that organizations are typically still working with.

The consumer experience is driving the need for change within organizations. Organizations everywhere are waking to the clamor of their own users wanting a better experience in the digital workplace (after all they can easily afford a better experience as a consumer – so why can’t the firm do it!).

So why is all this important?

Well if innovation is the lifeblood of an organization, then all the available means to ‘spark’ innovation should be exploited. By reframing the traditional desktop OS deployment approach, an organization may be able to fundamentally change the digital workplace.

There are plenty of examples of companies working to redesign office layouts, use more capable telephony-over-IP, manipulating light and environmental conditions to put the brain ‘in-a-better-state-of-mind’ These approaches are working (Back in 2007 this is how things were - Google Headquarter – Amazing Work Place 9/19/07 )!  Why would we not do the same for the ‘desktop operating system’?

Thinking about that long term transformation of an organization, every person has at least one good idea in them. The idea may be the one that drives your industry for the next decade. Well is that not worth putting in a little more thought about the Windows 7 migration?

Is it not worth thinking about virtualizatiing your applications? Is it not worth thinking about how the jump to the Cloud will be made for desktops? Does it not make sense to virtualize now to allow some/all of those benefits to stream into an organization?

Some careful thinking now – moving away from the traditional ‘administrator/IT group’s worldview in ‘rolling out yet another desktop OS & the time is not right for Cloud – there’s no other way’, and keeping your eye firmly on the ‘big picture’ will invariably be a sure bet!

Agenda
•Overview: Disaster Recovery
•Getting Started: General Advice
• Business & Technology Considerations
•Deployment
• Configurations & what to buy
•Conclusions & Recommendations

Read the transcript

• “Getting Started with Cloud Computing”  by Alan Joch
• “Higher Altitudes for Cloud Computing” by Eric Sherman
• “Securing The Cloud”  by  George V. Hulme

Read the articles

Ned Miller, director of public sector strategy for Symantec’s public sector market, breaks it down for us today.

NM: The purpose, or intent, of the report was really simply to evaluate where agencies were, or currently are, in their overall cloud strategy, and then evaluate the ones that are early adopters, specifically with any challenges or barriers they’ve had with implementation, and really to focus on their key concerns. That will allow us to position how we can help our government clients going forward.

FCB: And what were some of your key findings?

NM: There were a number of themes that were pretty consistent in terms of the evidence that we collected.

The first area that we were very focused on was just how many agencies had actually implemented cloud, or cloud-based applications, or any platform or infrastructure. We accounted for about 23 percent of the agencies that participated in the survey have actually implemented cloud, and about 35 percent are planning to implement.

A couple other key areas that I think were interesting and noteworthy [are] — the emphasis on private clouds versus public clouds, and where agencies have already adopted some cloud strategies. About 58 percent of agencies are already using a private cloud, or in-house cloud, versus approximately 64 percent of those who are planning . . . to use private or in-house cloud versus using an outsourced cloud model.

FCB: We always, inevitably, come back to the security question. [Your survey] says 89 percent say data protection privacy is their top issue. Can you break down those numbers a little bit for us?

NM: Based, again, on the survey, about 80 percent of the participants came back and responded with that they believe that encryption in the cloud is a key area that needs to be addressed, and approximately 70 percent of them have come back and required data segmentation for the actual data in the cloud itself.

FCB: In terms of where agencies are now in terms of implementing cloud, you’ve got a slide [in the report] that says ‘proceeding with caution’. How does that tie into the security question?

NM: Well, in terms of ‘proceeding with caution’, a number of CIOs and CISOs that I’ve spoken to personally are still moving forward based on the mandates coming from OMB with their implementation of cloud strategies; however, the concerns are still centered mostly around security.

It still comes back to the data itself, protection of that data, and they’re fairly conservative in terms of the implementation approach to date, and therefore they’re really relying on building private clouds and building inside their own infrastructure. So, those are kind of still the key concerns — it really has to do with the data itself and where it resides.

FCB: So, a lot of agencies say they feel safer in these private clouds, rather than public clouds, but according to your survey, almost half who have implemented cloud don’t know if they’ve experienced a breach or an attempted breach. Is this cause for concern? Should we be really worried about this?

NM: We should, and, again, this speaks to the desired end state, which is a clear set of standards to address how to adopt and deploy and implement a secure cloud, which leads to FedRamp. . . . [It] is really designed to unify cloud computing security standards across the U.S. Government. Obviously, the initiative is managed by the folks up at NIST and Peter Mell, and he has a big task in front of him. We believe that, overall, this attempt to standardize a security model around cloud computing will take some time to evolve, and the biggest challenge we see with it, quite honestly, is not necessarily the adoption of the standards, but how quickly the industry — both the people, the process and the technology — are moving, versus how quickly standards can be adopted.

So, the biggest challenge to the standard, I believe, will be that we’re moving much faster than what standards typically have been able to get out.

FCB: What other barriers — perceived or real — are agencies facing at this point as they’re looking at cloud adoption.

NM: My sense is, at this point, that it’s going to come down to, specifically, expertise on the government agency side in terms of developing a technology strategy to deploy these private clouds.

So, we’re crossing into somewhat uncharted territory where agencies are building, with their own resources and infrastructure, these private clouds without necessarily a lot of strict guidance to any security standards, because they don’t quite exist yet.

So, in their rush to move towards the cloud, and derive the benefits that cloud provides in terms of efficiencies, economies of scale, etc., security often is still one of those scenarios that’s not baked in automatically.

FCB: And, finally, in terms of the ‘what’s next’ aspect of this, I believe you did talk to some agencies that are already implementing or starting to implement cloud computing. What did they tell you? What did you find out from them?

NM: It’s interesting in that, outside of the survey, I personally have been in contact, as I mentioned, with a number of CIOs and CISOs, and on the federal side, there’s a little over a dozen or so agencies that have fairly mature programs. They’ve actually stood up applications, some of which are service-to-citizen applications, the majority of which are still internal.

The notion of cloud computing is really catching on. We’re starting to see a number of agencies really jump towards that. I think in terms of what’s next is — they really need a cloud security strategy, instead of guidance from the authoritative sources, to help them ensure that, as they move forward with the guidelines that have been laid out by the federal budget planning process, [which says that] by September, 2011, any major IT investment acquisition has to provide an alternative analysis of a cloud strategy.

So, in terms of being able to support the mandates coming from OMB, I think the thing that we need the most is clear guidance around standards, and some assurance around the minimum security standards and criteria for both the industry partners [and] the government itself, specifically around data encryption, what the certification and accreditation process is really going to be like, what it means for one agency to approve a certain cloud provider [and] if another one can truly adopt that particular vendor, and then the notion of data segmentation for cloud solutions — whether it’s public or private.

This article was reposted from the “CIO ComputerWorld” website.

What a difference a year makes. Twelve months ago it was almost impossible to find Australian organisations that had embraced cloud computing. Now pretty much everyone is planning, piloting or executing some form of migration to the cloud. If there was ever doubt that cloud was little more than hype, it was eradicated in April 2010 by Commonwealth Bank of Australia (CBA) group executive for enterprise services and chief information officer, Michael Harte. In a speech to Committee for Economic Development in Australia, Harte declared that never again did he wish to be locked into using proprietary hardware or software and cloud computing was his escape route.

Harte is one of many CIOs who have been able to satisfy concerns that initially arose regarding the data security, accessibility and governance of cloud computing.

The bank has been investigating ways to buy software and infrastructure as a service for several years. A trip to the US in May 2007 included a meeting with Google and a chance to investigate its cloud-based services for messaging and email.

“It freed up so much resource,” Harte says. “And we thought, ‘Wow, wouldn’t it be nice if you could do other enterprise-scale activities on public infrastructure, and you could partition and secure that’.”

At the time, however, there simply wasn’t the business motivation for suppliers to make the switch.

“The incumbent service providers, whether it’s IBM or EDS, were really struggling with the model because they tend towards their own accounting standards,” Harte says. “They still have their own strong business models. They still wanted to continue to ‘lock’. They do resist contestability. And those things are the antithesis of what we were trying to do.”

“We only want to pay for what we use,” Harte says. “We want to get out of infrastructure computing and into fine-grain components and highly granular data, so that our customers enjoy new services. This is not about some technical breakthrough; it is about supplying customers the services they want — and doing that at value.”

An initial area of activity has been in test and development, which Harte says can account for up to 40 per cent of the bank’s server resources. CBA is utilising capacity-on-demand from Savvis and Amazon Web Services for part of the workload.

“Once we’ve developed and tested those capabilities, and we have them operating at full production, we can determine whether they stay outside in the public cloud or [should be] brought back inside the corporation,” Harte says. “We can provision those in under 10 minutes and we can do it at up to a tenth of the cost.”

Harte is not alone in his thinking. For many CIOs, the cloud is a chance to move away from technology strategy and embrace business strategy, although the definitions of cloud computing remain a grey area. Westpac, for example, has completed a trial of an internal private cloud and plans to bring the service into production.

“[We want to] move away from a capital demand-driven budget to one that’s a utility-based model, that is much more predictable and reliable in terms of determining what our ongoing costs will be,” Nikoletatos says. “But this is not about saving money; it is about reducing risk and improving business continuity.”

He says that the experience for students is going to change significantly in the next 10 years, requiring greater flexibility in how data is handled.

“Unless you have a bottomless pit of funding to help build things organically, you have to be thinking differently about how you deliver services,” Nikoletatos says. “It’s about getting the foundation right and, as you mature areas that you can move to the cloud, you slowly progress them and move them once you satisfy the governance-related issues.”

As the deputy chair of the Council of Australian University Directors of IT (CAUDIT), Nikoletatos says many other universities are looking to cloud computing as a way of reducing costs and increasing functionality, including through collaboration. “The University of Melbourne, Monash and RMIT are all working collectively on a model with a Fujitsu data centre in mind,” Nikoletatos says. That large organisations are treating cloud computing seriously reflects the rapid maturity of the capabilities of many service providers. According to the chief technology officer at Melbourne IT, Glenn Gore, much has been learned in a short period.

Melbourne IT has been running VMware’s vCloud Express service since September 2009 and is now switching over to a full vCloud implementation, with vCloud Express to be relaunched as an SME-focused service later this year.

“What I have realised is that some really good things come along with cloud, but with those good things come a different set of responsibilities and accountabilities,” Gore says. “Supporting cloud-like infrastructure is more complex than we anticipated, and that’s even with our decade of hosting experience.”

Melbourne IT is one of several service providers to launch cloud service offerings, and they are finding customers quickly. The earthmoving equipment maker Komatsu, for example, has signed with Telstra to have its IT infrastructure delivered as a service. Komatsu CIO, Ian Harvison, says the decision was catalysed by the expiration of the leases on several of its servers, coupled with the infrastructure in its data centre beginning to show its age. Harvison supports 1200 staff spread across 43 branches around Australia, New Zealand and New Caledonia.

He invited three organisations — Hewlett-Packard, Fujitsu and Telstra — to investigate Komatsu’s requirements and propose a new infrastructure plan. HP withdrew, and the solution that stood up from a cost perspective was Telstra’s. Komatsu has signed a five-year, whole-of-business agreement for Telstra to provide infrastructure-as-a-service in a virtual private cloud, and has also renewed its communications contract with Telstra. “This really is about aligning our resources to focus on the strategic and the core things we need them to do,” Harvison says.

“And in running infrastructure, it’s [Telstra’s] core capability. They can do that — we don’t need to be doing it.”

“It was something we’d wanted to do but the problem in the traditional model is you have to go and buy a server, put it in, and put the whole disaster recovery environment in place,” Harvison says. “This model means we don’t have to worry so much about having to procure the servers ourselves and get them up and running.”

Do it yourself cloud

Komatsu turned to an external provider, but other organisations are choosing to create their own clouds as a more effective way of servicing clients.

The Australian Bureau of Statistics (ABS) is one example. The constrained resources available to the ABS have meant that it has long operated a chargeback model for its 3200 staff and 1000 field researchers.

But whereas the old model was based on CPU cycles, ABS director of infrastructure, Tony Marion, says that by reorganising its data centre using virtualisation technology, it has been able to configure it as a private cloud and charge clients based on variable overall resources.

“It is a variable charge, but it allows areas that want to do a lot of research and run really long jobs that don’t necessarily need a lot of capability [to not be] charged horrendously per CPU cycle,” Marion says. “So it is more enabler or an ‘evener’ for everybody — all receive an even share of the pie.”

Chargeback is handled through VMware’s Virtual Centre, with the ABS recording the main variables of CPU, memory and disk. Marion says the ABS is now able to provision a test and development environment for its offices almost instantaneously, whereas previously it might have taken two or three months.

Marion is also looking into desktop virtualisation within its cloud to enable staff work from anywhere on any device.

“Everybody has a virtual machine, so that your data never leaves the bounds of ABS,” Marion says. “And if we want to allow people to connect with us from outside, maybe we can set them up with a virtual machine. “These are the sort of things that we are thinking about — giving people more and more capability — because what we want to do is get the statistics out there as easily as possible.”

Similarly, the Catholic Education Network has created its own internal private cloud. CENet services the IT needs of 15 Catholic dioceses encompassing 705 schools across NSW, Queensland and the ACT and Darwin, with a student population of 250,000 and 20,000 teachers.

CENet chief executive officer, Bede Ritchie, explains that when faced with the need to refresh its server environment, the network opted in January 2010 to virtualise using technology from NetApp and VMware, giving it the basis of a private cloud. The initiative has also taken advantage of the Catholic Network Australia program that has improved the bandwidth to the majority of schools across the country. The new configuration enables CENet to offer infrastructure-as-a-service to the dioceses to run their own discrete services.

“The big benefit from my perspective is taking away the responsibility for them to have to worry about hardware,” Ritchie says. “A diocese can request a VM, request some storage, run it up, and three months later just make it disappear and go back in the pool again.

“They can be freed to use their smarts to assist teachers to implement ICT in classrooms, rather than having to kick tin.”

The business case

The reasons for adopting could services are often very specific. For the property company Savills, it was about commoditising certain backend functions, particularly disaster recovery.

Infrastructure manager, Justin Gillfeather, says Savills is trialling Optus’ cloud service. By connecting across the Optus network he does not have to risk reaching out to public services.

“We expect it will take some load off our internal IT department,” Gillfeather says. “Especially things like disaster recovery — that all becomes somebody else’s problem.

“The reason we are in beta is to find out whether it is going to be cost effective for us to do this, whether it is really going to save us as much money as we thought, and the degree of flexibility it will really give us.”

Gillfeather says Savills is currently geared towards acquiring other businesses, which means potentially needing resources at short notice.

“If we had cloud running we might be able to do that far more easily than we are currently able to,” Gillfeather says. “If we can buy those resources from somebody else and know upfront how much it is going to cost, that allows us to do longer-term planning that we are otherwise able to.

“If we were starting a brand new business tomorrow would I buy any server hardware at all? At the moment I would, but two or three years from now, maybe not.”

Australian surfwear retailer City Beach certainly isn’t keen to spend the money to find out. When it came to upgrading from a static Web page to a full e-commerce service based on WebSphere Commerce, it opted to host it on Brennan IT’s infrastructure-as-a-service platform. City Beach is Australia’s largest independent retailer of surf, skate and urban wear, with 60 stores nationwide and a turnover of about $300 million. CIO, Paul Downs, says that hosting with Brennan was more cost effective than what he could achieve himself, and it enabled the company to deploy its site in less than 100 days in the lead-up to a Christmas deadline.

“I have quite a lean-team here, so my strategy is to outsource as much as possible, because we just don’t have the resources to provide 24 by 7 monitoring and break-fix,” Downs says. “When you stack up the cost of the wrap-around services versus the cost if I had to employ two or three people to provide the coverage over a year, it’s significantly cheaper, and Brennan places an SLA around it.”

Reality check

The enthusiasm with which many CIOs are embracing cloud computing in no way detracts from satisfying their concerns around data security, accessibility and governance.

According to CBA’s Harte, these issues are not all settled all at once, but they are not all necessarily new, either. Security, for example, has been a concern with each new IT delivery model, including outsourcing, offshoring and virtualisation.

“Security is definitely a concern, but wherever there is a large arbitrage to be had people will decide whether or not they are going to have it,” Harte says. “If they need further compliance, you can work with regulators and the risk community to figure out what to build back to ensure that robust security.”

Komatsu’s Harvison says it is important that CIOs investigate these models now to meet the agenda being placed upon them to do more with less, because hands-on experience is the only way to answer these concerns.

“The technology now is there, it’s proven,” Harvison says. “And as long as you have some comfort around the security aspects and the partner you’ve chosen, then I don’t think there’s reasons to put it up as a barrier anymore.”

This article was reposted from the “InformationWeek” website.

No CIO is going to undertake a complex desktop virtualization infrastructure initiative just to equip mobile employees. But don’t discount the possibilities here–a limited VDI deployment for workers who spend the most time outside the office, or who need special access, could get IT ready to move fast when vendors finally address some of the problems holding back the technology, including offline access and back-end stress on the data center.

Monical’s Pizza, a chain of 63 restaurants based in Bradley, Ill., has deployed remote desktops on some systems but not company-wide, says Douglas Davis, information systems coordinator for the company. “We give remote Mac Home Folders to some of our users. This makes backing up easier, and if a system goes down, you simply replace it with a new machine and they’re immediately up and running,” Davis says. “It’s the wave of the future.”

We think a phased rollout like Monical’s is the way to go. Mobility is the perpetual bane of IT. Security teams want data kept safe. Admins want device standardization and easy management. But employees demand access to e-mail, productivity, and other software tools from home, client sites, and hotels, on a range of hardware. And there’s no stopping this wave.

IDC forecasts that the worldwide mobile worker population will pass the 1 billion mark this year and grow to nearly 1.2 billion people–more than a third of the world’s workforce–by 2013. In 2008, the United States had the world’s highest percentage of mobile workers, 72%, and it’s expected to remain the most highly concentrated market, with 75% of the workforce–119.7 million workers–going mobile in 2013.

VDI provides valuable benefits to these road warriors and the IT pros who support them. Among those benefits: access to applications that can’t leave the data center, such as software that hooks into a database of highly confidential or classified information, the contents of which can’t be accessed offline for security reasons; an extension on the life span of legacy applications that aren’t multiuser-enabled; a way to easily deploy applications that need operating systems other than Windows; and an end to the problem of a salesperson’s laptop going south when she’s 1,000 miles from headquarters and getting ready for a presentation–just check out a clean desktop image.

Despite these benefits, our July InformationWeek Analytics Desktop Virtualization Survey of 430 business technology professionals shows that IT, while interested, is cautious about the technology. About 42% of survey respondents have already deployed VDI or are in some stage of testing. An additional 35% are assessing the benefits. The main drivers are added security and an ability to issue less expensive devices. Inhibitors include uncertain costs/ROI and performance worries.

We’ve examined the technical and budgetary angles of VDI in past reports (see them here and here). Now let’s approach the technology from the perspective of some business use cases for which VDI is tailor made–legal, healthcare, and sales–and look at special challenges around various access devices.

Taking It To The Next Level

VDI is maturing into a reliable way for IT to maintain security and manageability while accommodating employees’ needs. It’s not all the way there, but we found some early adopters that are pushing the envelope. The most important takeaway from these trailblazers: Proper planning can mean the difference between a successful VDI deployment and a mobile workforce rising up in revolt.

Considerations include provisioning for adequate performance and a plan to avoid desktop image sprawl. IT is thinking about performance; in our InformationWeek Analytics 2010 WAN Optimization Survey, for example, when we asked about the file types respondents expect to transfer across the WAN, nearly one in three of those using or evaluating WAN optimization cited VDI images.

Use Case: Legal

“The beauty of our current mobile environment is that it’s available to users as long as the browser works,” says Andy Jurczyk, CIO at law firm Sonnenschein Nath & Rosenthal LLP. Jurczyk says the firm’s users commonly connect from two or even three different devices. About 1,000 of its 1,800 employees in 13 offices in the United States and Europe access mobile virtual desktops. Complete rollout of VDI across the enterprise is expected by year’s end. Sonnenschein built what it calls “Follow Me PC” to virtualize desktops and applications in the data center and make the interface available from a browser on any device–PC, Mac, iPad, BlackBerry, or iPhone.

The firm is currently on version 2.0 of Follow Me PC, based on Citrix’s XenDesktop and run in a private cloud. Citrix’s Receiver client is used to deliver desktops and applications as an on-demand service. Jurczyk says the technology enables the firm’s employees to better serve clients by facilitating secure access to intellectual capital, internal documents, processes, and collaboration and communica- tion tools.

Sonnenschein’s practitioners access their virtual desktops from home via Cisco 871 Integrated Services Routers that deliver firewall, VPN, and wireless LAN capabilities at broadband speeds. The company also deployed VoIP phones that let users access their work telephone extensions remotely. Once employees connect to the corporate network through a secure VPN tunnel, they’re issued desktop images that include the operating system and all applications encapsulated in a Citrix Desktop Viewer.

Remote application access is clearly a huge benefit of VDI, but that can also be realized through conventional terminal services via XenApp or Microsoft Remote Desktop Services. However, there’s a major drawback to traditional application streaming: If you’re not connected to the internal LAN when accessing a streamed application, then you don’t have access to internal network storage–and no one wants to lose a few hours of an attorney’s work. By forcing users to access applications inside the virtual desktop, IT is also able to force the use of network storage, which has major benefits for companies that need to keep a tight lid on sensitive data.

In addition, the law firm hosts a private cloud to assure security, continuity, and availability. Data storage, which is important to both Sonnenschein and its clients, is cloud-based as well.

Use Case: Healthcare

Nonprofit healthcare provider Broward Health, based in Fort Lauderdale, Fla., deployed Citrix’s XenDesktop two years ago as part of an upgrade to its aging infrastructure. Broward is one of the 10 largest public healthcare systems in the nation, with a community that includes four medical centers and 32 clinics accounting for about 7,000 desktops. Peter Barnick, consulting systems analyst at Broward Health, says about 450 employees require remote access to virtual desktops.

IT supports Dell Latitude D630 and E5400 laptops as well as Hewlett-Packard Elitebook 2740p machines, all with full-disk encryption. Users access their desktops using Internet Explorer 7, the latest version certified for the healthcare system’s applications, and a secure VPN connection. IE 8 is being tested, with rollout scheduled for October.

Although Broward Health doesn’t officially support Apple’s iPad and iPhone 4, some physicians are showing up with them, and a few departments are asking IT to support applications on netbooks rather than laptops. Patient privacy regulations and corporate policy mean the healthcare provider sets strict limits on remote access, however. Barnick is taming the “bring your own iThing to work” movement by automatically vetting devices that attempt to connect to the network and blocking those that don’t meet the organization’s requirements.

Health Insurance Portability and Accountability Act rules don’t specify which devices or technologies can access sensitive patient data; they just require that the data itself be secured, and when shared, it must be over an encrypted link. VDI inherently meets both requirements, regardless of the device the VDI session is accessed on. Moreover, healthcare and education are sectors notorious for running legacy applications into the ground, so VDI is a godsend when there are specialized apps that must be supported and that can’t natively run on an iPad or a 64-bit OS–remember, Windows 7 64-bit can’t run 16-bit apps.

Digital imaging, as for X-rays, presents storage, processing, and bandwidth challenges. While VDI isn’t great at rendering the fast-moving graphics you’d see in computer games, it’s fine for high-resolution, static digital images. That allows hospitals to deploy less expensive thin clients on the floor that can be used to access the processing power of a hypervisor serving VDI sessions.

Network latency was an issue at Broward Health before the infrastructure overhaul that included VDI. “Many of the features that we’re implementing today require fast, high-volume access,” Barnick says, referring to image files used by radiology and MRI and CT scans accessed by medical staff. At the same time, the overall volume of data transmitted has increased, so the organization operates a robust fiber-optic infrastructure.

Use Case: Sales

At Iland, a cloud computing infrastructure provider in Houston, IT uses thin clients to do administrative tasks, while the sales team and senior executives use iPads at trade shows and client meetings to access pricing sheets and other product data. The company also supports Android devices and iPhones. It runs VMware View 4 on the back end and PocketCloud from Wyse Technology on mobile devices.

Before Iland implemented VDI, users would travel with laptops running some of their applications,” says CTO Justin Giardina. Now, a central desktop image is presented. Not only are current users satisfied with the virtual desktop image, Giardina says, but mobile VDI is taking off as word-of-mouth testimonials make their way around the office. That’s not uncommon because, unlike with older thin-client setups, today’s VDI systems let users customize their virtual desktops beyond what’s provided by the base image.

Of course, nothing is more embarrassing than having your system crash during a demo–just ask Steve Jobs. Fortunately, our testing shows bandwidth isn’t usually an issue. “In my lab setup, Office apps perform quite well, even over low-bandwidth and high-latency links,” says Randy George, an InformationWeek and Network Computing contributor. “In fact, even up to 200-millisecond ping times, I was able to run Office at a more-than-acceptable level of performance.”

Meantime, vendors are improving what was–until recently–lackluster delivery of graphics on virtual desktops via improved rendering technologies, such as Citrix HDX and VMware View 4. HDX delivers a high-definition virtual desktop for graphics-intensive applications to be run through a VDI session by providing network and performance optimization. VMware View 4 similarly offers improved display delivery, via the PC-over-IP protocol, that dynamically detects and adapts to the end user’s network connection.

Form Factors

Another reason to launch a VDI trial is the onslaught of varied devices needing access to corporate apps and data. Why would mobile workers choose to lug around a relatively heavy laptop when the network is as easily accessible from a netbook, tablet, or smartphone? In fact, they won’t–and anyway, companies are (or should be) growing weary of the fat-client upgrade treadmill.

In our most recent InformationWeek Analytics End User Device Management Survey, desktops still held the top spot. But with VDI, an enterprise could dispense with $1,000 desktops or laptops and pay $279 to $499 for a thinner device with native 3G connectivity. Multiply those numbers by several hundred or thousand workstations, and you’re talking real money. VDI costs on the back end for software, servers, and storage, but economies of scale around using an existing data center could still present a good TCO scenario.

A recent survey by Citrix showed 80% of its customers plan to use Apple’s iPad for business, and 84% of those organizations will support employees’ personal iPads. And in our End User Device Survey, cell and smartphones came in right behind desktops and laptops among our 558 respondents.

One caveat: A keyboard and monitor are vital to a good user experience when using a smartphone as a VDI client. “Users can access the virtual desktop without these accessories, but it’s not very functional to try to put a desktop on the screen of an iPhone,” says Elias Khnaser, practice manager at Artemis Technology, a systems integration firm. Using the iPad’s Bluetooth 2.1 + EDR technology, users can opt to connect a wireless standard keyboard to tablets as well.

Smartphone manufacturers see the potential of selling devices as thin-client nodes for VDI. In the next few years, many intend to add HDMI ports for connectivity to flat-screen TV monitors; that and a wireless keyboard coupled with 4G network access will turn the smartphone into a road warrior’s dream, says Khnaser.

On the desktop, Citrix, Microsoft, and VMware all offer bundled remote clients that let systems running Windows, Mac OS, or Linux call up a terminal-like session on a remote host machine.

In fact, form factor shouldn’t matter: VDI clients are available for iPads, netbooks, desktops, laptops, and smartphones running Microsoft, Apple, or Android operating systems. And enterprise-class, secure VPN connectivity is available for a broad range of devices. Cisco and Juniper Networks, for example, offer VPNs that support Apple’s iPhone and iPad.

What does matter, according to our Desktop Virtualization Survey: security and ubiquitous access.

Lock It Up

The security benefits of VDI look highly attractive compared with releasing into the wild a laptop holding enterprise data on its hard drive. But even with VDI, there are security concerns around mobility. By default, you just need credentials and the VDI portal URL to access a virtual desktop. If a user’s credentials are compromised, then you have a problem. By requiring a trusted digital certificate to be installed on any system accessing VDI sessions, IT can ensure that the person accessing the virtual desktop is doing so from a trusted device.

Sonnenschein’s Jurczyk is adamant that out-of-the-box security isn’t enough for his law firm’s virtual desktops. The firm created its own custom security certificate that’s loaded on employee devices and, once applied, manages password strength, time-out, automatic wipe on a determined number of tries, secure wireless access, and additional VPN security. IT also enforces company polices to comply with both U.S. and European regulations.

With the physical device decoupled from the virtual desktop, maintenance and security management are controlled from the data center, simplifying updates and patching as well as improving compliance and control of auditable data. But companies using fat-client endpoints will still be vulnerable to losing data if end users are allowed to store files on their local drives. In this case, you will need to deploy endpoint security software. A policy regulating file storage is helpful, too.

Security experts also advise encrypting data through an SSL VPN tunnel and requiring two-factor authentication to ensure only authorized users access virtual desktops. In the event that a device is lost or stolen or an employee is terminated, some VDI vendors offer the ability to remotely wipe, kill, or lock a device, as long as it’s connected to the network–a must-have security feature.

Offline, Off The Radar

For many companies assessing VDI, the model falls short the minute the network is unavailable, since the client desktop resides on the server. Twenty-seven percent of respondents to our Desktop Virtualization Survey cited “users need the ability to work while disconnected from the network” as a reason for not adopting VDI. And some features, like the client kill option referenced above, require network access.

Sonnenschein’s Jurczyk says that Follow Me PC 3.0, which will include the yet-to-be-released XenClient bare-metal hypervisor, will be an answer to that problem. XenClient, expected by year’s end, is an offline version of XenDesktop that solves the problem of needing network access in order to run a VDI session by letting users download their virtual desktops off the server and work locally. VMware View 4 also offers an experimental offline desktop that lets IT shops run a managed virtual desktop locally. Existing policies for the virtual desktop continue to be applied and enforced. Later, the desktop is checked back into the data center for resynchronization.

Once XenClient is in place, “we’ll be able to do everything we do today, in a disconnected state,” Jurczyk says. Sonnenschein’s users are productive while offline, such as when traveling on an airplane, because the firm provides laptop users with local applications. Overall, the firm thinks the benefits of a virtual desktop for traveling practitioners outweigh the shortcomings.

Still, vendors realize that for most companies, offline access is a roadblock, and they’re scrambling to address it. Companies such as MokaFive, Virtual Computer, VMware, and Wanova offer specialized offline virtual client-side desktops.

The popular MokaFive LivePC, for example, lets employees download virtual desktop images and run them locally on a PC or Mac. MokaFive LivePC addresses the security problem by checking into a policy server when an Internet connection becomes available. Any change in employee status that affects virtual desktop access can be enforced immediately, including a complete remote wipe of any virtual desktops downloaded by the client. IT retains control of the virtual desktops via policies for security, access control, peripheral usage, personalization, and network configuration, says Purnima Padmanabhan, VP of products at MokaFive. The product suite also lets IT administrators remotely terminate LivePC on a device if it’s lost or stolen.

Looking ahead, there’s consensus among industry watchers that in as little as five years, current barriers to VDI adoption–including the inability to work offline–will be overcome. Telecom companies worldwide are upgrading their networks–3G followed by 4G will be ubiquitous, and there simply won’t be any offline. At the same time, expect Wi-Fi hotspots to become more prevalent across cities and towns, stores, and modes of transportation.

Still, for now, some IT pros see current VDI solutions for the offline problem as insufficient–and reason for employees to push back. Ultimately, it’s up to each company to assess the needs of its mobile workforce, understand the limitations of offline access, and decide if VDI is right for them.

But don’t hold back too long. This technology has the potential to be as powerful a game changer as server virtualization has been. It’s all about how we choose to manage our desktops, and the quality of the experience we want to deliver to end users. Consider arming your mobile workers with this new breed of thin client–before competitors outflank you.