BYOD - How VDI, MDM and DaaS can help you tackle the security challenges
First things first: a BYOD policy sets the rules & framework
A BYOD policy, or bring-your-own-device policy, is a set of rules governing a corporate IT department’s level of support for employee-owned PCs, smartphones and tablets.
A BYOD policy can take many different forms. Some organizations cut back on corporate-issued PCs and laptops, instead giving employees a stipend to purchase and maintain technology equipment of their choosing. More commonly, however, organizations will agree to support personal mobile devices -- at least to some degree -- in addition to corporate-issued equipment. The rules in a BYOD policy often vary depending on a user’s role in the organization, his or her specific device, application requirements and other factors.
The consumerization of IT has highlighted the need for bring-your-own-device policy development. Employees use their own PCs and mobile devices for business tasks whether their IT departments support them or not, and a BYOD policy can help control this usage and mitigate its security risks.
Controlling BYOD: Think about VDI as a form of Mobile Device Management
Virtual desktop infrastructure (VDI) is the practice of hosting a desktop operating system within a virtual machine (VM) running on a centralized server. VDI is a variation on the client/server computing model, sometimes referred to as server-based computing. The term was coined by VMware Inc. In the past couple of years, some large organizations have turned to VDI as an alternative to the server-based computing model used by Citrix and Microsoft Terminal Services.
For BYOD, there is the interesting option of using VDI as a form of Mobile Device Management (MDM).
MDM is a critical component of a BYOD reference architecture, or of any mobile device reference architecture: it gives IT a view of the devices on the network in terms of their attributes, capabilities and constraints, and lets IT departments monitor how the devices employees are "bringing" to work actually function in the enterprise environment. It is a complex picture of an increasingly complex scenario.
So how does VDI affect this situation? Simply put, it transforms MDM's view of the device's application capabilities by taking those applications off the device altogether: they run in the hosted desktop, not on the endpoint.
This is not to imply that virtualization teams can simply spin up a VDI instance and solve all BYOD issues. VDI does not always translate well into mobile environments. The applications are generally not optimized for touch interfaces, so the user experience can be less than ideal. Also, not all mobile devices support the same VDI clients, meaning that administrators have to manage multiple client-based access apps on the endpoints.
Nonetheless, VDI has strong appeal from a security perspective. VDI on a mobile device is much like Outlook Web Access on a traditional PC: email administrators generally don't worry about which web browser or PC type the application is running on; they simply manage the back-end server environment. This creates a separate logical space in which the endpoint is agnostic, and the data and applications stay on the server rather than on the personal device.
Further, VDI provides access methods similar to those of mobile devices. The argument for VDI also includes the notion that it can be sandboxed: the VDI client runs as its own contained process, separate from the native processes of the host device.
There is no reason why MDM solutions cannot complement VDI solutions. After all, the basic challenge of delivering Wi-Fi settings, certificates and basic native applications to a particular smartphone is easily addressed with MDM solutions, which let administrators accomplish the task by simply sending an email, text message or URL to the user. The user clicks the URL and the device is configured for access automatically, with no need to worry about downloading the right applications, entering the right settings or other setup issues.
It should be noted that some applications, such as office productivity suites, just don't work well in a smartphone-plus-VDI-only environment. In these cases administrators must use MDM to push out and configure specific mobile applications that run natively in the user's environment.
MDM and VDI should not be an either/or discussion. MDM is not inherently a security component of a BYOD program, whereas VDI offers full security capabilities. As such, the two solutions complement each other well, and increasingly I'm seeing environments where both are being used: VDI handles application security and user context, while device provisioning and user settings are managed with MDM. This balance will be interesting to observe and help shape as BYOD and mobile productivity continue to ramp up.
No internal capacity for VDI? Think about using DaaS to host your VDI back-end
Desktop as a Service (DaaS) is a cloud service in which the back-end of a virtual desktop infrastructure (VDI) is hosted by a cloud service provider.
DaaS has a multi-tenant architecture, and the service is purchased on a subscription basis. In the DaaS delivery model, the service provider manages the back-end responsibilities of data storage, backup, security and upgrades. Typically, the customer's personal data is copied to and from the virtual desktop during logon/logoff, and access to the desktop is device-, location- and network-independent. While the provider handles all the back-end infrastructure costs and maintenance, customers usually manage their own desktop images, applications and security, unless those desktop management services are part of the subscription.
Desktop as a Service is a good alternative for small or mid-size businesses (SMBs) that want to give their end users the advantages of a virtual desktop infrastructure but find deploying VDI in-house cost-prohibitive in terms of budget and staffing.
See also the attached whitepaper on DaaS and this blog entry on Cisco systems for BYOD: