|
|
|
Can Client Virtualization Revitalize Workplace Recovery? The Workplace Recovery Dilemma – Why Do Good Plans Go Bad? In the discipline of business continuity planning, we historically have operated under the mantra of “Recover the technology + recover the data + recover the people = recover the business.” While this philosophy may be correct, “recover the people” is often overlooked and poorly implemented. While some organizations make the investment and ongoing care and feeding for “hot” redundant work spaces, most organizations are highly dependent upon more cost efficient solutions, such as contracted work space, internal reciprocal agreements, drop shipment or work from home solutions. The overall process of PC management including configuration management, application version management and security patch management are complicated and increasingly challenging when dealing with unlike recovery hardware. Additionally the tools, processes and people involved in PC management and deployment are often times insufficient for the mass deployment needs required during a major response. What have many organizations done to mitigate these challenges? They have put their eggs in a single basket, which is remote recovery (work from home). Home-Based Recovery – Can a Remote Model Overcome our Deployment Woes? In order to enable a remote workforce, many organizations are issuing laptop computers to employees while establishing policies and standards regarding their use, including mandates to bring these devices home each night. Most organizations with this strategy have implemented logical security through PC-based firewalls and a few are picking up the tab for high speed Internet access for their key employees, but this investment may still not be sufficient for all roles and individuals. With the exception of those companies that have implemented a regular remote access model, many have not addressed the underlying process issues that are inherent in a work force that you cannot (literally) see on a regular basis. Is management capable of overseeing a distributed work force…are your people actually working…are they focusing on the correct priorities…are they adhering to the same security standards that are practiced within the office? Companies should be asking whether this model provides confidence that the organization will operate under the controls and principals required in this era of Sarbanes Oxley, GRC initiatives and data privacy concerns. …If not, perhaps we should revisit the overall strategy equation. How can we improve traditional recovery models while still maintaining control of operations and data? Perhaps the concepts of Virtualization can help. Virtualization – Coming to a PC near You When most people think of the term ‘virtualization’ they initially gravitate to servers and storage. For the past few years, organizations have been adopting virtualization methods to assist with “server sprawl” and data proliferation; however, the same concepts are available all the way to the desktop. In fact an emerging field of technology, referred to Virtual Desktop Infrastructure (VDI) is aggressively being adopted in the marketplace. In a recent Forrester publication, over 35% of PC decision makers responded that they have or will be deploying VDI within the next 12 months. There are more than a few of the types of client virtualization that are being implemented within organizations today: Virtualized Local Desktop – The entire desktop operating space (operating system, applications, and local data) is run within a “virtual machine” on top of the PC base environment. These virtual machines operate like any other PC environment; however, they are shielded (or abstracted) from the physical PC hardware. In fact they live as a single (large) file that can be stored either locally on the PC hardware or on remote storage. These files can be easily stored, encrypted and transferred from one machine to another allowing for very rapid deployment or recovery of a desktop image. Since these images are hardware agnostic and are not dependent on PC hardware versions or drivers they can be provisioned easily and remotely. Virtualized Desktop Hosting – In this model, the “virtualized” desktop described in our first model is hosted within the datacenter environment. In fact, many virtual desktops would operate on the same server, allowing for optimized performance management and consolidation of hardware. Additionally this model provides the added benefit of datacenter-quality security within the desktop environment – meaning that business data is processed and transmitted within datacenter protected zones. Some applications may experience a performance increase as a result of proximity and high network bandwidth within datacenter networking. Streaming Applications – Otherwise known as SaaS (Software as a Service) or non-persistent software, an emerging trend in software virtualization is the concept of “streaming” operating systems and applications. In this model temporary objects are created within a server environment, and transmitted to the end user hardware via intranet or Internet connections. These objects have a limited lifespan (i.e. they do not “persist”) and do not rely on end-user systems for data management or processing. Recovery of this architecture is similar to that of your traditional server-based DR and provides great flexibility including load balancing, clustering, failover and traditional recovery. This model is still early in its adoption phase; however, it is showing great promise in the market. Software providers are still trying to adapt their licensing model to accommodate this new paradigm in computing, so there will be more to come in the coming months. How Does Client Virtualization Enable a Workplace Recovery Solution? Now that we understand the concepts of the technology, how can we use this to support our work area recovery capabilities? Any of the models described above can operate on vendor-independent PC hardware; therefore, it may be time to revisit our warm-site/reciprocal agreements. By limiting specific hardware reliance and providing a complete “virtual” bundle, recovery seats can be readied in minutes to hours with minimal “out of the box” changes required. Many of the virtualization techniques described can be leveraged to even improve upon the capabilities that we have in place for remote recovery, specifically security related concerns. By retaining business data, applications and functions within the server environment and securing local desktop images, an organization has greater control over the flow of business data and can take further steps to protect its intellectual capital against theft or accidental destruction. Making it Work – Considerations for Cultural Acceptance While the technology to virtualize is becoming more mature, many cultural dilemmas still exist that impede this technology from gaining the leverage it needs. Many users become “emotionally attached” to their desktop systems – in good times and bad. Many of the users who complain the loudest about system performance and stability are the same people who will fight the hardest against letting go. Users (and managers) need to understand the added benefits of virtual technology while still providing the base features and capabilities that they have grown to rely on over the years. Typical VDI challenges, including locally attached printers and other peripherals (USB devices) need to be considered in advance of any VDI deployment – in some cases this technology can provide an improved level of management and oversight for these devices (in particular enforcing restrictions to flash drives) than exist today. If one is able to proactively address these issues today, you effectively have managed the same issues (in the future) at the time of recovery, allowing for greater continuity of business processes. Finding the Balance – Leveraging Traditional and Virtual Recovery There is certainly a business case for why virtualization may be right for your operating environment and now let’s discuss the pain points when traditional hot-site methods may be the right choice for your organization. While virtual machines are a great thing, they do not provide similar performance to a traditional desktop system; in particular, the resource-heavy processing systems traditionally used by investment traders, software developer or audio/visual engineers. These systems typically require significant processing power (4 or more processing cores), 4GB or more of memory and high-throughput, multi-monitor video cards. Users typically require a number of additional peripherals (USB, FireWire, or other interfaces) to operate effectively. A typical Virtual Desktop would be configured with a single (or partial) processor, and up to 384 MB of memory – far less than your power user may need. For users with these intense processing needs, an organization would be best served to maintain their hot-site solutions or custom deployment/drop ship processes (for less time-sensitive functions). Standard task-based users (such as call centers, finance, operations, and helpdesk support) can take great advantage of the benefits of virtualized technology. In fact this not only eases the problem of recovery operations, but paired with technology like VoIP can enable a new level of workforce flexibility, including part/full time remote operations, simplified office moves and the leveraging of near-shore or off-shore resources. Considerations, Challenges and Conclusions In closing, Virtualization is another tool that organizations have available in their arsenal to assist the technical challenges associated with workplace recovery; however, it is not appropriate in all situations and requires strong cultural support for its benefits to be fully realized. This technology does not solve the overarching process issues that plague this discipline of work area recovery (management oversight, control of paper-based information records, or HR policy); however, it can provide additional options to manage the risks inherent in some traditional desktop PC operations. As always, defense-in-depth is essential when considering security and recovery events. Do not rely on a single capability or technology as the panacea for recovery, but rather leverage a combination of traditional hot-site, shared-configuration and remote access capabilities to provide for greater flexibility when recovering from an actual event. In today’s world we need to plan against pandemics, natural disasters, technical failures and man-made incidents – it’s always wise to make sure that you always have ‘Plan B’ available (Plans ‘C’ and ‘D’ don’t hurt either).
About the Author Damian Walch, CISA, CISSP, CBCP, MBCI, is a Director with Deloitte & Touche LLP’s Enterprise Risk Services. He has worked with over 120 companies on designing business continuity and availability strategies. He can be reached at dwalch@deloitte.com. Matthew Edward Zielinski, CISSP, CBCP, is a Senior Consultant with the Deloitte & Touche LLP’s Enterprise Risk Services practice, with responsibility for delivering information security, business continuity and disaster recovery strategies and solutions to clients across all industries. He can be reached at mzielinski@deloitte.com.  |