Cloud Providers Still Claiming DaaS Immune to Malware

When VDI and DaaS were first introduced, many claims were made for their superiority over distributed desktops. They were cheaper, faster, more secure, easier to manage, etc. At the time, with few exceptions, these claims were no more than fantasy. Over the last few years, though, sufficient improvements in the core platforms and underlying infrastructure have brought some truth to most of these claims. Management tools have improved beyond measure. High-performance converged infrastructure appliances can deliver performance as good as or better than even that of the fastest desktops, and they do so at a cost that is less than that of a managed, enterprise-class desktop PC.

As the technology has matured, so have the marketing messages employed by vendors and service providers. The advertised benefits of VDI today (you can assume from now on that any mention of VDI applies equally to DaaS) commonly focus on business agility, alignment with mobile-first business strategies, and its role as a key element of the broader digital workspace. DaaS extends these benefits to incorporate those it has in common with the other “as a Service” platforms.

The one thing that hasn’t changed is security. Despite any claims to the contrary, VDI is no more secure than a conventional desktop. It can’t be: it’s just a copy of Windows (Server or Desktop—it makes no difference which) running on a hypervisor, and all connected devices are vulnerable to attack. The best that can be said for VDI is that having all the desktops in one place makes it far easier to ensure compliance with security controls, and that with nonpersistent desktops, recovery from malware infection is usually never more than a reboot away.

Let’s put this in simple terms that anyone can understand. Neither VDI, nor DaaS, nor any other Windows desktop technology is immune to malware. Yet, here it is:

No need to worry about viruses impacting applications

There was a time when I might have been prepared to tolerate claims that VDI offered some degree of increased protection from malware. But then, there was a time when advanced persistent threats and zero-day exploits delivering ransomware were not everyday occurrences. At best, single image management and rapid desktop refresh offered the ability to reduce the window of opportunity for malware to cause damage. Today, they offer scant protection against any of these threats. If you want real protection from malware, you need to look at tools like Bromium vSentry. I covered vSentry for TVP Strategy when it was first introduced in 2012 as a major advance in malware protection, but to be clear, this is a third-party component and not a part of any out-of-the-box VDI or DaaS offering today.

There are no excuses for any service provider who claims that a DaaS solution that relies on conventional malware protection, single image management, and rapid desktop refresh offers any real protection. None at all. Right now, the best advice that I can offer to a business customer considering VDI or DaaS is that if the salesperson makes any claim about VDI eliminating the need to worry about viruses, show them the door and go talk to someone else. If you are a service provider making such ill-considered claims, then come talk to us, and we will put you back on the right track.
