In a previous entry on desktop virtualization, I said that I would follow up with a discussion about the ways to virtualize desktops and applications so that they run in your data center where they are easier to safeguard and upgrade. I apologize for the wait, but here it is.
A virtualized application is not installed in the traditional sense, although it still may be executed as if it is. The application is fooled at runtime into believing that it is directly interfacing with the original operating system and all the resources managed by it, when in reality it is not. Application virtualization can improve portability, manageability, and compatibility of an application by unpairing it from the underlying operating system on which it is executed.
There are multiple ways of virtualizing applications. With server side application virtualization, applications run in the data center and are displayed on the user’s PC through a browser or specialized client. The application does not need to be compatible with the operating system running on the PC because the PC is just displaying a ‘window’ into the application.
With streaming or client side virtualization, the application resides in the data center but is delivered to the user’s computer to be run locally. Because it is running locally, the resources that normally would be installed into the OS, such as dynamic linked libraries (DLL), code frameworks, control panels, and registry entries are installed into an application container and the entire container is streamed.
The container can be sent to the PC every time that it is needed, or it can be stored on the user’s PC for a specific period of time before it expires and needs to be streamed again. The latter method allows for use of the application even when not connected to the network, for example, while on an airplane.
As with the first method, application updates are easy since there is only one copy of each application and it resides in the data center. This means that only one copy gets updated, rather than needing to push updates out to hundreds or thousands of PCs on your corporate network.
Another way to virtualize an application is similar to the previous approach in that the application is still packaged into its own container, but it permanently resides on the user’s PC instead of being streamed. When the application needs to be updated, a new container is downloaded to the PC.
An immediate benefit to virtualizing an application in any of the ways shown above is the elimination of DLL Hell, which happens when incompatible applications are installed on the same OS. A common and troublesome problem occurs when a newly installed program overwrites a working system file with an incompatible version and breaks the existing applications.
Desktop virtualization or virtual desktop infrastructure (VDI) provides a personalized PC desktop experience to the end user while allowing the IT department to centrally run and manage the desktops. Desktop virtualization is an extension of the thin client model and provides a ‘desktop as a service’ which runs in the data center.
The user does not know and does not care where their desktop is running. They access it through a ‘window’, which may be a specialized client or web browser. In fact, depending on the security policy they may be able to access their desktop from anywhere using any device, even one that is not compatible with the desktop OS being served.
Since virtualized desktops are centralized, it is easy to keep them patched, prevent users from installing software or making configurations changes that they shouldn’t, and load balance the users or upgrade their OS as needed without needing to upgrade the user’s endpoint hardware.
When you virtualize a desktop and add virtualized applications on top of it, the user is provided with a brand new PC experience every time that they connect to their desktop. The well-known problem of PCs slowing down as they are used becomes a thing of the past.
In that previous post I showed how desktop virtualization can be used to provide protection against information leakage. Desktop and application virtualization also can be used used for disaster recovery purposes. When the applications or desktop are running in the data center, theft or destruction of the laptop or desktop will not cause loss of data since the data usually is stored in the center as well.
If the applications are streamed or locked down on the PC, the chances are high that the data will be there too. Your information security policy should require periodic backups of PC data files onto corporate storage where the information can safely be stored with other corporate assets.
An interesting hybrid approach is to sync the user’s native or virtualized PC-based desktop and applications with a streamed desktop and applications. That is, you periodically synchronize the user’s standalone desktop and applications with the user’s streamed environment. Users securely can access their data from any PC connected to the network but they still can work offline using the desktop and apps on their laptop.
Imagine using Google apps in the cloud on an everyday basis, but when Google is unavailable or you are on an airplane, you can use a local copy.