The IT executive experience

I was listening to a customer on stage at a conference a few weeks ago proudly explaining how he had managed to police the number of devices in his organization. He accomplished this by effectively implementing three key strategies.

1) Create red tape, and make the end user produce business justification and feel silly about why the corporate issued solution was not good enough.

2) Control budget centrally under IT.

3) Find ways to punish people through bonuses who abused his system by purchasing services outside IT.

I thought I was watching the next installment of Jurassic park and the dinosaurs had returned. Surely this guy drove a Lada……. If you are not familiar with the Lada, it’s an old eastern block car that was widely used and deemed to be appropriate and cost effective for the masses by the state. While this may seem like a good idea at first the results over time are eloquently expressed in this video. To me this is where a lot of old school IT thinking is taking us. Creating inertia to bring innovation to it’s knees by not embracing user choice that will lead to new ways to work.

I was actually surprised that this IT executive had that much control in his organization. Then it dawned on me, that this is a respected conference and the best customer example they could muster. I parked the experience at the back of mind, after wrestling with the thought – can IT organizations still be that backward and remain relevant? I know having worked in IT all these years, I would have never survived with that mindset.

Last week I asked a major customer how many MACS they had in their environment. Less than 1% of the environment had IT supported MACS and they were all senior executives. They estimated that 25% of their population weighted towards more senior people had personal owned MACS that they would prefer to use for work. In this particular case the customer was looking to hosted desktop virtualization (HVD, includes VDI and XenApp hosted published desktops/apps solutions) to enable more choice but looking forward wanted to understand what to do about mobility including tablets and offline use.

When I think about these two customers, clearly there is a gap between what people need/want, and what IT is willing to do vs. what is possible. As mobility and SaaS based applications and other cloud based services enable more on demand IT services, the tension between user and IT will only get worse. So this can only be ignored for so long, as business users will demand more choice and the forces of consumerization will continue to reshape the landscape. The stodgy old IT organization of the past will be hard pressed to maintain status quo and remain relevant.

We ask ourselves all the time, what can we do to help the tension between the changing user wants and the IT need to provide governance and manage costs? The better known models of HVD address many of the use cases. However there is still a need to extend the benefits of desktop virtualization technology to millions of laptops to enable new ways for both users and IT to work.

This is why we are announcing XenDesktop feature pack 2, which includes XenClient and XenVault technologies. These technologies are focused on bringing virtualization to the client.

There has been a lot of discussion for some time in the industry regarding the various client use cases and ownership models. Citrix has conducted internal programs for bring your own computer (BYOC), and researched this space with customers and learned a lot. We find it’s helpful to think about two primary use cases.

The corporate owned laptop

Data security on laptops is a huge reputational risk for any company. Check out the laptop loser hall of shame. Anybody who has had to deal with laptop management, understands they are complex to update and recover and user demands for greater control to personalize to their needs results in compromised IT control. All indications are the number of laptops in the world is increasing further compounding the problem and burden on IT.

XenClient

As a bare metal hypervisor, XenClient enables the OS to be delivered as a “bubble” to the laptop that is encrypted, secured and enables us to take advantage of hardware attestation through our partnership with Intel leveraging vPro technology so you boot into a trusted operating system. When this important capability is made available it will help assure an organization that the guest VM is being booted on a trusted piece of hardware and that the corporate issued hardware is booting a trusted guest. The laptop loser hall of shame organizations could have spared themselves a lot of reputational damage if they had had XenClient. How do you measure the cost of reputational damage? It’s something that take years to build and seconds to loose…..

Some people push back and exclaim that the number of machines that support XenClient today is small and therefore this is not relevant. I would ask, for a corporate fleet how many models do you support? I would make a confident guess that it’s a subset of models that you support today if you are a true enterprise customer driven by standards. For those use cases, XenClient today offers a very prescriptive secure solution. For organizations that have far more diverse corporate owned laptop fleets, XenClient offers a way to offer a new more secure model that could be tied to better service levels, and over time the supported device list will continue to grow. Others argue they have full disk encryption solutions deployed. So did I in my previous life. My users hated the performance overhead, the multi stage login and then of course there is the additional cost of the solutions themselves that offer limited flexibility.

Another key use case to consider when thinking about XenClient is what happens in the event of lose or theft of a corporate issued laptop. You can get a taste for the liability this poses here, here and here. To help customers deal with these types of solutions, XenClient provides the ability for you to backup and synchronize critical data in the event of laptop lose and policies to render a laptop useless in the event of theft. Note you do not have to deploy VDI to benefit from this. You are not checking in and checking out a VM from a VDI infrastructure, so restoring your critical data to a secure laptop is a much lighter weight operation with a powerful but straight forward ability for IT to control centrally.

XenClient will also allow you to run multiple VMs on a single laptop so you can provide a user with multiple environments. This opens up the possibility of providing multiple corporate guests on a single machine. One could be very secure where you access corporate data. The other could be slightly more open to allow more access to internet sites within your corporate guidelines. For developers the second guest could be their development/Test/QA environments. They could even have Linux development environments side by side with their Windows development environment, yet still securely able to work from their corporate environment all from one machine. All of this opens up the possibility of BYOC user flexibility on corporate owned assets and enable you to take a step forward if you are not comfortable with the user owned model.

It’s also important to realize that XenClient is not limited to just serving up multiple guest OS VMs. It is a very flexible architecture that can be extended further to enable specialty VMs to perform different service functions. This begins to open up so many possibilities beyond the immediate security benefits. Over time it is not a leap of faith to think of use cases like security scanning being performed by dedicated VMs. Perhaps there will be specialized VMs that perform the tasks of patch management, VMs that update software, VMs that run just one app more securely and synch back to data center. The possibilities are endless, and as the eco system evolves it will be fascinating to watch innovations surface as the industry begins to realize what is possible.

Contractor or employee owned laptop

Interestingly a number of customers I have spoken to in regulated industries, have told me that they would like to get rid of all or at least significantly reduce the number of laptops they manage to help reduce risk. For them hosted desktop virtualization is a more secure environment to let users access from personal owned laptops that are self managed. These are also the customers that are interested in using multiple VMs on a single user owned machine machine with XenClient. Some argue that there are legal issues here. However based on the feedback that I have received from these customers they interpret these concerns as unfounded if they secure the corporate operating system on the user owned device. The usability of multiple VMs on a single machine is something that will continue to evolve and will be an interesting area of innovation to watch.

Clearly there is no silver bullet that fits every customer. So depending upon your needs it’s prudent to understand the options. More importantly, understanding that today XenClient is primarily driven by security and the ability to centrally provide updates to distributed laptops is key. XenClient can be used in a simple single VM mode for greater security and multi VM mode for more flexibility using employee owned or corporate owned assets. I’ve blogged about this previously.

XenVault – enabling portable data

There is a valid argument put forward, that for the BYOC use cases, not every user needs a full rich desktop experience. All they need is quick access to an application, some data securely and of course they want mobility. Further there are many cases where users have older hardware that is not capable of running a hypervisor or there is just not enough horsepower on a lower end machine such as a Netbook. Once again hosted desktop virtualization would provide a solution. But in cases where hosted desktop virtualization has not been deployed or where there is the need to work offline another solution is required. XenVault is a new technology designed to meet these use cases. Essentially it is a secure area on the operating system where all application and data I/O is securely redirected. In many respects it’s like having a virtual secure USB drive with you. The difference now is that you don’t have to carry it around, worry about losing it and IT does not have to invest in fleets of USB drives for their staff. XenVault is designed to be transparent to users and quick for IT to setup with remote lock and delete data features. Joe Nord has a good blog that explains some of the inner workings. XenVault provides contractors and employees on consumer owned machines, apps and data on-demand in a secure manner and IT the ability to de-provision instantly.

For me this is yet another example of the benefit that virtualization can bring to desktop use cases. Making data securely portable and simple to access takes another step towards the stateless desktop as I wrote here. The stateless desktop helps us move away from hard coding all our configuration into a single OS image and then trying to manage all the complexity. Abstraction at all levels of the desktops enables greater agility. XenVault is a great example of what can happen when you think about the abstraction of data, that is typically addressed by file shares on a network that assume you have connectivity. Instead now you can protect the data and use it where and when you need. The focus on protecting the data makes it lightweight, no need to install a heavy weight shell like a Type 2 hypervisor solution that would be very clumsy as a data portability solution across multiple machines. Now if I don’t have my machine, and need to look at data securely I have a technology that could provide me that access and not leave unsecure footprints. If somebody sends me a file share with a sensitive document, I have a place to download and view it securely offline on a Netbook that may not belong to me. Many new possibilities begin to open up because the data is abstracted in a stateless desktop.

Personally I’ve been amazed at how quickly Citrix has been able to bring XenVault to market. Here’s the internal scoop. Over the holiday period in late 2009, our CEO Mark Templeton kicked of a competition called Moonlight (since it was an after hours project) for anybody within Citrix to come up with a solution. Within weeks we had multiple entries and a team led by Joe Nord picked a winner and we announced it at Citrix Synergy in San Francisco in May 2010 and now we are going to market. That’s rapid development! I’m very proud of our teams who pulled it off, I am sure they will look forward to community feedback as you kick the tires.

Can stodgy IT remain relevant?

I am sure it can, and there is plenty of precedence. The real question is, what does that do for your organization and the kind of people it will attract? Do you really want your IT leaders up on stage with a Lada mentality? Or do you want your IT leaders looking beyond constraints and embracing solutions that empower user choice, increase security, improve manageability, optimize provisioning and de-provisioning, increase satisfaction/productivity and drive greater organizational agility?

Mobility and diversity of client devices will continue to grow. The laptop will represent a big chunk of that market. Anything that technology can do to reduce the risk while making users lives easier surely is a positive step forward for our industry. Client virtualization is the next phase in the evolution of desktop virtualization that will enable users to work in new ways. It will provide central control for IT, and flexibility will be retained for users while keeping corporate data secure.

As you think about your laptop environment for Windows 7, will it be just more hair pulling trying to secure and update the new, most likely growing laptop fleet? How do your users feel about your current secure laptop experience? Why not consider XenClient and XenVault as part of those plans and extend the benefits of desktop virtualization to the Laptop?