A Contributed Article by Danny Allan, Chief Technology Officer, Desktone
There has been a cacophony of noise recently about the
difficulty or impossibility of offering Desktops as a Service (DaaS) to the
market in a technically viable and cost-effective way given the challenges
imposed by Microsoft. Fortunately, these
sentiments and perceptions are wrong.
Not only is it possible to offer DaaS successfully, but both Service
Providers are moving on this opportunity and organizations are consuming
it. In order to delve into this issue
and understand it more fully we must first understand what a desktop is, how
cloud hosted services are being offered, and the licensing requirements for
various operating systems.
What is a Desktop?
It is important to first understand what is incorporated in
a desktop or what this term refers to.
This is a religious debate which does not merit a single answer. Is the desktop the operating system? Is it the applications and the data? Is it the workspace where the user performs
their activities? The very term desktop
is a metaphor used to depict an environment in which a user operates and
interacts with folders and files. The
traditional Microsoft Windows operating system has often been associated with
the term desktop because it is here that the user interacts with applications
and data. However, it is important to
note that the operating system itself is of little perceived value. It is essential for the interaction, but the
operating system itself is simply a means for the user to perform their
Knowing that the operating system is essential in this
interaction, it is important to choose one that is applicable for the use
case. Without question, the most common
operating system is the current Microsoft Windows client operating system -
Windows 7. If the organization has not
migrated to this, it is simply a matter of time, as Microsoft is forcing the move
with the impending end of
extended support for Windows XP on April 14, 2014. Are there use cases for Macs or Linux based
distributions? Absolutely! There are niche areas of support for Linux
with use cases like development and application kiosk type environments, but
they have failed to make a significant dent in the mainstream
desktop. While the Mac use case
continues to expand and gain huge traction with the consumer (driven
significantly by iPod and iPad usage), and also to a lesser extent in the
enterprise, it falls down in one key area: application support.
Most existing corporate applications have been built for the
Windows environment. Not only have they
been built for the Windows environment - but for the Windows client
environment. This sometimes explicitly
excludes support for session based desktops that run on Windows
servers. While application development
is being driven towards Web based and mobile environments, the reality remains
that the desktop of choice for most organizations is Microsoft Windows 7.
The historical challenge of the desktop is that the
operating system and software are intrinsically tied to a physical device. This means that the total cost of ownership
(TCO) not only included the management of the operating system, applications
and data, but also of the hardware assets.
The coupling of the physical hardware with the software caused huge
challenges with broken devices and lost or stolen hardware.
Additionally, the decentralized nature of the desktop meant
that there was not always control of the desktop environment and the activity
that happened within it. The application
of Data Loss Prevention (DLP) software, patch management systems and anti-virus
management was only as effective as the consistency and predictability with
which they could be applied.
These critical administration systems became even more
critical as users were granted the rights to install their own software and
browser plugins. The end user became
familiar with the Windows 7 environment and enjoyed the administrative rights
required to both perform their needed corporate functions and also to quickly
address the computing exceptions that fell outside the default policies.
The promise of virtualized desktops using Virtual Desktop
Infrastructure (VDI) was supposed to solve these problems by bringing
everything into the data center and to enable consistent and comprehensive
controls, but it introduced new challenges with capital expenditures,
complexity and it flew in the face of the industry movement towards elastic,
on-demand cloud utilization.
The National Institute of Standards and Technology (NIST)
definition of cloud computing incorporates five essential characteristics:
on-demand self-service, broad network access, resource pooling, rapid
elasticity and measured service. Each of
these characteristics brings a large benefit to the consumer. It has pushed more and more organizations to
look to the cloud for software or infrastructure needs. It has also given rise to an entire industry
directly responsible for pooling resources and offering cloud services.
However, it is important to note that the tangible assets of
cloud computing are no different than the traditional data center. There is still compute. There is still storage. And there is still networking. The benefit to the end consumer is that these
complexities have been abstracted away into a cloud service. The Service Provider then takes on the task
of orchestrating the underlying assets and licensing requirements and simply exposing
them in a self-service format - either as
a Software as a Service (SaaS), Platform as a Service (PaaS) or as Infrastructure
as a Service (IaaS). This requires the
Service Provider to be able to orchestrate a secure multi-tenant compute/storage/networking
environment that scales to market demand.
Emerging cloud orchestration platforms are very much focused on
accomplishing just this - either on the backend physical asset orchestration,
or on the front end customer facing portal interaction.
It would make sense to apply these same concepts to Desktops
as a Service (DaaS). Desktop operating
systems logically require compute, storage and networking and very much are an
extension of other bundled cloud services such as storage, back-up or
messaging. However, in understanding the
DaaS cloud offering, it is important to understand the licensing requirements.
Virtual Desktop Licensing
Given that Microsoft Windows is the dominant operating
system for desktops, it is important to understand how cloud providers can meet
compliance with their DaaS offering.
There are two
ways that a Cloud Service Provider can offer DaaS: the customer can obtain
Volume Licensing under VDA (virtual desktop access) for full Windows 7 desktops,
or the Service Provider can host a desktop-like functionality under the Service
Provider License Agreement (SPLA) using a Windows Server.
The first option offers the most end user friendly
scenario. The end user can use a fully
featured Windows 7 desktop with the same level of application support that they
are familiar with and used to in the traditional desktop model. Additionally, the IT administrator can
continue to use their existing corporate assets such as Group Policy Objects
(GPOs), patch management software, AV and security software, and other desktop
management solutions on these desktops.
The incremental adoption effort is minimal, and users can continue to
interact with the desktop in a familiar way.
However, there are two implications to be aware of: the
corporation must be the owner of the VDA license and pay $100 per year for each
access device, and they must also ensure that the Service Provider uses
dedicated hardware for the desktops.
Unfortunately, the first requirement means that the Service Provider
cannot include the cost of the desktop operating system in the monthly service
fee. While they can sell this license to
the customer, the end customer is the owner of this license. (It is important to note that many
enterprises already have this benefit through Software Assurance on their end
points and no further licenses are required for these end points.) One of the benefits of the VDA license is
that the primary owner of the end user access device is entitled to Extended
Roaming Rights. This allows them access to the virtual desktop from any
personally owned devices which are not on the corporate network. The second requirement is more complicated
and is one of the reasons why Windows 7 desktops are not often offered through cloud
providers. The hardware which actually
runs Microsoft software must be dedicated to a single tenant. This means that the cloud orchestration
software must be aware of each tenant quota, and needs to ensure that no two
clients are running Windows 7 desktops on the same server at the same
time. Most cloud orchestration platforms
today do not natively carry this capability and instead simply allocate
resources out of a single large pool of capacity. This is why most cloud providers do not offer
a Windows 7 desktop as a compute model in their Infrastructure as a Service
The second option for virtual desktop licensing is to use a
dedicated Windows Server 2008 R2 operating system and to assign this in a 1:1
model for each user. With the latest
releases of the Server platform comes the ability to enable the Desktop
Experience which makes the Server OS look and behave as the client
desktop. The benefit of this model is
that the Service Provider can take full responsibility for licensing and is able
to share a large pool of compute across multiple tenants. Additionally, unlike Remote Desktop Services
(formerly Terminal Services), the end user can be an admin with full
administrative rights to install software and browser plug-ins. This model works very well for the SMB market
where the minimum of 20 desktops cannot be met and where servers cannot be
effectively utilized. It is also the
only option for SaaS providers who want to offer their software suites to end
customers as a service, but where they have no control of the licensing of the
The downside to this second DaaS model is that these are not
Windows client desktops. This means that
application support is unknown unless the IT team is able to fully test the required
software and validate that it is fully supported on a server OS. It also means that existing GPOs, patch
management software and other management solutions may need to be re-visited
and re-validated for this model. In
short, it is not what either the IT management team or the end users would
choose as their first option. However,
it is the only option for some licensing scenarios.
Successfully Offering Desktops as a Service
The argument has been made repeatedly that there is no way
to successfully launch and maintain a DaaS offering given the restrictions of
Microsoft licensing. This is simply not
true. There are some very critical
requirements for a Service Provider to enable a true and comprehensive DaaS
- The platform must offer a multi-tenant orchestration ability for management, provisioning, storage and networking within a data center.
- It must support the ability to dedicate hardware for tenants that choose to run full Windows 7 desktops.
- It must optionally support the ability to provision Windows Server with the Desktop Experience enabled for the licensing use cases when this is optimal.
- It must also support the ability to run utility servers in the same network segment as the desktops.
- It should also enable the ability to move Windows 7 workloads around, based on tenant size, to take advantage of the best-fit server hardware model so that large, medium and small sized servers are fully
- The platform must scale from 1 to 100,000 desktops to meet the demands of the organization as it grows.
- As NIST indicates in their cloud requirements, it must meet the requirement for self-service in both provisioning pools of desktops and brokering connections for users to these desktops.
- The platform must support the unique configuration and domain joining of each model of desktop so that these are fully functioning members of the tenant domain.
- The platform must incorporate a security model that not only separates each tenant onto their own network segment, but allows them to securely integrate with their existing corporate assets or third-party
- The platform must ensure separation between the Service Provider and the tenant such that the Service Provider is unable to access the customer desktops without explicit permissions.
Achieving all of these critical requirements is simply not
possible with the cloud orchestration platforms that exist in the market for
orchestrating server workloads and IaaS.
Likewise, meeting these essential DaaS requirements is not possible with
the traditional on-premise VDI solutions.
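The tenant-dedicated hardware rule described under Virtual Desktop Licensing (a Windows 7 VDA desktop may only run on a server that hosts no other tenant, while SPLA Windows Server desktops may share pooled capacity) and the dedicate-hardware requirement in the list above reduce to a placement check that any orchestration platform can enforce. The following is an added Python example, not Desktone's software; the host names, capacities and the two model labels are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

WIN7_VDA = "win7_vda"        # customer-owned VDA licence: needs tenant-dedicated hardware
SERVER_SPLA = "server_spla"  # provider-licensed Windows Server desktop: may be pooled

@dataclass
class Host:
    name: str
    capacity: int                                  # desktop slots on this server
    tenant: Optional[str] = None                   # set once dedicated to one tenant
    desktops: list = field(default_factory=list)   # (tenant, model) pairs

    def free_slots(self) -> int:
        return self.capacity - len(self.desktops)

def place_desktop(hosts, tenant, model) -> Optional[str]:
    """Pick a host for one desktop; return its name, or None if no compliant host exists."""
    if model == WIN7_VDA:
        # Only this tenant's dedicated hosts, or a completely empty undedicated host.
        candidates = [h for h in hosts if h.tenant == tenant and h.free_slots() > 0]
        if not candidates:
            candidates = [h for h in hosts if h.tenant is None and not h.desktops]
    else:
        # Pooled hosts, plus this tenant's own dedicated hosts.
        candidates = [h for h in hosts
                      if h.free_slots() > 0 and h.tenant in (None, tenant)]
    if not candidates:
        return None
    host = min(candidates, key=lambda h: h.free_slots())  # fill partly used hosts first
    if model == WIN7_VDA:
        host.tenant = tenant  # claims the host; an empty host was required above
    host.desktops.append((tenant, model))
    return host.name

def release_desktop(hosts, host_name, tenant, model) -> None:
    """Remove a desktop; an emptied host returns to the undedicated pool."""
    host = next(h for h in hosts if h.name == host_name)
    host.desktops.remove((tenant, model))
    if not host.desktops:
        host.tenant = None

def compliance_violations(hosts) -> list:
    """Names of hosts where a Windows 7 VDA desktop shares hardware with another tenant."""
    bad = []
    for h in hosts:
        vda_tenants = {t for t, m in h.desktops if m == WIN7_VDA}
        all_tenants = {t for t, _ in h.desktops}
        if vda_tenants and len(all_tenants) > 1:
            bad.append(h.name)
    return bad
```

Running compliance_violations periodically against the live inventory, rather than trusting placement alone, catches drift introduced by live migration or manual moves.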
Experience has proven that bringing a successful
cost-effective DaaS offering to market requires a purpose built infrastructure
that can orchestrate the delivery of multiple models of virtual desktops, while
maintaining compliance with the appropriate desktop licensing model. Is this possible? Absolutely!
About the Author
As Chief Technology Officer, Danny Allan is
responsible for developing Desktone's technical and service delivery strategy.
Allan educates IT organizations and solution providers on how to design and
deploy hosted virtual desktops and is responsible for the service delivery
operations. He joins Desktone from IBM where, as Director of Security Research
and a member of the Security Architecture Board, he co-authored the IBM Secure
Engineering Framework and helped define the software security strategy.
Earlier, Allan held several senior customer facing and technical strategy
positions with Watchfire. With 10+ years of technology and security experience,
Allan has published several whitepapers and articles, participates in industry
working groups, and has spoken at more than 60 industry conferences. He holds a
Bachelor of Commerce degree from Carleton University.