When the Office of Government Ethics migrated to VDI, "we replaced everything — from the keyboards to the edge routers," CIO Ty Cooper says.

Aug 03 2011

What Desktop?

Agencies from the Office of Government Ethics to the Defense Intelligence Agency and FAA look to virtual clients to batten down their systems while holding down costs.

When it comes to three-letter government entities, the Office of Government Ethics isn't the first one most people think of. Yet the 80-employee agency plays a crucial role, helping elected officials avoid conflicts of interest and fostering high ethical standards.

When Ty Cooper was promoted from OGE's chief information security officer to CIO, he decided to resolve a few conflicts and foster his own high standards — mainly in the area of keeping vulnerable Windows PCs compliant with federal security regulations. The solution he chose was to implement a virtual desktop infrastructure (VDI).

"When I was CISO, I became frustrated with the vulnerabilities of all those PCs in a federal environment when you have so many regulations regarding security," Cooper says. "Dealing with those was costing us a lot of time and effort on the help desk side. I thought then, if I ever started my own company, I wouldn't be giving my employees clunky vulnerable machines that will become obsolete in three or four years."

After Cooper became CIO in 2009, the first major IT project he undertook — and the biggest one in the agency's 30-year history — was to move all of OGE's 100 machines to a virtual client environment.

"We replaced everything — from the keyboards to the edge routers," he says. "We replaced Novell eDirectory with Microsoft Active Directory. We replaced GroupWise with Microsoft Exchange and Outlook. We replaced our desktop PCs and physical servers with thin clients and virtual machines running VMware. It was a lot to do at one time."

But being on the leading edge also sometimes means being on the bleeding edge, as OGE discovered. Using Microsoft's Remote Desktop Protocol to deliver virtual Windows XP desktops to thin clients worked fine for most of the agency's office and legacy apps, Cooper says. But the quality of the streaming video was awful, and support for older USB peripherals wasn't much better, he adds.

Because OGE did the integration itself, "my staff had to work one on one with multiple vendors over several months to eventually implement software and configuration enhancements that improved desktop performance and streaming video, though it's still not up to PC quality," he adds.

Cooper is evaluating PC over IP (PCoIP) remote display technology in the hope that it will solve the agency's video issues without requiring the purchase of more powerful hardware.

"I think VDI is fantastic, useful and timely technology, but you need the right pieces," Cooper says. "If you don't have people with VDI experience on staff, get an integrator or other vendor who can bring their lessons learned to your project and avoid the 'gotchas.' "

The Best Defense

Like the OGE, the Defense Intelligence Agency is looking to client virtualization as a way to enhance the security of machines used by its analysts. But saving money and increasing efficiency are also part of the equation.

For the past two years, DIA has been engaged in a multiyear deployment of what it calls its "next-generation desktops" — virtualized thin clients running Citrix XenClient software.

DIA needs to deliver a secure, cost-effective client environment for Defense analysts, notes Michael Mestrovich, senior technology officer for innovation in DIA's Directorate for Information Management.

"Data exploitation and content leakage from IT infrastructure vulnerabilities are leading security concerns for both the private and public sectors," he writes in a white paper. "The rapid evolution of cyberthreats requires a flexible technology framework that thwarts adversaries while promoting the organization's ongoing operational efficiency."

DIA intelligence analysts often have to log on to several classified and unclassified networks each day, which means they must use a different machine for each network they access. Using desktop virtualization lets DIA combine these physical PCs into one system running multiple virtual machines — securely and efficiently.

The agency chose thin clients employing Intel's vPro chips, which let multiple virtual operating environments exist securely on the same physical machine; as well as Intel Trusted Execution Technology to prevent virtual environments from malware contamination. Citrix's bare-metal hypervisor platform, XenClient, ensures that corporate applications and data are isolated from personal data, further increasing security.

As OGE discovered, the Achilles' heel of most traditional VDI solutions is an inability to display high-resolution images or handle heavy computation — both essentials for DIA, whose analysts work with high-resolution satellite imagery. One reason the agency chose the Intel vPro was because of its powerful integrated graphics chipset, Mestrovich noted.

"There's no need for an extra add-in graphics card, since full graphics and media support are already built-in," he points out. "Depending on system configuration, users can switch between integrated graphics and discrete graphics on the fly, gaining more performance for intense graphics workloads with no reboot necessary."

Because the clients are commercial products, they're much more cost efficient than proprietary solutions and much easier to manage, Mestrovich notes. "The movement toward thin clients was an effort to reduce the overhead of traditional PC management and reduce the threat associated with managing thousands of end stations running a well-known and well-exploited operating system."

Up in the Air

The Federal Aviation Administration's Air Traffic Organization (ATO) recently completed three pilot programs testing VDI's ability to reduce total cost of ownership, ease system management and give developers a secure environment to work in without the need for separate development and production workstations.

VDI worked better for some users than others, says Sue Lake, ATO infrastructure manager. Remote users running legacy apps encountered issues, as did users requiring graphically intense apps, though computer-aided design programs actually seemed to run better via VDI.


Government agencies considering a move to virtual clients

SOURCE: 2010 CDW•G Government Virtualization Report

Lake estimates roughly 60 percent of ATO's 35,000 workers would benefit from virtualization, which could potentially save the agency thousands of dollars on end-user hardware. FAA could buy thin clients for 25 percent to 33 percent of the cost of equivalent desktop systems, and they would last several years beyond a PC's typical three- to four-year lifecycle.

Replacing fat PCs with thin clients running virtual desktops does require investing in more computing horsepower on the server side, says Rodney Stanley, ATO client and peripheral manager.

"Since you're removing the desktop machines' local storage, you need to build out your data center to hold all the documents, e-mail, favorites and profiles stored on those machines, as well as the gold images the machines were built from," Stanley says. "Any time you virtualize something, you generally need a lot of hard drive space and a lot of memory."

Lake estimates agencies should expect to wait three to five years before they see a return on their VDI investment. "Patience with VDI is a virtue," she says.

<p>Photo: Drake Sorey</p>