I don't want to upset anyone or give the impression that I am off base or naive or somewhere in between, but it seems that VDI, bring-your-own-device and mobile device security should not be that big of a concern.
Stated differently, are security concerns about a virtual desktop infrastructure (VDI) and mobile devices the last refuge of the scoundrel?
Perhaps the story of my VDI/bring your own device (BYOD) project will explain why I ask this question.
Over the years, I have tried various ways to balance uptime, service levels and customer satisfaction. I was an early adopter of the managed desktop concept. While I loved the service levels associated with almost immediately getting a customer up and running after a hard drive failure, my customers hated not being able to install software or save anything to their hard drive. When desktop virtualization came along, I decided not take an immediate plunge, but first experimented to see if it really offered the balance between operational excellence and customer service.
Our first experiment involved members of the IT staff. We purchased a couple of tablets and worked out the VDI issues -- which were numerous. At its core, VDI shifts the computing power from the device to somewhere else. This shift puts additional load on the network connection and the data center. From our experiment, we learned that some of our locations were VDI-capable while others were not. Knowing this set us up for our second experiment: unleashing VDI on a group of customers.
More on mobile device management
Evaluating mobile device management products: Seven categories
A CIO's guide to mobile device management in the workplace
Balance business and IT when creating a mobile device management policy
For our customer experiment, we had a ready and willing pilot group. Many members of our staff already had tablets and wanted to do something with them besides play Angry Birds during boring meetings. We selected 50 volunteers and deployed to them a virtual desktop. This experience went well enough that we quickly expanded the pilot.
This experiment worked so well that some people on my staff -- the "scoundrels" who seek refuge -- could sense us trending toward a BYOD policy and imagined the big changes that would make their skills less necessary (much less device configuration, management and computer break/fix). With bring your own device becoming more of a reality, they raised concerns about BYOD and mobile device security. The same people who did not think that security on a laptop -- which can actually hold a whole bunch of sensitive data -- was too big of a deal were suddenly experts on the security risks of tablets and smartphones. Since VDI shifts data to the data center or cloud and behind our traditional, tested and proven security systems, it is likely much more secure than on the laptop or PC that the BYOD device replaced.
As with all things security, I have found it is good to assess the risks before implementing policies and technologies. Let's start with the sensitivity of our data. The most sensitive information on my device is the salary information of my staff and the status of my projects. If someone unauthorized gets a hold of this data, it might be embarrassing to me and others but will not hurt my organization. If someone hacks into my smartphone and reads my email, I suspect they will feel sorry for me rather than get some juicy competitive information. My risk assessment considers the types of information retained on a BYOD device and the sensitivity of that data. In all but a few cases, the risk is pretty low.
So, don't let the scoundrels with concerns about security slow down your VDI, BYOD and mobile strategies and projects. The advantages far outweigh risks. And, as the devices get smarter, someone will develop enough mobile device security measures to satisfy the need. This allows you to be more strategic, innovative and rational.
Niel Nickolaisen is CIO at Western Governors University in Salt Lake City. He is a frequent speaker, presenter and writer on IT's dual role in enabling strategy and delivering operational excellence. Write to him at firstname.lastname@example.org
This was first published in October 2012