As I mentioned in my recent DRJ article, there are many kinds of virtualization and all of them can be used to support your disaster recovery or business continuity plan. When you mention the word, most IT staff tend to think of server virtualization. However, application and desktop virtualization can also be of help in your BC planning process. I will first describe how applications and desktops can be virtualized then I will show you how they can be used as part of your BC program.
A virtualized application is not installed in the traditional sense, although it may still be executed as if it were. At runtime the application is fooled into believing that it is directly interfacing with the original operating system and all of the resources managed by it, when in reality it is not. Application virtualization can improve the portability, manageability, and compatibility of an application by decoupling it from the underlying operating system on which it is executed.
Server Side Virtualization
There are multiple ways of virtualizing applications. With server side application virtualization (Figure 1), applications run in the data center and are displayed on the user’s PC through a browser or specialized client. The application does not need to be compatible with the operating system running on the PC because the PC is just displaying a window into the application. The beauty of this is that just about any computer system with a browser can be used to access the application, and most malware will not have any effect on the application. I say most because a keystroke logger still could be used to capture information between the PC and the application.
With streaming or client side virtualization, the application resides in the data center but is delivered to the user’s computer to be run locally (Figure 2). Because it is running locally, the resources that normally would be installed into the OS, such as dynamic-link libraries (DLLs), code frameworks, control panels, and registry entries, are installed into an application container and the entire container is streamed. Because each application is in its own container, conflicts between applications are prevented.
The container can be sent to the PC every time that it is needed, or it can be stored on the user’s PC for a specific period of time before it expires and needs to be streamed again. The latter method allows for use of the application even when not connected to the network, for example, while on an airplane.
As with server side virtualization, application updates are easy since there is only one copy of each application and it resides in the data center. This means that only one copy gets updated, rather than needing to push updates out to hundreds or thousands of PCs on your corporate network. From a business continuity perspective, this means that you can store laptops for a long period of time without needing to fire them up periodically for updates.
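The container lease described above (stream it once, cache it, allow offline use until the lease expires, then require a fresh stream) can be written out as a small decision model. This is an added illustration, not code from the article or from any streaming product; the `StreamingClient` class, its `catalog` and the 14-day lease are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class CachedContainer:
    """A streamed application container held on the user's PC."""
    app: str
    version: str
    lease_expires: datetime

class StreamingClient:
    """Hypothetical client-side model of streamed application delivery."""

    def __init__(self, catalog, lease_days=14):
        # catalog: data-center view, app name -> currently published version
        self.catalog = catalog
        self.cache = {}                      # app name -> CachedContainer
        self.lease = timedelta(days=lease_days)

    def launch(self, app, now, online):
        """Decide whether the app runs, and from which container."""
        cached = self.cache.get(app)
        if online:
            # Access is enforced centrally: an unpublished app is refused.
            if app not in self.catalog:
                self.cache.pop(app, None)
                return "denied: not published"
            current = self.catalog[app]
            if cached is None or cached.version != current:
                # Only the data-center copy is updated; the PC streams it anew.
                cached = CachedContainer(app, current, now + self.lease)
            else:
                cached.lease_expires = now + self.lease   # renew the lease
            self.cache[app] = cached
            return f"run {app} {current}"
        # Offline (on an airplane, or a laptop pulled from storage):
        if cached is None:
            return "denied: offline, no cached container"
        if now >= cached.lease_expires:
            return "denied: offline, lease expired"
        return f"run {app} {cached.version} (offline)"
```

The last branch is the business continuity caveat: a laptop kept in storage longer than the lease can still be updated without touching it, but it must reconnect once before the cached application will run offline again.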
Another way to virtualize an application is similar to the previous approach in that the application is still packaged into its own container, but it permanently resides on the user’s PC instead of being streamed. When the application needs to be updated, a new container is downloaded to the PC.
An immediate benefit to virtualizing an application in any of the ways shown above is the elimination of DLL hell, which happens when incompatible applications are installed on the same OS. A common and troublesome problem occurs when a newly installed program overwrites a working system file with an incompatible version and breaks the existing applications.
Desktop virtualization or virtual desktop infrastructure (VDI) provides a personalized PC desktop experience to the end user while allowing the IT department to centrally run and manage the desktops. Desktop virtualization is an extension of the thin client model and provides a ‘desktop as a service’ which runs in the data center.
The user does not know and does not care where their desktop is running. They access it through a window, which may be a specialized client or web browser. In fact, depending on the security policy they may be able to access their desktop from anywhere using any device, even one that is not compatible with the desktop OS being served.
Since virtualized desktops are centralized, it is easy to keep them patched, prevent users from installing software or making configuration changes that they shouldn’t, and load balance the users or upgrade their OS as needed without needing to upgrade the user’s endpoint hardware.
When you virtualize a desktop and add virtualized applications on top of it, the user is provided with a brand new PC experience every time that they connect to their desktop. The well-known problem of PCs slowing down as they are used becomes a thing of the past.
And when the user leaves, you don’t need to worry about them taking the data with them as it is in the data center. As part of your termination process, simply remove access to the virtual desktop.
Disaster Recovery and Virtualized Applications
While desktop virtualization can be used to provide protection against information leakage, desktop and application virtualization also can be used for disaster recovery purposes. Since server side virtualized applications or desktops are running in the data center, theft or destruction of the employee’s PC will not cause loss of data since the data usually is stored within the corporate network as well.
However, if the applications are streamed or locked down on the PC, the chances are high that the data will reside on the PC too. Your information security policy should require periodic backups of PC data files onto corporate storage, where the information can be stored safely with other corporate assets.
The Hybrid Approach
An interesting hybrid approach would combine streamed or local applications with server side virtualized applications or a virtual desktop.
That is, instead of taking backups of user data to static disk or tape, the user’s local data and preferences are merged with a compatible virtual desktop on a periodic basis. After the user’s data and application preferences are captured, they can be served up securely to any PC which the user has access to, whether it be in a work area recovery center, hotel business center, or at a relative’s house.
The opposite can be done as well, where data from virtualized applications can be synced with a user’s local PC. Imagine using Google apps in the cloud on an everyday basis, but when Google is unavailable or you are on an airplane, you can use a local copy until you can reconnect.
When you think virtualization, don’t just think of server virtualization. Application and desktop virtualization can provide powerful tools for both information security and business continuity. Not only do your corporate applications need to be available after an event, but your employees need the resources and infrastructure to be able to get to them. And if your company is like many others, critical data is on employees’ desktops and laptops. Backing up data on employee PCs is not enough; employees may need access to this data within a very short period of time and from a system which either may not be compatible or doesn’t have the proper applications installed to access the information. One of the most flexible and secure ways to deliver applications and data to your employees is to deliver it via a virtualized application or desktop.
Ron LaPedis is a trusted advisor at Sea Cliff Partners which brings together business continuity and security disciplines. He has taught and consulted in these fields around the world for more than 20 years and has published many articles. Ron has two virtualization patents pending and is a licensed amateur (ham) radio operator, instructor, and volunteer examiner. He can be reached at email@example.com.