Re: Fwd: [ITSM] VDI for Administrative/Academic Staff desktop/laptops?

[Frank Barton <bartonf () HUSSON EDU>]

Ronald,
  We use Full VDI for our student computer labs, and use virtualized
applications for some of the business critical applications, and I wanted
to take a moment to explain how we addressed these concerns using Citrix
XenApp/XenDesktop (or whatever they're calling it these days).

We have a VMWare cluster that runs multiple virtual servers for each of the
pools that we have, spread across multiple physical hosts. This improves
the fault tolerance.

We have, as I mentioned above, different pools that run different
applications, on different virtual servers. This way sensitive data never
"touches" the virtual servers that the students use for their computer lab
work. The question comes down to how many pools you need, and how you want
to segment work-spaces. In fact, we believe that this improves our data
security, as the data that is being processed never leaves the servers, and
never really "touches" the end-user desktops/laptops (It is displayed, but
not stored)

When it comes to network segmentation, we use Machine Creation Services to
spin up new machines as needed, and MCS can be told which virtual network
to create the machines in.

We've been very happy with our solution

Frank

On Mon, Jan 22, 2018 at 12:58 PM, Ronald King <ronald.king () morgan edu>
wrote:

> Thank you for your response.
>
> A few of my security concerns:
>
>    - Potential lack of fault tolerance - Single system hosting
>    environment/VDs
>    - Uses in sensitive areas such as HR, Admissions and Finance
>    - Lack of network segmentation - Same VDI solution for students as the
>    areas mentioned above.
>
> We are considering 2 years down the road..
>
> Thanks again!
> Ron
>
> *Ronald A. King, CISSP*
> Chief Information Security Officer
> Morgan State University Office: (443) 885-3372
> 1700 E. Cold Spring Ln
> <https://maps.google.com/?q=1700+E.+Cold+Spring+Ln&entry=gmail&source=g>.
> Email: ronald.king () morgan edu
> Baltimore, MD 21251 URL: http://www.morgan.edu
>
> *Growing the future ... Leading the world*
> <http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>
>
>
> On Mon, Jan 22, 2018 at 12:30 PM, Haselhoff, Brent <
> brent.haselhoff () wku edu> wrote:
>
> > We have piloted VDI a couple of times.  Our focus was mostly for labs,
> > but we did discuss deploying it to select Faculty/Staff that only needed
> > access to basic things like Banner and email.  Ultimately, things like poor
> > video performance kept us from doing more than a small deployment to a
> > computer lab.  Our largest deployment was Citirx running on VMWare, but we
> > tested Hyper-V as well.  In both cases we used various thin/zero clients
> > from Wyse.
> >
> >
> >
> > I actually like the concept of VDI from a security perspective.  The idea
> > of being able to test various patches and then deploying them to everyone
> > is really appealing.  What are your security concerns?
> >
> >
> >
> > Brent Haselhoff
> >
> > Manager, IT Security and Identity Management
> >
> > brent.haselhoff () wku edu
> >
> > 270-745-2012 <(270)%20745-2012>
> >
> >
> >
> > *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> > SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Ronald King
> > *Sent:* Monday, January 22, 2018 11:17 AM
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* [SECURITY] Fwd: [ITSM] VDI for Administrative/Academic Staff
> > desktop/laptops?
> >
> >
> >
> > I am posting this here for my colleague. Also, I have my reservations
> > from a security standpoint, so any input related to security would be
> > welcome.  Feel free to contact me directly if you like.
> >
> >
> >
> > From: *Andrea Tanner* <andrea.tanner () morgan edu>
> > Date: Mon, Jan 22, 2018 at 11:44 AM
> > Subject: [ITSM] VDI for Administrative/Academic Staff desktop/laptops?
> > To: ITSM () listserv educause edu
> >
> > Are any of you running VDI deployments for faculty and staff
> > desktops/laptop replacements (computers outside labs and classrooms)?  I am
> > talking about "complete" VDI hardware replacements and not virtual machines
> > connecting via software on a standard Mac/PC laptop or desktop.
> >
> >
> >
> > If you are running a VDI technology for faculty and staff machines, what
> > hardware have you deployed and what sort of issues have you run into while
> > deploying?  What does your deployment look like in terms of the departments
> > or individuals?
> >
> >
> >
> > For those of you who are not running any sort of VDI desktop replacement
> > for faculty and staff, please feel free to jump in with your comments about
> > if you are looking into this for your institutions today and why or why
> > not.  :)
> >
> >
> >
> > Thank you so much for your input and thoughts!
> >
> >
> >
> > Andrea Tanner, M.S.
> > Assistant Director of Client Services
> > Morgan State University
> > andrea.tanner () morgan edu
> > (443) 885-4445
> >
> >
> >
> > Thank you,
> >
> > *Ronald A. King, CISSP*
> >
> > Chief Information Security Officer
> >
> > Morgan State University Office: (443) 885-3372
> >
> > 1700 E. Cold Spring Ln
> > <https://maps.google.com/?q=1700+E.+Cold+Spring+Ln&entry=gmail&source=g>.
> > Email: ronald.king () morgan edu
> >
> > Baltimore, MD 21251 URL: http://www.morgan.edu
> >
> >
> >
> > *Growing the future ... Leading the world*
> > <http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>


-- 
Frank Barton
Security+, ACMT
IT Systems Administrator
Husson University