Showing posts with label BYOC. Show all posts

Thursday, February 24, 2011

The iPad is Great, but Virtualizing the MacBook Air is about Pure Productivity Bliss

I had the chance to make the short trip up to San Francisco last week for the RSA Conference. I had some terrific meetings lined up, and also had some downtime scheduled in between a few of them. Being the “exemplary” 21st century executive that I always strive to be, I figured I could catch up on email, edit a number of documents and otherwise stay connected to help keep the fires burning back at the office during my breaks.

A funny thing happened as I was packing my work bag for the first day of the show. While I’ve been glued to my iPad as the “don’t leave home without it” device for the past year, I suddenly felt the urge to leave it behind this time around. Maybe it was having the foresight of the type of work I needed to tackle that day. After all, it certainly required some heavy lifting. Regardless, I felt myself grabbing for my shiny new MacBook Air, thinking to myself, this really is the one and only device I need to get the job done right today.

Don’t get me wrong. I love my iPad and it has certainly been a great companion device for keeping up on email, reading books and even keeping my child entertained while we’re on the road. The very notion of the iPad is certainly an intriguing one with its brilliant touch screen and countless apps, and I know many would say it works just fine as a productivity device. However, I think at this point I beg to differ and my experience at RSA helped to cement my thinking.

When it comes to getting the important tasks done, I want my keyboard, my processing power and a nice screen. I also want seamless access to my work environment whether online or offline, and the iPad has never been great from that standpoint. That said, I do still want it all on a single device that also contains my iTunes and photos.

So what’s the point? The MacBook Air is about the same size as the iPad. It fit right into my work bag and provides the same functionality, plus a whole lot more (there’s something comforting about still having access to Safari and iTunes when the work is done). It’s just as cool, sleek and sophisticated – and it’s a tremendous device for leveraging all the benefits desktop virtualization has to offer. I used MokaFive to work on my corporate desktop at RSA (without worrying about getting the wireless password at each cafe), and I was about as productive at the conference as I am back at the office, barring a few waiters and old friends popping in to help to break my stride on occasion. They were all welcomed interruptions, of course.

We’ve heard so much about enabling the iPad in the workplace recently, but why struggle to support it when the notion of providing employees with a MacBook Air and virtualizing the corporate desktop on such a killer device is one that can and should easily win the day? From my vantage point, we can leave the touch screen and apps for the family outings, and instead consider making the move to what I think just might be the device of our day for creating a happier, more productive workforce.

Bottom line – if you have Apple-hungry employees, lighten the load and try putting a MacBook Air in their hands and virtualizing their corporate desktop, and I think you’ll quickly see what I mean.



Purnima Padmanabhan, VP of Products & Marketing

Wednesday, February 16, 2011

RSA Conference 2011: BYOC and Security

I presented a session on BYOC and Security at RSA Conference 2011 today. Judging from the turnout (the room was packed), there is a lot of interest in this topic right now as companies are struggling with how to deal with employee-owned devices. When I asked how many people worked at companies that have official BYO programs, only a few people raised their hands. But when I asked how many people use a personal device for work, almost everyone's hand shot up. Too many IT departments either try to restrict access from personal devices, in which case employees work around the restrictions so they can get their work done, or the IT departments put their blinders on and pretend the problem doesn't exist. They would be much better off to actually embrace BYO and make it easy for users to "do the right thing".

Companies stand to save a lot by adopting BYOC programs because they can get out of the business of owning and managing people's desktops and laptops. Support costs are actually lower with BYOC than with corporate-owned devices. Not only that, but BYO actually leads to happier and more productive users. One of our law firm customers had their employee satisfaction national ranking jump from 95th place to 16th place in one year, and the only change they made was to deploy MokaFive and allow their employees to choose Macs. Employees who participate in BYO programs also work longer hours, are more likely to work from home and in the evenings, and are less likely to lose or break their laptop.

Once companies realize their employees are already using their own devices anyway, and it is not that difficult to provide the corporate environment in a managed VM in a secure way while still letting employees and contractors use their own machines, they will start adopting official BYOC programs. Don't get me wrong - there are a lot of challenges to setting up a successful BYOC program. But the organizations that embrace this change rather than resist or ignore it will be better off, with lower costs and happier, more productive employees.

Update: The slides for my RSA 2011 BYOC talk are now available online.

Friday, June 18, 2010

Back from BriForum 2010

Just got back from BriForum 2010, it was a great show as usual. This was the largest BriForum yet - both the attendee count and the exhibitor count were higher than ever. We had a table this year and got a lot of traffic. It was nice because most attendees were pretty knowledgeable about desktop virtualization and understood the benefits of client-side execution with central management, so we didn't need a lot of explaining for people to "get" the MokaFive solution. People loved our BareMetal demonstration and the fact you could manage both the BYOPC/work-from-home machines as well as BareMetal from the same management interface.

But without a doubt the best part of BriForum are the quality speakers and technical sessions. BriForum has a core of truly great presenters and speakers who talk technical and avoid FUD and marketing spin. People like Shawn Bass, Ruben Spruijt, Jeroen van de Kamp, Claudio Rodrigues, Steve Greenberg, Ron Oglesby, Tim Mangan, and Rick Dehlinger, just to name a few. And of course the man himself, Brian Madden. The presentations are great with a lot of technical meat behind them and mostly avoid the high-level fluffy marketing speak that you get at most other conferences. They are 75 minutes so you can actually get into some depth. The great presenters are what make BriForum a great event and I'm proud to have had the opportunity to present at the last two BriForums. The organizers also do a good job of treating the presenters well so I'm sure the trend will continue.

This year I did two sessions - one on BYOPC and another on Disk Workloads for Desktop VMs. The BYOPC one was in the first slot of the conference (8:45am!) and was completely full. There was a good mix of people, some of whom had deployed BYOPC, others who were interested in deploying it, and we had a good conversation. The key points were that BYOPC can reduce support costs and lead to happier users (if you do it right), and this change is happening whether you like it or not. Brian in his keynote had a great quote: "If you say there is no way you will allow it (BYOPC) in your organization, pretty soon you won't have to, because your employees will leave and go somewhere else." The other great quote I heard is: "If BYOPC is a competitive advantage today, it will be a requirement tomorrow."

The second one on Disk Workloads was much more technical. I did a deep dive into how I/O in a VM works and what a Desktop workload looks like. The desktop VM workload is quite different than server VM workloads - a typical server VM does 90% reads vs 10% writes, but a desktop is more like 60%/40% or even 50%/50%. Not only that, but the desktop VM workload is very latency-sensitive, and if you have any long latency writes, your user experience will suffer greatly. The load from a single desktop VM can peak at up to 8000 IOPS during certain operations. At the end of the session I did a demo that pitted a VM served from my Blackberry (15MB/sec read, 7MB/sec write, 10-30 IOPS) using MokaFive's optimized virtual disk format versus a normal VMDK on a much faster USB drive. The optimized one booted quickly and was very responsive, whereas the straight VMDK was sluggish, stuttering and unusable. It just goes to show that slow IO performance can make the user experience unbearable, and optimizations can make a big difference.

It was great to meet up again with the BriForum crowd and I'm looking forward to participating again next year!

John Whaley, CTO & Founder

Wednesday, June 9, 2010

What is the right virtual desktop model for BYOC?

A recent blog post by Brian Madden compares the security differences between Type 1 and Type 2 hypervisors. Brian writes that Type 1 bare-metal hypervisors are “possibly more secure due to the smaller attack surface of the hypervisor.” But he’s quick to point out that neither Type 1 nor Type 2 hypervisors are a one-size-fits-all solution.

After reading Brian’s blog, I thought about MokaFive’s approach to security. The problem with security is that you can’t talk in absolutes: the discussion depends on both the use case and its associated risk profile. If you are completely intolerant of risk, then you have to ignore the benefits of most Internet-based computing and keep your computer offline, locked up in a dark room. But in the real world, you have to support mobile and offline workers so they can be productive, and with that comes some risk. This is true of any computing model, but it’s important to mitigate that risk by choosing the best technology for your needs.

Let’s specifically look at the BYOC model where organizations want to enable computing on employee-owned machines. While there are many models to deliver specific applications from the cloud using technologies such as terminal services or even app streaming, these don’t provide the full usability of the entire desktop environment. So, what are the options for BYOC? There is VDI, but it provides no offline access and contrary to popular belief is not completely secure, either. While the VDI desktop lives in the datacenter, IT has no way to control the endpoint machine accessing the VDI session. Those endpoints could have keyloggers or screenscrapers that can siphon data from the VDI session.

In contrast, with the client-side models, a fully encapsulated VM is delivered to the endpoint, either directly on bare metal (with a Type 1 hypervisor), or on top of an existing OS (with a Type 2 hypervisor). There is almost unanimous agreement that a Type 1-based model will not work for BYOC, since no user will allow IT to forklift their personal machine. Only when Type 1s are shipped with OEM machines will this model become viable for BYOC.

Net-net, a Type 2-based client-side model, where a fully managed, encapsulated VM is delivered on top of the user’s existing OS, is ideally suited for BYOC. It provides users access to the corporate environment anytime, online or offline, without impinging on their personal machine environment.

MokaFive supports a Type 2 model today while allowing you to grow to a Type 1 approach in the future. We leverage the MokaFive player residing on the client to provide additional protection against risks associated with BYOC. I have outlined below our approach with seven layers of security that protect against your concerns:

1. Host checker
  • Checks for basic performance characteristics of the machine. It can also be extended to check for any other security characteristics of the host (such as configuration and execution status of anti-virus software) prior to the launch of the virtual desktop.
2. VM encapsulation
  • Encapsulates a full, locked down OS controlled by IT. This allows IT to completely control the patch level and GPO security settings.
3. VM encryption
  • Encrypts image with AES 256, including the base image and all user data. We also intercept all I/O that the hypervisor writes to disk or to memory, and this data is compressed and encrypted.
4. Tamper resistance of both code and policies, and copy protection
  • Attempts to alter the executable or configuration will disallow the Player from running. Also, by policy, IT can disallow users from moving images from one machine to another.
5. AD authentication / Two-factor authentication (RSA or PKI)
  • Integrates with Active Directory to enforce users’ authentication prior to virtual image access. Optionally, IT can configure RSA SecurID or PKI as a second authentication factor for additional security.
6. SSL
  • Communicates with the server over SSL. Clients validate the server’s SSL certificates against a Certificate Authority.
7. Policies
  • Enables administrators to have fine-grained, centralized control of operational and security policies, such as peripheral access and the ability to drag and drop files from host to guest or vice versa.
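
A sketch of how layers 1 and 4 can combine into a single pre-launch gate, added here as an illustration and not MokaFive's code. It assumes a JSON policy with hypothetical fields (`min_free_ram_mb`, `require_av_running`), a host identifier string, and an HMAC-SHA256 tag standing in for a real digital signature.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for a real signature here; a shared key
# on an employee-owned machine is extractable, so production designs verify a
# public-key signature instead.
POLICY_KEY = b"constructed-demo-key"


def sign_policy(policy, host_id, key=POLICY_KEY):
    """Management side: tag the canonical policy together with the enrolled host."""
    body = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    msg = host_id.encode() + b"\x00" + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def launch_decision(policy, tag, host_id, host_facts, key=POLICY_KEY):
    """Client side: return (allowed, reasons) before the VM is started."""
    if not hmac.compare_digest(sign_policy(policy, host_id, key), tag):
        # Fails for an edited policy and for an image copied to another host.
        return False, ["policy tag invalid for this host"]
    reasons = []
    if host_facts.get("free_ram_mb", 0) < policy["min_free_ram_mb"]:
        reasons.append("insufficient free RAM")
    if policy["require_av_running"] and not host_facts.get("av_running", False):
        reasons.append("anti-virus not running")
    return not reasons, reasons


# Constructed sample: policy issued for the host enrolled as "HOST-A".
SAMPLE_POLICY = {"min_free_ram_mb": 2048, "require_av_running": True}
SAMPLE_TAG = sign_policy(SAMPLE_POLICY, "HOST-A")

if __name__ == "__main__":
    healthy = {"free_ram_mb": 4096, "av_running": True}
    print(launch_decision(SAMPLE_POLICY, SAMPLE_TAG, "HOST-A", healthy))
    print(launch_decision(SAMPLE_POLICY, SAMPLE_TAG, "HOST-B", healthy))
    edited = dict(SAMPLE_POLICY, require_av_running=False)
    print(launch_decision(edited, SAMPLE_TAG, "HOST-A", {"free_ram_mb": 4096}))
```

The host facts in this sketch are reported by the unmanaged host itself, so the host check raises the bar but does not prove the host is clean.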

Simply put, MokaFive is one of the few vendors that provides a secure, fully managed virtual desktop model for a BYOC model. Stay tuned: in an upcoming blog, we will talk about BYOC best practices.

Purnima Padmanabhan, VP of Products and Marketing

Thursday, February 25, 2010

Prediction Piece 2010: BYOPC for Today’s Workforce is a Reality

Is the only driver behind BYOPC attracting and retaining Gen-Y'ers?

Sure, the freshly minted college graduates who are entering your organization today were born in 1988. All they know is instant gratification of having information at their fingertips. As our CTO, John Whaley, mentioned in a reply to Andi Mann's article, Is BYOPC Really Key to Attracting Millennials?, "a company that adopts a BYOPC program is more likely to attract millennials just by the fact they consider adopting such a program," not necessarily because it's just a perk to lure them in. Giving them the ability to bring in their hardware of choice, aka Mac, makes you look like the trend-setting, understanding employer (and then you put them to work, of course).

But is this attempt purely altruistic? We think there are other drivers worth considering – namely, cost. There are deep cost advantages – some underneath the surface and worth the time to consider. By requiring employees to bring their own hardware, you get out of the hardware support business. Or if you're less inclined to give them complete choice, you have the option of corporate issued choice – you retain your volume discounts and offer a catalog of choices. Think about the flex initiatives that are growing in popularity, where companies are aiming to lower overhead by keeping workers in the office for fewer hours during the week, or fewer days. Now think of BYOPC as synonymous with use of home computers – which is more "use your own" rather than "bring your own." Here, real estate costs can be eliminated, which can represent a large percentage of the operating budget.

A client-based managed VM can not only address the above scenarios in a very cost effective way, it can also eliminate the security risk associated with allowing corporate access from unmanaged, unknown endpoints. Cost effective – because it 1) Negates the need to deploy vast amounts of server infrastructure that server hosted virtual desktop solutions require; 2) Allows your users to leverage the distributed assets on hand such as personal PCs; 3) Enables you to support new green initiatives such as "work from home" and productivity initiatives such as "Platform Choice". Secure – because it 1) Eliminates the worry of VPN clients tunneling into the perfect lockdown corporate world from dirty machines since the VPN session can now be established only from within the secure lockdown VM; 2) Removes the need to subject a user to time consuming extensive host AV scanning/could quarantining process.

If BYOPC has not looked that promising before – then it is time to look at it again. This time not just for Gen Y’ers but also for the cost saving that it can deliver to you.

MokaFive solves these exact problems while realizing the cost benefits of eliminating hardware costs, real estate costs, backend infrastructure costs, and excessive overhead. MokaFive's virtual desktop is an isolated virtual machine that sits on the endpoint – yet is fully managed, tied to a server behind the enterprise firewall that filters down policies and settings for the virtual desktop to completely lock it down and ensure safe access to the network. Whether corporate-issued choice (Mac or PC), true BYOPC or work-from-home, the cost savings are clear.

Purnima Padmanabhan, VP of Products and Marketing