Page 1 of 2
Manage Your Virtual Desktop with Layers
By John Whaley
Published: Tuesday, July 28 2009
Desktop management is becoming more
and more challenging. Today employees are far more tech-savvy than they were
just a few years ago. This has led to greater productivity, but also increased
the demands on technology. Employees need flexibility to be productive. They
expect to have access to information wherever they go, whether they are in the
office, at home or on the road. People want to be able to install their own
browser plugins and drivers for their home printers. They expect to be able to
do research on Google, network on LinkedIn, pay their bills online, and connect with friends on
Facebook anytime. The distinction between work life and home life is blurred -
people work from home, and do personal tasks at work.
Business needs also present their own set of technology challenges. Regulations
such as Sarbanes-Oxley, HIPAA, and the data breach notification laws that exist in most
states make security breaches very costly. Malware has become increasingly
vicious and an attack can instantly cripple an organization and cost millions
of dollars to clean up. Furthermore, the current economic climate introduces a
whole other set of difficulties. Today's IT organizations have to do more with
less: Budgets have been frozen and hardware refresh cycles have been extended. Additionally,
there are more temporary and contract workers, which in turn introduces new
provisioning and de-provisioning issues. And despite all these circumstances,
IT is expected to move more quickly than ever to keep up with the accelerating
pace of business.
The problem is that desktops are monolithic. Everything - the hardware,
operating system, corporate applications, user-installed applications, plugins,
user data - is all mixed up together, so it is difficult to manage or control
one without affecting the others. For example, locking down the operating
system may make it more secure, but that could prevent the employee from
installing an application or plugin he or she needs to be productive. To
further complicate the situation, different parties are often responsible for
different components. The hardware may be employee-owned, while the operating
system is provided by a desktop engineering group, the corporate applications
are supplied by the department, and the security updates are controlled by yet
another group.
Desktop virtualization has been heralded as a panacea for these problems. By
separating the software from the hardware, desktops become easier to manage. However,
simply moving the desktop into a virtual machine does not solve the fundamental
issue of managing the desktop, nor the fact that different parties are
responsible for different parts of the desktop and these parties have
conflicting concerns. Traditionally these issues have been resolved by either
locking down the desktop, reducing functionality and thereby end-user
productivity, or by giving each user their own unique desktop instance, which
leads to image sprawl and makes them difficult to manage. But there is another
way.
Virtual Layers
Just as you can use virtualization
to separate software from hardware, you can similarly use virtualization to
separate a desktop into virtual layers that can be managed individually. These
layers are dynamically composited to provide a single unified view of the
system. For example, you can separate the desktop into a layer for the
operating system, a layer for targeted corporate applications, a layer for user
applications and a layer for user data. Each of these layers is kept separate
and can be managed individually, but to the user it looks and feels like a
traditional desktop.
Separating the desktop into layers
gives you power. The fundamental power of virtualization comes from adding a
level of abstraction. This allows you to easily add, remove, update and
roll back individual components. It also empowers you to reuse the same
components across different instances. Applying this technique within the
desktop gives you flexibility and leverage on a fine-grained basis. You can use
the same base operating system image for everyone and then layer customizations
on top. This means you no longer need to individually manage, patch and update
thousands of separate copies of the operating system. Instead, you simply
manage your one golden image which all users share - saving you from a
management nightmare. Likewise, any applications that are not distributed to
all users - perhaps due to licensing restrictions - can be placed in a layer
and targeted to only the users entitled to the application. The OS and
application layers are sourced from the golden image on every boot, which means
they are always up-to-date. If an image gets corrupted or attacked by malware,
the user can immediately recover by restarting their desktop. This also avoids
the problem commonly referred to as "Windows rot" - the tendency for
a Windows installation to get slower and slower over time.
Separating the user personality into its own layer(s) apart from the system
layer also allows each user to have their own customizations (if permitted) by
automatically layering them on top of the standard IT-provided system image. When
the user-installed applications are separated from the user documents and the
user breaks their system by installing incompatible software, they can easily
recover by reverting or rolling back the user applications layer and nothing
else. The rest of the system, including the latest changes to their documents,
remains unaffected. Backups become much easier and more efficient as well - by
simply backing up the user layer, you can get an efficient backup of just the
user personality without the overhead of backing up the whole system, and thus
recovering from a crash also becomes much easier. By splitting the user layer
into user data (which is backed up) and ephemeral data (which is not backed up), backups become even more
efficient because they can skip temporary data such as Web caches or mail files
that are also stored on the mail server.
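
The layer behaviour described above, as an added toy model (not code from the article or from any layering product): managed layers are re-sourced from the golden image at boot, the user applications layer can be rolled back on its own, and backups skip ephemeral data. The layer names follow the article; the path prefixes, the `LayeredDesktop` class and the `demo` scenario are hypothetical.

```python
from copy import deepcopy

# Layer names follow the article; the path prefixes are hypothetical routing rules.
ORDER = ["os", "corp_apps", "user_apps", "user_data", "ephemeral"]  # bottom to top
MANAGED = ("os", "corp_apps")            # re-sourced from the golden image at boot
ROUTES = [("/home/alice/.cache/", "ephemeral"), ("/home/", "user_data"),
          ("/apps/user/", "user_apps"), ("/apps/corp/", "corp_apps")]

class LayeredDesktop:
    def __init__(self, golden):
        self.golden = golden             # IT's single shared image, never written here
        self.layers = {name: {} for name in ORDER}
        self.snapshots = {}
        self.boot()

    def boot(self):
        for name in MANAGED:             # user layers persist across boots
            self.layers[name] = deepcopy(self.golden[name])

    def write(self, path, content):
        # First matching prefix wins; anything else lands in the running OS copy.
        layer = next((l for p, l in ROUTES if path.startswith(p)), "os")
        self.layers[layer][path] = content
        return layer

    def read(self, path):
        for name in reversed(ORDER):     # composite view: topmost layer wins
            if path in self.layers[name]:
                return self.layers[name][path]
        raise FileNotFoundError(path)

    def snapshot(self, name):
        self.snapshots[name] = deepcopy(self.layers[name])

    def rollback(self, name):
        self.layers[name] = deepcopy(self.snapshots[name])

    def backup(self):                    # user personality only, ephemeral skipped
        return {n: deepcopy(self.layers[n]) for n in ("user_apps", "user_data")}

def demo():
    d = LayeredDesktop({"os": {"/sys/shell": "v1"}, "corp_apps": {"/apps/corp/erp": "v3"}})
    d.snapshot("user_apps")
    d.write("/apps/user/plugin", "incompatible")      # user breaks their app layer
    d.write("/home/alice/report.doc", "latest edits")
    d.write("/home/alice/.cache/web", "tmp")
    d.write("/sys/shell", "tampered")                 # running OS copy modified
    d.rollback("user_apps")                           # revert only user applications
    d.boot()                                          # managed layers restored from golden
    return d
```

After `demo()`, the tampered system file reads as the golden version again and the incompatible plugin is gone, while the document edits survive and the cache entry never appears in `backup()`.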
Virtual layers are an application of a well-known principle in systems design
called "separation of concerns." Separation of concerns means that
you decompose a complicated problem into a set of meaningfully distinct pieces
that you solve individually, then compose the solution from the individual
parts. Virtualization is the key technique that allows this separation while
still providing a composite view of the whole.