There has been a lot of discussion around Reverse Seamless and its value over the years. Recently RES Software announced a standalone version for $15 per user, which Brian wrote about on SearchVirtualDesktop.com calling it "super cool as a stand alone feature for $15 per user." Well I disagree. It's not a super cool feature at $15. It's an extremely expensive feature that carries a security risk.
I was recently discussing the feature with one of my few security friends. He just gave me a puzzled look and asked, "Are you really going to trust all the URL redirection, launching random apps, and potential remote interaction with your data center from a small third party sitting on top of yet another third party protocol?" He went on to educate me that I would have a very hard time passing an internal security review. He would require a lot of evidence that RES has a supported secure solution with whichever protocol they sit on top of. He went further and talked about existing vendor clients that have security holes despite the expensive efforts that are put into things like penetration testing. So adding something that is quite invasive on top represents a lot of trust that one has to place in two external parties interacting in the right way.
Nothing like a security guy to kill progress :-)
I argued, "Yeah that's all fine, but risk is assumed with any third party that we have on top or under a Microsoft operating system such as VMware ESX and Citrix XenDesktop/XenApp. This is even riskier with the smaller vendors." He agreed that this is true and these are assumed risks and we have to patch those, ugh! He still felt that messing around with remote interaction and arbitrary application launches represented a greater risk, and when it came to security patches for things like Citrix Receiver he remained concerned about how well the various companies would cooperate. He felt it would be less risky if they were just trying to make existing features that are secure from the core vendor better. The example he cited was people doing things to RDP that leverage the core protocol.
I'd never really thought about it from this angle before, but I guess he has a point even though I could argue whatever and go for a risk exemption if the business need is greater. I would not however be willing to do that due to the $15 price. I see this as another virtual channel in the protocol stack. Imagine if I had to pay $15 for every virtual channel inside HDX or RDP! Also, I'd probably only want to use this for a subset of my population at certain times and have great difficulty in predicting who and when. This, like many other software purchases, likely ends up in buying more licenses than needed.
I tried playing around with the math to see what RES are thinking. At $15 they would need to sell 67,000 licenses to only make a million dollars. The reality is they will have to discount in many cases to let's say $10 which makes it 100,000 licenses for a million bucks. Would I even pay $10? No way, I look at the spend of the entire desktop software stack and this to me would be worth perhaps $0.15 at best compared to the value and use of all the other crap I have to run. So what does that do to the market opportunity of this standalone feature…?
It doesn't just stop at security and price. Integration into other advanced protocol features such as Aero, etc. is not something RES will be able to do easily, especially if there's next-to-zero revenue for this feature. These are core features that the protocol vendors will build over time. Hence Reverse Seamless must be a native, integrated, secure feature of the base protocol that continues to evolve. It's a requirement to address many desktop virtualization use cases and hence the price is FREE. There is no standalone sustainable business here.
I am not trying to knock RES for having the foresight for filing a patent in this space and will even congratulate them on their innovation. I do not however understand why they think they can make any money out of this. This is a FREE feature to address a desktop virtualization requirement. If RES was smart, why not get paid by the larger players so they can hurry up and make this technology available to the masses so we can all have the feature to help us with implementation? License the darn thing and stop wasting time with this $15 per user nonsense. Until then, as far as I am concerned, RES is just playing patent troll and holding our industry back, and hence I suggest they are boycotted.