Brian & Gabe LIVE #21 - Part 1: We talk to Harry Labana and get his thoughts on VDI security

Listen to the whole episode with Harry Labana here!


Brian: Hey, good morning on Tuesday, March 13, 2012.  You are listening to Brian and Gabe Live.  I’m Brian Madden from San Francisco.  Thanks everyone for joining today.  

Gabe: What?  Do we let Justin run this song?  We didn’t even get to the good part where we get to say O-H & I-O.

Brian: Yes.  Well, I think we were coming quickly up on our 30-second legal limit of being allowed to play songs.

Gabe: Well, the Bitchy Buckeye is Gabe Knuth, sitting here in Omaha.

Brian: Thank you for joining, Gabe.  And Jack is here in the studio with us.

Jack: Good morning.

Brian: And our guest today is Harry Labana.  

Harry: Good morning.  I’m glad it worked out because I know we’ve been trying to get this on the road for a couple of months now.  It’s a good excuse because otherwise last night I would have been stuck at home forced to watch the finale of The Bachelor with my wife.  So, thank you for having me.

Brian: Yikes.  Thanks for coming up here.  It’s a rainy day in San Francisco, which coming from the East Coast, you need a good foot and a half of snow before people stop – they drive at 60 mph instead of 80, if you have more than a foot of snow.  Here, the clouds, the sky turns sort of blue, dark blue, and then immediately there’s 45 accidents.

Gabe: People don’t know how to drive.

Brian: So, today we’re talking about our industry.  I don’t know if we have a specific agenda.  I know we’ve got the chat room running.  Hopefully, you all can hear us with no problem.  What happened this week?  We’ve got Microsoft talking to OnLive.  We’ve got BriForum sessions.  We’ve got – our book is done.  Harry’s here.  So, what do you guys want to talk about first?

Gabe: Let me tell you, writing a book is kind of a pain in the ass.

Brian: We talked about the book in the past.  I think we’ve talked about the book in past weeks.  Our book is called, The VDI Delusion, and the subtitle is, I forget the subtitle, Why Desktop Virtualization Failed to Live up to the Hype and What the Future Enterprise Desktop Will Really Look Like.  Now, when I walked in the studio, I heard Harry saying to Jack something about people need to stop whining about how much VDI sucks.  

Harry: Yes.

Brian: What’s that about?

Harry: Well, I think we’re a little bit schizophrenic in our industry.  What I really mean by that is I think we’re not really looking at it objectively.  On one hand, we’re complaining that Microsoft is not giving us licenses to do desktop as a service.  On the other hand, Brian, pardon my French, but you’re arguing that it’s too expensive, we should just do terminal services, etc.  Having done it and having seen the various blogs and the various articles out there, my view is that you really have to ask yourself when people talk to me about VDI, to do or not to do VDI, what it really becomes is a question of what’s your central computer strategy.  That all sounds very fluffy, but what does that really mean?  All this cloud stuff that’s going on, what are you doing about central computers?  Is VDI just a part of that strategy or are you really thinking about it as a patching problem?

Really, if you’re thinking about desktops as something that’s going to solve patching, that’s as ignorant as you are about the desktop world and where it’s going, then I’m sorry, you’re just ignorant about it.  So, I think the delusion is that people don’t understand where the world is going.  We’re happy to get into some specifics there if you like.

Brian: Of course, we like.  We have in the book we talk about – to be clear also, the title is The VDI Delusion, not the desktop virtualization delusion.  We early on sort of looked at what the promises of VDI were over the past five or six years and then get into what the reality is.  And two of the biggest realities that I talk about and I’ve talked about in the past are that 1) I don’t believe that VDI is about saving money because any tricks you do with VDI to save money would also apply to the traditional desktop world.  And 2) I don’t believe that VDI is about making things easier to manage.  I don’t believe VDI is about management savings.

I do believe that VDI is about enabling new capabilities and meeting new needs you might have to deliver Windows applications.  So, I wonder if that falls in with what you’re saying about – 

Harry: I think it’s relative.  I think we’re instantly dismissed that it doesn’t save money.  We have to look at that from the context of what we’re saying.  If you look at it as a pure apples to apples comparison compared to your physical desktop, I would agree with that sentiment, but when you add in and as you rightly point out the capabilities part of the discussion, then actually staying on physical depending on the use case can be a lot more expensive.  

Brian: Agreed.  Because the VDI can allow you to deliver these new capabilities for a much lower cost than traditional PC’s.  Absolutely.

Harry: And then on the management side, I think it’s a question of agreed not yet, and you’ve probably seen me talking about it.  I always talk about go one to one.  If you really believe what Brian is saying, which I actually believe, then I think the way to achieve it is go one to one to start with.  I think people try and smash together that it’s going to be cheaper to manage and it’s going to save money Day 1.  They just don’t get it.  

Gabe: That’s insulting them though.

Harry: I think that the industry is guilty of – 

Gabe: Embellishments.

Harry: Yes, that’s probably the right word.

Gabe: It’s the nicest one.

Brian: And I’m with you.  The one to one because if you need, I like that because that’s the lowest jump into VDI, if you go one to one, that’s how you have it today.  By the way, for me one to one, I don’t even care about users having admin rights.  If you have admin rights with your users today, move into your VDI.  If your users don’t have admin rights, I still probably want one to one, so that way each user can have the most unique, their applications and all that sort of thing.

Harry: I would disagree with that, and say that if you have admin rights on your PC infrastructure that you can infect your PC, you move those admin rights into the datacenter right next to your app and data and computing structure.  I think you’ve created that problem there.

Brian: If my firewall is around the datacenter, and I put my users inside the firewall, then that’s my own dumbass fault.  

Gabe: But wouldn’t somebody intelligently like, when they’re designing something like this, wouldn’t they still put some sort of barrier in between the user LAN network and the actual data and applications?  It could be fairly permissive much like what you would normally have I guess.  The user is out on the floor with traditional desktops today aren’t, I guess in a lot of situations, they probably do have carte blanche access into the datacenter, but they shouldn’t.  Wouldn’t that practice carry forward into VDI as well?

Harry: Sure.  You could certainly take that approach.  To me it becomes, it’s a high-risk profile because you’re putting everything centralized.  It’s much easier to get from one place to the next.  You talk about security.  I’d argue that app virtualization is one of the greatest security risks that nobody is talking about out there.

Brian: You talk about that right now.  What do you mean?

Harry: Let’s just talk about how we think about the security traditionally, we think about perimeter security, firewall, datacenter, the PC, physical access.  App virtualization is not designed to be a security solution, it’s another thing embellished by the industry that it’s a security benefit.

Brian: You mean app virtualization like App-V, ThinApp, and those kinds of things?  

Harry: All of them.  Because what I’m really talking about is the isolation capabilities.  The isolation sandbox.  It’s a hacker’s dream.  If I can hack into the isolation sandbox, I have access to other things.  I think we really have to think about security that there are all of these perimeters that are available to us and we have to protect in different ways.  You can’t just sandbox just the PC or just the apps or just the data, you have to have sandboxes around all of them because otherwise you’re going to be root cleared at different sandbox levels.  You’re going to have quite a problem on your hands.  

Brian: The root kit, so now it’s – you mean different levels because before the root kit was on the hardware, but now I can root using air quotes here, air quotes, the hypervisor or I can root the app virtualization container or – 

Harry: Sure.  You could buy a dodgy motherboard from China where there’s hardware, it’s already embedded in the hardware when it’s shipped.  Just go Google, dodgy Chinese motherboards; I’m sure you’ll find stuff in hardware.  Where does level of code come in?  Can you be infected at a BIOS level?  This whole point about this trusted boot, how do you provide that in your environment moving forward?  I don’t think it’s just a question of just do you have admin rights or do you not have admin rights, I think that becomes just another layer of management that you have to worry about.

Brian: Do you think this trusted boot is a legit thing?  That people are going to need?  I always figure it was something that Intel did just to sell more Intel products.

Gabe: I thought it was a government thing.

Harry: Again, when I say trusted boot, I don’t necessarily mean TXT, TPMs and hardware always, but I think let’s just take it even to the point around consumerization of IT, for example.  If you’re going to have trusted containers, which apps can execute on, are you going to put data in those containers?  That’s a different level of containment.  I think the real question becomes from an enterprise perspective is how much do you trust that container.  And one way to trust that container is to write it yourself.  The other way is to buy it from somewhere which is not so dodgy.  Again, there are multiple containers that you need to care about because if you look at a lot of the hackers out there and the sophistication out there, they will exploit multiple vulnerabilities at the same time, and that probably carries multimillion dollars’ worth of research.  Those are usually state funded levels of capability.

So, when I talk to a lot of my buddies in the enterprise, kind of chief paranoid officers as I call them, they’re really concerned about this, the level of sophistication and the capital that’s available to get into the infrastructure. 

Brian: Which we provided by buying our iPads and coffeemakers.

Harry: Sure.

Brian: So, you’re now, you’ve been at AppSense for a year or something?

Harry: About 10 months or so.

Brian: So, how is that so far for you?

Harry: It’s been great.  Really, we’re reshaping what AppSense is about, what we define AppSense is going to be moving forward and really how we’re thinking about the world, AppSense is really about, when we think about things like consumerization, VDI, terminal services, where we’ve come from, it’s really about how do you enable people to work and give them choice in how they want to work.  There’s all this stuff that’s available to you.  And how do you enable that?  And we’re an enterprise company, so there’s a lot of stuff out there, the FUIT, consumerization of IT, but who is focusing on enterprise consumerization?  How do we make that safe?  How do we make that consumable in a sensible way, but with governance and compliance and just one additional point there from an ambition standpoint?  

The way I look at it is that we’re at an interesting time in history, and all of these people have access to compute.  So, I remember in previous jobs where we used to marvel at compute farms that we used to build and having static workload analysis, but now I’ve got access to that with a credit card and that’s never happened before.  So, with all of this compute that’s become available to people, there’s this massive democratization that’s happening, so how do you bring that to people all over the planet?  In a way that hasn’t been done, what kind of services become possible?  I think just purely focusing on just consumerization is almost a delusion.  Maybe I should write a second book, The Great Consumerization Delusion.  

Brian: That sounds fine to me.  

Harry: I think it has to be done in a way that’s sensible otherwise you’re going to have all these interconnected devices, you’ve got all these hardware rooting, and there’s a lot of ignorance in the consumer world.  My mom has no idea about security.  She’s going to use whatever I tell her to use.  I think we have to make it consumable in a way where there’s a set of rules, it’s not just technology, there’s also policy, there’s also governments have to behave and agree.  So, I think there’s a much bigger issue here, at large here.  

Brian: So, what is this?  How do you tell that to enterprises?  Because you’re talking about individuals that have access to compute and that’s all over the world and anyone has access to multipliers and we need to control.  From an enterprise, if I’m an IT pro at a company, and I’m just trying to deal with my users and what’s happening, what do I need to be thinking about?

Harry: I guess it depends on the type of enterprise you are and we could probably take this in steps.  If I think about the, and you’ve probably heard me say this before, I think about the West.  Europe and the United States, essentially we’ve got a legacy here which is the reality.  You’ve got a lot of Windows PC infrastructure, we’ve got a lot of England people in IT, we’ve got a lot of people asleep at the wheel.  There’s a lot of people who are just going to protect their jobs.  But there’s nothing to do with me, nothing to do with AppSense, but I think the client architecture choices that are becoming available, so whether that’s Windows 7, Windows 8, 32-bit, 64-bit, there are types of virtualization, terminal services, VDI, just within Windows there’s tremendous diversity.

I think if anything I would say from the VDI industry’s respect and even large enterprise customers, I think they’re even saying we won’t necessarily always go wall to wall with VDI unless it’s a very specific use case, but we maybe will do some RDS, excuse me terminal services, in my mind, they’re still the same thing.  I think how do you deal with that?  That’s the first, if these different type architectures give you access to different types of use cases, just take the Citrix Receiver kind of example, yes, I know you don’t want to use it on your iPad to do things, but it’s a steam valve.  It’s a bridge to the past, and enables you capabilities.  So, that’s kind of step one.  Then when I think you start to get into well, what about all these different cloud services, whether it’s in data, whether they’re new app tabs and people just want to use them.  Since I’ve left Citrix, what do I do?  Let’s be full disclosure.  I use my Mac.  

I use everything on it.  It’s probably not encrypted.  It’s where I probably do all the bad things that I’m not supposed to do.  Do I have access to a desktop virtualization environment?  Well, sort of.  Does AppSense need to upgrade?  Yes.  But that’s a different problem.  I want to work in ways on devices that I choose to.  On my Mac, I want to do certain things.  When I want to connect into the network to do certain things like approve timesheets, budgets, some sensitive stuff, that’s fine.  My iPad has been stolen by my children, so I’ve given up.  My point being is that I think there’s this diversity coming.  So, enterprises have to learn how to deal with this choice in a way that’s governed and compliant.  I think from an enterprise, that touches every part of the enterprise.  It touches how data is consumed, what happens to storage, the networks; the whole infrastructure has to be redesigned.
