IT@Intel White Paper

Intel Information Technology Mobility November 2009

Enabling Device-Independent Mobility with Dynamic Virtual Clients

Executive Overview

To enable device-independent mobility (DIM) at Intel, Intel IT is considering implementing dynamic virtual client (DVC) technology, which uses containerized software appliances to abstract the OS; applications; corporate and personal data and workspaces; and user-specific settings. In this model, users can access their applications and information from any device, anywhere, anytime.

As new client devices and technologies emerge, client mobility—once thought of as disconnecting a laptop from the wired network to carry around—is evolving to include:

• Delivering IT services to devices that cannot sustain a full IT build, such as and smart phones.
• Providing on-site mobility, where users can move between their offices, labs, and homes, and access their IT environment from a variety of devices.
• Separating corporate data from personal data and making both accessible from multiple device platforms.

DIM would enable us to deliver the information users need in the environment they need it, independent of which device they are using—giving mobile workers more choice, flexibility, access, and performance.

For IT, the benefits of DIM include centralized application and data policy management, cost savings by reducing integration for individual hardware platforms, and improved delivery of IT services to users.

Initial testing of technologies underlying DIM and evaluation of platform and support costs during proofs of concept and pilot studies indicate that we can realize a per-platform cost savings of USD 100. Additional cost savings are possible as platform configurations evolve and infrastructure services are changed to accommodate new platform provisioning and information storage concepts.

Dave Buchholz, Technology Evangelist, Intel IT
John Dunlop, Enterprise Architect, Intel IT
Ed Jimison, Technology Evangelist, Intel IT
Glen Maxson, Technology Evangelist, Intel IT

Contents

Executive Overview
Business Challenge
Solution
  Evaluating Existing DVC Technologies
  Building an Architecture that Supports DIM
  Focusing on Segmented Communities
Results
Next Steps
Conclusion
Acronyms

BUSINESS CHALLENGE

As mobile devices and technologies proliferate in the marketplace, an increasing number of employees at Intel want to use their personal devices within the enterprise, choosing the best platforms, applications, and services to accomplish their jobs and manage their lives. This trend is often referred to as the “consumerization of IT.”

For example, an employee might prefer a desktop or notebook PC to access the Intel network locally and remotely; a lightweight for meetings and long-distance travel; and a smart phone for quick access to e-mail, calendar, contacts, and some corporate or personal content provided by storage. This combination of devices gives employees access to applications and information anytime, anywhere.

Intel IT anticipates the need to support employees who carry not just one or two devices as they do today, such as a notebook and a cell phone, but employees who roam among devices depending on their physical location. This situation raises many challenges:

• Keeping business and personal information separate on each device an employee uses, whether that device is owned by Intel or by the employee.
• Keeping corporate data and application context synchronized and secured across a user’s many devices.
• Maintaining security, manageability, and functionality across disparate devices.
• Helping ensure that new technology solutions co-exist with legacy technology and applications.
• Achieving the best return on investment (ROI) for the technology choices we make.

In addressing these challenges, we realized that we needed to find a solution that supports users’ desire for device independence while also benefiting Intel.

After researching technologies over a period of 18 months, we concluded that abstracting the traditional corporate build environment from the underlying hardware platform into layers—OS, applications, user data, and user-specific settings—would provide many benefits to users and to IT. This delivers a stateless computing model, regardless of the device accessing it.

Tying applications and services to one single platform and excluding them from others limits users’ mobility and forces them to think about which device they are using at any given time. Device-independent mobility (DIM) allows employees the freedom to use any device at any given time to access the corporate information that they require in a format that is tailored specifically to the platform they are using.

DIM provides users with greater choice, flexibility, access, and performance, while providing Intel IT with centralized application and data policy management, cost savings by reducing integration for individual hardware platforms, and improved delivery of IT services to users.

Enabling Employee Productivity with Device Independence and Rich Client PCs

Employee productivity improves with device independence because employees can choose the device with the best performance and usability for a particular task without worrying about whether the applications and data they need will be available on that device. For example, using virtual containers on a notebook PC with hardware-assisted capabilities, employees can have access to multiple environments (corporate and personal) on a single PC—something that is not possible on a mobile device. However, employees may also want to carry companion devices for travel or home use for light computing tasks, such as access to the Internet, contacts, or schedules. Device independence gives employees the flexibility to use the best device for each circumstance.

IT@INTEL

IT@Intel is a resource that enables IT professionals, managers, and executives to engage with peers in the Intel IT organization—and with thousands of other industry IT leaders—so you can gain insights into the tools, methods, strategies, and best practices that are proving most successful in addressing today’s tough IT challenges. Visit us today at www.intel.com/IT or contact your local Intel representative if you’d like to learn more.

SOLUTION

To implement DIM, we are considering using dynamic virtual client (DVC) technology to abstract the OS, applications, user data, and user-specific settings so we can deliver them independently to a wide variety of devices.

Abstraction of components, such as the OS and applications, into virtual containers enables faster turnaround time on upgrades and new capability introduction, and provides greater flexibility and faster solution development at lower cost.

Our planned solution consists of three steps: evaluating existing DVC technologies, building an IT architecture that supports DIM, and implementing DIM in segmented communities rather than waiting for a solution that meets the needs of all users.

Evaluating Existing DVC Technologies

We have evaluated several of the available DVC technologies that support various aspects of DIM.

• OS streaming. OS streaming allows IT to step away from platform engineering; instead, we would use platforms as delivered from the OEM. The OEM is then responsible for supporting the native OS, drivers, and so on for these platforms.
• Application streaming. Similar to OS streaming, isolating applications into their own virtual containers simplifies application maintenance and allows users to access the applications they need from the device they choose.
• Cloud storage. Secure cloud storage enables removal of user data from client endpoints. This lets the user access files anywhere, anytime, and eliminates the need for IT to back up this data. Cloud storage also provides an opportunity for IT to create and manage file retention policies, leverage efficient file storage and archival technologies, and enable more effective legal discovery practices.
• Client virtualization. Client virtualization is an important building block for services abstraction. It allows us to separate the hardware, OS, application, and user-specific settings layers, making it possible to change one without affecting the others.

Building an Architecture that Supports DIM

Our evaluation of existing DVC technologies made it clear that virtual containers are the key component to building an architecture that supports DIM. As shown in Figure 1, the overall DIM architecture is based on extensive use of internal and external and services, which in turn provide data and applications to a broad range of devices.

[Figure 1 diagram. Internal cloud services: IT application layer and corporate data. External cloud services: personal data and services. Capabilities shown: device awareness, client-side file caching, session synching, cross-platform, user personality awareness, device independence, application security and manageability, data security and manageability, pay as you go, consumer choice, best-of-breed applications, security and manageability policies, offline capability, consumer security and manageability, application location awareness, co-existing IT and consumer environments. Devices: television, auto, Internet cafe, corporate PC, netbook, smart phone, mobile Internet device, home PC.]

Figure 1. Device-independent mobility (DIM) involves a broad mix of capabilities and services, consumed by a wide range of devices.


[Figure 2 diagram: software streamed on demand. Client (Intel® vPro™ technology): application streaming and virtualization (virtualized application, application virtualization layer, local OS); OS image streaming; client-side virtual containers (virtual container with streamed OS and applications, virtualization layer). Network. Server: master OS with all updates and patches; master applications with all updates and patches; streaming server based on Intel® Xeon® processors.]

Figure 2. Dynamic virtual client (DVC) technology enables device-independent mobility (DIM).

USING CONTAINERIZED SOFTWARE APPLIANCES

The abstraction of the OS, applications, data, and user-specific settings into containerized software appliances, also referred to as layers, is central to the DIM concept. This abstraction is accomplished using DVC technology.

By encapsulating the dependencies of an application or data set into a self-contained unit, containerized software appliances can dramatically simplify software deployment by freeing users from having to worry about resolving potentially complex OS compatibility issues, file dependencies, or undesirable interactions with other applications.

Additionally, containerization improves security by isolating one application from another. If the security of one appliance is compromised, or if the appliance crashes, other isolated appliances are not affected. Containerization also simplifies IT’s task of configuring and deploying security patches, because only a small number of client endpoints, which now exist as a back-end service, need to be patched. The next time a client connects, it will synchronize and be updated.

Once we have built a DIM architecture in which all the layers are truly abstracted, we will have achieved a stateless computing model, where many clients share a single base OS image and base application layer. These layers are identical across each platform, which greatly simplifies IT’s management environment because we can patch a centrally managed component on the back end instead of in tens of thousands of unique footprints.

Figure 2 illustrates how DVC technology supports DIM. On PCs with Intel® vPro™ technology, application streaming, containers, and virtualization provide flexibility in which applications and data are provided on a particular device. When connected to the server, the appropriate applications and data can be synchronized.

SEPARATING PERSONAL AND CORPORATE WORKSPACES AND DATA

As shown in Figure 3, the DIM model stores personal and corporate data in separate virtual containers. The end user stores personal information in a personal container, either on the device itself or in a personal cloud, and it is the end user’s responsibility to manage this data, including running backups. Corporate data is stored securely in a corporate container and is managed in accordance with corporate policies.

Data separation offers two important benefits:

• Improved data security and stability. Hardware-assisted virtualization, such as Intel vPro technology, not only improves performance, but enables secure separation of the personal environment from the corporate environment. In this manner, negative events in the personal space, such as viruses or application corruption, have no effect on corporate data and applications.


• Reduced liability. DIM provides content separation at the client level by design, which means less personal content will end up in the corporate infrastructure. It may also be possible to limit the passing of company content back to the personal file system, or at least have the system detect when this occurs. As we implement DIM, we need to address information storage and flow to protect both the company and the individual from information loss and misuse.

Using an internal cloud for storing work-related documents helps improve document retention management and protection of corporate intellectual property. In addition, implementation of an internal cloud eliminates the need to back up clients using a connected network backup system and enables new data archive and legal discovery processes, which have significant cost savings potential.

Once there is widespread use of cloud storage services, IT can implement a tiered storage strategy that offers several benefits:

• Minimizes the cost of archival storage.
• Enforces data retention policies, thereby reducing the amount of information being stored and managing the legal liability of information being kept longer than it needs to be.
• Provides content index and search services for legal discovery and information reuse.

We can start to realize the many benefits of properly managed information with thoughtful management of corporate content within the DIM framework.

[Figure 3 diagram. A PC with Intel® vPro™ technology, from top to bottom: a virtualized IT OS (IT applications, user corporate data) beside a virtualized personal OS (user applications, user personal data) and a virtualized IT services and management layer; client native hypervisor; BIOS/EFI supporting Intel® vPro™ technology with Intel® Virtualization Technology.]

Figure 3. Intel® vPro™ technology enables separate virtual containers for personal and corporate use.

IMPLEMENTING VIRTUALIZATION

Virtualization provides portability of workloads across devices and is important for legacy application compatibility and coexistence of multiple workloads.

During our technology evaluation, we considered several technologies that support OS and application streaming and virtualization, including:

• Type 2 or hosted virtualization
• Directed I/O-based hardware virtualization, offered on PCs with Intel vPro technology
• Type 1 or client native hypervisor-based virtualization
• Virtual container security, manageability, and mobility

We evaluated these technologies within existing user segments throughout Intel, including a proof of concept (PoC) for the Intel call center in Costa Rica. We also assisted with an evaluation of these technologies in one of Intel’s main business groups and ran a PoC in our IT training rooms for which we’re now in the process of deploying a permanent solution.

IMPLEMENTING INTERNAL CLOUD INFRASTRUCTURE AND EXTERNAL CLOUD SERVICES

Cloud computing is an important enabling technology for DIM, as it provides the ability to store corporate data in the cloud and to access and synchronize this data between devices. In general, cloud computing provides services and data that reside in shared resources, and any authenticated device can access those services and data over the Internet.

We envision a mix of internal and external cloud services. We define an internal cloud as an internal IT environment with cloud computing characteristics, whereas external clouds are provided by suppliers.

Internal clouds can have most of the features of external clouds. They can use similar technologies to host cloud-aware applications and to provide a dynamic infrastructure that responds to demand and fault signals.


As was shown in Figure 1, the internal cloud would provide the IT application layer and corporate data for DIM, while an external cloud would provide personal data and services.

Focusing on Segmented Communities

To realize a maximum ROI while implementing DIM, we need to identify solutions that address existing and emerging requirements rather than waiting for a solution that meets the needs of all users. This approach allows us to implement new solutions more quickly, obtain a more immediate ROI, and collect crucial feedback we can share with suppliers, architects, and engineers.

We have identified three DIM use cases that could be implemented in the short term:

• Delivering IT services to devices that cannot sustain a full IT build, such as netbook, mobile Internet device (MID), or smart phone.
• Providing on-site-mobility; users can move freely between office, lab, and home, and access their IT environment from a variety of devices.
• Separating corporate data from personal data and making it accessible from multiple platforms.

Each of these use cases exercises a slightly different aspect of DIM and will enable us to gain valuable experience and information that we can use as we continue to build our DIM architecture.

Results

Two current projects are helping us explore the practicality of DIM. One involves providing e-mail, calendar, and contact information on smart phones; the other explores the practicality of using netbooks in the enterprise environment.

SMART PHONE PILOT PROJECT

With the advent of encryption on smart phones, we have been able to proceed with a pilot project that will explore the feasibility of providing corporate e-mail, calendar, and contact information services on users’ personal smart phones.

Previously, we provided these services only on smart phones purchased by Intel for employees. Now, for the first time, we will be providing services by enabling native applications on different devices that employees purchase themselves.

Our pilot project started in February 2009 with 300 participants; we anticipate that it will last about one year. During this period, we hope to answer the following questions:

• Can we move away from the model of buying personal devices for users while still benefitting from the productivity gains such devices offer?
• Does DIM provide a significant reduction in IT support costs?
• Is it possible to provide IT services in a secure manner on personal devices, and is this viable in the enterprise environment?
• Can personal devices support IT services, or are they more appropriate only for personal applications?

NETBOOK PROOF OF CONCEPT

Netbooks and other small form factor devices such as MIDs are becoming more popular with employees, who want to purchase them and bring them into the workplace. We needed to investigate what the impact on IT would be if we allowed this:

• Would the security risk be acceptable?
• Would netbooks increase IT support costs?
• Would netbooks negatively affect user productivity?

To answer these questions, we developed a PoC to test using netbooks in the workplace. We tested three brands of netbooks and three separate scenarios, with the following results:

• Locally installed IT build. This was secure but expensive.
• IT build run as a . This can be costly and unsecured, and degrades performance.
• Locally installed OEM-provided OS with an enterprise workspace provided by a virtual hosted desktop (VHD) interface. This adequately addresses the value proposition for using netbooks in the enterprise as complementary devices to users’ primary workspaces.

Our PoC results indicated that netbooks, when used as companion devices, can improve employee productivity through better mobility, connectivity, and access to corporate data without increasing platform provisioning and support costs, or appreciably increasing security risks due to platform mobility. Figure 4 shows the aspects of DIM that our netbook PoC supports.

The VHD usage model reduces the commingling of corporate and personal information assets. This data separation reduces the burden on IT to back-up non-corporate information. It also reduces legal exposure by limiting the amount of personal information that’s stored on PC platforms and back-up storage systems.

BENEFITS

As shown in Table 1, DIM offers many benefits—both to users and to IT. During our PoCs, for example, testing of technologies underlying DIM and evaluation of platform and support total cost of ownership (TCO) indicated a per-platform cost savings of USD 100.


[Figure 4 diagram, carrying the same labels as the Figure 1 diagram. Internal cloud services: IT application layer and corporate data. External cloud services: personal data and services. Capabilities shown: device awareness, client-side file caching, session synching, cross-platform, user personality awareness, device independence, application security and manageability, data security and manageability, pay as you go, consumer choice, best-of-breed applications, security and manageability policies, offline capability, consumer security and manageability, application location awareness, co-existing IT and consumer environments. Devices: television, auto, Internet cafe, corporate PC, netbook, smart phone, mobile Internet device, home PC.]

Figure 4. A proof of concept (PoC) determined that our netbook use case meets a number of criteria for device-independent mobility (DIM).

Table 1. IT and User Benefits

| IT Benefits | User Benefits |
| --- | --- |
| Focus on supporting services rather than devices | More platform choice |
| Centralized manageability and security of corporate information assets | Built-in device-awareness presents applications and data that are appropriate for a given device |
| Lower total cost of ownership for IT | Enhanced mobility for applications and user data |
| Reduction in required IT resources | Cross-platform support |

NEXT STEPS

DIM presents a major challenge for IT: We must change the way we operate. Today, IT-provided data, application, OS, and hardware layers are tightly integrated and device-specific. To implement DIM, we need to think about these components as services. We also need to understand and resolve security issues as we land IT services on each new device. While e-mail, calendar, and contact information are obvious choices for consumable IT services, we need to determine which other applications to enable for DIM.

As DVC technologies evolve, we will continue to implement new infrastructure services that support the DIM model; champion improvements to Intel vPro technology; collaborate with hypervisor ISVs to bolster application virtualization and streaming; and continue moving forward with server virtualization. We will also look for additional DIM use cases and complete more PoCs.

There are also industry-wide opportunities to develop products and tools that enable DIM. For example, although server virtualization has matured over the past 10 years, viable client virtualization technologies on PCs with Intel vPro technology are just now beginning to emerge, and supporting industry standards are still in their infancy.

CONCLUSION

With the consumerization of IT, managing clients in an enterprise environment is becoming more complex and costly. Users are demanding access to corporate applications and data from multiple devices, some of which IT does not own or manage. DIM, based on DVC technology, enables user choice and flexibility while allowing IT to focus on delivering services rather than managing hardware platforms.

DIM lets IT manage the thing that’s most important to the enterprise—its information assets—and better control its platform provisioning expense by delivering applications on demand, supporting offline usages as necessary, and by supplying virtual work environments where they make sense. Users also benefit by being able to choose the most appropriate device for their task and location.

ACRONYMS

DIM: device-independent mobility
DVC: dynamic virtual client
MID: mobile Internet device
POC: proof of concept
ROI: return on investment
TCO: total cost of ownership
VHD: virtual hosted desktop

For more straight talk on current topics from Intel’s IT leaders, visit www.intel.com/it.

This paper is for informational purposes only. THIS DOCUMENT IS PROVIDED “AS IS” WITH NO WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. Intel disclaims all liability, including liability for infringement of any proprietary rights, relating to use of information in this specification. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted herein.

Intel, the Intel logo, Intel Core, Intel vPro, and Xeon are trademarks of Intel Corporation in the U.S. and other countries.

* Other names and brands may be claimed as the property of others.

Copyright © 2009 Intel Corporation. All rights reserved.

1109/JLG/KC/PDF 322694-001US