Regardless of the virtual desktop solution you are using VMware VDI, Citrix VDI, or Ubuntu VDI, or even if you decided to just use a VDI in a box solution, helping your users update their business continuity plans (BCP) for VDI is an absolute must for every CIO.
Just to be clear, I am not talking about the IT department creating a VDI disaster recovery plan or adding VDI to an existing DR program. No, this post is aimed at ensuring the users depending on VDI have a contingency plan in place to continue their operations when VDI fails – and it will.
For many CIO’s this is probably the last thing you want to be reminded about on your VDI implementation. If your project was anything like others you have battled through the disk I/O issues and the unexpected storage demand for VDI with only a few scars and maybe a little budget left over. You may have even decided to add VDI Blaster to get a few more years out of those old PCs and hopefully deliver the ROI you promised.
And yet, you probably still have real fears VDI will get you fired if it doesn’t perform as advertised. So before you start celebrating the accomplishment with your team you need to ensure your institutional BCP is updated for VDI.
Desktop Virtualization Models
I am a firm believer every manager should have a solid understanding of what it takes to run their operation. Today that means having a solid understanding of the technology used by your department including the software and systems. Afterall, you are the “owner” of the systems that you CIO runs for you. So when it comes to the desktop virtualization and VDI used by your teams you need to have at least a kitchen table understanding.
Desktop virtualization is more than just VDI (virtual desktop infrastructure). The traditional form of desktop virtualization is based on an extension of server virtualization where a virtual machine managed by the IT department is hosted in the data center and served up to a remote user over the network.
This model is referred to a centralized model or connected model. But without network connectivity to the data center and the end-user does not have a functioning desktop.
Remote desktop is another form of virtualization which does support offline capabilities by installing a “hypervisor” on the end users machine that receives the virtual desktop image from the data center to be run locally.
There are two forms of this model. Type 1 which does not use a locally installed operating system and Type 2 where it does. Remote desktop allows the end-user to continue working offline with local applications even when connectivity is lost to the data center.
Because the remote desktop model relies on running the virtual desktop locally it requires more resources on the desktop than the centralized model with Type 2 being the more resource intensive of the two.
One last bit of background. Today there is a whole range of device options for running virtual desktops from zero clients and thin clients on up through hybrid “thintops” along with the traditional full desktops, laptops and tablets. Because many organizations are implementing VDI to avoid PC refresh you are likely to find older desktops with fewer resources mixed with newer PC’s laptops and tablets.
If you are a non-IT manager and you don’t know which model of desktop virtualization has been chosen for you or if you have Type 1 or Type 2 remote desktop or some combination, you might want to find out before circumstances force it upon you.
Business Continuity Overview
Business continuity planning (BCP) is a process of developing a plan to continue operations during abnormal circumstances or following a major disruption. Sometimes referred to a business contingency or continuance planning the goal is for each functional area of an organization to have a basic plan in place which can be executed in the event of a disruption to normal operations. That means the BCP provides for the minimum capability to keep the business going until normal operations can be restored or a longer term plan can be put in place.
If you are the director of admissions what would you need minimally to provide the essential services and would that be different depending on when in the year it happened? What about the bursar office or alumni relations?
Ordinarily a BCP is developed by first conducting a business impact analysis (BIA) which is an inventory of the core functions of each department and the systems, materials and people required to perform it. The BIA usually has connections to enterprise risk assessments to identify which functions and processes should be accounted for in the BIA based on criticality to the business or risk. Here is a simplified diagram to help see the relationships.
Risk assessments, BIA’s, and BCP’s are intended to be maintained documents which get updated as changes occur in any of the elements. Because of their importance regular reviews are also customary to ensure nothing has been overlooked and that staff are familiar with the plans.
The IT department is no exception. CIO’s should also conduct IT risk assessments (ITRA), BIA’s for their core functions and processes, and develop BCP’s. The most common mistake CIO’s make is to think their DR plan is enough – it’s not.
Ordinarily that is done beginning with a traditional BIA Questionnaire administered by IT or published using SharePoint or similar platform for self service and regular automated update reminders. You can download a free BIA questionnaire here for subscribers which you can edit to fit your own needs.
The DR plan relies on this data but is more about recovering the systems and restoring normal operations of the technology and service. The ITRA, BIA, and BCP are much more than that and often involve contemplating scenarios which do not include DR such as with pandemics.
Another common mistake CIO’s make is to not recognize that any DR mus be driven by the BIA’s and BCP developed by the other departments because any DR plan developed by IT in a vacuum is probably not worth the paper it is printed on.
VDI Business Continuity
The effect of having virtual desktops on business continuity is that it changes the underlying IT risk assessment of the departmental functions which depend on the desktop. But more simply, it likely means you may not be able to count on PC’s as you probably had before.
Ideally, within the VDI project plan there would have been specific tasks int he work breakdown structure to update the ITRA and any BIA’s and the BCP’s for all affected departments. The reason it needs to be done early in the project lifecycle is so changes can be made early to account for the continuity requirements.
In the event this crucial step was skipped in your project you can still circle back and do the assessments and planning. In fact, many organizations have a regulatory compliance requirement to do so. I realize this may seem like a massive undertaking since most organizations do not have a BIA or BCP in place and must start from scratch.
If that is the case, focus your efforts on considering how you will operate if your team losing connectivity tot he data center if you are using a central VDI model. This will probably involve paper or a few non-VDI devices pre-loaded with the essentials. If you are running a remote desktop configuration, consider what plans are needed when offline and how that might change for a prolonged period of offline operations