Since the passage of the Telework Enhancement Act of 2010, the numbers of Federal employees teleworking and agencies offering telework options have grown. With the influx of teleworkers and mobile workers come new and innovative information technology (IT) solutions to accommodate remote work. What new IT solutions are available to agencies and remote workers to enable telework? What does the future hold?
This month our “Ask the Expert” column addresses the topic of enabling secure and productive telework in the post-PC era. Bryan Salek, an end user computing solution architect from VMware, answers your questions:
Q: What are the main criteria or characteristics for IT solutions used to support agency-wide telework programs?
A: In my experience, security is the number one criterion for government agencies when implementing virtual desktops. Many Federal agencies embark on the virtual desktop infrastructure (VDI) journey because of security, but regardless of the motivation, security is always critical. Virtual desktops can improve data security significantly by centralizing and controlling the movement of data, improving backup performance and accuracy, simplifying virus scans and mitigation, and improving the security of the data that must leave the confines of the agency’s network.
Other characteristics include lowering total cost of ownership, simplifying management, continuity of operations, improving application performance, and adding new capabilities for users. Many agencies realize other benefits after deployment, such as new disaster recovery capabilities that never existed, the improvement in user morale from eliminating the commute and gaining new flexibility in their schedule, and even an increase in recruiting quality and retention rates.
Q: For teleworkers who do not have government-issued laptops, what other telework IT solutions are available to access resources within a network?
A: Users can leverage their own computer or laptop to securely access their government-configured desktop image without installing software on their personal device. Additionally, teleworkers can access network resources from personal devices through virtual private networks (VPN), which have been used for some time. They require expensive licensing and expose risk to the network by allowing internal access to devices of unknown security posture. Desktop virtualization can be used to provide secure access to the user’s agency desktop from outside the network, from almost any device (Windows, Linux, Mac, iPad, Android tablet or zero-footprint thin clients) without the need for a VPN tunnel. Further, because all processing is done on the centralized server, and the only data ever leaving the network is screen pixels, there is no risk of data at rest.
Q: What advice can you give end users/teleworkers to ensure good speed/quality when working in a virtual environment? What advice can you offer agency IT departments to ensure optimal performance from outside the network?
A: For end users, the most important thing to understand is what impacts performance. For example, in a VMware View deployment, the only traffic that transits the network from the user’s location to the datacenter is pixel changes, audio, and universal serial bus (USB) data, if redirection is authorized. For the user, this means that degradation in service is likely due to the amount of traffic they are trying to send across the wire, which can be reduced by discontinuing audio or video use and stopping file transfers to/from a USB device. For teleworkers with broadband connections, network throughput is not typically a constraint, and if it is, it is likely because of other traffic, such as a teenager streaming HD video from Hulu or Netflix.
Performance monitoring may include basic resource monitoring, such as over-commitment of processor or memory capabilities, or saturation of the shared storage. Most IT organizations already have tools and expertise to manage this aspect of performance, but network administrators may not understand how the display protocol works and what tools are available to optimize it. My advice to my customers is to get familiar with the tools available to them, and experiment in the lab to master the skills of tuning the environment for different conditions.
Q: One of the requests we hear from the government side is employees who want to use their own devices (or, Bring Your Own Device (BYOD)). What are key considerations when implementing a BYOD policy, and what advice can you offer to manage employee devices?
A: There are quite a few, the most common of which are device support, legalities, security, and cost model. For example, most agencies express concern over supporting users on myriad devices with which the help desk staff is not familiar. This is a valid concern, but has been successfully mitigated by policies and procedures that clearly articulate that the user is responsible for ensuring the virtual desktop client runs properly and they have a properly functioning network connection, including name resolution. Some agencies actually provide an approved list of Internet service providers they are able to support and willing to reimburse service fees for.
Security is obviously a concern, but leveraging a virtualized environment to deliver desktops offers a significant advantage because users can connect securely over PC-over-IP (PCoIP), through the PCoIP Secure Gateway server without the need for a VPN that exposes the network to any potential security vulnerabilities existent on the personal device.
There is no right answer on the cost model, but organizations should consider options and their impact on their budget process and on their end users. Options include government-furnished equipment, which is still prominent, though many organizations are seeking to move from this model. Many choose to provide a purchase stipend once every three to four years and provide users with minimum requirements the device must meet, such as specific operating systems or capabilities. Typically, these models also require the purchase of the vendor’s top warranty service contract to ensure the device will be supported for its expected lifecycle. Other organizations mirror their mobile phone model and reimburse users monthly. Again, they typically provide minimum standards and require warranty support or have some agreement regarding downtime, and many maintain a pool of loaner laptops to accommodate outages of personal devices.
Q: Are agencies leveraging cloud computing to support mobile employees, including teleworkers? If yes, for which programs/applications? If no, why not?
A: Absolutely! Most agencies are developing their cloud strategy and many are already deploying. In many cases, this strategy is focused on a private cloud initially, where the agency still maintains tight control of their resources but gains the elasticity, automation, and improved visibility and management. The inclusion of desktops in this private cloud is a natural extension and this is the most common deployment model we are seeing today within the Federal government. In addition, a cloud-based approach to application entitlement, like VMware’s Horizon App Manager, provides delivery and secure authentication to provide user access to individual applications across any device.
Q: What is the difference between public and private cloud models? Which has higher adoption in the Federal government and why?
A: A public cloud is an infrastructure made available to the general public or a large industry group and is owned by an organization selling cloud services. A private cloud is operated solely for an organization, usually onsite (internal). Private clouds definitely have a higher adoption rate among Federal agencies at this time because they give agencies total control over the configuration, management, compliance, and security necessary to ensure high performance of mission-critical applications and associated levels of security assurance.
While private cloud currently dominates, most Federal agencies are leveraging a combination of both private- and public-cloud architectures. Industry refers to this as a hybrid-cloud model. Many cloud service providers are evolving cloud architecture models to mitigate security and other data-centric concerns. Agency adoption of these "cloud providers" is underway and made easier with standards such as the Desktop Management Task Force (DMTF) and International Standards Organization (ISO) standard Open Virtualization Format 1.1 (OVF) and Application Programming Interface (API) inter-connectivity, like VMware's vCloud API, that allows for extended management and control into the service provider. Virtualization is the foundation of any version of cloud because it delivers the flexibility, agility, and resilience that cloud promises.
Q: What steps should agencies take as they consider cloud applications for teleworkers?
A: As discussed in some of the other answers here, the biggest concern about cloud applications is security. Within that broad category, two major concerns are password management and access controls. Specifically, what most organizations have experienced, and you can probably confirm from your personal experience, is that many applications have different authentication mechanisms, and even those using standard username/password credentials have different policies for password complexity and change frequency. This leads to users recording their passwords in an application or encrypted file, in a text file on their desktop, on sticky notes, or in a notebook. More critically, in many cases, these accounts are created directly by users, and even if they are provisioned by IT, there are no access controls, and the deprovisioning process is manual and error prone. For example, users may have an enterprise account at Salesforce.com, Google Docs, or Dropbox. If employment is terminated, there is a manual process for IT to disable or remove the accounts. If this isn’t done in a timely manner, that user could maintain access to sensitive information contained in their account for days, weeks, or even months.
That was a long introduction to the answer: the security model of the application and the account management capabilities must be evaluated carefully. The cost model of the application should also be considered to determine if it makes financial sense to use the cloud application instead of a legacy application that can be run internally. Data backup and archiving options should be evaluated as well. Once a decision is made, IT must revamp its account provisioning and deprovisioning procedures to ensure proper access.
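As an added illustration of the deprovisioning gap described in the answer above (example code added here, not from the column or from VMware): a reconciliation check that compares an HR separation feed against a cloud application's account export and flags active accounts whose owner has left or is unknown to HR, together with how long each has outlived the separation. The HR feed, the account list and the application names are constructed sample data.

```python
from datetime import date

# Constructed HR feed: employee id -> ISO separation date, or None if still employed
HR_STATUS = {
    "e101": None,
    "e102": "2012-03-01",
    "e103": "2012-04-15",
}

# Constructed export of accounts from a cloud application's admin console
APP_ACCOUNTS = [
    {"app": "crm", "owner": "e101", "active": True},
    {"app": "crm", "owner": "e102", "active": True},
    {"app": "docs", "owner": "e103", "active": False},      # already disabled
    {"app": "fileshare", "owner": "e103", "active": True},
    {"app": "fileshare", "owner": "e999", "active": True},  # owner unknown to HR
]


def find_orphaned_accounts(hr_status, app_accounts, today):
    """Return active accounts whose owner has separated or has no HR record.

    `today` is an ISO date string. Each finding records how many days the
    account has outlived the separation; None means HR has no record of the
    owner at all, which is treated as the most urgent case.
    """
    as_of = date.fromisoformat(today)
    findings = []
    for acct in app_accounts:
        if not acct["active"]:
            continue  # nothing left to revoke
        owner = acct["owner"]
        if owner not in hr_status:
            findings.append({"app": acct["app"], "owner": owner, "days_exposed": None})
            continue
        separated = hr_status[owner]
        if separated is None:
            continue  # still employed, access is legitimate
        sep_date = date.fromisoformat(separated)
        if sep_date <= as_of:
            findings.append({"app": acct["app"], "owner": owner,
                             "days_exposed": (as_of - sep_date).days})
    # Unknown owners first, then the longest-lived orphans
    findings.sort(key=lambda f: (f["days_exposed"] is not None,
                                 -(f["days_exposed"] or 0)))
    return findings


if __name__ == "__main__":
    for f in find_orphaned_accounts(HR_STATUS, APP_ACCOUNTS, "2012-05-01"):
        print(f"{f['app']:<10} {f['owner']:<6} exposed {f['days_exposed']} days")
```

Run against real exports, the same comparison gives IT a daily list of accounts to disable instead of relying on a manual offboarding step.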
Q: How does use of the cloud differ for teleworkers and non-teleworkers?
A: One of the advantages of moving to the cloud is that the application experience is the same regardless of the user’s geographic location. In many cases, the form factor of the end-user device can affect the usability of an application, but as the prominence of mobile devices continues to increase, the user interfaces for these apps are becoming more independent, with the exception of screen size limitations on smart phones. For example, Horizon App Manager enables users to use their domain credentials to authenticate to the IT-controlled application store and all app authentications are performed using secured token exchanges. This eliminates the risk of users writing down passwords to apps that could contain internal information and allows IT to automate the access and deprovisioning of accounts when a user no longer requires access to an application or leaves the organization.
Q: What programs are in the cloud, and which will move to the cloud in the next 12 months?
A: That depends on whether you are referring to a private or public cloud. In the private cloud, any service that can be virtualized is a candidate. As for the public cloud, at a minimum, you can expect to see movement of document management, email, collaboration tools, web services, etc.
Q: What mobile access or technology trends do you believe will have the greatest impact on Federal telework/mobility in the next five years?
A: Secure single sign-on technologies, such as the use of Security Assertion Markup Language (SAML) tokens, will enable Federal agencies to maintain central control of application user accounts and improve the security of user credential transmission over basic Secure Sockets Layer (SSL) web, the form of authentication used most commonly today. The reality of secure single sign-on to all enterprise desktops, applications and data from any device, in any location is a reality today. IT can leverage policy-based management to limit access to certain applications from specific devices or network locations to adhere to data management policies. This will change the way we access applications and data for all users, regardless of location.
Other contributions will come from the increased availability of high speed data networks and devices which are more capable and less expensive, promulgating our personal and professional lives.
About the Expert: Bryan Salek is an end user computing solution architect on the Federal team at VMware, who works with customers and partners to successfully deploy desktop solutions. He has been with VMware for more than four years and formerly worked as a technical account manager for both commercial and Federal customers. Prior to VMware, Bryan worked for a large systems integrator on several IT service contracts for DoD organizations, after leaving the U.S. Air Force in 2002.