I recently took the chance to investigate the virtualization market a bit deeper, namely the market for Virtual Desktops as I have been used to server virtualization and the different flavors thereof for some time. While server virtualization was pretty much straight forward with regard to approach and deployment and those systems – once deployed – had little to no influence on how one runs his environment from a management perspective, Desktop Virtualization does seem to put some new obstacles in the way when it comes to identities, access to resources and management thereof.
While most large vendors like VMware, Microsoft and Citrix are eager to round-up their offerings with tools around deployment management, load balancing and session brokerage up to live-streaming of virtualized applications into the also virtualized Desktops, the access to, usage and separation of resources sometimes is not really that well thought through. As an example, it scared the hell out of me, that "security" as kill-all term was highlighted as the differentiator between the "Professional" and "Platinum" varieties of one vendor. Say, what?
How long have we personally, how long has the community preached, that "security" needs to be integrated right from start, should be basic and mandatory and not an additional feature which you have to pay a premium for? Despite the fact that this may in detail refer to features one will only reap benefits from when deploying a massive enterprise-scale solution, the decision of using and deploying the necessary security barriers and segregations should remain with the customer and should not be "suppressed" by licensing schemes.
One thing that really gave me the shivers though, was the idea of an identity management within the virtualization technology: if you strip the OS from the machine, then strip the user-profile from the OS and finally strip the applications from this to mix & mash them all together during run-time, one does not only have to take care of the traditional "who has access to what" question but also make sure that the "on-the-fly" provisioning of the applications to the virtual desks and the access rights within those can be managed properly. While I am totally PRO desktop virtualization regarding software management, efficiency and especially regarding updates ad patches, I yet did not find a virtualization engineer who could explain to me in detail how this whole monster is handled identity-wise...