Amazon WorkSpaces: Your Desktop in the AWS Cloud
The cloud-based virtualized desktop is, according to many cloud experts, the up and coming next step toward a complete takeover of all of our computing activities by the cloud. Virtualized desktops hosted in the cloud can take two different forms:
- VDI (Virtualized Desktop Infrastructure) that is provided over the Internet, or
- Desktop as a Service (DaaS), which is still a form of virtualized desktops but is a true multi-tenant cloud service
Persistent desktops: what problems do they solve?
The lack of consistency has long been a source of frustration for computer users: it’s a pain to have to either spend time changing settings or adapt to a different (even if only slightly different) interface when switching from one device to another. It’s not uncommon, either, to find that the document a user was working on with one device was saved to that device’s local hard drive and either isn’t available at all on the current device (and in a worst-case scenario, will have to be recreated), or the user loses productivity time establishing a connection back to the home or work network where the document is stored in order to retrieve it and continue working on it.
Another common scenario is that the user has access to his or her documents (perhaps because they’re stored on a cloud service, perhaps because the user transferred a copy by putting it on a USB drive or sending it to him/herself via email) – but then finds that the application that’s needed to work with it isn’t installed on the new device. Granted, this is less of an issue than it used to be, now that functional online versions of Microsoft Office programs or Google Docs can be used from any machine, and many mobile apps can be downloaded quickly and easily (and without paying for them again if the user already owns them) from a mobile OS vendor’s store – but it still happens. This is particularly true in the case of custom line-of-business applications.
A big advantage of persistent desktops is that both the user’s applications and the user’s data are always in the same place and accessible through the virtualized desktop, so that switching from one device to another suddenly becomes a seamless experience.
From the company’s point of view, the ability to quickly deploy desktops to new users can be a big plus, especially in special cases such as mergers and acquisitions, which seem to be increasingly common in many industries these days. You can bring in a large number of new employees and quickly get them up and running.
The other big thing for administration is that deploying virtual desktops gives you more control over them, more easily, than you might have with dozens, hundreds or even thousands of individual computer desktops. And this is true independently of the hardware. That is, users can bring their own devices – laptops and tablets – or work from their home desktop systems, and you still have control over their work desktops that they’re accessing with those devices. What’s not to like?
Concerns and issues surrounding Desktop as a Service
In spite of the benefits of delivering user desktops as a service over the Internet, as described above, there are downsides, as there are with any technology. Some users and IT pros may be resistant to the idea of a desktop that lives in the cloud. There may be concerns around security and privacy, which are common in relation to any transition to a cloud computing experience. In the case of the desktop, reliability and accessibility might also be an issue for some users, who fear that a loss of Internet connection (or just a loss of connectivity between the user’s machine and the server) could result in an almost total loss of productivity since the desktop is the location, for the average user, where everything lives. It’s their window to the computing world and if that window is closed for any reason, they may feel lost.
Admins may have the same and/or different concerns about DaaS. The major cloud providers offer SLAs that generally start at around “three nines” or 99.9% up time. That’s pretty standard throughout the industry and it sounds good – but in reality that translates to about eight and three quarters hours of down time per year, or almost forty-four minutes per month. While that’s not a lot, that much time without the use of his/her desktop could make a big difference if a particular user happens to be working to a very tight deadline on a critical project at the time that the cloud service goes down.
Another common problem is adapting to the occasional (or sometimes frequent) latency issues that can plague DaaS implementations. Latency doesn’t just add up to a performance hit – it also makes for a frustrating experience for users who aren’t used to the “sit and wait” situation when performing tasks on their desktops. There has to be enough bandwidth to give users an experience that’s the same as or close to what they’re used to when working on a local desktop, because otherwise you’ll end up with very unhappy users.
Different types of applications are more or less affected by latency (or perhaps more accurately, the effects of latency will be more or less noticed by users). Real time communications and collaboration tools such as Skype are noticeably affected, as are multi-media applications that involve high quality video. Applications such as email, or browsing low bandwidth web sites (mostly text and photos), on the other hand, won’t be noticeably affected.
Weighing the pros and cons
Many companies are coming to the conclusion that the drawbacks of putting user desktops in the cloud are outweighed by the benefits, and in particular the cost benefits. Providing the CPU, RAM and disk space for individual workstations can be much more expensive than virtualizing those resources, and DaaS solutions generally add up to significant cost savings over on-prem VDI for most organizations, thanks to economies of scale and because on-prem VDI carries both heavy administrative overhead and up-front capital expenditure.
DaaS, like other “as a service” computing, cuts the need for capital investments and shifts that cost to fixed and predictable on-going monthly or annual fees, thus moving big chunks of budget from CapEx to OpEx (capital to operational expenses). It also provides fast scalability (both up and down) and fits better into today’s “agile” model of doing business.
Once you’ve decided that DaaS is the right option for your org, you’re faced with the challenge of evaluating different DaaS providers and determining which is right for your needs. A comprehensive comparison of DaaS providers is beyond the scope of this article, but many companies today are using Amazon’s AWS (Amazon Web Services) for their IaaS, PaaS, cloud storage, and other cloud computing needs. If you’re already an AWS customer or if you’re considering AWS services in general, it makes sense to check out their DaaS offering when you decide to put some or all of your users’ desktops into the cloud.
Amazon’s DaaS: Workspaces in the AWS cloud
Amazon’s DaaS offering is called Amazon WorkSpaces. This can be a lower cost alternative to expensive and difficult to configure (and manage) VDI deployments in your on-premises data center, while giving users similar functionality. The nice thing for users about VDI, in comparison to traditional local desktops, is that they are able to have the same experience and interface regardless of whether they’re connecting from a PC at the office, a home computer or a laptop. They can even get that same computing environment when using a Mac or iPad, a Chromebook, or an Android tablet (including, of course, Amazon’s own Kindle Fire), as WorkSpaces supports all of these.
Workspaces is a robust DaaS solution that will work in conjunction with your company’s Active Directory, making it easy for users to sign onto their desktops with their current credentials that they use in the enterprise. It also makes things easy for admins, taking much of the burden of deploying and managing VDI off of you; Amazon takes care of such tedious tasks as desktop OS patching, and there are a number of different “bundles” of the service that you can subscribe to, depending on what your hardware and software needs are.
But what is it really going to cost?
We all know that service providers’ claims of gargantuan savings by adopting their services sometimes pan out and sometimes they don’t. Hosted desktops have been touted in many circles as a way to lower your TCO but sometimes there are hidden costs. In general, DaaS is more cost effective than VDI, which can be difficult to scale and upgrade because it’s usually built on enterprise (vs. cloud) infrastructures.
Within the DaaS options, though, there is a wide variance in pricing structures and ultimate costs. Some DaaS providers set a minimum number of desktops that you have to order, or set minimum usage requirements. Some charge licensing fees for the operating system separately. Others require that you commit to a long term contract (one year is common) so you’re locked in for that time period even if you find the DaaS solution doesn’t meet your needs.
When Amazon first released their WorkSpaces service in 2013, Gene Marks over at Forbes.com asked if it was Too Good to Be True, and in the end concluded that the cost – which on the face of it seemed considerably lower than that of the company he was using to host his 10-person company’s applications – after adding in the cost for Exchange and migrating databases would end up at close to the same per-month per-user outlay.
That was two years ago and the market has matured somewhat over that time. Amazon offers three WorkSpaces bundles as well as a couple of applications options, which we will look at now.
AWS WorkSpaces pricing options
As a cloud service, WorkSpaces is a subscription that you pay for on a per-desktop per-month basis. Unlike with some services, you are not required to sign a contract that locks you into WorkSpaces for any set period of time. You can delete some or all of your WorkSpaces as your changing needs dictate and you’re charged only for those WorkSpaces that you use that month. That means if you have a user who takes a two-month leave of absence and that WorkSpace is never launched, you won’t be billed for it. That’s a big advantage over deploying your own desktops (for instance, from a local Remote Desktop Server) since you would be incurring the costs of that desktop whether or not it was used.
In order to provision WorkSpaces to your users, you have to have an AWS account; it’s not a standalone service. Of course, Amazon offers free accounts for one year that include 750 hours of EC2 usage (Windows or Linux, t2 level), 5 GB of S3 storage, as well as RDS (relational database), DynamoDB (NoSQL database) and a number of other services. Note that after one year, you have to pay regular rates, and you have to sign up with a credit card to get the free trial, since you’re charged if you exceed the usage caps. Individual users themselves do not need to have AWS accounts.
The basic WorkSpace for each user runs the Windows 7 desktop operating system experience, running on Windows 2008 R2 servers, and has Internet Explorer 11, Firefox and 7-Zip installed already. You can install your own software. You do this using Amazon WAM (WorkSpaces Application Manager), which comes in two versions, lite (which is free) and a more full-featured standard version, which costs $5 per month per user. We’ll discuss later in this article series how to use WAM to add software to WorkSpaces.
Cost per user
The cost per user for WorkSpaces depends on the hardware configuration that you need for each desktop. That, of course, is dependent on what software the users use, how much data they need to store, the number of applications they need to be able to run at the same time, and so forth. In other words, will the workload be light usage, typical/average office usage, or heavy usage with resource-intensive applications? If the users only need to check email and do web searches, hardware requirements are minimal. If the users will be working with video editing or CAD programs or other “power user” type use cases, they will need more processor, memory and storage.
Amazon offers three different hardware configurations, which Amazon refers to as “bundles”:
- For light users, the Value package provides one virtual processor, 2 GB of memory and 10 GB of storage. This is similar to a low-end PC or a mid-range tablet, although most top tier smart phones today actually have more memory and storage than this. The price is $21 per user per month if you “BYOL” (bring your own license, discussed in more detail below) or $25/user/month if you don’t already have the requisite Windows 7 licenses for your users.
- For the average user, the Standard package adds $10 per month per user. For that extra cost, you double the CPU to two virtual processors, double the RAM to 4 GB and increase the storage space five-fold to 50 GB. This should suffice for most office productivity programs and communications programs.
- If you have power users who need to do heavy lifting from their desktops, then you’ll want to check into the Performance package. It’s pricey at $56/user/month with your own license or $60 without, but it ups the memory to 7.5 GB and increases storage space to 100 GB, which is enough to get some serious work done. CPU stays the same at two virtual processors.
The pricing mentioned above is for customers in the U.S./North America. Pricing in Europe is different (slightly higher) and a bit higher still in Asia Pacific regions (Sydney, Tokyo, Singapore).
As mentioned above, you can install your own software. Another option is to purchase the “Plus” add-on to any of the three packages. For an extra $15 (in all regions), you get Microsoft Office Professional and Trend Micro Security Services already installed.
You can also create custom images that you configure with the desired applications and settings and then deploy to your users. We’ll talk about how to do that later. Admins can create as many as five custom images for an AWS account (per region). You can install any software you want that is compatible with Windows 7, but of course you are responsible for having the proper licenses for the programs that you install.
The Bring Your Own License option is for those organizations that already have licenses for Windows 7 through a Microsoft Volume Licensing agreement with a software assurance contract. Doing this saves you money (about $4 per user per month) but it also makes getting started with WorkSpaces a little more complicated. In practice, you’ll probably need to work with your company’s Microsoft volume licensing representative (to verify that your licenses are eligible for BYOL) and with the AWS account manager for the particulars on uploading your Windows 7 images and making an AMI (Amazon Machine Image). All of this typically takes a week or two so you might not be able to get started immediately as you can without BYOL.
Windows 7 Professional or Enterprise edition can be used to create your AMI. After you import the image, you’ll need to build a custom bundle that includes that image. You’ll need to activate the OS, which can be done with Microsoft activation servers within your virtual private cloud (VPC) or that can be accessed from your VPC. We’ll go into deeper detail about how to do all this in a later section.
Note that unlike the non-volume licensed WorkSpaces, there is a minimum number of WorkSpaces that you have to launch per month in order to use the BYOL option. At the time of this writing, that number is 200. For this reason, as well as the VL agreement requirement, BYOL is only feasible for large organizations, not for small businesses.
The cloud security dilemma
Security is always a consideration when facing the “to the cloud or not to the cloud” choice. Data breaches have become so commonplace that they’re almost not even “news” anymore, but they continue to dominate the headlines; a study from the Ponemon Institute found that more than 40% of companies experienced some type of breach in 2014, and this included big names such as Morgan Chase, Home Depot and of course the infamous Target case.
Organizations are terrified of being the next victim (and the loss of customers that can result from the bad publicity). Data leaks can occur in many different ways and employees who access sensitive data on their desktops present one attack vector. While virtual desktops have security advantages, they can bring new challenges. This is where the DaaS provider you choose can make a difference.
In search of a secure WorkSpace
In looking at the security of a DaaS solution, the questions that you want to ask and the features that you want to look for are similar to those you must consider with any cloud service. A secure DaaS implementation hinges on a number of factors:
- Secure logon to the service: user authentication must be strong in order to prevent unauthorized users from accessing desktops where they can access sensitive information.
- Reliable identity services: regardless of the strength of the authentication protocols, authentication is built on the foundation of identity, so the identity database itself must be secure.
- Encryption: when the entire desktop is being delivered to the user over the Internet, it should be encrypted to prevent interception by unauthorized persons.
- Effective key management: the keys used to encrypt the virtual drives on which the desktop “lives” must be protected.
- Physical security: the servers in the provider’s datacenter where the applications actually run have to be secured from access by unauthorized or malicious persons, both internal and external.
AWS WorkSpaces security
With AWS WorkSpaces, Amazon implements a number of different security mechanisms in an effort to address the above issues.
WorkSpaces admins can choose from a few different ways to allow their users to log onto the WorkSpaces desktops. The simplest is to have users create credentials (user name and password) of their choice after you provision their desktops. Most medium to large (and many small) organizations will already have an Active Directory deployment and you can integrate WorkSpaces with your Active Directory domain to make it easy for users – they sign in with their familiar AD credentials.
Identity and authentication
Users can log on with credentials stored in a directory that’s maintained and managed by Amazon on their servers, or with AD credentials, depending on how WorkSpaces has been configured. Active Directory is, of course, the standard identity repository on Windows-based networks, and the same holds for Amazon’s cloud-based services once an organization has integrated its on-premises AD with AWS.
You can integrate WorkSpaces with your RADIUS server if you have one. Amazon added this feature in August of 2014 and Microsoft RADIUS servers are supported, along with others. For redundancy and high availability, you can set it up to use multiple RADIUS servers, with or without a load balancer.
Admins configure the RADIUS integration through the WorkSpaces admin console (in the Directories section) and there’s no extra cost. You’ll need to configure the IP address(es) for your RADIUS server(s) or load balancer, the port your RADIUS server uses, a shared secret, and select the protocol you set up for your RADIUS endpoints. You can also configure server timeout in seconds and maximum number of retries to connect to the RADIUS server (up to 10).
To log in, users provide their AD user name and password and then enter a one-time passcode generated by a hardware or software token, giving the protection of multifactor authentication (MFA).
Amazon’s MFA works with either hardware or software tokens. Google Authenticator is a popular software-based solution. If your RADIUS server is running on Linux, you can use a Pluggable Authentication Module (PAM) library to enable the use of Google Authenticator. MFA works for users who access WorkSpaces through client devices running Windows, Mac OS X, Chrome OS, iOS, Android or Kindle OS.
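The one-time passcode mentioned above is what a RADIUS server backed by a Google Authenticator PAM module actually checks. The following is an added example, not code from the article, from AWS or from Google: a minimal RFC 4226/6238 HOTP/TOTP implementation (the standard Google Authenticator uses) with a verifier that tolerates one 30-second step of clock drift and refuses to accept the same counter twice, so a passcode seen in transit cannot simply be replayed inside the drift window. The secret is the RFC test secret, and the base32 form is constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (not a real user's seed); the base32 form is
# how Google Authenticator-style apps usually receive it.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed encoding of RFC_SECRET


def secret_from_base32(text):
    """Decode a base32 seed as typed by a user: tolerate spaces, lowercase and missing padding."""
    clean = text.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, window=1, step=30, digits=6, last_used=-1):
    """Return the accepted time-step counter, or None if the code is rejected.

    The server side stores the returned counter per user and passes it back as
    last_used on the next attempt; counters at or below it are refused, which is
    what stops a captured code from being reused within the +/-window tolerance.
    hmac.compare_digest keeps the comparison constant-time.
    """
    base = at // step
    for counter in range(base - window, base + window + 1):
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), str(code)):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    current = totp(RFC_SECRET, now)
    print("current code:", current)
    accepted = verify_totp(RFC_SECRET, current, now)
    print("accepted at counter:", accepted)
    print("replay accepted:", verify_totp(RFC_SECRET, current, now, last_used=accepted))
```

Only the seed, the current time and the digit count go into the code, which is why both the token and the verifier must keep reasonably accurate clocks and why the seed must be stored as carefully as a password hash would be.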
Controlling user access
You can limit the access that your users have to applications and other resources from their WorkSpaces.
It’s easy to keep a user from accessing his/her WorkSpace if the person leaves the company or for some other reason needs to be blocked permanently or temporarily; you simply disable the account in whichever directory is storing the user identities (your Active Directory if you’ve integrated AD with WorkSpaces or the Amazon directory service if you haven’t).
Note that Amazon Identity and Access Management (IAM) users are not given access to WorkSpaces resources by default. You probably already know that IAM is a means for allowing and denying permissions to resources via policies that can be attached to individual users, groups, or the resources themselves.
You would have to make a policy in IAM that grants the specific users permission to create and manage resources for WorkSpaces and EC2. Then you need to attach the policy to whichever users (or groups of users) you want to be able to access the WorkSpaces resources.
Amazon provides in their documentation a sample policy statement that can be used to grant permission to perform all WorkSpaces tasks for IAM users. You’ll find that sample script, along with more information on specifying WorkSpaces resources in IAM policies, on the AWS web site.
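To see how such a policy is actually applied, here is an added example (not the sample policy from the AWS documentation, and not AWS code): a constructed policy that grants the WorkSpaces actions plus read-only EC2 and Directory Service calls, together with a small evaluator that reproduces IAM's core decision order, where an explicit Deny in any matching statement beats an Allow, and no matching Allow means an implicit deny. The evaluator handles only Action, Resource and Effect; NotAction, NotResource and Condition blocks are deliberately left out.

```python
import fnmatch

# Constructed sample policy for illustration only; this is NOT Amazon's
# documented sample. Grants all WorkSpaces actions plus the EC2 and Directory
# Service reads the console needs, and explicitly denies terminating WorkSpaces.
WORKSPACES_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["workspaces:*", "ds:Describe*", "ec2:Describe*"],
            "Resource": "*",
        },
        {
            "Effect": "Deny",
            "Action": "workspaces:TerminateWorkspaces",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list in Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    """IAM-style '*' and '?' wildcards; action names match case-insensitively, ARNs do not."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy, action, resource="*"):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action/resource pair."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_matches(p, action, True) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(p, resource, False) for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins, stop immediately
        decision = "Allow"
    return decision


def allowed_actions(policy, candidates):
    """Filter candidate API actions down to those the policy allows; useful when
    reviewing what a WorkSpaces operator can actually do before attaching the policy."""
    return [a for a in candidates if evaluate(policy, a) == "Allow"]


if __name__ == "__main__":
    for act in ["workspaces:CreateWorkspaces", "workspaces:TerminateWorkspaces",
                "ec2:DescribeSecurityGroups", "ec2:AuthorizeSecurityGroupIngress"]:
        print(f"{act:40} -> {evaluate(WORKSPACES_ADMIN_POLICY, act)}")
```

Running the candidate list through `allowed_actions` before attaching a policy is a cheap way to catch a wildcard such as `ec2:*` that would hand a desktop administrator far more than the EC2 reads the WorkSpaces console needs.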
You can also control and limit access to network resources (including resources that reside on the Internet) from WorkSpaces by using VPC security groups. You might remember that VPC security groups behave sort of like virtual firewalls, because they control the inbound and outbound traffic to AWS virtual private clouds.
WorkSpaces will create a security group that’s assigned to all of the WorkSpaces you have provisioned to users in your directory. You can also create additional security groups, through the WorkSpaces console. If you’re going to want to allow Internet access from WorkSpaces, you need to assign a public IP address, and you need to set this up before you provision the WorkSpaces because it will only apply to those that are created after you enable this setting. If you already have WorkSpaces provisioned, it is possible to manually assign those WorkSpaces an Elastic IP address. Here are the instructions on how to do that.
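Because the security group attached to every WorkSpace decides which networks can reach the desktops, it is worth checking its rules on a schedule rather than only at provisioning time. The following is an added example (not code from the article or from AWS): a small audit over a record in the shape that the EC2 DescribeSecurityGroups API returns, flagging rules open to the whole Internet and rules whose source (or, for egress, destination) falls outside a list of trusted corporate ranges. The group record, its ports and the trusted ranges are all constructed sample data; in practice the record would come from a `describe-security-groups` call.

```python
import ipaddress

# Constructed record in the shape of an EC2 DescribeSecurityGroups result
# (sample data, not from any real account). The first two inbound rules are
# the kind an audit should flag.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "workspaces-members",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}],
         "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

# Constructed trusted ranges: the corporate network and its IPv6 allocation.
CORPORATE_RANGES = ["10.0.0.0/8", "2001:db8::/32"]


def _port_label(perm):
    """Human-readable port range; protocol -1 means every protocol and port."""
    if perm.get("IpProtocol") == "-1":
        return "all ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def _cidrs(perm):
    """Yield every IPv4 and IPv6 CIDR attached to one permission entry."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def risky_rules(group, trusted_cidrs, direction="ingress"):
    """Return findings for rules open to 0.0.0.0/0 (or ::/0) or outside trusted ranges."""
    key = "IpPermissions" if direction == "ingress" else "IpPermissionsEgress"
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for perm in group.get(key, []):
        for cidr in _cidrs(perm):
            net = ipaddress.ip_network(cidr)
            if net.prefixlen == 0:
                reason = "open to the entire internet"
            elif not any(net.version == t.version and net.subnet_of(t) for t in trusted):
                reason = "source outside trusted ranges"
            else:
                continue  # fully contained in a trusted range: fine
            findings.append({
                "group": group["GroupId"], "direction": direction,
                "protocol": perm.get("IpProtocol"), "ports": _port_label(perm),
                "cidr": cidr, "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for direction in ("ingress", "egress"):
        for f in risky_rules(SAMPLE_GROUP, CORPORATE_RANGES, direction):
            print(f"{f['group']} {f['direction']:7} {f['protocol']:>4} {f['ports']:9} "
                  f"{f['cidr']:18} {f['reason']}")
```

The version check before `subnet_of` matters: comparing an IPv4 rule against an IPv6 trusted range raises `TypeError` in the `ipaddress` module, so without it a single IPv6 entry in the trusted list would abort the audit.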
As all IT professionals know, one of the most important aspects of computer and network security is the patching of vulnerabilities in the software as quickly as possible, before their existence becomes widely known and attackers seize the opportunity to exploit them. WorkSpaces desktops are running popular applications on a popular client operating system and so security updates are just as important for these virtual desktops as they are for any network client.
Amazon gives you, as the WorkSpaces admin, control over the installation of security patches on the users’ WorkSpaces. This can be done through the Windows Update service that’s built into all modern versions of Windows, and Windows Update is turned on by default on all new WorkSpaces. If you prefer, however, you can use a patch management solution of your own choice, both to update Windows and Microsoft applications and to update third party apps.
Another “must have” for best security is anti-virus/anti-malware and you can install your favorite AV/AM software on the users’ WorkSpaces just as you install them on Windows client computers on your premises. You get Trend Micro AV as part of the package if you purchase one of the WorkSpaces “Plus” bundles (Value Plus, Standard Plus or Performance Plus), along with the Microsoft Office applications.
AWS WorkSpaces finally gets VoIP integration
The signs that unified communications is moving to the cloud continue to come. Now, it’s Amazon Web Services that’s getting in on the game – not so much as a provider, but rather by extending its existing virtual desktop infrastructure offering, WorkSpaces, so that it integrates more easily with VoIP and UC.
Now, organizations can add VoIP and UC capabilities to their cloud-based virtual desktops. According to an article on The Register, the new feature works by taking audio from any client – say, Skype for Business or WebEx – and running it through WorkSpaces.
This could make the lives of engineers and administrators a little easier while also making the VDI service far more useful. AWS launched WorkSpaces back in 2013, and there are examples of attempts to install softphones on it almost from the beginning (at least from 2014). But WorkSpaces wasn’t equipped to connect to audio devices, making it less than ideal for organizations that not only wanted the benefits of VDI, but also VoIP or full-on UC suites.