VDI is great in theory but doesn't price out right. Say we convert 25 desktops to VDI. That means we need 25 processors and 100 GB of memory (assuming each desktop has 4 GB). That figures out to be six servers, quadcore, with 18 GB of memory (assuming 1 GB for the OS). The servers would cost around $7K, so figure $42K plus licensing. Say $54K. That means I end up spending $2,160 per desktop (excluding the thin client) to have hardware that I could by at Dell for $1K.

But wait, I think, there are storage savings. Figure 100 GB per machine. A desktop hard drive runs about $50, or $2/GB. A server hard drive on the San runs $1,500 or $15/GB. The best case scenario would have  the provisioning gold-copy/stub model sharing one image across 25 machines. Desktop cost: $1,000. VDI cost: $1,500. Nope, storage is more expensive even assuming a best case.

The bottom line is I want to take a long, hard look at Citrix's ROI calculator. It does not make sense in terms of hardware. TCO is where the case will be made. Knowing our desktop demands would help us to know if we need 6 servers or could get away with fewer. I can enable perf counters and do a study on the desktops to determine typical utilization. It could be done with WMI, scripting, and a little elbow grease.

Citrix was in to present and discuss the technical merits of XenDesktop. I am considering VDI, which requires XenDesktop Enterprise and their provisioning server. Citrix's technology sounds impressive. Still, the question looming large in my mind is what XenDesktop + Provisioning brings to the table that Hyper-V + SCCM lacks. It is impressive yet the proof is in the pudding. I may do a pilot Q1 or Q2 2009.

Disaster recovery planning does not come easy for security professionals. It is often overlooked. In fact, some people are surprised when they learn ISC2 or ISACA considers business continuity as the domain of information security. Security staff may not fully engage in DR and, as a result, organizations are at increased security and financial risk. Accordingly, it is worthwhile to consider planning and designing a disaster recovery program.

Read more in this quarter's edition of the Security Journal.