Todd Bruni, Director Identity and Configuration Management
Details
- Manages all datacenter-to-desktop delivery: virtual desktop, collaboration, core network services, identity management, systems management, client device management
- Catholic Healthcare provider
- >50 hospitals, facilities in 6 states, ~30k associates, ~9k affiliated physicians
- 45k users they interact with day to day
- 17k client devices
- 2600 servers, 60% virtualized
- 1200 apps, primary ISVs are Meditech, McKesson & GE
- 7000 concurrent users daily
3 years ago
- Traditional client infrastructure management
- Standard-image device management…devices locked down and imaged
- Everything inside network was trusted, everything outside was untrusted
Healthcare challenges
- By 2016 providers start getting penalized annually for not meeting all the EHR certification requirements
- Have to ensure physicians are adopting EHR electronic formats and systems are ready to support them
- One of every 7 primary care visits is affected by missing medical information
- Lack of immediate access to patient healthcare info accounts for 1/5th of medical errors
- Healthcare in future
- Explosion of client devices wanting to access clinical resources and data
- 6300 new devices in next 24 months…40% growth
- That figure doesn’t even include clinicians’ personal devices
- Need to understand consumerization of IT
New Considerations
- Client device portfolio is changing, customers want to use whatever suits them…iPads, Android, Slate devices
- What type of access does a customer need?
- Is app hosted and data available only when connected?
- Does it require offline use?
- What devices need to be managed?
Solution
- Need to move layers of access and services out to the users; the hard protection layer can no longer sit at the network edge, it has to wrap the data center and the data
- Networks were no longer going to be simply trusted or untrusted; needed more granular access tiers
- Need to marry identity, configuration and security management
- Not going to try to “manage” every client device…instead changed the network access strategy and the other tiers of service
- Heavy reliance on web services, server based computing, desktop services and cloud
Building blocks
- Application strategy
- In clinical environment almost all apps needed to work in connected mode
- Took critical apps and centralized them in data center, made these apps more portable
- Virtualize apps where possible
- Developed app assessment process
- User personalization strategy
- Microsoft profiles not enough, needed user setting to be able to roam seamlessly across all environments
- Operating System strategy
- 5 categories
- Physical
- Hosted shared desktop
- Hosted dedicated desktop
- Local streamed (thin desktop, repurposed hardware)
- Client hypervisors (future option for offline use)
- Network Infrastructure strategy
- Traditional NAC doesn’t work
- NAC strategy needs to be both identity and security based…still maturing here
- Network team needed to think about HA at a different level than before with the move to virtual desktops
- Need to be able to fail services across data centers, global site load balancing and continuous availability
- Need to understand WAN acceleration and have it ready in case they need it
- Identity Management
- Ensure seamless customer access across solutions
- Didn’t want to have to rework identity infrastructure as they moved to hosted application model and beyond
- 4 tiers of access in network
- Trusted device = known person on a known device, open-ended access
- Semi-trusted known user = network knows who the person is and allows access to key resources inside the network without opening up the entire network
- Semi-trusted known device = known device but unknown user, segregate these devices logically
- Unknown user and unknown device = routed out through the Internet path only; used for all patients
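The four access tiers above, written out as a policy decision. This is an added example, not code from the session or from the organization it describes; the tier names follow the notes, while the claim shapes, the device inventory, the CA name and the resource names are constructed assumptions for illustration. The point it makes explicit is that "known device" has to be proved (a certificate from the organization's CA naming a device still in inventory), not asserted, and that anything not positively established falls to the least-privileged tier.

```python
"""Four-tier network access decision keyed on identity and device trust.

Added example; not code from the session or the organization it describes.
The tier names follow the notes; the claim shapes, inventory, CA name and
resource names are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Tier(Enum):
    TRUSTED = "known user on known device: open-ended access"
    KNOWN_USER = "semi-trusted: known user, unknown device"
    KNOWN_DEVICE = "semi-trusted: known device, unknown user"
    UNTRUSTED = "unknown user and device: Internet path only"


@dataclass(frozen=True)
class IdentityClaim:
    """Outcome of authenticating the person (directory login, MFA, ...)."""
    username: Optional[str]
    authenticated: bool


@dataclass(frozen=True)
class DeviceClaim:
    """Outcome of identifying the endpoint: the issuer of the machine
    certificate it presented and the device identifier in that certificate."""
    device_id: Optional[str]
    cert_issuer: Optional[str]


# Constructed sample data (assumption): the managed-device inventory and the
# CA that issues machine certificates to managed devices.
MANAGED_DEVICES: FrozenSet[str] = frozenset({"WS-ICU-017", "WS-ED-204", "LT-PHYS-331"})
TRUSTED_ISSUER = "CN=Corp Device CA"

# What each tier may reach. Resource names are placeholders; the shape is the
# policy in the notes: open-ended for trusted, key clinical resources for a
# known user, a segregated management segment for a known device, Internet
# only for an unknown user on an unknown device.
RESOURCES = {
    Tier.TRUSTED: frozenset({"ehr", "pacs", "file-shares", "admin-tools", "internet"}),
    Tier.KNOWN_USER: frozenset({"ehr", "hosted-desktop", "internet"}),
    Tier.KNOWN_DEVICE: frozenset({"device-mgmt", "internet"}),
    Tier.UNTRUSTED: frozenset({"internet"}),
}


def user_is_known(idn: IdentityClaim) -> bool:
    # A username that was not actually authenticated proves nothing.
    return idn.authenticated and bool(idn.username)


def device_is_known(dev: DeviceClaim) -> bool:
    # The device must prove its identity with a cert from our CA, and the
    # identifier in it must still be in inventory: a retired or revoked device
    # (dropped from inventory) and a self-asserted device_id both fail.
    return dev.cert_issuer == TRUSTED_ISSUER and dev.device_id in MANAGED_DEVICES


def classify(idn: IdentityClaim, dev: DeviceClaim) -> Tier:
    """Combine the two independent trust facts into one of the four tiers.
    Anything not positively established falls to the least-privileged tier."""
    known_user, known_device = user_is_known(idn), device_is_known(dev)
    if known_user and known_device:
        return Tier.TRUSTED
    if known_user:
        return Tier.KNOWN_USER
    if known_device:
        return Tier.KNOWN_DEVICE
    return Tier.UNTRUSTED


def allowed(idn: IdentityClaim, dev: DeviceClaim, resource: str) -> bool:
    """Policy decision: may this session reach `resource`?"""
    return resource in RESOURCES[classify(idn, dev)]


if __name__ == "__main__":
    # Constructed sessions: a clinician on a managed workstation, the same
    # clinician on a personal iPad, a patient on the workstation and on the
    # iPad, and a laptop spoofing a managed device_id with a self-signed cert.
    clinician = IdentityClaim("jdoe", authenticated=True)
    patient = IdentityClaim(None, authenticated=False)
    workstation = DeviceClaim("WS-ICU-017", TRUSTED_ISSUER)
    ipad = DeviceClaim(None, None)
    spoofed = DeviceClaim("WS-ICU-017", "CN=Self-Signed")
    for who, what in [(clinician, workstation), (clinician, ipad),
                      (patient, workstation), (patient, ipad), (clinician, spoofed)]:
        tier = classify(who, what)
        print(f"{who.username or 'anonymous':>10} / {what.device_id or 'unknown':>10}"
              f" -> {tier.name:13} ehr={allowed(who, what, 'ehr')}")
```

The two predicates are deliberately separate from the tier logic: the NAC product, the certificate authority and the inventory system can each change without touching the decision, which is the "marry identity, configuration and security management" idea in the notes.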
Steps Taken
- User Personalization from AppSense
- Implemented in hosted apps and desktop scenarios
- Deploying to all managed endpoints to ensure complete coverage of user personalization
- Hypervisor & storage
- Hyper-V wasn’t mature enough
- Did heavy VMware vs XenServer evaluation…15-20% density increase using XenServer “and of course it was free”
- Shared storage vs DAS
- Terminal services scales horizontally and is naturally resilient within itself, so they determined they didn’t need hypervisor HA
- Chose local storage and XenServer, deemed not to need greater level of HA
- Implemented OS streaming for image consistency
- Virtualized as many apps as possible
Next Steps
- Implementing HA hot failover in DR facility
- Continue to focus on hosted shared desktop
- Beginning next wave of apps not suited for terminal services
- Diagnostic PACS, medical records, ED boards (VDI)
- Starting to eval OS streaming scenarios for bare metal
- Complete continuous availability infrastructure between primary and secondary
Lessons learned
- Start simple, and plan extensively before moving to complex workloads
- What works for server virtualization doesn’t work for desktop virtualization
- Two completely different animals
- Server virtualization engineers don’t worry about graphics processing and user personalization settings
- Make sure you have right people at table that understand desktop complexities
- Provisioning services
- Study write back cache requirements
- Not studying this well caused the entire Citrix environment to freeze
- Citrix helping with more planning documentation here
- Clustering is overkill, image replication with local storage is resilient
- Unnecessary to use shared storage
- Replicate images across provisioning servers, allows for same resiliency as clustering
- Storage
- Know your IOPS, study them, trend them
- Storage engineers 2 years ago didn’t have to plan for the level of IOPS seen in desktop virtualization
- Customer Experience
- Login times, app performance…“be ready to report and explain”
- Have to be able to articulate the impact of changes to login and performance
- Constantly take a step back and evaluate interdependencies
- Constantly re-shifting priorities and moving things around
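“Know your IOPS, study them, trend them” is the lesson most easily shown with numbers. The following is an added example, not from the session: the SAMPLES list is constructed (total read+write IOPS the array served for a hosted-desktop pool, one sample every 10 minutes, with a login storm built in between 06:30 and 07:20), and the array capacity figure is an assumption. It shows why the mean is the wrong sizing number for desktop workloads and what to report instead: a high percentile, the busiest sustained window, and the intervals where demand exceeded what the storage could deliver.

```python
"""Trend IOPS for a hosted-desktop pool: mean vs. percentile vs. peak window.

Added example, not from the session. SAMPLES is constructed: total
read+write IOPS the array served for the pool, one sample every 10 minutes,
with a 06:30-07:20 login storm. The array capacity is also an assumption.
"""
import math
from typing import List, Sequence, Tuple

SAMPLES: List[Tuple[str, int]] = [
    ("06:00", 800), ("06:10", 900), ("06:20", 1200), ("06:30", 2100),
    ("06:40", 5400), ("06:50", 7800), ("07:00", 9200), ("07:10", 6100),
    ("07:20", 3900), ("07:30", 2800), ("07:40", 2400), ("07:50", 2200),
    ("08:00", 2100), ("08:10", 2000), ("08:20", 2050), ("08:30", 1950),
    ("08:40", 2000), ("08:50", 1800),
]
ARRAY_CAPACITY_IOPS = 8000  # assumed sustainable IOPS of the storage behind the pool


def percentile(values: Sequence[float], pct: float) -> float:
    """Nearest-rank percentile: smallest value with at least pct% of samples at or below it."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def peak_window(samples: Sequence[Tuple[str, int]], width: int) -> Tuple[str, float]:
    """Start label and mean IOPS of the busiest run of `width` consecutive samples.

    Sizing to the single highest sample over-provisions and sizing to the mean
    under-provisions; the busiest sustained window is what the array must ride out.
    """
    best_start, best_mean = samples[0][0], float("-inf")
    for i in range(len(samples) - width + 1):
        window = samples[i:i + width]
        m = sum(v for _, v in window) / width
        if m > best_mean:
            best_start, best_mean = window[0][0], m
    return best_start, best_mean


def over_capacity(samples: Sequence[Tuple[str, int]], capacity: int) -> List[str]:
    """Labels of samples where demand exceeded what the array can deliver;
    these are the intervals where login times and app response degrade."""
    return [label for label, v in samples if v > capacity]


def summarize(samples: Sequence[Tuple[str, int]], capacity: int) -> dict:
    """The figures worth putting in front of the storage team and the customer."""
    values = [v for _, v in samples]
    start, sustained = peak_window(samples, 3)  # 3 samples = a 30-minute window
    return {
        "mean": sum(values) / len(values),
        "median": percentile(values, 50),
        "p90": percentile(values, 90),
        "max": max(values),
        "peak_window_start": start,
        "peak_window_mean": sustained,
        "over_capacity": over_capacity(samples, capacity),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLES, ARRAY_CAPACITY_IOPS).items():
        print(f"{key:18} {value}")
```

On the constructed data the mean (3150) and median (2100) both sit far below the 30-minute login storm (7700 sustained, 9200 peak), and the one interval over the assumed 8000 IOPS capacity is exactly where users would have seen slow logins. Trending these figures day over day is what lets you articulate the impact of a change, as the customer experience lesson above asks.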
Summary
- Traditional client management doesn’t suffice
- Security management doesn’t mean that every endpoint needs to be “managed”
- Layer management technologies to secure data center and the data
- Marry identity, configuration and security management practices