The Salvation Army is a global Christian ministry and charitable organisation with operations in 123 countries.
The UK division employs around 7,000 people, and one of its key activities is offering help and advice to single, homeless men from around 100 support centres, or ‘LifeHouses’, dotted around the country. Other charitable work supported by the organisation includes community services such as parent and toddler groups, over-60s clubs and, more recently, unemployment support services.
Around 2,500 of Salvation Army UK’s staff work at the LifeHouses, and as CIO Martyn Croft explains below,
the challenge of supporting the PC infrastructure around the country prompted it to adopt thin client devices.
Having made the leap to virtualised desktops, the organisation has moved into support home and remote workers through a secure VPN, and is now undertaking a virtual desktop infrastructure (VDI) project in London.
Croft, for whom security has been one of the key drivers in all of this, says that the move to desktop virtualisation has opened up a number of alternative IT strategies in future, including the possibility that it may no longer provide staff with corporate devices at all.
Information Age: Your first desktop virtualisation project was put in place to support staff at your ‘LifeHouses’. What was the motivation behind that project?
Martyn Croft: It was very expensive to support PCs in 100 different locations around the country. If there was a hardware problem, we’d have to send out an engineer. If there was a software problem, we’d need to use remote access, which used lots of bandwidth.
There was also a security component. We’re holding details of 6,000 vulnerable adults. If a homeless person’s data is stolen, they are very soft targets for identity theft. We have to take care of that data, and I didn’t want it to be left on PCs that could be stolen.
You chose to use thin client devices from Wyse and Microsoft’s Terminal Services. Why was that?
We had a look at Citrix’s desktop virtualisation software at the time, but it was a bit too rich for us, so we went with Terminal Services, and that was fine. Because the people working at the Lifehouses are spending most of their time with people, rather than on computers, we were able to design a simple, vanilla desktop that met their requirements.
And in the case of hardware support, we wanted our users to be able to unplug the device if there was an issue, stick it in a jiffy bag and send it back to us. With thin clients, it is as easy as that.
How was it received by the users?
It would be wrong to say that it was absolutely plain sailing. We’ve had some problems with latency and jitter over some of the more affordable data networks that we use.
What have you done to address those issues?
We’ve done some fairly innovative things with circuit bonding, which gives us more resilience and failover. In some of our larger LifeHouses, we’re running four ADSL circuits bonded together in a router.
Also, we have used a Packeteer device to get some insight into the volumes of traffic we were experiencing. So now we’ve got some very good benchmarks and we’re quite confident of the number of users that we can comfortably support. I would have liked to have seen some hard benchmarking data from our suppliers in advance, to be honest.
Have those measures resolved the issues?
Network performance is a constant battle. One of the biggest challenges that we’re having at the moment is accommodating rich media. We’re keen to promote e-learning but videos are very difficult to accommodate on the infrastructure platform we have.
The security case for thin clients was vindicated very recently. What exactly happened?
Just the other week, we had an incident reported to us by a member of staff in one of the LifeHouses. Someone had called her on the phone purporting to be from the IT department, and it was the usual scam – they said ‘there’s a problem with your PC, could you just go to this website and click on this link, and download this bit of software’. Because our thin client environment allows us to put security controls in place, she wasn’t able to do that.
Then the guy on the phone asked her to start up what we believe was a remote assistance request, which of course we disallow via our security policies. Apparently, he got extremely frustrated because he was getting absolutely nowhere. We were very pleased to hear he had been successfully thwarted.
Page 2 of 2
How has your use of that desktop infrastructure progressed since that project?
Once we had gained some experience with the thin client devices, Terminal Services, and the server farm at the back end, it occurred to us that we could use our SSL virtual private network (VPN) to present Terminal Services.
That allowed us to give people working remotely or from home access to the Terminal Services desktop with a good level of security wrapped around it. At that point, you’ve got a very secure path into your back-end infrastructure.
So, simply by thinking orthogonally about what we had and what we could do with it, we were able to support those occasional home workers without any more investment.
How has that been received?
That has proved so popular. Some of the users have actually said that accessing the system from home is faster than their desktop PC at work. But we’re only serving them a very tightly managed, vanilla desktop image. And we started thinking, what would it take to serve up a desktop that’s more geared to our more demanding users, and could support things like desktop publishing?
That’s what made us look into virtual desktop streaming, and we’re now heavily involved in a virtual desktop infrastructure [VDI] implementation.
What is that VDI project based on, and how far have you got with it?
We have a pilot going with approximately 60 users, based down at our training college in London. We’re using Xen Desktop from Citrix, and again thin client devices from Wyse.
One of the early adopters is my boss. His PC was having some issues, and he asked us whether he should replace it with a PC or laptop, and we mentioned that we are trialling virtual PCs. He said, ‘I’m prepared to give it a go’. He’s using one of Wyse’s Xenith thin client terminals, and he likes it very much. It’s quick and it can support multimedia.
What is the business case for extending the VDI infrastructure to more of your regular desktop users?
There’s a very long mean time between failures on these devices. Therefore, you don’t have to find the budget to replace your desktop PCs quite so often.
It means not suffering performance degradation of PCs and laptops, and it’s just easier to support. Also, we’re reducing power consumption compared with a standard desktop PC.
Where do you see desktop virtualisation taking you in future?
For me, the end game is getting staff to bring in their own computers, which I think is a fascination proposition for charities. If you’ve got the infrastructure in place, then why wouldn’t you stream a virtual desktop onto an employee-owned device?
Does that mean that you may require employees to have a working laptop in future?
It’s a little way off, but I think that’s where we might be heading. When you employ someone, they should come with the tools for the job.
Plus, it shifts responsibility for maintenance of the device onto the user – if you haven’t got a working laptop, then you aren’t going to work. There are a lot of HR and legal issues, but I think we can get there.