Suncorp shifts all staff to virtual desktops

Banking and insurance group Suncorp intends to have all staff working on virtual desktops by the end of next year to secure access to enterprise applications.

The company has tempered the ‘BYO Device’ strategy announced last year, offering three levels of client access to its corporate IT environment: the provision of virtual desktops, provision of corporate-issued mobile devices to select staff and conditional access to enterprise resources from devices staff bring into the organisation.

While the group will phase out traditional fat-client desktops, it has not opted to stop provisioning devices altogether.

The bank is replacing PCs on failure and repurposing existing PCs with thin-client technology running Windows Thin PC– a customisable, thin, locked-down version of Windows 7.

Application delivery is virtualised using Citrix tools via a virtual desktop.

Some one-third of Suncorp staff – the majority in its Brisbane Business Services office and another division in Sydney - are already using the virtual desktop solution, and the company expects the remainder in its Sydney and Melbourne offices to be provisioned during 2013.

Suncorp chief technology architect Ross Windsor told the iTnews Executive Summit in Sydney that organisations need to first set out a device access strategy and invest in robust IT infrastructure before turning client computing on its head.

BYOD

Suncorp’s IT team has adopted a tiered approach to securing mobile access.

The company is using  mobile device management tools to control configuration on mobile devices connecting to its network – enabling administrators to push out authorisation for Wi-Fi network access, push out digital certificate renewal for authentication and set policy around emails and document sharing, among other smarts.

There are two tiers of access aside from virtual desktops.

Staff connecting from corporate-owned mobile devices are offered a ‘standard’ corporate package with native email built-in. Suncorp runs an application blacklist on these devices to ensure that applications like Dropbox, a personal cloud storage application hosted in the United States, cannot put corporate data at risk.

Those staff working in collaborative workspaces that wish to bring their own device are offered a locked down or “sand-boxed” package. To gain access to corporate systems from these devices, staff must download a custom sandbox application that offers secure email plus a suite of additional security tools. This level of access limits users to a secure email service (akin to Blackberry Enterprise Server), secure file sharing service (akin to DropBox) and integration with Sharepoint – the data from which resides in Suncorp’s data centre rather than on the device.

The BYOD client package has been configured for Windows and Apple devices. Windsor notes that Suncorp’s staff use nearly 2500 iOS devices (iPhones and iPads). The bank is still working on a secure Android client.

Suncorp opted against giving out stipends (cash allowances) to staff to bring their own device into the network.

“What happens if they don’t have maintenance on it?” Windsor asked the audience. “If it was the only form of device they had access to in the organisation and it was lost, stolen or damaged, then they would no longer be productive. Are we going to have a store of devices in the cupboard that we can give them?

“There are all these kinds of management aspects to why [stipends] are not a good idea. Our strategy is we will provide you a device. You are welcome to bring your own device but that is not a replacement for the corporate device.”

The magic under the covers

Windsor told the iTnews Executive Summit that there was a “long journey” required in terms of IT infrastructure before Suncorp could proceed with either of its virtual desktop or BYOD programs.

“You can’t do BYO without first getting a handle on virtualisation,” he said.

Suncorp’s expertise in virtualisation began when it took over the Promina group in 2007 and found itself with six major data centres spread across country.

This was “a management issue and cost burden we didn’t need,” Windsor said. “The easiest and most effective method to consolidate that was to virtualise down to a single [production] data centre [plus DR facility], which we achieved in little over ten months.

“In doing so we understood the strength and weaknesses of virtualisation in the server space before considering desktop devices.”

The company has developed its own private cloud and service catalogue using open source technologies. Everything in this stack was built in-house – the orchestration layers, scripting, and the web services interface to provision servers.

Whilst it wasn’t a trivial task, Suncorp’s team built the private cloud in under nine months. “The other option might be to spend the same time configuring an off-the-shelf product.  We had looked at all the tools in the market, but none of them were true cross-platform,” Windsor told iTnews.

“What we built was completely flexible and generic – we could provision an Oracle database on a midrange AIX server, a SQL database on virtualised Windows instance, it didn’t matter.”

Provisioning of new servers and applications went from weeks to days, aiding Suncorp’s stated commitment to Agile software development.

But more significantly, the private cloud became the platform from which Suncorp could manage application delivery and mobile access.

“The private cloud is the orchestration engine and services bus,” Windsor told iTnews. “We can use that to automate virtually anything that we want to do in the organisation and provide a self-service interface for that automation. That’s what we’ve bolted on the front of the mobile device management, which in turn allows you to control what applications can be loaded on a mobile device.

“You also have to build your own internal equivalent of an iTunes application store for both apps and also for clients – if, for example if I needed a client on my new device to connect to my virtual desktop. What we’re creating is an automated self-service environment. The user simply clicks a URL, and it automatically pulls the sandbox application down onto the device.”

Read on for a look at the IT infrastructure that underpins Suncorp's strategy...

Supporting virtual desktops

The virtual desktop and BYOD programs also relied on upgrades to Suncorp’s network and storage infrastructure.

Again, some good decisions made during the Promina integration and data centre consolidation projects came into play.

The bank opted for network attached storage over a fibre channel storage solution. Windsor argues that this cheaper technology was robust enough for the bank’s largest databases. It presents a far cheaper, ‘scale-out’ storage option, Windsor said.

“It would have cost an arm and a leg on fibre channel”.

Suncorp’s data centre consolidation activities led it to upgrade to an MPLS-based network cloud, which connects using 10GB switching inside the data centres, plus lower latency between the production and recovery data centres (sub-one millisecond response times over a distance of 50km.)

Rolling out the virtual desktop to Suncorp’s network of branches, on the other hand, relies on an investment in WAN acceleration tools.

“Virtual desktops mean more traffic on the branch WAN – as everything is going back to the data centre, including print data.

“We have had to do a lot of capacity planning around latency. If we’re providing a virtual desktop in the Brisbane Data Centre to somebody in Perth, that’s very different to having someone connecting in Brisbane from the point of view of network latency.

"So adopting WAN optimisation technology across your network is absolutely key to adopting virtual desktops.”

Windsor said Suncorp’s experience should dispel concerns that virtual desktops have a negative impact on system performance. It doesn’t have to, if the underlying architecture is right.

“Performance and user experience on things like browsing and email is significantly faster – as you are not pulling information across a metropolitan link,” he said. “The 10GB switching in the data centre is extremely fast – there was a marked performance increase.”

But video performance on virtual desktops is still not ideal, he said, and has required custom development from the IT team.

“We have to do a lot of fine-tuning to make video offloading work well on the local client.”