Organizations all have their own compliance requirements, so IT shops looking to deploy cloud-hosted virtual desktops need to figure out which DaaS platform offers the configuration options they need.
Compliance with common standards may be easier to achieve on a cloud service than on-premises VDI. The cloud service needs only to achieve certification on its infrastructure once, instead of certifying every tenant. And IT can distribute the cost of certification compliance across multiple tenants.
In addition, some desktop as a service (DaaS) providers offer desktops that are compliant with special industry requirements. One example of a specialized cloud is that of the New York Stock Exchange. It offers services to financial trading companies and is dedicated to one industry. It is built and operated in compliance with that industry's specific requirements.
Desktop as a service compliance challenges
Compliance is a variable challenge. Many compliance requirements address data handling, but compliance can mean anything -- from meeting simple reporting requirements to adhering to best practices for implementation, or even satisfying the Security Technical Implementation Guides (STIGs) required to certify military infrastructure.
In general, every layer of the desktop delivery method businesses choose must be compliant. As with security, the split between what is provider-controlled and what is tenant-controlled is crucial to determining whether companies can make DaaS compliant. And desktop as a service also adds a layer of complexity: the Internet transit that is not required with on-premises VDI.
One example of a compliance requirement is the Payment Card Industry Data Security Standard, or PCI DSS, which regulates how businesses store credit card numbers. If a shop cannot find a PCI DSS-compliant DaaS provider, it can exclude desktops that must be compliant from DaaS and host only the desktops that don't need to comply. That same shop may also choose to use one DaaS provider for some desktops, but a different DaaS provider for the ones that require PCI DSS compliance, because PCI DSS-compliant DaaS might be more expensive.
For a company to be PCI DSS-compliant, it must show that every place it stores or transports credit card numbers meets the standard's requirements. The hypervisor and network are both subject to these rules, but with DaaS, the customer has no visibility into or control over those elements. DaaS customers therefore need the provider to have audited PCI DSS compliance in place before they can build their own compliant desktops on top of it.
But it is not sufficient for the base layers to be compliant. The customer must also make sure its desktop images and applications are PCI DSS-compliant. The DaaS provider may even need to provide guidance to the tenant on how to achieve compliance on its DaaS platform.
With the Defense Information Systems Agency's STIGs, it is possible to use measures at one level of infrastructure to address issues in another. For example, take a company where network traffic must be encrypted with specific cipher suites when it travels between data centers. In traditional IT shops, there are a number of places where that encryption can occur: at the routers on the edge of the data center, in the virtual network, or in the desktop virtual machines themselves. With DaaS, the customer controls fewer of these layers, so fewer of those options are available.
Some compliance requirements are nontechnical. In fact, many are legislative. For example, companies in Germany cannot store German financial or customer data outside Germany's borders. This prevents these companies from using a DaaS provider that does not have data centers in Germany. Even if the provider has data centers in Germany, it must prove that no backups or disaster recovery copies leave the country. Data sovereignty could limit the available DaaS options and make on-premises VDI more appealing.