
I used to volunteer at a hospital reception desk, where walk-in patients were received.

Staff had ID cards, which would both open access-controlled doors and log into IT systems via smart card reader. Removing your card would immediately log you out.

Clearly, some designer thought they could prevent users from accidentally leaving their computer logged in, as you couldn't move around the building without your ID card, forcing you to unplug it and hence log yourself out - right?

But the receptionists' computers had the most basic specs, and were loaded with corporate bloatware and sluggish roaming profiles. And of course the software they had to use added another layer of underperforming enterprise bloatware. It would take a good 5 minutes from inserting your smartcard to actually being able to work.

Quelle surprise, the staff never unplugged their smartcards, and instead borrowed someone else's card when they needed to move around the building.



I was also in a govt / enterprise EHR type project. Similar story, but you had a double layer of VPN that only worked with outdated Explorer / Java etc (AT TIME OF DEPLOYMENT - the software was "new" to the govt agency and the poor health staff).

To skip all the silliness - you basically had to password share, keep systems logged in etc etc to get anything done. Yes, security is important, but if it's 30 minutes to do anything, and then they did something like 30 day double password resets (on both layers of VPN) it's just chaos. Every password had to be written down, because when a patient showed up and a clinician couldn't log in it was a disaster. The millions they spent without ever talking to anyone using this crap was mind blowing. We had in the end separate computers with locked down ancient IE and Java to do some stuff on this system (auto or user updates to Java - which would pop up scary warnings given how old things were - would blow the fragile system up).

Then the one person who could create new accounts through a ridiculous process would go on some kind of 2 month union break at a time, and....


While working in a hospital as a radiographer I met an IT contractor socially who was excited to be implementing a system which sounded like the one you describe ‘to help me work more efficiently’. It takes a special kind of person to confidently explain how a job they have never seen done is being done wrong.

I had to walk away.


The people who came up with that stuff probably never thought to weigh how much more it obstructs attackers than real workers... or even more scarily, thought treating them the same would be more secure somehow.

As the saying goes, a perfectly secure computer is one that no one can use.


Ironically, this system resulted in lots of insecurity.

Password resets were so common the govt agency OUTSOURCED them - and you just had to provide your username to get it reset. Literally, you called and said I need a password reset for account X, and they gave you a temp password over the phone.

I never complained about how easy this was because this was a CRITICAL feature. Sometimes we didn't even know why a password wasn't working - so after you got done with whatever client came in you called the number and got a new one.

So it's really security theatre + the security provided by the massive annoyance of setting up old internet explorer to login and all the other silliness (which really was security, we were not alone in struggles, they kept on having to do paper backup systems when stuff went down).

I often thought that a hacker could probably make all our lives easier by figuring out a way around the double VPN.

This was a long time ago though (10+ years) and I have to believe it's better now.


In healthcare ten years doesn't even cover the original rollout you may be complaining about...


That’s terrible. And then IT staff was unionized, too?? Well that’s just the icing on the cake, ’innit!


One of the few times a thin client with a virtual desktop (like Citrix and such) is actually useful, as you can keep working after moving.


So long as Citrix isn't under-provisioned, which is all too common.


The thing about VDI is that you can't underprovision the client, but you can underprovision the server to a reasonable extent. I've seen deployments that decide that it's a great idea to give Windows 10 VMs 2GB of RAM and 1vCPU, which turns the instance into a swapping mess. However, if you give the users suitably sized VMs (e.g. 8G/4vCPU) then they will have the burst capacity for faster application loads and such while the server can remain overcommitted (it's rare that all users will need to use up all their vCPUs and memory at a given time).

However for doctors there may be another option aside from VDI, which is RDS or similar where a single Windows Server instance handles multiple remote desktops. Sort of like multiple users using SSH to connect into a shared Linux server. Unlike devs they can rely on a fixed image and don't need to make global changes, making a shared instance viable. This would allow the users to make better use of the compute resources on the server.


> The thing about VDI is that you can't underprovision the client…

You are underestimating the abilities of “efficiencies”-driven I.T. management.


> So long as Citrix isn't under-provisioned, which is all too common.

A common selling point of Citrix and similar solutions to the CEO is that by centralizing and sharing resources (CPU, RAM, etc.), we can save money on redundant, unused capacity - on most user workstations, the process which clocks the most CPU time is 'Idle', after all!

You can guess the rest of that story.


Nah. VDI is in many environments the biggest compute system in the datacenter. People's work patterns are very consistent so there typically isn't much slack.

The top issues with VDI are memory availability and profile management. As CPU improvements stopped, apps are memory hogs. With a modern Microsoft stack, even basic users run Outlook, Teams and Chrome. Outlook is usually caching too much, so your virtual desktop with OST stored on a shitty NAS somewhere is essentially a really really awful single user Exchange server.


> Nah.

What is that in response to? You're saying VDI isn't slow and underresourced for many people? Perhaps that's not your experience, but does that mean it's not the experience of others? Are you saying that VDIs aren't sold that way to CEOs? I've seen it and the underresourced results multiple times.


Nah, they make you log out of your vm as well as the thin client, or cause your vm to auto log out when you're not connected for a couple of minutes. It still takes 10 - 15m to get logged back in.

As a bonus, you get to interact with a slow, remote desktop all day.

Or the real kicker - the hardware gets over provisioned because the incentive is to cut costs. You try to log in, get on a bum vm, then have to log out and try again and hope to get a good vm.

Makes for a very productive workforce.


> Quelle surprise, the staff never unplugged their smartcards, and instead borrowed someone else's card when they needed to move around the building.

And now that the staff is used to lending out their cards, an attacker pretending to be a new hire can bypass both access controls.



