Managed DaaS
Service Description
This document contains a description of Dizzion’s “Managed DaaS” service offering, including details of the service, features, limitations, administrative access, sizing, ordering, and invoicing.
Please contact your Dizzion CSM for additional information.
Table of Contents
1 Introduction
1.1 Definitions and Terms
2 Solution Detail
2.1 Service Offering
2.1.1 Service Architecture
2.1.2 End User Access
2.2 Operation and Management Responsibilities
2.2.1 Dizzion Responsibilities
2.2.2 Customer Responsibilities
2.3 Networking
2.3.1 IPsec VPN
2.3.2 SD-WAN
2.3.3 Additional Network Connectivity
2.4 Business Continuity and Disaster Recovery
2.5 Monitoring
2.6 Change Management
2.7 Security
2.7.1 Dizzion Security Responsibility
2.7.2 Customer Security Responsibility
2.8 Incident and Problem Management
2.9 Technical Support
2.10 Usage Restrictions
2.10.1 Load Testing
2.10.2 SMTP Port 25
2.10.3 Network Management
2.11 Data Access
3 Administrative Access
3.1 Service Portals
3.1.1 Cosmos Control Center (C3)
3.1.2 VMware Horizon Client
3.1.3 VMware Horizon HTML access
3.1.4 Horizon Admin Console
3.2 Windows OS Licensing and Support
4 Virtual Machine Sizing and Options
4.1 Image Templates and Golden Images
4.2 Virtual Desktop Sizing
4.3 Virtual Desktop types
4.4 Virtual Application Servers
4.4.1 vApplication Server Limitations
4.5 Add-on Storage
4.6 Profile Management
5 Add-On and Optional Services
5.1 Compliant Services
5.1.1 Additional Information Regarding PCI DSS
5.1.2 Additional Information Regarding HIPAA and HIPAA HITECH
5.1.3 Additional Information Regarding SOC 2 Type II
5.1.4 Additional Information Regarding GDPR
5.2 Cloud Burst (Business Continuity)
5.3 Profile Management
5.4 Web Content Filtering
6 Ordering and Invoicing
6.1 Ordering Capacity and Services
6.1.1 Technical Deliverables Document
6.1.2 Subscription Model
6.1.3 Minimums
6.1.4 Additional Capacity and Services
6.1.5 Additional Information
1 Introduction
Dizzion’s end-user computing services provide cloud-delivered virtual desktops and applications to end users on any supported device. The service level discussed in this document is referred to as “Managed DaaS” and consists of a virtual desktop and application platform provided as a managed service in the cloud. Managed DaaS does not require customers to purchase, operate, or maintain the underlying infrastructure.
Dizzion customers choose Managed DaaS because it allows them the flexibility to rapidly onboard new customers, meet strict turnaround times, deliver on short-term or unexpected opportunities, and generally act quickly in response to changing demand from customers, employees, and contractors. As a fully managed service, Managed DaaS is intended to take the complexity out of designing and delivering a cloud-based desktop platform, as well as eliminating the need for customers to hire skilled cloud and desktop delivery engineers. Dizzion works with you to design a dedicated service, and then acts as your 24/7 engineering and operations team, ensuring your desktop platform is designed, implemented, and operated according to your specific business needs.
Additionally, many customers take advantage of the ability of Managed DaaS to help them meet various compliance requirements. With Compliant Services added to a Managed DaaS subscription, Dizzion can take much of the burden of achieving PCI, HIPAA, SOC 2, and GDPR compliance off of your plate.
1.1 Definitions and Terms
For purposes of this Service Description, the following terms have the following meanings:
“High Availability” means the ability to restart a provisioned workload on a different server in the cluster, if the workload’s current server fails to function properly, to allow users to continue to access their workloads in the event of a single server failure.
“Horizon Agent Software” is the agent software installed on virtual desktops and golden images that facilitates the virtual desktop or streaming application side of the connection to an end user’s computing device.
“Horizon Client Software” is the client software installed on end user devices which facilitates the client-side connection to a Dizzion virtual desktop.
“Image Template” refers to read-only Windows OS images that can be imported into a customer’s Dizzion DaaS Service and are used as a basis to create Golden Images.
“IOPS” (pronounced “eye-ops”) stands for Input/Output operations Per Second and is a performance measurement used to quantify the speed of computer storage devices like hard disk drives (HDD), solid state drives (SSD), and storage area networks (SAN).
“Non-Persistent Desktop”, sometimes referred to as a “Floating Desktop”, is a desktop that is not assigned to a particular user but shared among multiple users and does not retain any application, software, or configuration changes from one user session to another. Non-persistent desktops are cloned from a golden image prior to each user session.
“PCVDC”, or Private Cloud Virtual Datacenter, is the infrastructure, networking, and virtual server components required to host virtual desktops and applications in a customer’s environment (tenant) within the Dizzion Service. Every Dizzion customer will have at least one PCVDC, which consists of a private IP address space, dedicated virtual firewalls, dedicated VLAN(s), dedicated identity services (Active Directory), and a dedicated VDI stack. PCVDCs are single tenant.
“Persistent Desktop”, sometimes referred to as “Dedicated Desktop” or “Named Desktop”, is a desktop that retains, from one session to another, user entitlements to that desktop as well as any changes made to the files, configurations, applications and desktop operating environment by the user.
“Remote Desktop Session Host” or “RDSH” is an application server that can host applications and desktops for secure and streamlined remote access by end users.
“Third-Party” refers to an organization, vendor, person, or entity other than Dizzion and Dizzion’s customer that has a role in delivering software or other Information Technology services pursuant to a contract or agreement with Dizzion or Dizzion’s customer.
“vApplication Server” is a hosted Virtual Machine with a Microsoft Windows server operating system, configured to provide Windows services to a customer’s Managed DaaS environment.
“VDI” (or Virtual Desktop Infrastructure) is the technology for providing and managing virtual desktops and applications.
“Virtual Desktop” is a hosted Virtual Machine with a Microsoft Windows desktop operating system, such as Windows 10 or Windows 11, configured for remote access by an end user.
“Virtual Machine” or “VM” is a software container that can run its own operating system and execute applications like a physical machine.
Terms of Service
Unless otherwise specified, hosted elements of the Service Offering are subject to the Master Services Agreement, available on the Dizzion website (https://www.dizzion.com/legal).
Usage Data
The Service Offering collects data directly from connected devices, such as configuration, performance, and usage data. For purposes of improving Dizzion products, services, and users’ experience, all data is considered personal data. All data is treated under data protection laws as described in the Dizzion Privacy Notice, available on the Dizzion website https://www.dizzion.com.
2 Solution Detail
The following sections describe the Managed DaaS Service Offering and delineate the operation and management responsibilities between Dizzion and a Managed DaaS customer.
2.1 Service Offering
Dizzion Managed DaaS simplifies the delivery of Microsoft Windows virtual desktops and applications by providing them as a managed cloud service while maintaining enterprise requirements for security and control. End users benefit from a Windows workspace that they can remotely access from a variety of device types from almost any location. IT departments benefit from being able to consume virtual desktop technology as a fully managed service, without the need to hire additional staff or skilled cloud and desktop delivery engineers. Dizzion’s Managed DaaS service is ideal for organizations that want to benefit from the flexibility of virtual desktops but would prefer to consume them as a managed service rather than dedicate time, money, and resources to designing, implementing, operating, and maintaining this often complex technology.
As part of the Managed DaaS Service, Dizzion takes many aspects of virtual desktop and application server management off your plate, including system design, implementation, and the day-to-day operation of the service.
Components of the service that are managed by Dizzion include:
• Physical compute, storage, and networking
• Virtual server infrastructure
• Virtual networking
• Platform licensing
• Platform upgrades
• Operating system licensing
• Operating system updating and patching
• Security (antivirus and anti-malware)
• Data protection (backup and restore procedures)
• Configuration Management
• Identity and access management
• Desktop pool management
• Testing and performance tuning for optimal user experience
• Scalability planning and execution
• General operation and management of the service
As your organization grows, Dizzion provides ongoing architecture and engineering expertise so that your Dizzion service continues to scale to meet your business needs. Dizzion Managed DaaS customers don’t need to have cloud or virtual desktop expertise for the service to continue to be valuable into the future.
2.1.1 Service Architecture
Each Dizzion customer environment exists independently of other Dizzion customers within a unique dedicated Private Cloud Virtual Data Center (PCVDC). This is the case whether the organization is consuming virtual desktops, virtual applications, disaster recovery or another service from Dizzion. The PCVDC provides each customer with a dedicated private IP address space, dedicated virtual firewalls, dedicated VLAN(s), dedicated identity services (Active Directory), authentication trusts, and a dedicated virtual desktop and application delivery stack (Gateway Servers, Connection Servers, Load Balancers and Network Integrations). In addition, the PCVDC provides the networking components required to transfer traffic within the environment itself.
Providing a unique PCVDC to each customer ensures that no customer can “see” any other customer’s data, activity, or intellectual property. Custom security policies can also be applied to an individual PCVDC to protect each customer uniquely.
Each customer’s PCVDC is deployed in a Highly Available (HA) configuration. This means for each PCVDC, there are two of each critical component, deployed in a failover configuration. Because of this, Dizzion provides a 99.99% SLA for availability of all redundant components.
2.1.2 End User Access
Managed DaaS users can connect to desktops and applications from a mobile device, tablet, thin client, iOS, Android, Chrome OS, or traditional Mac or PC computing device, as well as from an HTML5 compatible web browser. Users launch the VMware Horizon Client and authenticate to the service through a standard internet connection. After authenticating, the user is presented with a list of authorized applications and desktops. When a resource is selected, the user is securely connected using either Blast Extreme or PCoIP display protocols.
For devices that are unable to use a VMware Horizon client, where the installation of the Horizon client is not possible, or for quick access to applications and desktops, a user can also connect to the Dizzion service using a standard HTML5 web browser. However, service functionality, performance, and feature availability may be limited when using this method of access.
2.2 Operation and Management Responsibilities
The following sections detail management, operation, security, and other responsibilities for each party (Dizzion and Dizzion’s Customer) within the Dizzion Managed DaaS Service Offering.
2.2.1 Dizzion Responsibilities
Dizzion is responsible for the operation and management of the following services within the Managed DaaS Service Offering:
Infrastructure Services
• Implementation of service components needed to support contracted resource pools, such as
o Physical servers
o Physical storage
o Physical network devices
• Provisioning of capacity for virtual desktops and servers (i.e. vCPU allocation (400 MHz), memory (RAM), storage and networking)
• Provisioning of a customer’s Private Cloud Virtual Data Center (PCVDC). The PCVDC includes authentication and authorization policies for customers to log in to the service
• Implementation of add-on services and upgrades
Dizzion-side Networking
• Provisioning and management of network resources including public IP addresses, VLANs and private IP spaces.
• Implementation of secure point-to-point network interconnects, through VPN or other dedicated connections, between the customer’s Dizzion service and the customer’s corporate network. (Customers can purchase dedicated connectivity to the Dizzion cloud. Examples include MPLS circuits, Equinix Fabric Exchange, datacenter cross-connects, etc. Customers must coordinate with Dizzion to implement any dedicated network connection.)
Identity and Access Management
• Setup and Management of Active Directory Domain Trust on Dizzion managed domain controllers.
• Setup, management, and guidance for user and computer group policy objects (GPOs).
Virtual Machine Provisioning
• Installation of vApplication Server VMs in Customer’s Dizzion Managed DaaS service.
Golden Image Management
• Management of Golden Image Operating Systems, including Windows updates and patches.
• Setup, management and updates to VMware Horizon Agent Software as required.
• Image provisioning and management
• Desktop pool provisioning and management
• Major Operating System Upgrades (requires coordination with customer)
Virtual Desktop and vApplication Server Management
• Setup and management of Operating System licenses (unless provided by Customer) for both virtual desktops and vApplication Servers.
• Antivirus and anti-malware software for virtual desktops and vApplication Servers.
• Operating System patching for virtual desktops and vApplication Servers.
• User profile management/persistent data configuration (optional service).
• Data protection (backup and restore procedures).
Service Initiation, Validation, and Testing
• Validation of PCVDC setup, testing and performance tuning with end users.
• Creation of initial administrative user accounts.
• Creation of initial golden image operating system template for administrators to install 3rd party applications.
• Creation of initial desktop pools from Golden Images
Service Portal Training
• Providing up to two hours of Dizzion C3 portal, Insights Monitoring and Admin Console walkthrough/training
2.2.2 Customer Responsibilities
Dizzion Managed DaaS customers are responsible for the operation and management of the following services within their customer PCVDC:
Customer-side Networking
• Setup and Management of networking integrations on customer managed firewalls (if applicable).
• Provide resource assistance for establishing network connectivity between Dizzion and Customer datacenter or resources.
Identity and Access Management
• Setup and Management of Active Directory Domain Trust on customer managed domain controllers (if applicable).
• Setup and management of user group policy objects (GPOs).
Golden Image Management
• Installation, Management, patching and updating of third-party applications (MS Office is considered third-party).
• Installing and configuring custom or third-party applications on image templates or deployed VMs.
vApplication Server Management
• Installation, management, configuration, patching and updating of third-party applications installed on vApplication Servers (MS Office is considered third-party).
End User Device Management
• Setup and management of end point devices and relevant peripherals including updating of VMware Horizon Client Software as required.
2.3 Networking
Many Managed DaaS customers choose to implement a private network connection (either physical or virtual) between their Dizzion PCVDC and their datacenter, or another cloud location managed by the customer. This enables secure/encrypted access from a customer’s Managed DaaS environment to authentication services, applications, or data that may reside on the customer’s network.
Dizzion offers a few methods to establish private network connections, discussed briefly here.
2.3.1 IPsec VPN
Dizzion offers private network connectivity via IPsec VPN for customers that wish to have a private network connection to their Managed DaaS service without establishing a dedicated connection. An IPsec VPN is typically the most cost-effective and least complex private connection to implement.
Customers can leverage a standard internet connection for this option, and Dizzion can support a standard (non-HA) or Highly Available (HA) configuration for the VPN. All HA configurations require that the customer own hardware that can support BGP and have the knowledge to implement and manage BGP on the customer side of the network.
2.3.2 SD-WAN
Dizzion offers private network connectivity via SD-WAN for customers that wish to have more control over the connection to their Managed DaaS service than a VPN, but still do not wish to establish a dedicated connection. SD-WAN service requires coordination with Dizzion prior to ordering any services as virtual and/or physical appliances are required on both sides of the connection. Contact your Dizzion account representative to coordinate placing an order for SD-WAN connectivity services.
2.3.3 Additional Network Connectivity
Dizzion can also support MPLS connectivity, certain datacenter fabric interconnects, some public cloud direct connection services, and intra-datacenter cross-connects. All these services require coordination with Dizzion prior to placing an order for any circuits or services. Contact your Dizzion account representative to coordinate placing an order for all direct connectivity services.
2.4 Business Continuity and Disaster Recovery
Dizzion provides the following services with respect to business continuity and disaster recovery. Dizzion is responsible for the business continuity of the following items, which are solely owned, operated, and managed by Dizzion:
• Physical servers, storage, and networking components, virtual firewalls, VLAN(s), Dizzion-managed identity services (Active Directory), authentication trusts, gateway servers, connection servers, load balancers and Dizzion-side network configurations.
• Data backup and restoration of Dizzion-hosted service components and configurations within the customer’s PCVDC, including identity and access management configurations, desktop and application entitlements, virtual desktop security policy and configuration settings, Active Directory group policy, service portals and management interfaces.
• Nightly backups of virtual machines and data in customer’s Dizzion Managed DaaS environment. This includes all customer accessible golden images, persistent virtual desktops, vApplication servers, and add-on storage volumes as well as any profile management data. Backups are kept and are accessible for a period of one week.
Dizzion Managed DaaS customers are responsible for any item related to business continuity and disaster recovery that is not listed as a responsibility of Dizzion. This includes, but is not limited to the following:
• Data protection, such as routine backups of any data stored on customer owned or managed virtual machines or storage devices that are not located within the customer’s Managed DaaS environment.
• Virtual appliances located within a customer’s PCVDC but not managed by Dizzion.
• Any other item not listed as a responsibility of Dizzion.
2.5 Monitoring
Dizzion monitors the availability of the Managed DaaS service, as well as the following components and services within a customer’s PCVDC:
• Dizzion-side network connectivity including physical and virtual firewalls
• Horizon Gateway Servers and Connection Servers
• Load Balancers
• Active Directory Servers (only those that are Dizzion-provided and solely managed by Dizzion)
• Dizzion-managed RDSH Servers
• Antivirus and anti-malware software
• Virtual desktops and vApplication Server resources and availability
Dizzion Managed DaaS customers are responsible for monitoring the following components and services:
• Third-party applications, including application vulnerabilities.
• End-user behavior
• Customer-side network connectivity
• Other assets deployed outside of the Dizzion DaaS service, whether hosted or on-premises.
2.6 Change Management
Dizzion is responsible for change management for Dizzion managed services related to the following items:
• Processes and procedures to maintain the health and availability of the Dizzion C3 portal.
• Processes and procedures to release new code versions, hot-fixes, and service packs related to the Dizzion C3 portal.
• Processes and procedures to maintain the health and availability of the Dizzion managed infrastructure and services.
• Processes and procedures to release new versions, hot fixes, and service packs related to the Dizzion managed infrastructure and services.
• Operating System updating/patching for golden images, virtual desktops and vApplication Servers.
• Dizzion provided security and monitoring tools installed on guest operating systems.
Dizzion Managed DaaS customers are responsible for change management related to the following:
• Guest Operating Systems or VMs not managed by Dizzion
• Custom or third-party applications
• Coordination with Dizzion when scheduled maintenance and non-standard or emergency maintenance is required.
2.7 Security
Dizzion and our customers share responsibility when it comes to security of the Service Offering. Dizzion provides security services for the aspects of the Service Offering within Dizzion’s sole administrative control. Customers are responsible for security of the aspects of the Service Offering within their administrative control.
2.7.1 Dizzion Security Responsibility
Dizzion uses commercially reasonable efforts to ensure:
Information Security: Dizzion protects the information systems used to deliver the Managed DaaS Service; Dizzion has sole administrative level control over the infrastructure of the Service, as well as responsibility for the following components:
• Platform (VMware Horizon) management, antivirus/anti-malware, security updates and hardening
• Virtual Desktops and vApplication Servers (Windows patches/updates and Antivirus/anti-malware)
Network Security: Dizzion protects the network’s information systems unless the customer has some control, permission, or access to modify networks.
Security Monitoring: Dizzion monitors security events involving the
• Underlying infrastructure servers
• Storage
• Networks
• Information systems used in the delivery of the Service Offering.
• Virtual desktops and vApplication servers
• Dizzion provided and managed operating systems
Patching and Vulnerability Management: Dizzion maintains the systems used to deliver the Service Offering, including critical patches for infrastructure, golden images, virtual desktops, and vApplication servers.
Vulnerability Scans: Dizzion performs vulnerability scans for each customer environment (PCVDC) prior to being promoted to a production environment. Any vulnerabilities are addressed prior to the service being promoted to production.
2.7.2 Customer Security Responsibility
Dizzion Managed DaaS customers are responsible for addressing the following:
Information Security: Ensuring adequate protection of customer provided or controlled:
• Information systems
• Data/Content
• Customer-deployed and third-party applications within the service. This includes, but is not limited to:
o Security patches and critical updates
o Data encryption
o Access controls
• Security training for end users and customer administrators.
• Roles and permissions granted to customer’s internal, external, or third-party users.
Network Security: Security of the networks in which the customer has administrative level control. This includes, but is not limited to:
• Maintaining effective firewall rules (customer side only)
• Exposing only the communication ports that are necessary to conduct business.
• Locking down promiscuous access.
Security Monitoring: Detection, classification, and remediation of security events within the Managed DaaS service that originate from or relate to:
• Customer provided / third-party applications
• Customer data
2.8 Incident and Problem Management
Dizzion provides incident and problem management services for components of the service where Dizzion has direct administrative and physical access and control. For example, severity classification, recording, escalation, and service availability pertaining to:
• PCVDC Infrastructure
• Dizzion C3 portal
• Infrastructure Servers
• Physical storage devices
• Network devices
• Software components that are solely managed by Dizzion
Customers are responsible for incident and problem management for any components that are not solely managed by Dizzion. For example, detection, severity classification, recording, escalation, and service availability pertaining to:
• End user and customer administrator accounts
• Customer-side networking components and configurations, including firewalls
• Customer or end-user owned endpoints
• Customer domain
• Customer provided or third-party applications, including Microsoft Office
• Horizon client software
• Third party appliances (physical or virtual) that are not directly supported by Dizzion
• Tier 1 technical support for end users
• Operating System licenses if not provided by Dizzion
• Other items not under the direct control and administration of Dizzion.
2.9 Technical Support
Dizzion provides 24x7 tier 2 and tier 3 support for customer-reported service requests with components or services under Dizzion management as mentioned in this Service Description or the Service Agreement. Support may be provided in any country in which Dizzion or its providers maintain facilities. Infrastructure and software components not under the management of Dizzion are not eligible for technical support. Dizzion’s technical support is available to customer employees or designated persons who have been identified as administrators of the Dizzion service and is not intended for end users. Tier 1 support (providing technical support to end users) is a customer responsibility.
2.10 Usage Restrictions
Customers of the Dizzion Managed DaaS Service are restricted from the following.
2.10.1 Load Testing
Dizzion prohibits customers from unauthorized load testing such as automated or manual stress tests. Customers who intend to perform such tests must seek approval from Dizzion by submitting a support ticket and coordinating the planning of any tests with Dizzion. This ensures minimal interference with performance and user experience and avoids the possibility of emergency procedures being initiated by Dizzion.
2.10.2 SMTP Port 25
Dizzion will not allow port 25 egress out of the Dizzion provided internet connection. TCP Port 25 (usually used for SMTP) is subject to egress filtering and not allowed for usage, with no exceptions. A customer can use port 25 over a private VPN or Direct Connection.
2.10.3 Network Management
Customers will not have access to an edge (router) appliance. Customers will not have any ability to configure or customize firewalls or network address translation rule sets managed by Dizzion.
Active/passive redundancy for a dedicated network connection into the Dizzion Managed DaaS Service (via BGP only) is supported, but the customer must specify which link is active and which link is the backup, and is responsible for the configuration needed to fail over automatically if the active link goes down.
The use of software-based VPNs (i.e. a VPN client installed on a virtual desktop or vApplication server) is not allowed due to the fact that this can block access to the service from end users.
2.11 Data Access
In order to continuously improve Dizzion products and services, ensure optimal performance, and provide recommendations for best practices, Dizzion collects anonymous data regarding usage patterns, user behavior and certain other metrics on a regular basis. A customer can request to disable this data gathering within their environment if desired; however, doing so may affect the ability of Dizzion to provide some reporting and monitoring services.
Throughout the course of regular system operation and maintenance, as well as in the event of customer issues that require investigation, select personnel from the Dizzion Managed DaaS Service Operations team will have the ability to remotely login to a customer’s PCVDC to review and gather logs or to perform remote management or emergency remediation.
With this access, Dizzion may be able to:
• Obtain log files and crash reports from the Dizzion Service, which may contain usernames, end user contact information (name, email), dates and times of user access, and other user data including IP addresses and host names of end user devices.
• Obtain other files, such as configuration files, from the deployed infrastructure within the DaaS service.
• Have real-time access to the current operational health status of the DaaS Service.
3 Administrative Access
For operations and management tasks that are the responsibility of a Managed DaaS customer, Dizzion provides Service Portals in which access to administrative tasks is provided. This section describes the Service Portals available, and other administrative responsibilities of a Managed DaaS customer.
3.1 Service Portals
Dizzion customers can administer, monitor, maintain, and operate the service via Dizzion provided Service Portals. The Dizzion Managed DaaS Service includes access to the following service portals.
3.1.1 Cosmos Control Center (C3)
Dizzion’s C3 portal provides access to the Dizzion C3 management console to orchestrate and manage Dizzion managed workloads. Dizzion C3 is the primary interface for management of the Dizzion service. This includes the ability to:
• Request customer support, manage service tickets and communicate with Dizzion support
• View, manage, and approve upcoming maintenance windows
• Access virtual desktop Insights and Analytics
• Other support operations
3.1.2 VMware Horizon Client
The VMware Horizon Client is the preferred interface for end users accessing Dizzion desktops and published apps. The Horizon Client is supported on Windows, Mac, Linux, iOS, Android, Chrome OS, and through various third-party thin clients and zero clients. Users are not required to use the Horizon Client to access their desktops or apps, but instead can access desktops and apps through the VMware Horizon HTML Access Portal. Service functionality, performance, and feature availability may be dependent on the version of the client software installed, and may be limited when using other methods to access the service (i.e. Horizon HTML access).
3.1.3 VMware Horizon HTML access
VMware Horizon HTML Access is an alternative option to the VMware Horizon Client, where end users can access Dizzion desktops and published apps without having to install any software on a client system. This web interface provides browser-based access via HTML5. Some features and tuning capabilities are limited while using HTML5 protocol.
3.1.4 Horizon Admin Console
VMware Horizon Console is the Web interface through which organization administrators can manage virtual desktops and published desktops and applications. This includes:
• Perform management tasks on user sessions such as disconnect, log-off, restart, and reset virtual desktops
• Perform management tasks on desktops such as assigning and un-assigning users
• Real time desktop performance monitoring
• Remote assistance
• Other support operations
3.2 Windows OS Licensing and Support
The Dizzion Managed DaaS Service Offering provides all Windows OS licensing required for the use of the service. Alternatively, customers may choose to use their own licenses purchased through a Microsoft authorized reseller. Customers bringing their own Microsoft OS licenses are responsible for:
• Ensuring compliance with applicable Microsoft license agreements.
• Contacting Microsoft or a preferred third-party for support on customer provided Microsoft products. Dizzion does not provide support for the Microsoft products provided by Customers.
Additional items to note:
• Virtual machines used for either virtual desktops, Remote Desktop Session Host (RDSH) servers, utility servers or other purposes must use a Windows operating system unless specifically approved by Dizzion.
• All other Dizzion provided infrastructure components are licensed by Dizzion.
Contact Dizzion sales for complete details on the number of virtual machines that need to be covered with Microsoft licenses specific to your use case.
4 Virtual Machine Sizing and Options
This section details options available for virtual desktops and vApplication servers.
4.1 Image Templates and Golden Images
Customers must use image templates when provisioning workloads. In the Managed DaaS service, customers must use image templates provided by Dizzion. Dizzion is responsible for configuration and optimization of the images according to Virtual Desktop Infrastructure (VDI) best practices.
Before Dizzion provided image templates are made available in the Dizzion C3 administration console, Dizzion ensures that the image templates are:
• Tested for quality
• Checked for viruses
• Updated with the latest OS security patches
Throughout the life of the service, Dizzion remains responsible for:
• Maintaining compliance with applicable license terms of the OS (unless the customer has provided OS licenses).
• Ongoing security patching of golden images, virtual desktops, and vApplication servers.
• Ongoing management of antivirus and anti-malware protection for golden images, virtual desktops, and vApplication servers.
Customers are responsible for:
• Maintaining compliance with third-party software and application licenses
• Ongoing management of third-party applications (updates, patches)
To comply with legal obligations to third-party licensors, Dizzion does not permit the customer to:
• Export or download image templates
• Use Dizzion provided image templates outside the Dizzion Managed DaaS Service
4.2 Virtual Desktop Sizing
The following table shows the available base configurations for virtual desktops in the Managed DaaS service. Resources such as vCPU, RAM, and HDD space can be added to these base configurations, but customers must choose a base configuration as a starting point for each virtual desktop workload.
Component | Professional | Premium
vCPU (400 MHz per vCPU) | 2 | 2
RAM (GB) | 4 | 6
HDD (GB) | 80 | 80
Workload Type | VDI | VDI
Windows 10 Client OS | Yes | Yes
Windows Server OS | Yes | Yes
vCPU, RAM, and HDD space can be added to these base configurations individually in increments of 2 vCPU, 2 GB RAM, and 500 GB HDD space. HDD space is also available with multiple speed (IOPS) options. Refer to section 4.5, “Add-on Storage”, for more detail.
1 vCPU = 400 MHz
4.3 Virtual Desktop types
Dizzion’s Managed DaaS service supports the creation of VMs using Instant Clones and Full Clones. Each has its own benefits and potential drawbacks. Details on both types are provided here.
Instant Clones
An instant-clone desktop pool is a pool created from a Golden Image. An instant clone is a copy of the Golden Image that shares the same virtual disks as the Golden Image. Instant clones can be used to deploy a non-persistent desktop environment, where all changes made to the virtual desktop are discarded following user logoff. Instant clones are re-provisioned from the Golden Image following each user logoff. Instant Clone VMs can be used for virtual desktops running Windows 10 or Windows Server Operating Systems.
Instant clone VMs provision very quickly (in minutes) and have the following properties:
• All changes made to an instant clone desktop image are discarded after each user session. This means that any changes a user makes to the desktop, any downloaded files, data left on the virtual hard drive, configuration changes, and any other change does not remain on that desktop image following the user logging off the desktop. This can greatly reduce the risk of data leakage as no data persists between user sessions.
• Instant clone images can be shared among multiple users. When instant clone desktops are provisioned, they sit idle, waiting for a user connection. Because they are not assigned to one specific user, but rather a group of users, any authorized user within the group can connect to any available instant clone desktop. When a user logs off, the desktop to which they were connected is deleted, and in its place, another is created from the Golden Image. The new desktop sits idle and awaits a new user connection. Customers only need as many instant clone desktops as there are users connected at the same time. In many cases, a customer can support more users than they have virtual desktops, if not all users need to be connected at the same time.
• A Golden Image used as an instant clone can only provision desktops within a single domain. If the customer has more than one domain, a unique Golden Image is required for each, even if the contents of the Golden Images are identical.
• Windows 10 and Windows Server client operating systems are supported.
• Instant Clone desktops do not retain any changes to the image made by a user.
• To provide a personalized desktop experience, the customer may choose for Dizzion to provide profile management services. For more information, see section 5.3, “Profile Management”.
Full Clones
A full clone is an independent copy of a Golden Image that shares nothing with the Golden Image after the cloning operation. Full Clone VMs provision at a much slower rate than instant clones but provide a persistent desktop experience. That is, all data and changes that a user makes to a Full Clone virtual desktop are saved on that virtual desktop and assigned to that user. Full Clone VMs can be used for virtual desktops running Windows 10 or Windows Server Operating Systems.
Full Clone desktops provision slower than instant clones and have the following properties:
• Full clone desktops cannot be shared among multiple users. Each user must be assigned their own, unique full clone desktop, but this does allow each user to have an experience that feels more like their own desktop or laptop, with limited restrictions on their ability to save data and modify their desktop experience.
• Full clone desktops must be patched individually, rather than at the Golden Image (for instant clones).
• Full clone desktops must have their applications and configuration settings updated individually, rather than at the Golden Image (for instant clones).
• Major revisions to software installed on a Full Clone image may require longer maintenance windows and be more difficult to troubleshoot if issues arise.
• Zero Day and other security/vulnerability updates can take significantly longer to deploy which may increase the risk of exposure.
4.4 Virtual Application Servers
Dizzion offers the ability to deploy Windows Server Virtual Machines (called vApplication Servers) in the customer’s PCVDC to support services provided by Windows Server that the customer may wish to add to their Dizzion Service Offering. The customer must use these vApplication Servers for services that are in direct support of the VDI and/or remote application service delivery service. Dizzion may allow an exception for customers who want to use a vApplication Server in a role such as:
• Domain Controller/Active Directory server
• File server
• Virtual Appliance
The following table shows the available base configurations for vApplication Servers in the Managed DaaS service. Resources such as vCPU, RAM, and HDD space can be added to these base configurations, but customers must choose a base configuration as a starting point for each vApplication Server workload.
Component | vApp Server (Small) | vApp Server (Large)
vCPU (400 MHz per vCPU) | 4 | 4
RAM (GB) | 16 | 32
HDD (GB) | 80 | 80
Windows 7, 8 Client OS | No | No
Windows 10 Client OS | No | No
Windows Server OS | Yes | Yes
To continuously ensure the optimal performance of the Managed DaaS Service offering, Dizzion reserves the right to:
• Limit resources available to vApplication servers.
• Require customers to upgrade vApplication server resources (vCPU, RAM, HDD).
• Power-off or disable vApplication Servers within a customer’s PCVDC.
Additional things to note when it comes to vApplication servers in the Dizzion Managed DaaS environment:
• Customers must use image templates provided by Dizzion to deploy vApplication servers. Dizzion does not allow customers to provide their own Windows image templates in the Managed DaaS service (exceptions can be made in the case of some virtual appliances).
• Maximum HDD size per vApplication server is subject to the limits stated in section 4.5, Add-on Storage.
• vApplication servers can only be administered by an authorized customer administrator accessing the VM via a remote protocol or via built-in web application running on the server.
• There is limited ability to customize the vApplication server’s deployment configuration relating to:
o Networking
o Load Balancing
o Auto-Scaling
o High Availability/Business Continuity
4.4.1 vApplication Server Limitations
vApplication servers must only run services that are in direct support of a customer’s Managed DaaS service. They are not designed to support applications that require public internet access or advanced infrastructure configurations.
Customers must only use approved server functions. The use of un-approved applications is not supported, because this may interfere with service performance and user experience. vApplication servers must not intercept network communications between virtual desktops and platform components. Encrypted hard disks are not allowed within the customer’s VM environment. Customers that need secure disk services should consider redirecting user data to their data center or may purchase third-party cloud services on which to deploy an encrypted file server as needed.
4.5 Add-on Storage
Additional (add-on) storage can be purchased in 500 GB increments. Add-on storage can be used to increase the size of a virtual hard drive on virtual desktops or vApplication servers, or to add an additional virtual hard drive to existing virtual desktops or vApplication servers. Add-on storage can be purchased as a single large quantity, and then allocated across multiple virtual desktops or vApplication servers. Storage is available in a variety of speeds (IOPS); contact your Dizzion account representative to coordinate placing an order for additional storage.
4.6 Profile Management
Dizzion provides a managed Profile Management service that can be used with the Managed DaaS Service Offering. This is available as an add-on service and is detailed more in section 5.3, “Profile Management”.
Profile Management requires additional storage and a file server (a vApplication server) to save profile data. Add-on storage must be purchased for this purpose.
5 Add-On and Optional Services
This section provides information on some of the add-on and optional services available with Dizzion’s Managed DaaS Service Offering.
5.1 Compliant Services
Managed DaaS customers who operate in industries that are subject to regulatory compliance, periodic security audits, or otherwise require additional security oversight in their Managed DaaS service can choose to subscribe to Dizzion’s Compliant Services. Compliant Services can relieve customers of the ever-changing burden of PCI DSS, HIPAA HITECH, SOC 2 Type II, and GDPR compliance. Customers that subscribe to Dizzion’s Compliant Services will have their PCVDC augmented with additional security systems, logging, monitoring, change control, audit reporting, and other processes and procedures that meet some of the most rigorous specifications of PCI, HIPAA HITECH, SOC 2, and GDPR.
In addition to these technologies and procedures, Compliant Services customers are also given access to Dizzion’s Attestation of Compliance (AOC) documentation (also referred to as a Report on Compliance, or ROC). This documentation is the result of Dizzion’s yearly third-party audits to ensure compliance with PCI DSS, HIPAA HITECH, SOC 2 Type II, and GDPR.
These documents can help a Dizzion customer prove to an auditor that the services being used at Dizzion meet applicable compliance standards.
A compliant PCVDC also includes the following components:
• Compliant Dedicated HA Firewalls
• Compliant Dedicated HA Security Servers
• Compliant Dedicated HA Connection Servers
• Compliant Dedicated HA Active Directory Servers
• Compliant Dedicated HA Load Balancers
• Compliant Dedicated HA Security Incident and Event Management (SIEM) Instance
• Compliant Dedicated HA Log Management System (LMS)
• Compliant Dedicated HA File Integrity Monitoring (FIM)
• Compliant Dedicated HA Intrusion Detection/Protection Systems (IDS/IPS)
In addition to these components, Dizzion performs periodic external penetration testing and vulnerability scanning of the customer’s PCVDC (as required by applicable compliance standards) and employs more than 100 audited processes and controls specific to desktop delivery, maintenance and end user desktop management. All Compliant Services customers also receive 24/7 security monitoring and alerting from our Security Operations Center.
5.1.1 Additional Information Regarding PCI DSS
Dizzion offers PCI compliant services that conform to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a proprietary information security standard administered by the PCI Security Standards Council and applies to any business that processes credit or debit card transactions, or that stores, processes or transmits cardholder data. Dizzion is a PCI DSS 3.2 Level 1 Service provider, the highest level of assessment available. Dizzion’s PCI Attestation of Compliance (AOC) satisfies the Tier 1 validation level and typically helps clients meet more than 65% of PCI requirements.
Dizzion’s Managed DaaS Service with Compliant Services has been verified by Coalfire, an independent Qualified Security Assessor (QSA), as meeting PCI DSS compliance standards.
5.1.2 Additional Information Regarding HIPAA and HIPAA HITECH
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a non-prescriptive compliance framework created by the US Government designed to protect a patient’s electronic healthcare record. The HITECH Act, enacted as a part of the American Recovery and Reinvestment Act (ARRA) of 2009, builds upon HIPAA requirements, mandating the disclosure of data breaches of personal health records, including those by business associates, vendors and related entities.
Under these regulations, service providers such as Dizzion are considered business associates. The Business Associate Addendum (BAA) is a contract required between service providers and healthcare organizations under HIPAA rules. As part of our service, Dizzion will enter into a BAA with our HIPAA compliant customers.
Dizzion’s Managed DaaS Service with Compliant Services has been verified by Coalfire, an independent Qualified Security Assessor (QSA), as meeting HIPAA HITECH compliance standards.
5.1.3 Additional Information Regarding SOC 2 Type II
Dizzion’s Managed DaaS Service with Compliant Services has been verified by Coalfire, an independent Qualified Security Assessor (QSA), as meeting SOC 2 Type II compliance standards. This audit is performed each year. Dizzion’s SOC 2 report verifies to customers that subscribe to Dizzion’s Compliant Services that Dizzion is delivering these services in accordance with best practices in the following applicable trust services areas:
Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability or confidentiality of information or systems and affect the entity's ability to meet its objectives.
Availability: Information and systems are available for operation and use to meet the entity's objectives.
Confidentiality: Information designated as confidential is protected to meet the entity's objectives.
5.1.4 Additional Information Regarding GDPR
General Data Protection Regulation, or GDPR, is a comprehensive data privacy regulation adopted by the European Parliament in 2016 that became enforceable in May 2018. Following the UK’s exit from the EU, the UK adopted the EU’s GDPR, with some minor adjustments. Both regulations apply to all organizations that collect, process, or store private information pertaining to residents of the EU or the UK, regardless of whether the organization is located in Europe or the UK. The GDPR codifies the basic rights of EU and UK residents (data subjects), which include:
1. The right to be informed about what data the organization is collecting and processing, and for what purposes.
2. The right to obtain confirmation that this data is being processed and to be provided access to the data that the organization is processing on the data subject’s behalf.
3. The right to amend this data.
4. The right to request that this data be deleted.
5. The right to change the data subject’s elections regarding collection and processing of private data.
6. The right to port the data subject’s data to another competing organization.
GDPR defines additional responsibilities on the part of data processors and controllers regarding breach notification, security, and other activities.
Dizzion’s Managed DaaS Service with Compliant Services has been verified by Coalfire, an independent Qualified Security Assessor (QSA), as meeting GDPR compliance standards.
5.2 Cloud Burst (Business Continuity)
Many Dizzion customers choose to leverage Dizzion services in a single cloud location (a single Dizzion site) because the guaranteed uptime SLA within each individual site is 99.99%. Some Dizzion customers, however, need to ensure that their service can remain uninterrupted even in the unlikely event that a single Dizzion site becomes unavailable. These customers often leverage a Dizzion service called Cloud Burst to support Business Continuity across multiple geographic locations.
Cloud Burst allows an organization to keep a pre-determined number of Dizzion virtual desktops on reserve and use them on an on-demand, temporary basis. Cloud Burst desktops are provisioned in a fraction of the time it takes to deploy standard steady-state desktops, allowing these resources to quickly be made available to end users. When the additional demand drops, or is no longer required, Cloud Burst desktops can be put back into “standby” mode, until the next time they are needed.
Cloud Burst desktops can also be used to temporarily increase available capacity (i.e. the number of virtual desktops) available to end users in a single Dizzion datacenter. This can be beneficial to organizations who may have unexpected short-term needs for additional staffing.
There are several methods by which Business Continuity with Cloud Burst can be deployed for Dizzion customers. For details on these methods, contact your Dizzion account representative.
5.3 Profile Management
Many Managed DaaS customers choose to incorporate Profile Management into their Dizzion environment to improve the end user experience. This is because in a typical non-persistent desktop model, any changes that a user makes to a virtual desktop are discarded upon logout. Application preferences, Windows desktop configurations, and files or data saved to the desktop are, by default, not saved or retained between desktop sessions with non-persistent desktops.
Profile management allows a user to save certain desktop settings, preferences, files or data to their own “user profile”, which is then retained for that user between desktop sessions. In a virtual environment, user profiles are stored on a file server instead of the virtual desktop itself. That way, the user profile data follows the user between each desktop session, and they can enjoy the advantages of persistent desktops with the lower management overhead of non-persistent desktops.
To learn more about Profile Management services available from Dizzion, contact your Dizzion account representative.
5.4 Web Content Filtering
Web Content Filtering is an optional Dizzion service that allows an organization to block access from Dizzion virtual desktops or applications to web content that may be deemed offensive, inappropriate, or otherwise objectionable. This service can enable organizations to enforce acceptable use policies (AUPs) for users of Dizzion virtual desktops and applications.
Web Content Filtering allows an organization to establish rules about the types of websites that may be visited by end users when using a Dizzion virtual desktop or application. Using keywords or other commonalities between sites, content is grouped into categories - such as sports, gambling, adult, streaming, and so on - and those sites in undesirable categories can be blocked.
Dizzion’s Web Content Filtering service provides the following:
• URL filtering for 120+ categories, languages for 200+ countries, and 99.9% of the active web
• Filtering includes YouTube categories, app categories, translation services, and safe search
• Custom web filtering categories, plus allow and deny lists (whitelist/blacklist)
• Custom Categories - Allows administrators to define custom categories, and URL include or exclude lists (whitelist/blacklist).
• Monitoring and Reporting - Allows administrators to view details about user activity, including policies that are triggered, the users who have triggered policies, the device(s) they were using, as well as information about the website to which access was attempted, and source and destination IP.
To learn more about Web Content Filtering services available from Dizzion, contact your Dizzion account representative.
6 Ordering and Invoicing
The following sections detail the processes, terms, and conditions for ordering Dizzion Managed DaaS Services including invoicing, service termination and renewal.
6.1 Ordering Capacity and Services
Customers can order components of the Dizzion DaaS Service direct from Dizzion or a Dizzion authorized reseller. All orders must be coordinated with Dizzion prior to being submitted. Contact your Dizzion account representative to coordinate placing an order for capacity and services.
6.1.1 Technical Deliverables Document
As part of the order process, Dizzion requires the customer to complete a “Technical Deliverables” document. This document details the technical requirements of the service being ordered.
As the Managed DaaS service often requires integration with an organization’s existing network(s), Active Directory services, and/or other components, it is imperative that Dizzion is aware of all necessary integration points and required configurations. Dizzion will provide this document via email to the customer contact.
Any order for service initiation, initial capacity, add-on capacity, or service modification cannot be completed until this document is completed by the customer and validated by Dizzion.
6.1.2 Subscription Model
Virtual desktops within Dizzion’s DaaS service are offered as a per-desktop subscription. Dizzion does not offer a per-user subscription model. A customer must subscribe to a fixed number of virtual desktops and is invoiced for the total number of desktops under contract, regardless of the actual number of users who have connected to the Service over any period of time, whether the Service Offering has been used or not, whether the desktops are instant clones or full clones, and whether users are assigned their own desktops or groups of users are sharing desktops.
Other components of the Dizzion DaaS service may be offered based on the quantity of service components purchased, or the quantity of users that have access to a given component.
The Dizzion DaaS Service is available in subscription periods of 1 month, 1 year, and 3 years. Customers can prepay for the entire committed subscription term or can choose to be invoiced monthly or annually.
6.1.3 Minimums
All initial orders must include a minimum capacity of 200 GB of RAM per data center deployment across all customer-facing service components (i.e. virtual desktops and vApplication Servers). Capacity can be allocated across any number of virtual desktops or vApplication servers.
6.1.4 Additional Capacity and Services
Customers can purchase additional virtual desktops, vApplication servers, storage, or other services at any time during the Subscription Term. As with initial orders, customers must consult a Dizzion sales representative or a Dizzion authorized reseller to coordinate any additional orders for capacity or services.
Additional terms and fees may apply to additional services. Additional orders will be subject to the existing Subscription Term and terminate concurrently with the initial order.
6.1.5 Additional Information
For more details on ordering, invoicing, or terms of service, refer to your purchase agreement, contact your Dizzion account representative, or refer to Dizzion’s Master Services Agreement (MSA).