By Karthik Iyer, Cloud Solutions Architect, Cloud and M365 practice, Sirius Star Enterprise Technologies.
The CFO asked which was cheaper, buying everyone laptops or moving them to the cloud. That is not actually the question. I said so in the meeting, because nobody likes being told their brief is wrong.
The firm runs back-office processing for a few overseas clients out of Hinjewadi, Pune. About 200 people. Roughly 120 are permanent and touch regulated client records every day. The other 80 are contract seats that swell at quarter-end and thin out after. Two managers, the CFO, and their IT lead were in the room. The trigger was simple. A contractor had lost a laptop on the Pune-Mumbai expressway, and that laptop had client data cached on it.
Nobody got breached. The drive was encrypted and the laptop was wiped remotely the next morning. But the client sent a security questionnaire two days later, and one line kept the CFO awake. “Confirm that no client personal data is stored on end-user devices.” Right then, they could not confirm it.
The question behind the question
Here is the reframe I gave them. Laptops or cloud is a cost argument. Where the data sits is a risk argument. You can answer the cost argument three different ways and still fail the risk one. So we start with the data.
On the laptop model, the data goes home every evening. It rides the expressway. Every device is a small copy of your risk, multiplied by 200. We have seen exactly this scenario turn a lost-and-found story into a regulator notification, and the deciding factor was never the encryption. It was whether the data belonged on the device at all.
That is the entire case for moving the desktop off the endpoint. If the desktop runs somewhere central and the laptop only shows a picture of it, a stolen laptop is a stolen picture frame. Annoying. Not a breach.
What virtual desktop infrastructure actually changes
Let me keep this plain. Virtual desktop infrastructure means the Windows desktop your staff use does not run on their laptop. It runs on a server in a datacentre. The laptop, or a thin client, or a tablet at home, connects in and sees the screen. Keystrokes go up, pixels come down. The files, the apps, the client records, all of it stays in the datacentre.
On the Citrix stack, the pieces have names. Citrix Virtual Apps and Desktops hosts the sessions. NetScaler sits at the edge as the secure gateway, so nobody touches a desktop without passing identity and posture checks first. You can record sessions, block the clipboard, switch off local printing and USB for the regulated teams, and leave it on for the rest. The control is per-group, not all-or-nothing.
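Per-group control only helps if someone checks that the regulated groups really have every device-side channel switched off. The audit below is an added example, not part of the original engagement and not Citrix's own policy schema: the group names, setting keys and sample export are constructed for illustration.

```python
# Added example: audit a per-group session policy export for channels that
# could move data from the hosted desktop to the endpoint.
# Group names and setting keys are hypothetical, not Citrix policy names.

EGRESS_CHANNELS = ("clipboard", "local_printing", "usb_redirection")

# Constructed sample export: one entry per delivery group.
SAMPLE_POLICY = {
    "permanent-regulated": {
        "regulated": True,
        "clipboard": False, "local_printing": False, "usb_redirection": False,
        "session_recording": True,
    },
    "contract-quarter-end": {
        "regulated": True,
        "clipboard": False, "local_printing": True,  # drifted setting
        "session_recording": True,                   # usb_redirection never set
    },
    "facilities": {
        "regulated": False,
        "clipboard": True, "local_printing": True, "usb_redirection": True,
        "session_recording": False,
    },
}


def audit_group(name, settings):
    """Return findings for one group; an empty list means it passes."""
    # A group with no classification is audited as regulated (fail closed).
    if not settings.get("regulated", True):
        return []
    findings = []
    for channel in EGRESS_CHANNELS:
        # A missing key is a finding: an unset value cannot be shown to be off.
        if settings.get(channel, True) is not False:
            state = "enabled" if channel in settings else "not set"
            findings.append(f"{name}: {channel} {state}")
    if settings.get("session_recording") is not True:
        findings.append(f"{name}: session_recording off, no evidence trail")
    return findings


def audit(policy):
    """Audit every group and return a sorted, flat list of findings."""
    return sorted(f for name, s in policy.items() for f in audit_group(name, s))


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print("FAIL", finding)
```

An empty result from `audit` is the state in which the questionnaire line about end-user devices can be answered with evidence rather than intent.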
The CFO’s first instinct was that this sounds expensive and complicated. Achha, fair. It can be. But the thing it removes is also expensive, and it does not show up on a single invoice. It shows up as 200 laptops to refresh, 200 attack surfaces to patch, and one questionnaire line you cannot answer. The trade is real. It is just not the trade he thought he was making.
On-premise VDI or DaaS: the capex and opex fork
Once you accept that the desktop moves off the device, there are two ways to host it, and they pull in opposite directions on the balance sheet.
Option one is on-premise VDI. You buy the servers, the storage, the hypervisor, and the VDI licensing, and you run it in your own datacentre. You own the residency completely, which a few clients and regulators genuinely like. The catch is capex. You size for your busiest day and pay for that capacity all year. For a stable headcount, the math is reasonable. For a headcount that breathes in and out, you pay for empty seats.
Option two is Citrix DaaS, the same Citrix desktop delivered from Citrix Cloud, with compute in a cloud region you choose. Matlab, the desktop runs in somebody else’s datacentre and you rent it monthly. That is the whole thing. No big upfront buy. You scale seats on a monthly bill. The trade is that an opex line never ends, and at scale a per-user subscription can cross what owned hardware costs over three years.
I came into this engagement leaning on-premise. Control is a real asset for a firm holding other people’s client data, and I trust owned residency more than a marketing slide about it. Then I looked at their actual seat pattern, and bas, my plan fell apart.
The contractor seats broke my first plan
The 120 permanent staff are a flat line. Easy to size, easy to own, a clean fit for a controlled VDI footprint. The 80 contract seats are a wave. They spike for six to eight weeks around quarter close and drop to almost nothing after. If I size on-premise VDI for the peak, that hardware sits dark for most of the year. If I size for the average, the firm has no capacity when the client needs the work done.
This is the wrong-sizing problem that shows up at the next budget review, when somebody asks why we bought capacity we use four months a year. So I changed the recommendation in the room, which I would rather do than defend a wrong answer later.
The split goes like this. Put the 120 permanent, regulated seats on a controlled VDI footprint where you own the residency and the controls are locked down hard. Put the 80 contract seats on Citrix DaaS, billed monthly, scaled to the actual quarter. NetScaler fronts both, so staff and contractors sign in the same way and the security posture is identical. The contractors never store a file locally, because there is no local file to store.
Where the data sits, and why DPDP cares
Under the DPDP Act, this firm is a Data Processor working for overseas Data Fiduciaries, and the contracts push the obligations down the chain. A line like “no personal data on end-user devices” lands in the data processing agreement and then in a client audit. With the desktop in the datacentre, you can answer the questionnaire line honestly, and you can show it. Session recording and access logs give you the evidence trail that CERT-In incident reporting and an ISO 27001 control review both expect, and the same trail a DPDP compliance program documents.
For the residency-strict reviewer, the on-premise core answers the hardest version of the question, because the regulated desktops never leave a datacentre the firm controls. For everything else, a chosen cloud region with logging in-region is usually enough.
What it costs over three years
Now the numbers, because Karthik does not get to hand-wave past the CFO. These are indicative figures, not a quote. The real number moves with the Citrix edition and region you pick. The point is the shape, not the decimal.
| Model | Where data lives | Scales down with headcount | Indicative 3-year cost shape (per seat) |
|---|---|---|---|
| Laptops plus VPN | On every device | No, hardware sits idle | approx Rs 90,000, front-loaded capex plus refresh |
| On-premise VDI | In your datacentre | No, you size for peak | approx Rs 80,000 at full use, heavy upfront capex |
| Citrix DaaS | In a region you choose | Yes, billed monthly | approx Rs 1,200 to 1,600 per user per month opex |
Read it the way the firm did. For the flat 120, the owned footprint wins on three-year cost and on residency. For the variable 80, DaaS wins because you stop paying the moment the quarter ends. The blended answer beat either pure option on their actual pattern, and that is why the split is the recommendation and not a compromise.
One thing to keep in your back pocket. Watch the per-user edition in the Citrix price book at renewal, and watch whether you are licensed concurrent or named-user. The difference between those two lines is where a tidy DaaS bill quietly grows, and it is easier to fix in the contract than in the invoice. The same caution holds if you compare against Microsoft 365 bundled options such as Windows 365 or Azure Virtual Desktop, which are real alternatives worth pricing in the same spreadsheet rather than dismissing.
FAQ
Is virtual desktop infrastructure only for large enterprises?
No. A 200-person firm is a common fit, especially when client contracts forbid data on local devices. The split between owned VDI and DaaS lets a mid-size firm match spend to its actual seat pattern instead of overbuying.
Does DaaS mean my data leaves India?
Not unless you let it. Citrix DaaS runs the compute in a cloud region you select, so you can keep the workloads and logs in an Indian region. For the strictest client requirements, an on-premise VDI footprint keeps regulated desktops in a datacentre you control.
What happens to a session if the internet drops?
The session stays alive on the server for a set window and reconnects when the link returns, so work is not lost. This is one reason a flaky branch link hurts less on VDI than on a synced local laptop.
How do we handle the contractor surge at quarter-end?
That is exactly what the DaaS side is for. You add seats for the busy weeks and remove them after, on a monthly bill, while the permanent core stays on the steady owned footprint.
P.S. This is Karthik. We ran almost this exact split for a services firm in Pune last quarter, and the line that sold it was not the cost table. It was the moment their CFO realised he could finally answer the client questionnaire with a yes instead of a maybe. If that line is in your inbox right now, that is usually where the project starts. Talk to our Cloud and M365 practice, and read how we approached Microsoft 365 governance and AI governance for a Bengaluru insurer when the same data questions came up.






