Case study: Remote desktop connection security is virtualisation perk

Trailfinders Ltd., a travel firm, has found that virtual desktops simplify its security management processes.

London-based Trailfinders Ltd. has clocked up 40 years providing tailor-made holidays for its customers, but the company is about to embark on a new journey of its own: moving from a client-server IT architecture to a centrally managed virtual desktop model.

The aims of the transition are to make management of systems easier, to facilitate hot desking, and to tighten overall information security.

Trailfinders currently operates a local server at each of its offices around the country, each with a local network of fully featured Dell Inc. or Lenovo Group desktop PCs running Windows XP, said the company's IT director, Matthew Raymond.

The plan now is to move to thin-client terminals linked into a central server at its offices in Kensington, West London. "Eventually, we plan to have no local servers or PCs in the regional offices," Raymond said.

Each terminal will access a virtual desktop image. An employee can log in at any desk, using a username and password to secure the remote desktop connection, and immediately be presented with his or her own desktop image.

Key to the new approach is a combination of VMware Inc.'s View Virtual Desktop Management Application and Dynamic Desktop Studio from RES Software Ltd., a privately owned company headquartered in Holland. The RES product helps Trailfinders manage individual users' profiles on the central server, and integrates with the company's Active Directory system to determine each user's access rights. All desktop images will reside on a central server in London, and will be accessible from any terminal where a user logs in.

Centrally managed security
From a security viewpoint, Raymond has no doubts that the virtualised desktop is a better way to go. He has no desktop antimalware to worry about, and no local operating systems to maintain. Although the terminals have USB ports, they will be disabled by central policy and only enabled "by special request."

User authentication is done with username and password. "We did look at fingerprint readers, but the technology is still flaky, especially where you may have different people using the terminal," he said.

The company already used a cloud-based service from Cisco Systems Inc.'s ScanSafe unit to regulate the websites that employees can visit, as well as to allow certain groups of users to visit certain categories of sites. However, the company does provide an Internet-connected PC in every office that employees can use during lunch breaks or after work; that PC has no connection to the corporate network and is not subject to the same strict controls.

If the network connection breaks or goes down at any office, of course, the Wyse terminals would cease to operate and work would come to a halt. But, as Raymond said, even with the current PCs, staff can perform little work without an Internet connection anyway. "They might be able to write a letter in Word, but not much else," he said.

Also, in the event of downtime, the VoIP-based phone system would re-route incoming calls to other operational offices, Raymond said, so any business disruption could be kept to a minimum.

Cost savings?
Raymond said that taking the virtual desktop route is not expected to yield huge cost savings. The Wyse terminal costs only slightly less than a standard PC, he said, and once the cost of licensing software from VMware and RES is taken into account, overall systems costs will be roughly the same.

However, he does see huge savings coming from a reduction in the effort it takes to manage the company's remote offices. For instance, mending or maintaining remote PCs would normally require a site visit from an engineer, whereas now, "a terminal swap is just a 40-second job" that the users can do themselves, he said.
