More secure alternative to VPN

Written by John P Mello Jr on October 23, 2009
Virtual Desktop Interfaces like GoToMyPC can be more secure than VPNs for remote workers.

As workers become increasingly mobile, they’re demanding access to their computers–both at home and in the office–from wherever they can connect to the Internet. Cube rats want to access their home computers. Road warriors need to connect to their office desktops to maintain their productivity while traveling. Linking to headquarters is essential for telecommuters.

Over the last decade or so, the vehicle for establishing secure connections outside a company’s firewalls has been the Virtual Private Network, or VPN. It allows a remote computer to tap into a corporate network by creating a secure tunnel to it through the Internet. This method, though, can have security risks. That’s opened a market for alternatives to the hoary VPN.

Because VPNs originate with a company’s IT department, their operation is unquestioned by their users. After all, the reason users are told they need to use the VPN is so they can connect to headquarters securely. That creates a false sense of safety among users so they’re likely to transfer sensitive data through the VPN without using additional encryption and deploy protocols that transmit authentication credentials without any protection at all.

In addition, the VPN can serve to protect an intruder’s mischief rather than block it. In many networks, the Intrusion Detection System (IDS) is located outside the VPN server. Because traffic through the VPN is encrypted, the IDS can’t see it. So if a cracker gains control of the VPN, he or she can attack the internal systems without being picked up by the IDS.

Here’s another problem with a VPN. When a VPN is established from a remote computer to a host computer, the remote computer essentially becomes part of the corporate network. Data moves between the two computers. If a document is opened up on the host computer, that data is sent to the remote computer. If changes are made to that document on the remote computer, the document is changed on the host computer.

“If the remote computer is already compromised by malware or viruses or anything like that, then the data that you exchange with your host computer could get infected,” Kishore V. Kalidindi, director of engineering at The Tolly Group Companies in Boca Raton, Fla., explained to me.

“Another thing,” he continued, “if you have a Trojan or keylogger on your local PC and it connects to your corporate network, then the malware can start spreading on your corporate network.”

“That’s a risk that administrators have to protect against before granting access from someone through a VPN,” he added. “They have to decide, do we need to do Security Posture Evaluation before letting a remote computer connect to our corporate network? That poses additional challenges for the administrator.”

Some Virtual Desktop Interface solutions, though, like GoToMyPC from Citrix Online, offer an alternative way to connect to a corporate network without a remote computer becoming part of that network. They do that by delivering a screen image to the remote computer, not the actual data from the host. Whatever is displayed on the host computer’s screen is being digitized, encrypted, compressed and transmitted to the remote computer. The host computer sees keyboard and mouse actions at the remote as if they were being executed on a keyboard and mouse connected to the host. “It doesn’t make the remote computer physically part of the corporate network, so certain security risks are mitigated by solutions like those,” Kalidindi explained. “Actual file data doesn’t get transmitted from your local computer to the corporate network.”

“That is a more secure approach of doing things,” he added.

Managing remote users has always been challenging for system administrators, and it’s more challenging now than it was when the only network access available to out-of-office workers was a phone and modem. Access can be less challenging with Virtual Desktop Interfaces. They can make an administrator’s life simpler, not only because sensitive information need not leave the network and their bandwidth requirements are modest, but because VDIs will often function in situations where VPNs won’t. Moreover, they remove the burden of the admin acting as Big Brother monitoring what mobile jocks can and can’t do with their laptops. In addition, should a user complain of unsavory happenings on his or her remote computer, the VDI can be used to quickly assess the situation. While VDIs may not be a viable substitute for a VPN in all cases, where they are viable they can reduce the security concerns of administrators opening up their networks to remote access by their company’s workforce.