Thin Client Security in a virtualised world
Thin client technology was developed over ten years ago to work in a closed corporate environment, but the trend towards cloud computing means that a high proportion of information is now accessible via the public Internet.

By Marc Hocking
This approach has reduced capital expenditure but begs the question: at what cost security?
More organisations than ever before rely on virtualisation and thin client technology to deliver cloud services at the desktop and across corporate-wide applications. This is good news for CIOs faced with budget squeezes. Fewer IT assets save money - simple. Some even argue that the virtual world offers additional security precisely because there are fewer assets to manage and all data is stored in one, centrally managed place.
However, the rise of flexible working throws a spanner in the works. With pressure on IT departments to reduce costs, and staff often reluctant to take company equipment home with them, there is a compelling case for employees to use their own computers, tablets, laptops and even smart phones to access the corporate network remotely. The financial hurdle may be overcome, but another, in the shape of security, emerges. However well protected centrally held information might be, securing the end point, of which there are now many more, is every bit as important as it has always been.
Unmanaged home computers are subject to all sorts of malware such as viruses and worms, and anyone who accesses the network via a browser can put the entire corporate network at risk. These computers need to have additional security, and crypto tokens or two-factor authentication on their own are not sufficient.
The situation is no better for thin client technologies (such as virtual desktops or published applications). While the thin client session does not store data, data can still be lost or stolen from it. The removal of administration privileges means that users can’t tamper with the configuration or install additional software, but it also means they often can’t tell if the device has been subject to an attack. A thin client session is just as exposed as a desktop computer to key loggers and screen scrapers, viruses, trojans, worms, rootkits, botnets, spyware and dishonest adware.
Technology to the rescue
All this might sound like a major headache for today’s IT department but ‘necessity is the mother of invention’ as they say and technology is certainly a shining example of this old adage. IT directors should embrace the wealth of sophisticated technology that exists to counteract the top security risks associated with thin client and remote working - cross contamination of malware, hacker intervention and data leakage.
Securing the end point in a cost-efficient way is a tricky problem, but one that can be addressed in a relatively straightforward way. Using the latest remote-working solutions based on encryption, some of which have been approved by the UK Government for use with sensitive data, can add layers of security to platforms such as VMware and Citrix, ensuring that data remains safe even when the end point is compromised.
Using technology called a ‘trusted client’, an unmanaged PC or thin client can be turned into a secure network access point. Typically the ‘trusted client’ has a very small footprint, so it can be loaded onto a USB stick or DVD, or directly onto a laptop or thin client. By rebooting the device into the ‘trusted client’, a secure, isolated environment is created in which users can safely access the corporate network, data and applications. Only the host machine’s memory, processor and keyboard are used, so the network is protected from malware and the data accessed is encrypted.
Such devices are completely encrypted, including the ‘hardened’ operating system. At shut down the volatile memory is cleared leaving absolutely no trace of the session on the host machine. As well as being used for remote access, home working and occasional off-site working, this technology can also be used in business continuity scenarios, either as a secure remote access device, or as a standalone secure environment, should the corporate network fail.
Beware the enemy within
There is a great deal of publicity about intruders and external threats to systems, but surveys show that for most organisations the actual loss from insiders is much greater. Take data leakage as an example. Lost and stolen data is in the news almost every day. A careless or disgruntled employee can cause huge damage to an organisation by losing or stealing sensitive data, such as confidential product information and customer names, that has been saved on insecure hard disks or CDs/DVDs/USB devices.
The only way around this is to retain complete control of the configuration of the thin client or desktop computer. In this way, data can’t be saved or even accessed without the appropriate security approvals and any time that data is accessed or saved there is an audit trail logging the event.
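The control described above has two halves: an approval check in front of every data access, and an audit record for every attempt that the insider cannot quietly edit afterwards. The following is an added example (not code from the article or from Becrypt) showing one way to build both in Python. The policy table, the data store, the audit key and the user and role names are all constructed for the illustration; the audit chain uses an HMAC over each record plus the previous record's digest, so removing or altering a line breaks verification.

```python
"""Added example: an approval-gated data gateway with a tamper-evident audit trail.
Nothing here is from the article or from Becrypt; policy, data and key are constructed."""
import hashlib
import hmac
import json
import time

# Constructed sample policy: which role may perform which action on which classification.
POLICY = {
    "engineer": {"internal": {"read", "write"}, "confidential": {"read"}},
    "contractor": {"internal": {"read"}},
}

# Constructed sample data store; every object carries a classification label.
DATASTORE = {
    "product-roadmap.docx": {"class": "confidential", "body": b"roadmap (constructed)"},
    "canteen-menu.txt": {"class": "internal", "body": b"menu (constructed)"},
}


class AuditTrail:
    """Append-only log. Each record stores an HMAC over its own fields and the
    previous record's digest, keyed with a secret that is assumed to live on a
    separate audit server, so an edited or deleted record fails verify()."""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []
        self._prev = b"\x00" * 32  # chain anchor for the first record

    def _digest(self, fields: dict, prev: bytes) -> bytes:
        payload = json.dumps(fields, sort_keys=True).encode() + prev
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def log(self, **fields):
        record = dict(fields)
        record["ts"] = round(time.time(), 3)
        record["chain"] = self._digest(record, self._prev).hex()
        self._prev = bytes.fromhex(record["chain"])
        self.records.append(record)

    def verify(self) -> bool:
        """Recompute the chain from the anchor; False if any record was altered."""
        prev = b"\x00" * 32
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "chain"}
            expected = self._digest(body, prev).hex()
            if not hmac.compare_digest(expected, rec["chain"]):
                return False
            prev = bytes.fromhex(rec["chain"])
        return True


class DataGateway:
    """Every read or write goes through access(); denied attempts are logged too."""

    def __init__(self, audit: AuditTrail):
        self.audit = audit

    def access(self, user: str, role: str, name: str, action: str):
        obj = DATASTORE.get(name)
        if obj is None:
            self.audit.log(user=user, role=role, name=name, action=action, result="no-such-object")
            raise FileNotFoundError(name)
        allowed = action in POLICY.get(role, {}).get(obj["class"], set())
        self.audit.log(user=user, role=role, name=name, action=action,
                       classification=obj["class"], result="allow" if allowed else "deny")
        if not allowed:
            raise PermissionError(f"{role} may not {action} {obj['class']} data")
        return obj["body"] if action == "read" else None


def demo():
    """Run one allowed and one denied access, then show that editing the
    denied record to hide it is detected. Returns (results, ok_before, ok_after)."""
    trail = AuditTrail(key=b"constructed-audit-key")
    gw = DataGateway(trail)
    gw.access("alice", "engineer", "product-roadmap.docx", "read")   # constructed user
    try:
        gw.access("bob", "contractor", "product-roadmap.docx", "read")  # constructed user
    except PermissionError:
        pass
    results = [r["result"] for r in trail.records]
    ok_before = trail.verify()
    trail.records[1]["result"] = "allow"  # an insider rewriting history
    return results, ok_before, trail.verify()


if __name__ == "__main__":
    print(demo())
```

In a real deployment the audit key and the verification step belong on a system the thin client user cannot reach; the chain only proves tampering if the verifier holds an independent copy of the key.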
Don’t be lulled into a false sense of security
Many companies fall victim to a false sense of security. Simply installing a set of security processes and products doesn’t provide security ad infinitum. Systems must be constantly assessed for fitness for purpose. It is critical that systems are set up to automatically check for malware whenever new data is introduced, and the connection of any external device to the network or to an individual PC should also trigger an automatic virus scan of that device.
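To make the "scan whenever new data or a device arrives" rule concrete, here is an added example in Python (not code from the article or from Becrypt) of a scanner that can be called from whatever fires on a device mount or on a drop folder. It checks three things a removable-media scan would typically cover: a hash blocklist, the presence of an autorun.inf, and executables disguised with a document-like double extension. The blocklist entry, the sample device contents and the hook point are all constructed for the illustration; a production scan would hand the same tree to a full anti-malware engine as well.

```python
"""Added example: scan a newly mounted device or drop folder before admitting its
contents. Blocklist and sample files are constructed; nothing here is from the article."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed blocklist: in practice this holds SHA-256 hashes of known-bad files.
# The value below is the hash of a constructed test payload, not real malware.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed test payload for the blocklist").hexdigest(),
}
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk"}
DECOY_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_file(path: Path) -> list:
    """Return the list of rules this file trips (empty if clean)."""
    findings = []
    suffixes = [s.lower() for s in path.suffixes]
    if path.name.lower() == "autorun.inf":
        findings.append("autorun.inf present")
    if (len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_SUFFIXES
            and suffixes[-2] in DECOY_SUFFIXES):
        findings.append("executable with document-like double extension")
    if sha256_of(path) in KNOWN_BAD_SHA256:
        findings.append("hash matches blocklist")
    return findings


def scan_tree(root: str) -> dict:
    """Walk root and return {relative path: findings} for files that tripped a rule.
    Hook point (assumed): call scan_tree(mount_point) from the handler that runs
    when a device is mounted, and block use of the device if the result is non-empty."""
    results = {}
    root_path = Path(root)
    for dirpath, _dirs, files in os.walk(root_path):
        for fn in files:
            p = Path(dirpath) / fn
            if p.is_symlink():
                continue  # never follow links that could point off the device
            findings = check_file(p)
            if findings:
                results[p.relative_to(root_path).as_posix()] = findings
    return results


def build_sample_device() -> str:
    """Construct a temporary directory standing in for a freshly mounted USB stick."""
    d = Path(tempfile.mkdtemp(prefix="usb-"))
    (d / "holiday-photos").mkdir()
    (d / "holiday-photos" / "beach.jpg").write_bytes(b"\xff\xd8\xff constructed jpeg")
    (d / "invoice.pdf.exe").write_bytes(b"MZ constructed")
    (d / "autorun.inf").write_bytes(b"[autorun]\n")
    (d / "notes.txt").write_bytes(b"constructed test payload for the blocklist")
    return str(d)


if __name__ == "__main__":
    for rel, why in scan_tree(build_sample_device()).items():
        print(rel, "->", "; ".join(why))
```

The double-extension rule is deliberately narrow (an executable suffix following a document suffix) so that ordinary versioned filenames such as report.v2.txt do not trip it.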
Combining the latest technology with knowledge of who has access to your data will offer the best protection in today’s virtualised world.
Marc Hocking is Chief Technology Officer at Becrypt
Becrypt Ltd is exhibiting at Infosecurity Europe 2011 on 19th – 21st April. For further information please visit www.infosec.co.uk