Thin New Line: Data Security and Thin Client Computing

Server-based computing has long been recognized for its ease of application management.
But now a fast-growing number of organizations are turning to thin clients, finding that
they can dramatically improve data security
at the desktop with lower costs.
What do the following three incidents have in common?
• January 2004: MyDoom becomes the fastest-spreading computer worm in history, affecting as many as 1 million systems.
• March 2006: a leading mutual fund company reports the loss of a laptop computer containing personal data on 196,000 customers.
• May 2006: the records of 26.5 million U.S. veterans are stolen from the home of a Department of Veterans Affairs worker, who had downloaded them from his office PC.
In all these data security cases, the potential ramifications—
including loss of revenue, costs for remediation, and damage to
reputation—were immeasurable. And in every one, the primary
means or point of failure was a personal computer.
In fact, experts agree that the ubiquitous PC is perhaps the
weakest plate in the security armor. “Viruses, worms, and Trojan
horses have become more nefarious,” says Bob O’Donnell, vice
president of clients and displays for research firm IDC. “There’s a
whole bunch of nasty stuff that can get brought into the network
environment from PCs and notebooks.”
It’s no surprise, then, that as organizations look for a solution,
they’re increasingly turning away from PCs and toward thin
clients. Thin client computing—running applications on centralized servers while providing access to data and services from a
diskless desktop device—is increasingly recognized as being more
cost-effective and easier to manage than traditional PCs. Most
important, enterprises are increasingly turning to thin clients
because they offer inherently greater security.
THE GATHERING STORM
There’s no question that data security remains top of mind for
CIOs, IT managers, and business managers alike. Viruses and
worms are considered the greatest threat, followed by spyware,
according to Forrester Research’s February 23, 2006, study, titled
“Fear Factor: Information Assets and Viruses and Worms Top IT
Security Threat List.” To mitigate these risks, more than half of
companies will purchase client antivirus and antispyware software
this year, and nearly half will invest in advanced firewalls.
In “Desktop Virtualization is Future of the Corporate PC,” published January 5, 2006, Forrester noted that “traditional PCs are
prone to viruses and worms, need constant security patching, and
expose critical data and applications to malicious behavior from
internal and external sources. As firms move more users from
desktops to laptops, the security risks increase.”
However, while two-thirds of companies have installed tools for
automated patch assessment and deployment on desktops and
laptops, less than half are using vulnerability assessment tools to
monitor their PCs. And only 40 percent have deployed security
configuration management on the desktop. Without these tools,
it is impossible to determine whether protection is functional,
adequate, and effective.
TOP 6 MOST COSTLY DATA SECURITY BREACHES
Source: Computer Security Institute, 2005
Among the Top 6 most costly data security breaches are viruses, unauthorized access, and data theft. Organizations reported losing $130 million to security incidents in 2005.
And as many observers have noted, the data security threat is growing, in part because there are now more mobile devices and, as a result, more and more data is being stored outside the company. Compounding this is the fact that there are seldom procedures or protocols in place to protect that data from loss or theft.
KEEPING THE DATA IN
To address these security risks, a growing number of organizations have turned to using thin clients and server-based computing. Server-based computing with thin clients is the architectural
opposite of traditional PC environments. In a PC environment,
personal productivity software such as Microsoft Office runs on
the desktop. A large amount of corporate data is stored on the
desktop, as well.
With server-based computing utilizing thin clients on the desktop,
employees can have access to the same applications, with the same
look and feel, as with PCs. But all applications and data reside on
centralized servers, where they can be closely and more easily
managed by IT staff. And all external connections—through
email and the Internet, for example—occur at a centrally
controlled and managed location.
In many environments, thin clients offer distinct advantages over
PCs. For starters, IT management is far easier and more efficient.
Cost of ownership for both desktop and overall IT infrastructure
is significantly lower. Thin clients are highly reliable, with a mean
time between failure an order of magnitude better than that of
PCs, since there are no moving parts. By leveraging the back-end
server environment, thin client computing offers superior availability and scalability.
Although these are strong value propositions for thin clients,
greater security is the major reason that sales of thin clients are
growing at a rapid pace around the world. IDC’s O’Donnell
expects a compound annual growth in double digits, a rate about
twice that of PCs.
In fact, thin clients offer such a broad range of security benefits
that organizations both large and small are deploying them
specifically for their security advantages.
REMAINING UNDER LOCK AND KEY
Because thin client computing is server-based, with all applications running on servers and all data residing on centralized disk
drives, the result is better desktop security.
“Email, Web browsers, and other productivity applications all
have the ability to download, save, and execute malicious code,”
says Ed Parks, vice president of engineering for Neoware, a
global provider of thin client devices and supporting software
and services. If those applications are running on desktop PCs,
then each PC has to be secure enough to catch the malicious
code before it causes damage. And security experts agree that
the odds of securing every employee’s desktop are slim. “When applications run on servers in the data center and not on the desktop,” Parks continues, “they’re much easier to protect.”

DESKTOP SECURITY: 10 KEY QUESTIONS
Not sure whether thin client computing can improve your security profile? Ask yourself these 10 questions:
1. Am I investing more resources in patch management, security, and maintenance measures?
2. Is my desktop support infrastructure growing—and costing more?
3. Is my organization vulnerable to viruses, worms, Trojans, and other Internet or email-based threats?
4. Do my users require access to corporate data and applications from remote locations?
5. Am I worried that users aren’t backing up critical data?
6. Do I suspect that users aren’t adhering to company policy for email and Internet use?
7. Do I have doubts about whether users are maintaining proper security configurations and settings on their PCs?
8. Am I concerned that users could lose or misuse sensitive company information on their notebooks?
9. Can users download customer data onto USB keys, CDs/DVDs, disks, or other portable media?
10. Do I have concerns that my organization’s security profile might not be in compliance with regulations such as Sarbanes-Oxley and HIPAA?
If you answered "yes" to even one of these questions, then thin clients can effectively enhance security in your enterprise.
In fact, O’Donnell adds, “because applications and data are tightly managed at the server, thin clients inherently enforce IT best practices.” The security that thin clients deliver, experts note, is evident in a number of key areas:
Data storage—Thin clients have no hard drive or disk drive.
Instead, they use a small, solid-state flash memory, eliminating local data storage. Thin clients can also be configured without
flash to operate in a truly stateless mode. There is no locally
stored data that can be corrupted, lost, or stolen. Data remains in
the data center, where customer information and trade secrets are
kept under lock and key.
And with the appropriate software, thin clients can be configured
to function with a virtual operating system that resides on the
server. Security of that operating system can be managed in the
data center, instead of on every desktop and in remote locations.
Viruses—Thin clients are largely immune to viruses, worms, and
Trojan horses. “Two-thirds of thin clients sold are based on Linux
or Microsoft Windows CE,” Parks points out. “To our knowledge, no thin client with either of these operating systems has
been infected with a virus.” Even if such an infection were to take
place, because the device is “locked down,” a simple reboot
would remove any malware.
Most of the other thin clients run Microsoft Windows XP
Embedded (Windows XPe). Because Windows XPe is based on
the widely used Windows XP operating system—
a popular target of virus creators—those thin clients are more
vulnerable than Linux or Windows CE clients. But they’re still
far less at risk than traditional Windows PCs.
One reason is that PCs locally run and store email—the source of
95 percent of viruses. Even if thin clients are running Windows
XPe, software technology protects against any updates to the flash
memory. “Should a virus somehow get onto the desktop, it
would exist only in memory,” Neoware’s Parks says. “As soon as
you turn off the device, the virus disappears. Turn it back on
again, and your virus problem is over.” Some thin client
providers, such as Neoware, offer security software to further protect Windows XPe devices with enhanced firewall and open antivirus solutions.
Theft—One of the greatest threats to data security is theft of PCs
and laptop computers. Thin clients have a far lower risk of theft
because they contain no data and are no longer usable when disconnected from the network. And configured properly, they can’t
be used to copy data to media or devices that can be lost or stolen.
Remote access—Thin clients provide a more secure environment for workers operating remotely. Employees can use a thin
client to work from home or another remote location over an
encrypted connection. Applications and data never leave the data
center in a form that can be misused.
For highly mobile workers, one leading thin client provider has
begun offering thin client laptops. Thin laptops can be used
remotely if they’re in a location with Internet access and they
contain a virtual private network (VPN) client that can access the
enterprise network. As with thin desktops, all application data
remains in the data center.
In fact, some observers suggest, users who want the benefits of a
roaming portable desktop will get the best security, performance,
support, and recovery when they choose a centrally managed
server-based computing model. Pairing a mobile thin client laptop with a cellular data card, VPN, and secure token can provide
network connectivity at all times, allowing greater mobility and
security, eliminating the possibility of local data theft.
Email and Internet usage—Two of the most common productivity applications, Microsoft Internet Explorer and Microsoft
Outlook, which are the targets of most malware, are more secure
when server-based. Centralized management of Internet access allows a company to better monitor and control usage, leading to better compliance with corporate policies and helping to circumvent phishing fraud.

THIN SECURITY: SOFTWARE THAT MAKES A DIFFERENCE
Two important tools in the traditional PC security manager’s toolbox are firewalls and antivirus software. But until recently, thin client computing could not take full advantage of these security mechanisms.
Let’s say you wanted to implement server-based computing in a mixed thin client and PC environment. Your Windows XPe thin clients would likely come with no built-in firewall, or with one that restricted only inbound traffic. As a result, it may allow an infected client to propagate the infection to other clients on the network.
Likewise, the Windows XPe thin clients may be bundled with a simple anti-virus software, with limited features. If your organization had a preferred anti-virus solution, chances are, you wouldn’t be able to deploy it on your thin clients. And even if you could, you wouldn’t be able to update that software in an automated fashion along with your PCs.
Today, leading thin client providers are responding with improved firewalls and antivirus software. Neoware Security Center, for example, provides a significantly enhanced firewall that prevents unauthorized access to servers and desktops by filtering both inbound and outbound traffic. It also allows you to deploy the same industry-standard antivirus software on both your thin clients and your PCs, making administration easier and more cost-effective.

DATA SECURITY: PCs vs. THIN CLIENTS
Security issue: Risk of viruses to corporate network
  PCs: Transfer of viruses through LAN or VPN connections is a serious problem.
  Thin clients: Transfer of viruses through remote displays is rare and difficult to do.
Security issue: Risk to local data
  PCs: Extensive local data. Enterprise usually has no data inventory.
  Thin clients: Minimal, consisting of temporary cache on client. File uploads and downloads can be prohibited.
Security issue: Risk to local applications
  PCs: Programs, settings, and permissions are at risk.
  Thin clients: Minimal, as the client is a remote display interface.
Security issue: Risk of keystroke logging
  PCs: A full-client personal firewall should be used.
  Thin clients: An on-demand personal firewall for nonmanaged systems or a full-client personal firewall on managed systems should be used.
Security issue: Patch management
  PCs: Client updates are frequent and critical.
  Thin clients: Client updates are minimal.
Security issue: Backup and synchronization of critical data
  PCs: Backup and audit consistency is difficult to enforce and requires a large investment in storage.
  Thin clients: Can be done automatically at central site.
Security issue: Roaming portable desktop
  PCs: Internet-based remote-control tools fail to avoid maintenance problems of individual workstations and create vulnerability of penetration through firewalls.
  Thin clients: User enjoys the performance, support, backup, and security advantages of a centrally managed system.
Security issue: Session monitoring
  PCs: User will notice differences in application behavior and network performance.
  Thin clients: Transparent to the user.
Based on research by Gartner.
Thin clients offer security advantages over traditional PCs in key areas such as patch management, data integrity, data backup, and virus protection.
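The “Thin Security” sidebar contrasts a thin client firewall that restricts only inbound traffic with one that filters both directions. The following Python model is an added illustration, not code from this paper or from Neoware Security Center: it evaluates two constructed host-firewall policies against sample connection attempts (the addresses, subnets and the Citrix ICA tcp/1494 and RDP tcp/3389 ports are assumptions) to show why an inbound-only policy still lets an infected client reach its neighbours on the user LAN, and why denied outbound attempts from a locked-down client are the events worth alerting on.

```python
# Added example (not Neoware code): compare an inbound-only host firewall with
# one that filters both directions, as the "Thin Security" sidebar describes.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """A connection attempt as seen from the thin client."""
    direction: str  # "out" = client initiates, "in" = remote host initiates
    src: str
    dst: str
    dport: int

    def remote(self):
        """Address of the party on the far side of the thin client."""
        return ip_address(self.dst if self.direction == "out" else self.src)


@dataclass(frozen=True)
class Rule:
    direction: str
    remote: str            # CIDR of the remote side
    dport: Optional[int]   # None = any port
    action: str            # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (flow.direction == self.direction
                and flow.remote() in ip_network(self.remote)
                and (self.dport is None or self.dport == flow.dport))


@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple
    default: dict  # per-direction default action when no rule matches

    def decide(self, flow: Flow) -> str:
        for rule in self.rules:          # first match wins
            if rule.matches(flow):
                return rule.action
        return self.default[flow.direction]


# Constructed topology (assumption, not from the paper): application servers in
# 10.1.0.0/24; thin clients and PCs share the user LAN 10.20.0.0/24.
SERVERS = "10.1.0.0/24"
USER_LAN = "10.20.0.0/24"

# Weak setting: inbound restricted to the server subnet, outbound left wide open.
INBOUND_ONLY = Policy(
    name="inbound-only",
    rules=(Rule("in", SERVERS, None, "allow"),),
    default={"in": "deny", "out": "allow"},
)

# Corrected setting: outbound limited to the session protocols the client needs
# (Citrix ICA tcp/1494, RDP tcp/3389) and only towards the servers; all else denied.
BOTH_DIRECTIONS = Policy(
    name="inbound+outbound",
    rules=(
        Rule("in", SERVERS, None, "allow"),
        Rule("out", SERVERS, 1494, "allow"),
        Rule("out", SERVERS, 3389, "allow"),
    ),
    default={"in": "deny", "out": "deny"},
)

# Constructed sample traffic: one legitimate session plus a worm-style attempt
# by an infected client to reach a neighbouring PC over SMB (tcp/445).
SAMPLE_FLOWS = [
    Flow("out", "10.20.0.15", "10.1.0.10", 1494),   # client -> ICA server
    Flow("out", "10.20.0.15", "10.20.0.16", 445),   # client -> peer PC, SMB
    Flow("in",  "10.20.0.16", "10.20.0.15", 445),   # peer PC -> client, SMB
    Flow("in",  "10.1.0.20",  "10.20.0.15", 22),    # management server -> client
]


def audit(policy: Policy, flows):
    """Map each (direction, dst, dport) to the policy's verdict."""
    return {(f.direction, f.dst, f.dport): policy.decide(f) for f in flows}


def lateral_attempts_blocked(policy: Policy, flows) -> int:
    """Count outbound flows to the user LAN that the policy denies; a thin
    client should never originate these, so each one is a detection signal."""
    return sum(1 for f in flows
               if f.direction == "out" and f.remote() in ip_network(USER_LAN)
               and policy.decide(f) == "deny")


if __name__ == "__main__":
    for policy in (INBOUND_ONLY, BOTH_DIRECTIONS):
        print(policy.name, "blocks", lateral_attempts_blocked(policy, SAMPLE_FLOWS),
              "lateral attempt(s)")
        for key, verdict in audit(policy, SAMPLE_FLOWS).items():
            print("  ", key, "->", verdict)
```

Both policies reject the unsolicited inbound SMB connection, so the difference is invisible until the client itself is the source: only the bidirectional policy stops the client-to-peer attempt, and the resulting denied-outbound event is what a central log collector should raise, since a stateless thin client has no legitimate reason to initiate connections to other desktops.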
Data backup and restore—Because thin clients don’t store data
locally, no data needs to be backed up or restored on the desktop.
All data that employees access, create, and modify is stored on a
server and is managed as part of the enterprise backup process.
What’s more, recovery from a disaster is much more efficient. If
a thin client is damaged or fails, the user simply plugs in a new
one, and it configures itself within minutes, without IT support.
Individual and group profiles/user settings exist on the server,
not on the device, so there’s no need to restore a user environment locally.
As a result, it becomes much easier to set up a new IT operation
at a temporary site to respond to a natural disaster or other business interruption. Since all the data and applications run on a
server, there are no individual desktop images and data to build.
Also, companies can better prepare for pandemic strategies
because a server-based architecture enables an easy transition to
work-at-home options.
Configuration—Thin clients can be locked down much
more thoroughly than PCs, and they don’t allow for nonstandard
configurations on the desktop—a common source of security
breaches.
“The ideal in any IT organization is to be able to centrally
control all user environments—for more efficient management,
easier troubleshooting, and more effective security,” Parks argues.
“That’s notoriously hard to do with PCs, because you have
different classes of users with different requirements and different
configurations.” As a result, users eventually figure out how to
modify their own devices. With thin client computing, users have
access to applications and services on the basis of a user profile,
and the desktop environment is managed centrally.
CENTRALIZED MONITORING AND
MANAGEMENT
According to Forrester’s January 5, 2006, report, “managing
access to sensitive applications and data is easier in a centralized
model like server-based computing.” In a server-based environment with thin clients, a company can centralize security monitoring and management, including key activities such as security
patch management, routine updates, and automation.
Traditional PC environments, in contrast, involve more complex
administration—especially the need to distribute security patches
to full-client desktops. And the greater the complexity, the greater the chance that individual PCs will be overlooked and security vulnerabilities will creep in. But when PC security is no longer an issue, the IT organization can focus on securing the data center and the network.
What’s more, thin client operating systems—Linux, Windows CE, and Windows XPe—are recognized as being far more secure than the Windows variants that run on traditional desktops. Linux and Windows CE aren’t targets for perpetrators who create viruses, and they require virtually no security patches or upgrades. Windows XPe doesn’t contain many of the Windows XP components that have been exploited by viruses. Although Microsoft regularly releases security patches for Windows XP, only about one-quarter to one-third of those patches apply to Windows XPe. That makes XPe thin client patch management less frequent, faster, and less complex.
Organizations can further secure the desktop through virtualization—hosting the desktop operating system in the data center and streaming it to the desktop on demand (see sidebar, “Better Security Through Desktop Virtualization”). Desktop virtualization can maximize the performance, extend the lifespan, and improve the security of both PCs and thin clients.
Server-based computing centralizes and streamlines security management, increasing the efficiency of IT staff. Likewise, it can improve the productivity of all employees. Most organizations that use technologies such as Citrix or Terminal Server typically have enough server capacity built-in that they can temporarily take a server offline, install a patch, and bring the server back up without affecting performance. This allows end-users to continue working. In a traditional client-server architecture, desktop PCs need to be taken offline, patched, and rebooted, decreasing business productivity. With thin clients, patches can be applied without disturbing the workforce or interrupting productivity.

WEIGHING THE RISKS AGAINST THE COSTS
Of course, there’s no such thing as 100 percent security. Security is fundamentally a matter of weighing the risks against the costs—and striking the right balance based on your business needs. Cost is another area where thin clients offer a security advantage. Thin clients can enable a company to increase the level of security for less cost.
Added to the security price tag are continuing increases in security costs for PCs. Organizations are investing heavily in administering patches to desktop operating systems, upgrading desktop applications, and updating antivirus software. They require larger and larger staffs for helpdesk and desktop support.
In fact, experts contend that organizations spend the largest portion of their IT budgets maintaining existing systems. By reducing the time and complexity involved in infrastructure maintenance, a company can redirect its IT budget toward activities that will improve the business.

IMPACT OF SARBANES-OXLEY ACT ON DATA SECURITY
Source: Computer Security Institute, 2005
Organizations in a broad range of industries report that the Sarbanes-Oxley Act has either raised their level of interest in data security or changed their focus from technology to corporate governance.
COMPLIANCE: PROTECTING CORPORATE DATA
An increasingly important aspect of data security is regulatory
compliance. An ever-growing number of government regulations
and industry directives include provisions for the management
and protection of corporate data.
By centralizing and enabling tighter control over information
assets, server-based computing can improve a company's compliance profile. “Compliance has been driving interest in [desktop]
lockdown because it is hard for organizations to certify compliance with certain regulations if they have no idea what's being
done on their PCs,” notes a 2005 Gartner report, “Consider
User Profiles in Implementing Desktop Lockdowns.”
This is particularly important in light of several recent regulations:
Sarbanes-Oxley Act—Sarbanes-Oxley addresses the governance
of electronic documents, communications, application data, and other key records. Provisions cover not only data storage but also email, Internet access and the downloading of data and applications. If employees are managing their own documents
locally, they can store information that could legally expose their
organization. They can also lose or misuse data about trade
secrets or customers. And they can delete data that could be
required in an audit. By centralizing the management of applications, email and electronic documents, thin client computing
ensures that executive management always has control over the
company’s information assets.
Data Privacy Laws—Governmental bodies around the world—
including the European Union, Japan, and a growing number of
U.S. states—have passed laws that require the protection of personal information. These laws apply not only to customer data
but also to HR files. Managing data centrally can help ensure
that this information is never lost, stolen, or otherwise misused.
Health Insurance Portability and Accountability Act (HIPAA)
sets out stringent requirements for data security and patient privacy. “To be compliant, you need to be able to demonstrate that
your PCs don’t download and store data locally,” IDC’s
O’Donnell explains. “That can be difficult to do if you’re running applications locally on PCs. But thin clients can’t store data,
so they make it easy to demonstrate that you’re in compliance.”
WORLDWIDE GROWTH OF THIN CLIENT SHIPMENTS
[Chart not reproduced; vertical axis runs from 0 to 8.]
Source: IDC, 2006
IDC predicts that the number of thin clients shipped will more than triple between 2005 and 2010.
UNC: BETTER SECURITY THROUGH DESKTOP VIRTUALIZATION
The computer labs were a clear security
problem, according to the University of
North Carolina (UNC) IT staff. PCs
would become infected with viruses,
and users would alter settings or download restricted programs such as peer-to-peer multimedia file-sharing software. Something had to change.
UNC serves nearly 200,000 students
through programs and schools for liberal arts, engineering, medicine, law,
and other disciplines. So it’s no surprise
that the venerable institution’s computer labs get plenty of use—not all of it
necessarily welcome.
The solution was desktop virtualization, which streams a centrally managed and controlled software image of
the operating system, plus application
and hardware drivers, from a central
server to the desktop. Desktop devices
benefit from the performance and flexibility of traditional PCs while retaining the manageability and security of a server-based environment.
UNC manages desktop virtualization
and streaming through Neoware Image
Manager. It creates a centrally managed, virtual Windows operating system drive that can’t be altered by
users—or by viruses. “When you have
diskless PCs booting off this centrally
managed system drive, there’s no way
for the operating system to be modified
or for data to be stored on the PC,”
says Ed Parks, vice president of engineering for Neoware. Plus, patch management is centralized—and greatly simplified.
UNC is deploying desktop streaming
and virtualization on thin clients and
PCs in computer labs and classrooms.
The thin clients and PCs coexist and
can be managed centrally, and only
one image is needed for all devices.
Desktops have consistent builds and
application compatibility. Virus outbreaks have been minimized, and
IT staff can focus on more strategic
activities.
“Using Image Manager and thin
clients, we’ve been able to lock down
the desktop so that users can’t install
malicious programs,” says Jeremiah
Joyner, supervisor of the UNC IT services classroom hotline. “Compared to
PCs, we can make the thin clients
more secure, so they’re easier to support and they last longer.”
THIN CLIENT COMPUTING: DISPELLING THE MYTHS
While IT organizations often quickly
recognize the benefits of server-based
computing, their user populations may
put up resistance. Users are often concerned about whether they’ll be able
to access the same tools and information
to which they are accustomed. Here’s
a quick look at key misconceptions—
and why they shouldn’t stand in
your way:
Myth #1: I won’t be able to
access the tools I need to do
my job.
Thin clients provide access to the same
Microsoft applications—such as all
Office applications, Outlook, Internet
Explorer, and Excel—with the same look
and feel as on traditional PCs. The only
difference is that the applications reside
on a centralized server—which most
users won’t even realize. Users even have
access to a variety of peripherals support.
Thin clients can browse the Web, access
a Citrix or Terminal Server environment,
and access legacy applications through a
Terminal Emulator.
Myth #2: I won’t be able to access and use data the way I want to.
Users won’t be able to download and store data to local media such as desktop hard drives, CDs, and diskettes. But users will have access to the same data, with the same look and feel, as on their old PCs—without the worry of losing data to disk crashes. Data is stored centrally, where best practices backup and security can be most effectively applied.
Myth #3: I won’t be able to work if the network goes down.
Even in a traditional PC environment, if the network goes down, users lose access to corporate systems, email, and the Internet. Plus, with thin clients, availability is typically higher because of reliability of both the desktop and server environment. With thin clients, users don’t have to wait to have their PCs configured in the event of a disk failure. And if a server becomes unavailable, the transition to another server can be seamless.
Myth #4: I won’t have the same level of performance and convenience.
Except for highly specialized applications such as computer-aided design (CAD), thin clients deliver comparable performance to PC environments.
Myth #5: I won’t be able to use my computer on the road.
Thin clients can function when physically disconnected from the network. However, they may not be appropriate for highly mobile knowledge workers. Notebook-style thin clients can be an effective way to access corporate systems not only from various offices and conference rooms but also from remote locations using a WiFi, WiMAX, or cellular card. Front-line employees who want access on the road typically require real-time data for fast decision making—which can’t be done in offline mode anyway. Plus, thin client access is secure because it occurs over an encrypted VPN connection and all application data remains protected in the data center.

THIN CLIENTS, FAT RETURNS
Thin clients don’t obviate the need for security best practices. A company still needs to maintain firewalls, intrusion detection and other enterprise security tools to protect its network and data center.
At the desktop, thin clients require the same user authentication mechanisms as traditional PCs. “By far the most common method is a username and password prompt via a dialog box, which is presented to the thin client by the application server,” Neoware’s Parks says. The authentication itself takes place on the server rather than on the thin client, so no username or password is stored locally. Some organizations may opt for strong authentication, such as smart cards or biometrics.
In many companies, thin clients are used in combination with PCs. In this situation, the organization still has to protect those PCs as it normally would, with patch management, antivirus software, and data backup at the desktop. But fewer PCs means fewer risks, so the thin clients can still deliver security advantages.
Still, companies may be reluctant or unable to make the switch from PCs to thin client all at once. Moving to a server-based environment can be achieved incrementally, with companies transitioning from PCs to thin clients over time by using software that makes PCs behave like thin clients. “The PCs could boot off a centrally managed image, and that would go a long way toward securing them,” Parks says. The company can then either remove the hard drive from the PC or configure the operating system to boot remotely, rendering the hard drive useless.
In the final analysis, securing traditional PCs by traditional
means is both expensive and time-consuming. Large organizations require an entire infrastructure just to manage their desktops. Moving security off the desktop and into the data center
can make security far more manageable.
What has stood in the way of broader adoption of thin client
computing? “Many organizations haven’t understood the potential benefits of thin clients, or they’ve had misconceptions about
performance or compatibility,” IDC’s O’Donnell concludes.
“But once they understand the issues, they find that thin clients
make a lot of sense. There may be an initial investment in the
clients or in server capacity. But if you avoid even one major
security incident, you could easily justify the investment. In the
long run, there’s almost inevitably a positive return on investment with thin clients.”
© 2006 Neoware, Inc. • 3200 Horizon Drive • King of Prussia, PA 19406 • Phone +1 610-277-8300 • Fax +1 610-771-4200
All rights reserved. Other trademarks are the property of their respective owners. www.neoware.com