Drawing on my twenty plus years of working within end user computing, I can safely say that the weakest link in any end user computing environment, when we talk about security, are the end users and the devices which they use. We talk a lot about securing the edge of the network, and for me the edge of the network, when it comes to end user computing, stops squarely with the end users.
by David Coombes - ThinScale Technical Director
The rise of shadow IT
In today’s more consumer-focused world, users are far more aware, or “savvy” about different apps, and different way of doing things that suit their own personal way of working. They will have their own devices on which they can easily access different apps and data. But when it comes to working within the corporate environment they will often try and replicate this behavior and are likely to try and “do their own thing” with company owned apps and data, using a corporately owned device. Or they may introduce non-standard apps or use their own device. This end user behavior is now so prevalent that it’s even been given its own name – “shadow IT”.
We’ve all done it. Tried to install our own apps, opened a malicious email link or website which has breached security, accidentally or deliberately, copied sensitive data to a USB stick, or emailed it to our own personal email accounts to work on at home later. We justify this by thinking we are doing the company a favor by working outside office hours, when in fact we could be doing more harm than good by exposing private and sensitive data.
On that note, the protection of private data is now becoming the subject of much tighter legislation. For example, in the EU a new law for the protection of data came into force in May 2018. GDPR, or General Data Protection Regulation aims to protect the privacy of an individual’s data. It’s so serious that should a company breach this law then the fine can cost them up to 20 million Euros or 4 percent of their annual global turnover, whichever of both is highest. If that not enough to get the security people focused, then I don’t know what is.
The question is, what can an organization do to secure their data, without impacting productivity, and embracing some of this consumer-type behavior?
Are virtual desktops and apps the answer?
In part, yes. These problems typically go away or are greatly reduced by deploying some form of centralized desktop and app delivery solution. The key reason being that the data is now secured behind the data center firewall, and under the control and management of the IT teams. However, you still need to give end users access to these apps and data, and therefore you have only solved part of the security conundrum. How does an organization ensure security is maintained at the end user? We are back to that whole edge of the network point again. This is where thin clients can add an additional layer of protection.
What are the security benefits of using thin client devices?
Thin client devices are deployed within an organization to support connectivity to virtual and hosted desktops or published apps, providing an extra layer of protection from user-initiated security risks. They do this by preventing end users from having direct access to the endpoint operating system and the ability to install their own apps, or introduce malicious files or data using the end point device. Of course, you still need to have in place the tools to prevent them doing this within the virtual session itself, but at least now you have secured the end point device. But the question is, in deploying thin clients have you now made it too restrictive for the end user? Have you taken away some of the benefits of why you deployed remote desktops and apps in the first place all in the pursuit of security?
This is where ThinKiosk comes into its own, taking the thin client computing story to a whole new level, by delivering advanced security, an enhanced end user experience, flexible working, and at the same time reducing the costs.
Hardware-based thin client computing
When we think about thin clients, we usually have a picture in our heads of a small, physical device, that looks a bit like a miniature or cut-down PC, that will only work when connected to the corporate network and runs its own unique version of an operating system. That, in itself, stops end users from being able to do anything bad, thus rendering the device secure by default, but it can also potentially be counterproductive when it comes to workforce productivity. Maybe the device becomes too locked down or restrictive, and being too cut down to the point that it doesn’t support the environments you want to use it in. Finally, being a physical PC-type device means it’s also static and tied to an end users’ desk. Now don’t get me wrong, I think thin clients are great, but I do think there is a better way to deliver all these features that thin clients deliver, yet can support more flexible working models.
Redefining thin client computing with software-defined thin clients
ThinKiosk redefines this ‘picture’ of what a thin client looks like and delivers it as a software-defined thin client solution, rather than a physical piece of tin, as you would come to expect in the cloud-era with software-defined storage, or software-defined networking for example.
What exactly does “software-defined thin client” mean, and what are the benefits? Basically, it means it’s a software solution that creates a thin client environment that runs on any Windows capable hardware, and delivers all that a hardware thin client delivers, and more.
Software defined means greater flexibility and the ability to better control the device and end users. But first and foremost, it allows you to repurpose existing devices, and therefore reduce costs. On top of that it adds an enhanced user experience that is familiar to the end users as it is based on the Windows OS, plus of course a centralized management platform for IT to easily onboard users and devices ensuring they are patched and updated. And then there is the security considerations.
Delivering flexible working with secure thin client environments
As this blog is around the security aspects of thin client computing, let’s get back to that discussion and how flexible working and security can co-exist. There is no point going down the software-defined route if security goes out of the window.
One unique feature that ThinKiosk provides, is the ability to create a secure thin client environment on an end user’s personal device, all without rebooting, or installing MDM tools. This feature is called Secure Remote Worker. An end user simply switches Secure Remote Worker on, and it locks them out of the underlying device OS. In its place they are presented with an intuitive, Windows-like workspace interface which displays all the links to their virtual environments, and even locally installed apps if they are permitted to do so. This secure environment is managed centrally by the IT admins and adds some advanced security features. For example, Application Execution Prevention, or AEP, prevents end users trying to launch or install their own apps, even if they set a delayed launch time. Or the USB blocking feature that prevents writeable media devices from being used. When the end user has finished, they simply switch off Secure Remote Worker and carry on using their device as it was before.
For both IT and the organization, they are safe in the knowledge that end users cannot introduce anything that could be deemed as malicious, and for the end users they now have the flexibility of working remotely, from home, or use their personally owned devices.
To quickly recap and summarize, we started this conversation talking about the end users and devices being the weakest link in the virtual desktop and app chain. The typical solution to ensure security being to deploy hardware-based thin clients to ensure end users were locked down and secure. But taking that approach could also be counterproductive as for the end user it may be a step too far. Not only that it could affect an organization too, especially when it comes to productivity outside of the office environment.
ThinKiosk strikes that perfect balance between security and flexibility. It provides that locked-down and secure environment, yet then throws flexibility into the mix, allowing end users to work both remotely and using their own devices. Perfect for addressing that consumer style way in which end users want to work.
It’s like having a portable, secure thin client.