Drawing on my twenty-plus years of working within end user computing, I can safely say that, when we talk about security, the weakest link in any end user computing environment is the end users and the devices they use. We talk a lot about securing the edge of the network, and for me, the edge of the network, when it comes to end user computing, stops squarely with the end users.
by David Coombes - ThinScale Technical Director
The rise of shadow IT
In today’s more consumer-focused world, users are far more aware, or “savvy”, about different apps and different ways of doing things that suit their own personal way of working. They will have their own devices on which they can easily access different apps and data. But when it comes to working within the corporate environment they will often try to replicate this behavior and are likely to try to “do their own thing” with company-owned apps and data, using a corporately owned device. Or they may introduce non-standard apps or use their own device. This end user behavior is now so prevalent that it’s even been given its own name – “shadow IT”.
We’ve all done it. Tried to install our own apps, opened a malicious email link or website which has breached security, accidentally or deliberately, copied sensitive data to a USB stick, or emailed it to our own personal email accounts to work on at home later. We justify this by thinking we are doing the company a favor by working outside office hours, when in fact we could be doing more harm than good by exposing private and sensitive data.
On that note, the protection of private data is now becoming the subject of much tighter legislation. For example, in the EU a new law for the protection of data came into force in May 2018. GDPR, the General Data Protection Regulation, aims to protect the privacy of an individual’s data. It’s so serious that should a company breach this law, the fine can cost them up to 20 million Euros or 4 percent of their annual global turnover, whichever is higher. If that is not enough to get the security people focused, then I don’t know what is. Further, policies that enforce and measure compliance for financial information (PCI DSS) or private medical information (HIPAA) are necessities now in their respective workplaces.
The question is, what can an organization do to secure its data without impacting productivity, while still embracing some of this consumer-type behavior?
Are virtual desktops and apps the answer?
In part, yes. These problems typically go away or are greatly reduced by deploying some form of centralized desktop and app delivery solution. The key reason being that the data is now secured behind the data center firewall, and under the control and management of the IT teams. However, you still need to give end users access to these apps and data, and therefore you have only solved part of the security conundrum. How does an organization ensure security is maintained at the end user? We are back to that whole edge of the network point again. This is where thin clients can add an additional layer of protection.
What are the security benefits of using thin client devices?
Thin client devices are deployed within an organization to support connectivity to virtual and hosted desktops or published apps, providing an extra layer of protection from user-initiated security risks. They do this by preventing end users from having direct access to the endpoint operating system and from installing their own apps or introducing malicious files or data using the endpoint device. Of course, you still need to have in place the tools to prevent them doing this within the virtual session itself, but at least now you have secured the endpoint device. But the question is, in deploying thin clients have you now made it too restrictive for the end user? Have you taken away some of the benefits of why you deployed remote desktops and apps in the first place, all in the pursuit of security?
This is where the conversion software, ThinKiosk, comes into its own, taking the thin client computing story to a whole new level by delivering advanced security, an enhanced end user experience, and flexible working, while at the same time reducing costs.
Hardware-based thin client computing
What is a thin client? When we think about thin clients, we usually have a picture in our heads of a small, physical device that looks a bit like a miniature or cut-down PC, that will only work when connected to the corporate network, and that runs its own unique version of an OS, a thin client operating system. That, in itself, stops end users from being able to do anything bad, thus rendering the device secure by default, but it can also potentially be counterproductive when it comes to workforce productivity. Maybe the device becomes too locked down or restrictive, or too cut down, to the point that it doesn’t support the environments you want to use it in. Finally, being a physical PC-type device means it’s also static and tied to an end user’s desk. Now don’t get me wrong, I think thin clients are great, but I do think there is a better way to deliver all the features that thin clients deliver while supporting more flexible working models.
Redefining thin client computing with software-defined thin clients
ThinKiosk redefines this ‘picture’ of what a thin client looks like and delivers it as a software-defined thin client solution, rather than a physical piece of tin, as you would come to expect in the cloud-era with software-defined storage, or software-defined networking for example.
What exactly does “software-defined thin client” mean, and what are the benefits? Basically, it means it’s a software solution that creates a thin client environment that runs on any Windows-capable hardware, and delivers all that a hardware thin client delivers, and more.
Software-defined means greater flexibility and the ability to better control the device and end users. But first and foremost, it allows you to repurpose existing devices, and therefore reduce costs. On top of that, it adds an enhanced user experience that is familiar to the end users, as it is based on the Windows OS, plus of course a centralized management platform for IT to easily onboard users and devices, ensuring they are patched and updated. And then there are the security considerations.
Delivering secure thin client environments
As this blog is about the security aspects of thin client computing, let’s get back to that discussion. There is no point going down the software-defined route if security goes out of the window.
ThinKiosk creates a secure thin client environment on any Windows-based x64/x86 device, all without assistance from GPOs or other ancillary pieces of software. ThinKiosk provides a secure shell which locks users out of the underlying device OS. In its place they are presented with an intuitive, Windows-like workspace interface, with standard Windows functionality such as keystrokes (CTRL+ALT+DEL and Win+L) being passed through to their virtual resources and hardware settings accessible within the secure UI, maintaining user familiarity and a degree of autonomy within the ThinKiosk environment. This secure UI displays all the links to their virtual environments, and even locally installed apps if they are permitted to do so. This is all managed centrally by the IT admins and adds some advanced security features. For example, Application Execution Prevention, or AEP, prevents end users from launching or installing their own apps, even if they set a delayed launch time, and the USB blocking feature prevents writeable media devices from being used. ThinKiosk provides a secure thin client experience for on-prem devices, and it can also provide a mobile thin client experience for corporate-provided laptops, with battery and Wi-Fi control and status indicators supported by the UI, and can be displayed within a dedicated virtual desktop.
Both IT and the organization are safe in the knowledge that end users cannot introduce anything that could be deemed malicious, and the end users now have a familiar workspace that allows them as much autonomy as your IT department wants to allow.
To quickly recap and summarize, we started this conversation talking about the end users and devices being the weakest link in the virtual desktop and app chain. The typical solution to ensure security is to deploy hardware-based thin clients so that end users are locked down and secure. But taking that approach could also be counterproductive, as for the end user it may be a step too far. Not only that, it could affect an organization too, especially when it comes to the productivity of the office environment.
ThinKiosk strikes that perfect balance between security and flexibility. It provides that locked-down and secure environment, yet then throws flexibility into the mix, allowing end users to work in a user-friendly environment that can be deployed on any corporate device and provided with whatever experience your team wants to allow.