Thin clients from a security perspective

The mass transition to working from home clearly shows the best technologies for a secure and convenient remote environment.

The year 2020, with its pandemic and forced self-isolation, has raised a number of fundamentally new questions for businesses. One — has any company ever had to calculate depreciation for employees’ use of home chairs, monitors, and desks before? — has become quite relevant. The greatest burden has fallen on the IT and security departments. The former had little warning they’d have to provide staff with a remote workplace environment, and the latter needed urgently to develop new information security strategies for a world in which the security perimeter is everywhere.

Pessimists predicted the collapse of IT, but that did not happen; for the most part, companies were able to reorganize their operations fairly quickly. However, transitions have varied. Businesses whose employees mainly used laptops even before the pandemic have lucked out. Those that already had an active BYOD policy in place had a great advantage as well. As a result, some of the world’s leading companies have decided to make their employees across the board remote workers to reduce costs. Several global IT giants, including Oracle, Rimini Street, and Okta, said that their partial shedding of office space has had a positive impact on their bottom lines.

Ensuring security has proved more complicated. Many information security departments were not ready. First, people were suddenly working from their local home networks using their own networking equipment, which was not monitored, administered, or even updated by the company. Second, devices began seeing use by entire families for a variety of tasks, not all having to do with company business. For example, parents and children were using the same laptops during alternating sessions to work and study. Moreover, in some cases the same machine connected to the networks of two different companies, which neither security staff appreciated.

Do you know which companies have faced the fewest problems, in terms of both IT and security? It has been those that actively use virtualization technologies, or more specifically virtual desktop infrastructure (VDI).

What are virtual desktops?

By and large, desktop virtualization attempts to separate the employee’s workspace from the physical device they use to work. The company arranges a computing cluster using its infrastructure (or lease capacity), deploys a virtualization platform, and creates virtual machines for each employee. The virtual machine image contains all of the software that the employee needs.

Employees can connect to their virtual desktops (and the corporate resources they have permission to use) from any device, including desktop computers, thin clients, laptops, and tablets. Generally speaking, they can even use a phone — provided they can connect a keyboard, mouse, and monitor to it (some enthusiasts actually work using such a setup). And the practice is not restricted to telecommuting or working over the Internet. Some companies use virtual desktops in the office as well, because, in fact, the technology offers businesses quite a few benefits, including:

  • Ease of maintenance: The data storage system stores preconfigured images of virtual machines for each employee or for workgroups with similar responsibilities, and all of them are managed centrally, reducing the load on the IT department;
  • Scalability: If an employee suddenly needs more computing power or access to more RAM, the administrator can assign the required resources to them rather than having to upgrade their equipment;
  • Resilience: If a device that connects to the virtual machine fails, an employee can simply connect from another one without losing any data or wasting time;
  • Security: As you can imagine, Kaspersky views this as the most important advantage, and it is particularly strong for remote desktop technology that is used in conjunction with thin clients.

Virtual desktops, thin clients, and security

From a security point of view, virtual desktops are good if for no other reason than that they protect the software that employees use from meddling. Of course, users can change work files and interface settings, but those are stored separately from the virtual machine. Any changes made to software — and any malicious code downloaded to the virtual machine — disappear after a reboot. That does not mean virtual machines can go unprotected, but it greatly reduces the chances of an APT hiding on a work computer.

However, as we mentioned above, users receive the maximum security benefits by connecting to virtual desktops from thin clients. A thin client is a terminal-mode device. It often doesn’t even have any internal storage, being just a box that connects to a server and lets users connect a monitor and peripheral devices (configuration may vary depending on the specific model). The thin client does not process or store any work data.

Of course, a thin client requires a good communications channel. In recent years, however, that’s not much of a hurdle.

Communication between a thin client and a server is usually conducted over an encrypted protocol, solving the problem of the unreliable network environment. Of course, from the user’s point of view, it’s a much less versatile device than, say, a laptop. You cannot use it to play games, connect to third-party information systems, or do a variety of other things that may be forbidden in the workplace anyway. It is also worth noting this type of device solves one of the potential problems of hardware theft; with no data stored, none can leak.

Judging from the companies’ growing interest in ensuring the information security of remote work, we anticipate an ever-growing need for turnkey remote desktop infrastructure solutions. Most likely, the most workable plan will be to use public cloud services to avoid having to modify physical infrastructure significantly. So, it looks like we’re approaching a stage in which major companies transition to VDI. That is one of the reasons we are actively developing our expertise in this area and working on the solutions for thin clients based on our operating system, KasperskyOS.