Back in the early days of computing, desktop PCs were the only way for employees to get work done. With those desktop PCs came ports, floppy drives, and eventually CD/DVD drives. As USB became the standard and desktop PCs started having USB ports in the front along with the CD/DVD drive, it became easier to introduce viruses and other types of malware into the PC and behind the firewall.
Whether by accident or on purpose, the PC is now becoming an attack vector. Employees can bring USB drives from home – that are infected without their knowledge – and infect their office machines as well as the network. Malicious individuals can do the same.
Another problem with PCs is that they have to be maintained. The more PCs in your office, the more man-hours it takes to maintain them, including patch management and hardware replacement. Depending on the type of machines, you may have to keep spare parts handy, which translates into purchasing inventory that you are not currently using or may never use.
Let’s not forget how easily documents can be stolen. An employee can move confidential documents from the desktop or network if they have the clearance, and put them onto an easily-hidden USB thumb drive. This is exactly what an infamous NSA analyst did earlier this year.
These days, for all of these reasons, thin clients make much more sense. According to Wikipedia, a thin client is “a computer that depends on its server to fulfill its computational roles. This is different from the traditional fat client (desktop PC), which is a computer designed to take on these roles by itself. Thin clients occur as components of a broader computer infrastructure, where many clients share their computations with the same server. Thin-client computing is also a way of easily maintaining computational services at a reduced total cost of ownership. The most common type of modern thin client is a low-end computer terminal which only provides a graphical user interface to the end user. The remaining functionality, in particular the operating system, is provided by the server.”
It’s important to reiterate for all cost-conscious IT department budgets that thin clients cost less than the average desktop PC. Also, patch management for each PC is no longer an issue, and hardware replacement happens rarely. There is no hard drive, so it cannot crash and lose all of the data that was residing on it. Thin clients have very little in the way of internal hardware, so malfunctions are practically unheard of. (Yes, they still malfunction, but anything electronic can break.) Since thin clients have no hard drive, software is updated at the server. This means that IT employees no longer need to schedule time to visit each and every computer in the company to perform updates. Another benefit of thin clients is that you can easily run multiple operating systems within a virtual network.
However, probably the best reason for changing over to a thin client environment is SECURITY. Although thin clients have USB ports, their use can be modified by the administrator to not allow booting, uploading, or downloading. Because thin clients run using a virtual machine (VM), they are “sandboxed,” which means that they cannot infect the rest of the network. And by using a Virtual Local Area Network (VLAN), there is added protection if you group different sets of employees into the same network, such as accounting, engineering, marketing, etc.
Since attacks that come through your regular network can still attack your virtual network, the requirements for securing virtual machines are the same as those for physical machines. To mitigate attacks, apply any security updates that your VM software provider releases. Use separate physical network adapters to separate your VM network from your physical network, use a firewall on both your VM and physical networks, and be sure to use virus/malware protection on the server holding your VM network.
Thin clients need a server to work, since the thin client relies on the server for everything. Since servers are much faster and more capable these days, they can handle many VMs at once. There are several different vendors that make VM software. For some vendors, each user must have a license. For other vendors, the software is available for free. I suggest experimenting with a few thin clients and software vendors before making long-term commitments.
Using a thin client is not an end-all for securing your network against a breach, but at least you will be removing one potential attack vector from your network.
Image Credit: Thinvent.in.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.