
Are thin clients the solution to all your security woes?

Written by George Ou, Contributor

Our UNIX/Linux blogger Paul Murphy posted an interesting link to an article entitled: Information Security: 7 Data Leaks you can’t Ignore written by Matt Roedell. Unfortunately, I think Paul missed the point of it by attributing the issue to "Wintel infrastructure" and claiming the solution is to go thin client with Sun Rays. Security unfortunately isn't so simple that it can be fixed with any single product, and most of the risk vectors have nothing to do with whether you use Windows or Intel products. The cure-all solution is one of the most ubiquitous forms of snake oil in the security industry, and there simply is no such thing. Let's take a look at these vectors for data leakage.

Data leakage via removable media: Under #1 and #2, Roedell listed USB mass storage devices and optical drives. I'm going to lump these two things together and add floppy drives to the list. Roedell put a $0 price tag on optical drives because those can be disabled via Microsoft's Active Directory Group Policy, but he put a $50K price tag on 300 licenses. I'm going to set that to $0 because USB mass storage devices can also be disabled via Group Policy by importing this ADM file. Floppy drives can also be disabled via Group Policy, not to mention the fact that we don't have to put floppy drives and optical drives into the computers in the first place.
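
As an added example (not from the original article or the ADM file it links to), this PowerShell audit reports whether the storage drivers for USB mass storage, optical and floppy devices are disabled on a workstation. It assumes the policy is enforced by setting each driver service's `Start` registry value to 4 (disabled); the function name is hypothetical.

```powershell
# Added example: audit removable-media storage drivers on a Windows host.
# Assumption: the Group Policy setting takes effect by writing Start = 4
# (disabled) under HKLM\SYSTEM\CurrentControlSet\Services\<driver>.
$drivers = [ordered]@{
    'USBSTOR'  = 'USB mass storage'
    'cdrom'    = 'Optical drive'
    'flpydisk' = 'Floppy drive'
}
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-RemovableMediaDriverState {
    param([string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    foreach ($name in $drivers.Keys) {
        $key   = Join-Path $ServicesRoot $name
        $start = $null
        $state = 'KeyMissing'

        if (Test-Path $key) {
            $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
            if ($null -eq $start)                 { $state = 'NoStartValue' }
            elseif ($startNames.ContainsKey($start)) { $state = $startNames[$start] }
            else                                  { $state = "Unknown($start)" }
        }

        # A missing key or value means there is nothing for the policy to
        # enforce yet, so it is flagged for review rather than assumed blocked.
        [pscustomobject]@{
            Driver    = $name
            Device    = $drivers[$name]
            Start     = $start
            State     = $state
            Compliant = ($start -eq 4)
        }
    }
}

$report = Get-RemovableMediaDriverState
$report | Format-Table -AutoSize

# Non-zero exit code lets a login script or inventory job flag the machine.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

The script only reads the registry, so it can run as a standard user and shows whether the policy actually reached the machine rather than whether it was merely linked in Active Directory.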

Stolen laptops: Laptop security is a huge pain point, but it's something you're going to have to deal with when you have mobile workers. It would certainly be a lot easier on IT if there were no laptops, but companies are not going back to the dumb terminal and mainframe days. Until there is fast, inexpensive, reliable, and universal wireless connectivity, data will have to be stored on the laptop for offline access. As long as data sits on the laptop, I don't care what operating system you use: you're going to have to use reliable encryption software with reliable key management technology. Government regulators will not care if you tell them you lost a MacBook or Linux-based laptop with sensitive data on it.

EFS folder-level encryption comes free with Windows XP, but that only works if you don't give the user admin rights (a good idea if you can get management to sign off on it) and encrypt all the user folders with an automated policy. Vista Enterprise Edition and Ultimate Edition come with BitLocker and EFS. There are companies that sell add-on products, either software-only or combined software/hardware solutions. There are even hard drives from companies like Seagate that have encryption technology built into the firmware. Whether that's $200 per station or less, that is the cost of running laptops, and it isn't IT's job to tell the business what they need and what they don't need. The business tells IT what they need to do their job and it's IT's job to solve the problem.

Stolen data from backup media: I don't care what OS or computing model you use, you will have data one way or another and it will have to be backed up and stored off site for safekeeping. Thin clients or Sun Ray clients won't change any of this. Encrypting the tape media doesn't cost "$800 per server" if you're doing the encryption transparently on the backup server.

Leakage via Internet Web Access: I don't care what OS or computing model you use if you allow web access. Unless you block all Internet access, you're going to have to deal with information leakage over the web. There are no foolproof solutions for this, and the most you can do is due diligence by implementing the proper checkpoints and user policies. Scanning everything only covers unencrypted traffic or traffic you can decrypt, and policies are only good if people follow them. We can take it a step further with rights management software such as Active Directory Rights Management Services, which blocks users from performing actions that might compromise data. User policies and software can help keep users from making honest mistakes, but a determined leaker will find a way to leak data even if they have to use the analog hole and take photographs of the monitor. The human aspect of security is the hardest challenge of all.

Layer 2 access switch port security: This is one of those aspects of security that most companies and organizations fail to implement even though many already have all the hardware and software in place.  They should look at my comprehensive guide on locking down Layer 2 security.

Security vulnerabilities: Again, as with everything else, it doesn't matter what OS or computing model you use, you're going to have to deal with security vulnerabilities. This affects every hardware and software vendor on the planet. Most people only hear about Microsoft vulnerabilities, but they're currently one of the better companies in the computer industry when it comes to auditing their own code. Their vulnerabilities affect the largest number of people because their products are used by the largest number of people, but the statistical occurrence of software flaws is relatively low.

Are thin clients the solution? There certainly is some merit in the security implications of thin clients, but there's also a lot of merit in handing people electric typewriters or VT100 terminal emulators from a security and maintenance point of view. Now I am not saying that a modern Sun Ray or thin client device is comparable to a typewriter or text-based computer terminal, just that people do associate thin clients in general with fewer features and a "demotion". I've met a lot of people who think that thin clients are just wonderful until you want to take away their computer and give them a thin client. Thin clients are generally associated with data entry tasks and not office productivity. It's not that you can't do those tasks with modern thin clients, it's just that it doesn't work the way people have grown accustomed to, with the flexibility afforded to them by the modern personal computer. Until businesses clamor for the days of the mainframe and thin clients, it won't happen any time soon.
