Tech
Do thin clients make sense in your corporate security strategy?
When it comes to reliability and security, few people will argue that personal computing is at its peak. And it really doesn't matter what operating system or application software a PC runs; there will always be software flaws with the potential to cause problems.
When it comes to reliability and security, few people will argue that personal computing is at its peak. And it really doesn't matter what operating system or application software a PC runs; there will always be software flaws with the potential to cause problems.
Connect a few million PCs installed with buggy, unmaintained software to a network or the Internet, and you've got a much larger problem. Corporate networks protected by firewalls help, but even the best firewall can't stop problems from spreading inside networks.
For areas where high-security computer access is a necessity, a centralized approach to access control and authorization may be the solution.
Many will argue that the mainframe era, despite the relatively simple character-based user interface, was a better paradigm for secure and reliable computing. While centralized, session-based computing that uses character terminals is somewhat dated, it remains stubbornly reliable, particularly when security is a more important factor than usability.
However, thin client computing makes it possible to combine the best of the mainframe terminal approach with the graphical interface required by modern software. You can apply thin client concepts to regular computers running specific software that provides a remote graphical desktop on a centralized system. A number of different methods and protocols are available, and the thin client concept, which uses session-based graphical desktops, offers corporations both security and usability.
Because most wide-scale security incidents occur on Windows machines, Windows thin clients could play an important role in an organization's network. Originally developed to provide remote Windows access, thin clients' protocols and concepts can help companies greatly improve Windows security.
However, I'm not advocating the wholesale replacement of Windows PCs with thin clients. What I am suggesting is that thin clients can improve overall security for specific purposes, especially when it comes to desktop consistency.
Under Windows, thin clients access a central server for multiple user sessions, and they generally use Citrix MetaFrame or Windows Terminal Services. These products provide multiple Windows sessions from one central system, just like the mainframe paradigm.
The improvement in overall security comes from not having to constantly maintain a network of hundreds of Windows-based PCs. Instead, the security focus is now on the main Windows servers that provide the sessions.
Of course, there are significant drawbacks to session-based remote desktops, most notably speed. Even across a fast network, remote desktop access is orders of magnitude slower than a PC. Therefore, I would argue that thin clients only make sense in specific situations, particularly when security and access control are essential (and, of course, when someone needs to access a Windows desktop from a remote location).
However, remote Windows desktops also offer benefits in addition to boosting security. It's generally a good practice to have a standardized, reproducible desktop in a corporation, and overall costs of security are generally lower when there are fewer computers to maintain.
Of course, it's typically not practical to run an entire corporation on thin clients. Deciding where and how to implement thin clients is something that each organization must figure out, but security and access control should be the deciding factors.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.
Connect a few million PCs installed with buggy, unmaintained software to a network or the Internet, and you've got a much larger problem. Corporate networks protected by firewalls help, but even the best firewall can't stop problems from spreading inside networks.
For areas where high-security computer access is a necessity, a centralized approach to access control and authorization may be the solution.
Many will argue that the mainframe era, despite the relatively simple character-based user interface, was a better paradigm for secure and reliable computing. While centralized, session-based computing that uses character terminals is somewhat dated, it remains stubbornly reliable, particularly when security is a more important factor than usability.
However, thin client computing makes it possible to combine the best of the mainframe terminal approach with the graphical interface required by modern software. You can apply thin client concepts to regular computers running specific software that provides a remote graphical desktop on a centralized system. A number of different methods and protocols are available, and the thin client concept, which uses session-based graphical desktops, offers corporations both security and usability.
Because most wide-scale security incidents occur on Windows machines, Windows thin clients could play an important role in an organization's network. Originally developed to provide remote Windows access, thin clients' protocols and concepts can help companies greatly improve Windows security.
However, I'm not advocating the wholesale replacement of Windows PCs with thin clients. What I am suggesting is that thin clients can improve overall security for specific purposes, especially when it comes to desktop consistency.
Under Windows, thin clients access a central server for multiple user sessions, and they generally use Citrix MetaFrame or Windows Terminal Services. These products provide multiple Windows sessions from one central system, just like the mainframe paradigm.
The improvement in overall security comes from not having to constantly maintain a network of hundreds of Windows-based PCs. Instead, the security focus is now on the main Windows servers that provide the sessions.
Of course, there are significant drawbacks to session-based remote desktops, most notably speed. Even across a fast network, remote desktop access is orders of magnitude slower than a PC. Therefore, I would argue that thin clients only make sense in specific situations, particularly when security and access control are essential (and, of course, when someone needs to access a Windows desktop from a remote location).
However, remote Windows desktops also offer benefits in addition to boosting security. It's generally a good practice to have a standardized, reproducible desktop in a corporation, and overall costs of security are generally lower when there are fewer computers to maintain.
Of course, it's typically not practical to run an entire corporation on thin clients. Deciding where and how to implement thin clients is something that each organization must figure out, but security and access control should be the deciding factors.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.