Guest Column | October 25, 2016

The Channel's Role In Delivering A Secure Thin Client Deployment

By Jeff Kalberg, Chief Technology Evangelist, IGEL Technology North America

It’s a story becoming too familiar, but no less scary. The latest wrinkle from the Yahoo security breach is the fear of credential stuffing, in which cybercriminals try leaked username and password combinations on websites to find matches. It sounds random, but software will make this further attack on at least 500 million credential combinations lightning fast, resulting in the potential to hack critical financial information associated with an untold number of accounts.

Unfortunately, since this historical breach was revealed two years after the fact, discussion about security precautions is moot. So what does this lesson provide for your customers today, living in fear of a major cyberattack? It means doing all we can to protect against the myriad of threats, and doing it now!

One area ripe for malware and other attacks is the multi-device environment in which employees and partners work today. Technology users often travel to varied locations, and literally no one can guarantee the complete security of each device and the environment in which it is being used.

At the same time, our mobile-loving employees aren’t giving up this a la carte approach to devices. With the capabilities of today’s virtualization platforms, mobile users expect their applications and personal desktop to be accessible and at the ready, regardless of where they may be working. The security solution to this multi-device, multi-location work environment is to develop an endpoint strategy around thin client technology, which helps prevent users from unknowingly introducing malware into their desktops.

To be effective, thin client technology must evolve with the introduction of new threats to the enterprise, such as the constant scourge of malware. In helping your customers embrace desktop virtualization and make full use of thin client features, here are six concepts to consider in constructing a secure environment at the endpoint.

  1. Secure Remote Management: Enterprises should be able to employ certificate-based communication between management servers and thin clients to help thwart malware and man-in-the-middle attacks. They also need SSL-encrypted remote administration of their thin clients as another layer of security.
  2. Trusted Execution: When your customers’ employees boot up their device, how can they be sure the device’s operating system has not already been corrupted? Thin client technology can provide protection at the boot loader phase to ensure the system is protected from the very beginning of operation. Such technology promises the firmware has not been tampered with in any way. It will help prevent random incidents of malware entering your customer’s network. Make sure their thin client solution includes this critical layer of security.
  3. Private Data Transmission: Thin clients do not exchange application data with the server; they exchange only control codes from the monitor, keyboard, mouse, etc. Despite this, keyboard input, such as passwords, has to be protected from being intercepted, since ransomware thrives on knowing where your data resides and intercepting passwords can start the attack. A VPN connection that provides private transmission is one approach to prevent attackers from tracking the location of data. This sets up a highly secure, encrypted VPN tunnel, which can be a strong deterrent against attackers.
  4. Controlling USB Devices: The dreaded USB device is a nightmare for all IT security pros! USB devices abound as employees love using them wherever they may be working. USB ports and devices range from storage media and web cameras to smart phones, and all are capable of transmitting data from an unsecured source, a perfect channel for introducing malware. Look for encryption capabilities that restrict unauthorized USB devices from being plugged into a thin client device, thus allowing only approved devices and further mitigating risk.
  5. User Authentication: Smartcard readers, USB tokens, and secure ID work to provide secure two-factor authentication for your customers. With a smartcard reader, an employee can log in to their desktop via the thin client, essentially providing another identity check. Notably, it will prevent intercepted passwords and social hacking events that open the door to malware and ransomware. Advanced technology employs USB tokens such as Aladdin eToken, HID/Omnikey and ActivIdentity, which are an alternative to smartcards and smartcard readers.
  6. Single Sign-On: Enterprises want improved security at the endpoint via thin clients but they also want efficiency. You will need to encourage your customers to make use of single sign-on solutions to simplify application login and logout by automating the username and password entry for authenticated users. Leading solutions such as Imprivata enable secure authentication by means of an ID proximity badge, a smartcard or fingerprint.

These considerations are a good start when looking at what a secure thin client solution needs to have in this societal culture of ransomware and malware attacks. It’s also important to address the parallel need of users to be able to move freely between locations and devices, and always have their personal desktop at hand.

The use of smartcards, USB tokens and single sign-on as authentication tools is a prime example of how technology can enable secure controls while still giving users their desired flexibility. Another important aspect for user freedom is having a secure VPN connection. Customers in the retail sector, for example, need to securely exchange data between store locations. Users assume a certain level of security when transmitting data, but we all know security breaches are now all too frequent. Looking at a secure thin client solution from both the aspect of transmission and the perspective of the individual will give your customers a more complete, secure virtual desktop environment.

Jeff Kalberg is Chief Technology Evangelist at IGEL Technology with over 30 years of industry experience covering more technology than he cares to remember. An IT consultant for most of his career, Jeff has advised organizations of all sizes on a variety of technologies. He has counseled some of the world’s largest and most respected companies. Working within all levels of an organization from marketing and sales to operations and finance to information technology, Jeff has developed a unique perspective that he leverages to the benefit of his client customers today.