Rethinking Thin Clients from a Security Perspective

Corporate data is floating around on PCs and laptops, sitting on cloud file-sharing platforms and being transmitted over email. Laptops and mobile devices are sitting in the trunks of cars at the mall, being left in hotel rooms or lost in the backs of taxis. Data has become as good as gold. Credit card numbers, Social Security numbers, architectural diagrams, marketing plans and source code – each is a target for a particular thief. And just like fine art and jewelry, there is a huge black market of data buyers. Don’t think your competition wouldn’t want to get their hands on your customer accounts, price lists or intellectual property if they could. There are too many cases of massive data loss in recent history to think that this problem can be fixed easily without changing the way employees access and use corporate data.

There is no single approach to security; it must be done in layers. Protecting data files can be a very large undertaking in a world where hundreds or thousands of new documents are created daily, many of them outside your network on mobile devices. One approach is to have a system for classifying or tagging these documents based on who created them and where they are stored on your network. A properly classified piece of data should carry along with it the permissions of who can view and edit it, whether it needs specialized protection such as encryption, and where it can be stored. Structured data, which is stored in databases, typically requires client software to view, while unstructured data is all those documents and spreadsheets that are stored on local hard drives and network shares. Other layers include auditing your most critical files to record who accessed, created or modified them, and running DLP on endpoints.
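The classification approach described above, as an added example that is not from the original article: a document is labeled from its creator's department and its storage location, and the label carries who may view or edit it, whether it must be encrypted, and where copies may be stored. The departments, share paths and labels are constructed assumptions.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    label: str
    viewers: frozenset      # departments allowed to read
    editors: frozenset      # departments allowed to modify
    encrypt: bool           # must be encrypted at rest
    allowed_stores: tuple   # path prefixes where copies may live

# Constructed rules: (creator department or None for any, storage prefix, policy).
RULES = [
    ("finance", "/shares/finance",
     Policy("restricted", frozenset({"finance"}), frozenset({"finance"}),
            True, ("/shares/finance",))),
    ("engineering", "/shares/src",
     Policy("confidential", frozenset({"engineering", "qa"}),
            frozenset({"engineering"}), True, ("/shares/src", "/shares/builds"))),
    (None, "/shares/public",
     Policy("internal", frozenset({"*"}), frozenset({"*"}), False, ("/shares",))),
]
# Anything no rule covers fails closed until someone classifies it.
DEFAULT = Policy("unclassified", frozenset(), frozenset(), True, ())

def under(path, prefix):
    """Component-wise prefix test on the normalised path, so that
    '/shares/finance-old' and '/shares/public/../finance' do not slip through."""
    parts = posixpath.normpath(path).split("/")
    want = posixpath.normpath(prefix).split("/")
    return parts[:len(want)] == want

def classify(creator_dept, path):
    """Return the policy of the first rule matching creator and location."""
    for dept, prefix, policy in RULES:
        if dept in (None, creator_dept) and under(path, prefix):
            return policy
    return DEFAULT

def may_view(policy, dept):
    return "*" in policy.viewers or dept in policy.viewers

def may_store(policy, dest):
    """True only if the destination lies inside an allowed storage prefix."""
    return any(under(dest, p) for p in policy.allowed_stores)
```
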

“Snowdenize” your administrators.  Network administrators for too long have been granted full access to the corporate data that resides on the systems they are managing.  If the role of the administrator is to maintain the platform, then there is little value or need for them to be able to delve into the data contents.  It’s time to start setting limits.  Using methods such as one-time passwords, a separate highly audited administrator account, and session recording will give your organization an early warning and forensic system for tracking malicious behavior by these users.

Snowdenize – the process of properly provisioning privileged access to system administrators to perform their required tasks while restricting their ability to access, modify or move corporate intellectual property.

The Snowden four laptop problem and a case for a secure desktop platform

The one fact of this case which has intrigued me so much is that Edward Snowden managed to walk away with four laptops with US government intellectual property on them. Having some insight into the process, I know that these devices were most likely provided by the department in the NSA that he worked for and were not his own personal devices. External devices are not typically permitted to access secured data, let alone be allowed to connect to the network. If you think for a minute that the Chinese and Russians have not gotten their hands on the data on those machines, think again. It takes a thief minutes to clone a hard drive, and most cloning done overseas is by hotel room maids or happens when the user connects over the hotel wireless network. What if the only devices that Snowden was permitted to use were thin client devices? Would our nation’s secrets be at such risk of being released?

The most well-known scene in the first Mission Impossible movie has Tom Cruise stealthily breaking into a multi-faceted, biometrically protected room that held the valuable NOC list of CIA operatives. The computer in that room was designed to be protected from any outside intrusion, unless of course you were Ethan Hunt. You may not be holding that kind of top secret information on your network, but you should be thinking about how you can make your desktops secure portals into your data.

Thin client devices have always offered a total cost of ownership (TCO) advantage over traditional desktops by reducing the overall management of the endpoint devices. Some feel the acquisition cost of the more feature-rich thin clients is so close to that of a traditional desktop that buying them does not make financial sense. But if we take the approach that these devices are natively secure because they have no local storage and must be connected to the corporate network to get their configuration, the differential cost in risk swings in their favor. Critics of thin clients cite lack of portability and functionality as reasons not to use them, but this is becoming less of an issue with the evolution of thin client laptop devices from vendors such as Dell-Wyse and HP and with the increasing availability of Wi-Fi.

Edward Snowden has solidified the need for a more secure desktop platform, regardless of whether you are in the public or private sector. We will be watching the public sector organizations very closely to see how they respond to these events. But we can predict that Federal, State and local governments will look for ways to remove the risk of desktops and laptops being a method of extracting data from their networks. Employees with posts that go beyond our borders especially will need to have a more secure solution. Laptop cloning at airports and hotels, and the growing threats of attacks on our citizens and representatives, could result in the loss of even more data.