1. IT@Intel White Paper
Intel Information Technology
Business Solutions
April 2010
Evaluating Thin-Client Security in a
Changing Threat Landscape
Executive Overview
Equivalent security controls Intel IT’s security team continually analyzes our computing model to determine
can be, and are, implemented how it needs to evolve in response to an ever-changing threat landscape. Recent
on PCs—without giving up the cyber-attacks on a number of high-profile targets provided added impetus to
re-evaluate the security offered by thin-client models and whether using thin
functionality that is sacrificed
clients could help defend against similar attacks.
with the thin-client model.
We identified five attributes that are often We also considered other restrictions and
perceived as security benefits in thin clients: costs of thin clients, including the inability to
prevention of physical data loss, removal support mobile computing, highly interactive
of administrative privileges, limitations on or compute-intensive applications, and
installed applications, client integrity, and rich media such as video. Thin clients also
ability to roll back to a known good state. require significant additional server capacity
and network bandwidth. Some thin-client
We determined that while these controls can
models can also increase the risk of business
contribute to a more secure environment,
disruption if an outage occurs within the
they would not have prevented the recent
central network resources upon which the thin
cyber-attacks from being successful.
Toby Kohlenberg client depends.
Senior Information Security Specialist, Intel IT Furthermore, we also observed that these
Based on our analysis, we see thin clients
controls are not unique to thin clients:
as suitable for some niche uses. However,
Omer Ben-Shalom Equivalent controls can be, and are,
Intel’s environment is 80 percent mobile, and
Principal Engineer, Intel IT implemented on PCs—without giving up the
most of Intel’s users require the functionality
functionality that is sacrificed with the thin-
and flexibility of mobile business PCs.
John Dunlop client model. Where such controls have not been
Mobile business PCs also position us to take
Enterprise Architect, Intel IT implemented holistically on either thin clients
advantage of emerging technology trends
or PCs, the reason is often because they place
and service delivery models.
Jerzy Rub unacceptable restrictions on user productivity,
Information Risk and Security Manager, Intel IT not because of the client architecture.
2. IT@Intel White Paper Evaluating Thin-Client Security in a Changing Threat Landscape
Contents BACKGROUND CLIENT SECURITY
Executive Overview............................. 1 Intel IT supports a very large enterprise ANALYSIS
environment, with about 83,500 We analyzed security controls
Background ............................................ 2
employees spread across 61 countries. commonly associated with thin clients
Client Security Analysis...................... 2 Intel depends on its employees for along with their value in the evolving
Security Controls Typically business innovation that enables threat landscape. We assessed
Associated with Thin Clients .......... 2 the company to grow and continue whether they would have prevented
Mitigation Value of to create a competitive advantage. To or mitigated targeted zero-day attacks
These Controls................................... 3 foster this innovation, Intel IT provides such as the recent exploits at other
Availability of Security about 80 percent of employees with high-profile Web sites. We then
Controls on PCs ................................. 4 mobile business PCs. analyzed whether similar controls can
Thin-Client Security Concerns ....... 4
be applied to PCs.
The cyber threat landscape has been rapidly
Security In An Evolving
evolving, with an increasing shift towards
Threat Landscape ................................ 4
zero-day attacks, which target previously Security Controls Typically
Meeting Intel’s Enterprise Needs .... 5 unknown vulnerabilities within hours of Associated with Thin Clients
discovery. Some recent attacks on other high- We identified five main attributes that are
Future Positioning ............................... 6
profile Web sites have exploited previously commonly perceived as security advantages
Dynamic Virtual Client ...................... 6
unknown vulnerabilities in common client in thin clients:
Conclusion .............................................. 7 software such as Web browsers. • Physical data loss prevention. With thin-
For More Information .......................... 7 Intel IT’s security team continuously monitors client models, storage is restricted to the
this threat landscape and regularly analyzes data center, reducing the risk of physical
Acronyms ................................................ 7 data leaks. In addition, thin clients often
how our business and compute models match
up against it. Recent cyber-attacks on some lack ports for attaching external media or
high-profile targets caused us to re-evaluate USB memory sticks, further reducing the
the security offered by the thin-client model. ability to copy data directly from the client.
We also wanted to investigate whether thin • Non-privileged users. User administrative
clients could help defend against similar privileges are removed, reducing the
attacks in the future. ability of exploits to change system files
After analyzing these thin-client attributes, and settings.
we examined whether similar controls can • Restrictions on user-installed
be applied to PCs. Then we considered applications. Users are not able to install
our findings from the perspective of the additional applications that would enlarge
IT@INTEL overall Intel IT client strategy, taking into the attack surface of the client machine or
IT@Intel is a resource that enables IT account enterprise user needs and emerging infect the system with malware.
professionals, managers, and executives
technology trends.
to engage with peers in the Intel IT
organization—and with thousands of
other industry IT leaders—so you can
gain insights into the tools, methods,
strategies, and best practices that are
proving most successful in addressing
today’s tough IT challenges. Visit us
today at www.intel.com/IT or contact
your local Intel representative if you’d
like to learn more.
2 www.intel.com/IT
3. Evaluating Thin-Client Security in a Changing Threat Landscape IT@Intel White Paper
• Client integrity. All clients are maintained of users’ remaining privileges to gain • Client integrity. Applying consistent,
in a consistent state, based on a known access to other systems and any data to up-to-date patches is generally easier
configuration baseline. New patches can be which the user has access. Furthermore, with a centralized image, as used in the
rapidly and consistently applied by patching removing users’ administrative rights has thin-client model. However, it would not
server-based images. no protective effect if the exploited service have prevented the attacks, because
• Ability to roll back to a known good is running as a system process rather than zero-day attacks target previously
state. With thin clients, this can often be as a user process. unknown vulnerabilities.
achieved by rebooting or reloading previous • Restrictions on user-installed • Ability to roll back to a known good
versions of a single virtual container file. applications. These restrictions can help if state. Rolling back the client system using
they prevent installation of non-essential a server-based client image would not
Mitigation Value of applications that could be targeted. However, have helped in recent attacks. The initial
These Controls recent exploits have targeted ubiquitous, compromise provided access to Web-based
We found that while these controls can essential applications such as Web browsers. services and accounts, and rolling back
contribute to a more secure environment, they Furthermore, it is much more difficult to the system after the compromise would
would not have provided significant overall restrict users’ access to malicious Web sites not have removed this access. In addition,
protection in the recent zero-day attacks. or prevent them from running undesirable since the attack exploited an unknown
• Centralized data storage. Traditionally, Web services than it is to prevent them from vulnerability, the system could have been
data theft involved using a device to copy installing software on a business PC. just as easily recompromised.
data physically stored on the system.
However, today’s thefts typically take
place over networks, as shown in Figure 1.
The restrictions imposed by thin clients do Modern Thief
Using thin clients does not prevent
nothing to prevent this. All thin clients have theft of data over networks.
Internet Browser
fast network connections and most have
Internet connections. Attackers can use
Data Server
these fast networks to rapidly transmit data
from the server through the firewall.
• Non-privileged users. Removing users’
administrative rights may reduce the Traditional Thief
Physical intellectual property
impact of an infection and make it more theft can be prevented in some
cases by using thin clients.
difficult for malware to spread to new
Terminal
systems. However, it cannot always Data Transfer
prevent the initial compromise, and unless Network
extreme restrictions are imposed, attackers
may still be able to avail themselves Figure 1. Thin clients can help prevent physical theft of data from clients; however they do not
prevent theft over networks.
www.intel.com/IT 3
4. IT@Intel White Paper Evaluating Thin-Client Security in a Changing Threat Landscape
Availability of Security business PCs. Intel maintains standard, evidence is mandated in some cases. Rolling
Controls on PCs centrally managed system and application a thin-client system back to a known good
We determined that we could, and indeed do, images. These are updated regularly and build, by rebooting from a server-based image,
provide equivalent controls on PCs—without used whenever rollback is necessary. may actually have the negative effect of
giving up the functionality lost with the destroying this vital evidence on the client.
Intel IT currently is able to quickly deploy
thin-client model. We have not implemented patches to maintain client integrity, and the
these controls holistically, but we have used most time-consuming aspect of the process
individual controls where appropriate. is testing and validation of a new patch, not
SECURITY IN AN EVOLVING
To prevent physical data theft, Intel uses actually deploying it; the time required to test THREAT LANDSCAPE
full disk encryption and enterprise rights and approve would not change in a thin-client As the threat landscape mutates
management tools. These methods can be environment. With PCs, patches can be rolled toward targeted zero-day attacks, we
supplemented with global domain policies or out in waves to increasing numbers of users need to adapt by taking a different
physical system modifications to lock down, to mitigate potential problems introduced approach to security. In this landscape,
encrypt, or restrict the use of USB memory with the patches; updating all clients at once IT security professionals need to
and other external storage devices. In addition, can itself be a risk. assume that clients are vulnerable—
folder redirection can be used to store data whether they are PCs or thin clients.
in the data center, either exclusively or as a
Thin-Client Security Concerns
There are also security concerns related Frequently, attackers use custom malware;
mirror of the data on the client. The latter
to the thin-client model. Centralizing this is unlikely to be detected or prevented
approach supports mobile computing.
applications and data also centralizes the using traditional methods. Attacks typically
The decision about whether to assign focus on ubiquitous components that
threat: A network of thin clients provides
administrative rights to users is not specific exist on both PCs and thin clients, such as
many access points to servers storing shared
to thin-client models. Many tools are available essential business applications, the OS, or
data and applications, with the associated
to remove the administrative privileges of parts of cloud-based services.
risk that compromise can affect the entire IT
mobile business PC users. If requirements
infrastructure. Some thin-client models can Detection requires more sophisticated
dictate that PC users receive administrative
also increase the risk of business disruption if behavioral analysis for user access and rights
rights, third-party software packages can be
an outage occurs within the central network utilization, including a more balanced mix of
used to manage these rights and to restrict
resources upon which the thin client depends. detective and corrective controls.
users from installing applications or carrying
out other activities unless each action is Centralizing all data, including personal data, Both types of controls may actually be
specifically permitted by IT administrators. introduces new privacy concerns, with an easier to implement using new platform
Intel uses multiple methods to restrict increased risk of infringing government technologies—such as Intel® Virtualization
administrative access and users’ rights. regulations in some countries. Thin- Technology (Intel® VT-x), Intel® Virtualization
client models can also have unintended Technology for Directed I/O (Intel® VT-d),
Centralized management of a common OS
consequences for data leakage; for example, and Intel® Trusted Execution Technology
or application image is not unique to thin-
we have found that users of thin clients (Intel® TXT)—or separate physical hardware
client computing. For example, streaming
are more likely to print paper copies of rather than a shared virtualized server-based
allows centrally managed OS and application
information that can then be disclosed to environment, which is what the thin-client
images to be shared by multiple desktop PCs,
unauthorized parties. model essentially uses.
and anticipated future capabilities include
centrally managed virtualized clients that To respond to a security breach, security For example, an attack originating within
are downloaded to users’ PCs. In addition, professionals need to know which systems one virtual machine (VM) running on a
technologies from several companies can were compromised and when the compromise server may target another VM on that same
be used to implement system rollback on first occurred. In fact, preservation of such server in what is known as a VM escape.
4 www.intel.com/IT
5. Evaluating Thin-Client Security in a Changing Threat Landscape IT@Intel White Paper
Reliable preventative and detective controls, future enterprise needs. This analysis some personal applications (Intel, like many
analogous to network or host-based intrusion was based on business requirements other companies, permits reasonable use of
prevention systems (NIPS or HIPS), do not and technology trends as well as corporate resources in this way).
yet exist in the VM management layer to security concerns.
Another important advantage of mobile
help protect against this sort of attack. By
business PCs is that they support all service
distributing the execution of the VMs to We found that mobile business PCs
delivery models. Our strategy includes a
separate client devices, or using technologies support the widest range of uses and
growing number of services delivered from
on the platform to provide the hardware therefore meet the requirements of most
internal and external clouds, and we are
isolation, the risk of this sort of attack is Intel employees.
exploring new delivery models such as
greatly diminished. Locally installed applications, combined application streaming. Equipping users with
with local processing power, provide users mobile business PCs means they can run any
with increased flexibility to work anywhere, mix of these models while continuing to use
MEETING INTEL’S including locations without network access. conventional locally installed applications, as
ENTERPRISE NEEDS This also means users retain some computing shown in Figure 2.
capabilities in the event of a disaster. Mobile
After determining that thin clients In contrast, thin clients have significant
PCs support compute-intensive applications
would not have prevented the recent limitations. Often, there is limited support for
and rich media for communication, including
zero-day industry attacks—and mobile computing or working offline, and users
video and Voice over IP (VoIP), collaboration,
that similar security controls can be cannot effectively run bandwidth-, graphics-,
training, and research. Users can run a
implemented with PCs—we analyzed or compute-intensive applications.
wider choice of software applications,
which clients best fit Intel’s current and
including business applications as well as
External Cloud Internal Cloud
Software as a Service (SaaS) Applications
Remote Access
• Staffing • Travel and Portal Services • Messaging and Collaboration • Productivity Applications
• Benefits • Stock Infrastructure • Security and Virtual Machine
• Expense • Other SaaS Applications • Enterprise Applications Policy Control
• Social Media/Web 2.0 • Hosted Web Applications • User Profile Management • Application Delivery and
• Hosted Web Applications Management
Service Delivery Models • Primary Data Storage • Workspace/Container
Installation Kit/Software Provisioning and Management
Provisioning, Streaming,
Native Web, Rich Internet,
Remote Execution
Profile and Data
Synchronization
Peer-to-Peer Networking
• Locally Installed Applications
(Office Productivity, Antivirus, and More)
• Offline Application Cache
Mobile Business PC • Encrypted Data Cache
Figure 2. Mobile business PCs can support all emerging service delivery models while continuing to run conventional locally installed applications
www.intel.com/IT 5
6. IT@Intel White Paper Evaluating Thin-Client Security in a Changing Threat Landscape
Our analysis has also shown that thin clients FUTURE POSITIONING client solutions that fit the needs of different
require significant additional server capacity, enterprise users.
Looking forward, our client strategy
as well as increased bandwidth across the
must continue to keep pace with Dynamic virtual client (DVC) is one option we
network supporting the connected users.
security requirements, enhance are considering. See “For More Information”
Because of these limitations, we have employee productivity, and reduce IT at the end of this paper for discussions of
determined that thin clients may be suitable costs. At the same time, we need to other solutions.
for only specialized use cases, such as manage added complexities such as an
call center terminals, shared kiosks, or increasing number of devices per user, Dynamic Virtual Client
manufacturing controllers. However, for these a diversification of form factors, and DVC—a virtualized PC environment delivered on
use cases, our analysis suggests that OS the adoption of consumer technologies demand to clients running native (Type 1) high-
streaming to PCs may be a better fit for us within the enterprise. security hypervisors—is a key element of our
than using thin clients. This is because PCs client strategy. This solution is shown in Figure 3.
execute their workloads locally, providing We plan to take advantage of new technologies,
We believe DVC will deliver several advantages,
greater responsiveness and a better user computing models, and service delivery
including device-independent mobility.
experience; also, less server and network methods to reconcile these seemingly
Users should be able to download and run
capacity is required. conflicting requirements. We are planning a
their virtual containers on a variety of client
segmented approach that includes a range of
hardware, with better separation of business
and personal workspaces on the same system.
Cloud Computing
• Virtual Machine Policy
Management Server
• Streaming Management
• Data Storage and Management
Virtualized Virtualized
Mini OS IT OS
Virtualized Service Applications IT Applications
Personal OS Voice over IP User Corporate Data
User Applications
User Personal Data Virtualized IT Client Service and Management OS
Client Native Hypervisor
BIOS/EFI supporting Intel® vPro™ Technology with Intel® Virtualization Technology
Platform Hardware
Figure 3. Intel IT is investigating a dynamic virtual client (DVC) solution.
6 www.intel.com/IT
7. For specialized niche uses where it is feasible Taking into account functionality and
to implement all the required controls, we performance as well as enterprise security, ACRONYMS
are considering OS streaming to provide we have found that mobile business PCs DMA direct memory access
high-availability, fully managed, and tightly support the widest range of uses and DVC dynamic virtual client
controlled desktop PCs. Streaming to PCs therefore meet the requirements of most
HIPS host-based intrusion
allows us to reap the benefits of centralized Intel employees. Because mobile business prevention system
management, with server-based OS images PCs support all emerging service delivery NIPS network intrusion
shared among many desktops, without the and computing models, they also position us prevention system
performance sacrifices associated with thin for the future. The limitations of thin clients SaaS software as a service
clients. With PCs, the workload executes make them suitable only for specialized niche
Intel® TXT Intel® Trusted Execution
locally, providing better performance; also, uses in our environment. Technology
less server and network capacity is required. Intel® VT-d Intel® Virtualization
Technology for Directed I/O
FOR MORE INFORMATION Intel® VT-x Intel® Virtualization
CONCLUSION Find additional IT@Intel white papers Technology
We determined that while the controls at www.intel.com/IT. VM virtual machine
often associated with thin clients VoIP Voice over IP
can contribute to a more secure • “Enabling Device-Independent Mobility
environment, they would not have with Dynamic Virtual Clients”
provided protection against recent • “Better Together: Rich Client PCs and
zero-day attacks. In addition, these Cloud Computing”
controls are not unique to thin clients: • “Developing an Enterprise Client
They can be, and are, implemented Virtualization Strategy”
on PCs using other methods, without
• “Improving Manageability with OS
giving up the functionality that would
Streaming in Training Rooms”
be sacrificed with the thin-client model.
For more straight talk on current topics from Intel’s IT leaders,
visit www.intel.com/it.