news / tech talk

A common concern of many businesses is maintaining the integrity of their network while permitting remote access to their employees while traveling or from home. This is of particular concern when a business must maintain stringent protection of sensitive data like medical information, personal identifier information, and credit card numbers or face significant financial and reputation repercussions. Many businesses mandate use of company assets for remote access through a VPN to control what types of systems are permitted to connect into the internal network. This is fine for “road warrior” employees who are equipped with laptops but many businesses typically provide workstations for employees yet need to allow occasional remote access.

One solution that provides secure remote access is “thin client” technology. There are many types and forms of “thin client” solutions but in general they operate by re-displaying the computer window of a system at the office onto a remote user’s computer. This provides the user with the display of a computer at work but doesn’t really allow the remote computer onto the network with all ports and protocols available. From a security perspective, this provides many advantages. An employee typically has exactly the access they need but they are not really introducing a risky computer (for example, a family computer) onto the internal network. Further, the office system that permits this type of remote access can be configured to log actions taken when used remotely. Finally, most thin client communication technologies have an encryption option that ensures the remote access is protected for privacy.

As usual with security, thin client technologies are not a panacea. The business owner must consider what to allow and take steps to carefully ensure privacy (encryption), authentication (identification and authentication via login/password, token/pin, etc.), and authorization are implemented within a thin client solution. For example, permitting employees to connect to internal workstations via Microsoft’s Remote Desktop Protocol (RDP) with a login/password authentication is still a risky proposition since the remote computer may have a key logger program that would then allow an external attacker to login remotely too.

Nevertheless, thin client can provide a more protected alternative to remote VPN access if implemented correctly. For example, a business might allow accounting employees to remotely connect to a VNC server with a one-time password solution and auditing enabled. The VNC server is restricted to only the accounting network and has auditing enabled to log whenever a user logs in and what actions they take. Using a commercial product like Citrix permits even more granular security controls and access to applications on a per-user basis. Another benefit of these types of technologies is that when an expensive application is loaded on a system at work, it can be shared through re-display even if the application is not itself enabled for network use.

Many businesses use thin client technology to allow a 3rd party partner to have very limited access to specified information without having to supply the partner with real access into their network. As always, carefully consider the business requirements, risks, and benefits before investing in any technology but keep the thin client option in mind for a secure and maintainable way to provide remote access to employees and partners.

Lee Le Clair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business