Endpoint security is the securing of endpoint devices that act as gateways to corporate networks. Why secure endpoints? These endpoints can be vectors for attack by malicious code or potential points of data leakage, to maintain a compliant environment these devices must be secured.
Nowadays, with more advanced forms of malware and the embrace of BYOD attacks from malicious code and data leakage are big fears for IT security, meaning endpoint security has become a major focus for any IT department.
“Endpoint protection is the foundation, the simple first step that you should have in place regardless of what you do” – Antti Tuomi, F-Secure
Up-to-date security policies – in 2018 a whopping 93% of all breaches could have been avoided if basic cyber hygiene had been in place at the end-user level.
• End-user lockdown – One cannot underestimate the risks unsecured devices pose to end users themselves and the environment, of the above 93%, 11% were directly as a result of there being no way to stop users negligent or malicious activities on the endpoint.
• Resource control– Maintaining constant and complete control over end-user’s resources, ensuring they are not accessing programmes or sites that have not been vetted by the IT department.
• Endpoint Management – Central management of your endpoints allows you to monitor and control devices across your estate, it is also important to keep applications, antivirus, and your endpoint’s operating systems up to date.
In this section, you can find key information and links for different aspects and considerations for endpoint security:
Common questions we see related to security and thin clients, read the full blog here.
The purpose of a thin client is to provide a minimalist device, with lower CPU and memory resources with no local storage, that is used to connect to virtual desktops and apps running in the data centre. It is purely used to connect to these environments. They consume less power, are easier to manage, and provide a better level of security.
Thin client devices are deployed within an organization to support connectivity to virtual and hosted desktops or published apps, providing an extra layer of protection from user-initiated security risks. They do this by preventing end-users from having direct access to the endpoint operating system (if it even has one) and the ability for an end-user to install their own apps or introduce malicious files or data.
One of the ways a thin client makes this possible is by not having its own local storage. As you are accessing a remote session, no data is sent to the endpoint device. The thin client is purely a mechanism to display the screen of the remote session and send back the keyboard strokes and mouse movements. Devices can also be restricted to prevent end-users removing sensitive data as well.
Thin clients can lessen the chances of security breaches in conjunction with virtual desktop infrastructure and app publishing. By centralizing compute resource into the cloud or data centre ensure that they are behind an organisations firewall and network protection. Thin clients then provide a secure endpoint device that is used to access the remote environments.
The thin client device and its operating are isolated from the remote session and prevent users from removing data or introducing malicious files, malware, and other harmful files. As some devices have no operating system then they prevent less of an attack surface for potential hackers. End users are also prevented from plugging in external devices that could not only introduce harmful files but also secure private and confidential information from being removed.
Thin clients are now able to secure the endpoints. In a typical desktop PC environment, other than anti-virus protection, the desktops have a full operating system that end users typically have access to. This means they could install unauthorized applications or copy data to or from the PC potentially causing data breaches.
Thin clients change the security model in that there are no operating systems for an end-user to access and are completely locked down. Therefore, they cannot install rogue or unauthorized apps. It means IT has far greater control over the security of the endpoint than they do in traditional PC environments.
Yes, thin clients can integrate into existing security frameworks. Deployed thin client devices connect to the network and add endpoint protection to the existing network. Existing network policies are also applied to the thin client network, unchanged.
Each industry has its own specific needs when it comes to security, click below to get more information on what ThinKiosk and Secure Remote Worker can do within your industry
In healthcare, IT is required to keep sensitive data secure, while also allowing for quick access by staff. ThinScale’s solutions provide easily accessible endpoints that assist in achieving HIPAA compliance.
For BPOs, agent security is vital and companies who utilize their services expect customer data to be handled by compliant machines. ThinScale allows BPOs to provide cost-effective solutions for personal machines and corporate devices, securing endpoints at the agent level, helping to achieve PCI DSS compliance.
In education, the landscape is changing but budgetary restrictions remain, endpoints must be secured against user/student-initiated risk. ThinScale allows devices to be repurposed and secured, extending device life and ensuring complete endpoint security.
For corporate, enterprise and commercial organizations, productivity is key, users must be given easy access to their corporate resources while also maintaining total security from user-initiated risk and preventing data leakage of customer data. ThinScale provides solutions that support white labeling, providing total control over resources, and complete endpoint lockdown.
Security, reliability, and consistent support is vital for the government and public sector bodies budgetary considerations should also be considered. ThinScale provides cost-effective solutions that assist with GDPR compliance on the endpoint, simple and reliable client experience along with high standards of support from our skilled team.
For MSPs, reducing the time involved in deploying and managing secure endpoint solutions is key, along with ensuring the solutions used are flexible enough to fit multiple customers’ requirements. ThinScale’s solutions provide powerful management through the ThinScale Management Server, allowing multi-tenancy, central software deployment, and more alongside highly secure and flexible endpoint solutions.
BYOD (Bring Your Own Device) is the concept of end-users utilizing personal machines in the workplace. Generally, BYOD is the action of bringing devices into the workplace however BYOD can also be a term used for personal machines being utilized by remote workers. BYOD is on the increase due to the large-scale consumerization of IT and demand from employees. With tangible improvements in efficiency and productivity shown from BYOD initiatives, it is no surprise it is being phased into most companies.
This does pose security issues, data security especially. If BYOD is to be introduced, the IT department needs to find a way to introduce a level of control over BYOD users while not intruding on employee privacy.
Allows the IT team to manage multiple device types, enforce multifactor authentication, push policies & applications as well as providing the ability to remotely wipe the machine in loss/theft scenarios. MDM provides good levels of control, however, they do not do much to prevent against user-initiated risk.
Read more about MDM, what it can and can’t do here.
Resources and corporate network access are made available through a secure company portal. Communication between the portal and the user can be carried out via a VPN for extra security. However, this does nothing to the user’s actions outside of this portal and there could be potential leakage issues due to this.
Secure managed sessions
Allow users to work within specific sessions or instances that they will be locked into and controlled by the IT team when active. On its own this solution runs into similar issues as containerization. However, see how Secure Remote Worker solves these issues and can provide a fully controlled and compliant BYOD environment while maintaining employee privacy.
PCs in the workplace are still an asset and often the cost of disposing a fleet of thick clients and purchasing new thin clients is enough to get people to hold back on upgrading their endpoints. This, however, is a security risk, as users can simply install applications, download files to removable drives or simply access dangerous webpages.
The answer in this scenario is to repurpose your PC. By doing this you can provide your end-users with a secure environment completely managed by your IT team where they can only access the specific resources you want them to work with, nothing else.
Repurposing is seen as a good way of making your hardware resources work harder for you while maintaining security, even If the device OS is outdated.
You have two main options when looking at PC repurposing:
This will replace the underlying Windows OS of your existing PC with a new hardened OS. The OS itself is often Linux based so the security of the solution does depend on the provider. Feel free to check out our free white paper comparing Windows and Linux for a more detailed answer. However, the assumption that a solution is more secure due to a Linux based OS is false and can, in fact, open you up to risks. By the pure number of vulnerabilities, Windows is not even in the top 5, but Linux-based operating systems are 4 out of that 5.
Secure Shell provision
Often in the form of an application, this type of solution will sit on your Windows OS and provide its own user interface, corralling users into its own UI and blocking them from accessing any OS components outside of the application’s framework. This maintains compatibility with applications, hardware, existing antivirus and any security patching that is carried out on the Windows machines themselves.
The modern workplace is anything but static, and workers are no longer tied to the office in the same way they were a decade ago, in many cases employees can work from anywhere! Where natural disasters, pandemics or simply adverse weather conditions used to cause costly downtime for companies, now more and more are seeing the benefit in having contingencies for business continuity in place. However, allowing your employees access to their work resources remotely or at home takes more than simply providing them the URL to access their virtual environment. To maintain compliance and reduce the risk of data leakage or of compromising the corporate network, the end-users devices need to be secured.
With remote and home working for either business continuity or if remote agents are already implemented in your company, you have 2 main routes to take in providing secure endpoints, corporate-owned devices, and personal devices. Both routes require the same amount of scrutiny when it comes to security and compliance.
Corporately owned machines are easier to secure initially, as the company can load whatever software and settings they want before sending the devices out to the end-user. These devices are harder to update and manage, however, and are costly to distribute. Often these devices are only intended to be used as work devices and have policies and lockdowns in place that reflect this.
Personal devices can be used in remote and home working scenarios as well, saving on the logistical costs involved in device distribution. However, more work must be carried out in order to ensure these devices are up to specification and security standards, as well as providing the applications and settings needed to ensure this device can carry out the required work.
Using Secure Remote Worker and ThinKiosk can help you meet policy requirements at the endpoint level. When used as part of an overall plan involving people, content, and strategy you will be able to achieve PCI, HIPAA and GDPR compliance in your environment.
Payment Card Industry Data Security Standard (PCI DSS) is a set of compliance standards focused on security around payment card information. Any company that accepts, processes, stores or transmits credit card information must be compliant with PCI.
“ThinKiosk & Secure Remote Worker, when properly implemented following guidance from ThinScale, can be utilized to meet the technical portions of several PCI DSS requirements for a merchant/service provider”
The Health Insurance Portability and Accountability Act (HIPAA) are a set of standards for those in the healthcare industry who handle or store patient information. Anyone who has access to patient information provides support in treatment, payment or even operations must be compliant with HIPAA.
“The use of a solution such as either ThinKiosk or Secure Remote Worker can help streamline policies and procedures associated with HIPAA compliance by providing a multi-faceted technical solution.”
- Coalfire, leading independent cyber risk management advisors. Read more about HIPAA, and how ThinScale’s solutions help achieve this, here
The General Data Protection Regulation (GDPR) is a data privacy law under the European Union. GDPR governs any entity that collects and uses personal data for any purpose.
“ThinKiosk or Secure Remote Worker, when properly implemented following guidance from ThinScale, can contribute to comprehensive security and privacy program to meet the requirements of the GDPR for protecting personal data.”
- Coalfire, leading independent cyber risk management advisors. Read more about GDPR, and how ThinScale’s solutions help achieve this, here
In this video, ThinScale's Chief Technical Officer, David Coombes, discusses Secure Remote Worker, compliance standards, and business continuity with Andrew Barratt, UK MD and Managing Principal from Coalfire.
“We are installing Secure Remote Worker as our key security enforcement.”
Dev Mudaliar - Global CIO, Teleperformance