Encryption software is very useful when laptops get stolen, but does it have a place if a computer is being used as a thin client? That's the question that came to mind when I read about Chorley Council in the UK.
According to the Chorley Guardian, "Officials at Chorley Council have been left red-faced after forking out £14,000 on new laptops to improve security--only for the whole lot to get stolen." The computers were brand new, so there was no information on them. However, the words "to improve security" caught my attention. How were the new computers supposed to improve security? Did they come with built-in disk encryption or what?
The product that's supposed to provide the security is not actually mentioned, but I did get a hint:
...the laptops only work if they are logged on to the council's own Citrix mainframe computer system and [Council Chief executive Donna Hall] added: "Anyone who gets one under their Christmas tree will be disappointed."
I've done some research online, and as far as I can tell, the security was supplied by using the laptops as dumb terminals: they connect to a council server that doles out the information as necessary via a window to a working environment on the server itself (in other words, virtualization, something Citrix excels at).
This is an excellent way of providing data security. The idea is, if nothing is saved on the laptop itself, then losing it doesn't compromise any sensitive data. However, it does revolve around the observation "if nothing is saved."
A person may or may not have legitimate reasons for downloading information locally. The Citrix software probably has controls in place to disallow such actions, but there are ways to get around it.
For example, if I take a screenshot of my screen and save that file locally, and the computer gets stolen, that's a breach. Since there's nothing preventing access to the computer--such as a password-prompt for accessing a device with endpoint encryption--any thieves would be able to get into the computer and open that file (and in this day and age, they will do that). We're assuming, of course, that worthwhile data such as personal information was the reason behind taking the screenshot.
Now, why would anyone in their right mind take a screenshot of sensitive data? Well, since this laptop acts as a dumb terminal (if you prefer, a thin client), it requires some kind of connection to the servers for information to be available. What if the person is going to a place where there isn't any such connectivity, and knows it? He can ditch the laptop and grab a notepad, or he can take the laptop and have the necessary information locally, on his laptop.
There are ways to turn off built-in functions like screen grabbing. But free software that does the same is available as well, and the user could install it. One could prevent the installation of such software, but then it could be run off a USB memory stick. One could prevent the use of memory sticks...and so on and so forth.
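Whichever control gets bypassed, the result is the same: an image file sitting on the local disk. The following is an added example, not part of the original post, of how an administrator could test the "if nothing is saved" premise on a returned thin-client laptop by looking for image files by content rather than by extension. The function names and the sample profile are hypothetical and constructed for illustration.

```python
import os
import tempfile

# Leading bytes of common screenshot formats, matched regardless of extension.
# "BM" is only two bytes, so treat bmp hits as leads rather than proof.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF89a": "gif",
    b"BM": "bmp",
}

def sniff_image(path):
    """Return the image type found in the file header, or None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return None  # unreadable file: skip it rather than abort the audit
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None

def find_local_images(root, since=0.0):
    """List (relative path, type) for images under root modified at/after `since`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = sniff_image(full)
            if kind and os.path.getmtime(full) >= since:
                hits.append((os.path.relpath(full, root), kind))
    return sorted(hits)

def build_sample_profile():
    """Constructed sample data: a fake user profile containing three files."""
    root = tempfile.mkdtemp(prefix="thinclient_")
    samples = {
        ("Desktop", "capture.png"): b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        ("Documents", "notes.txt"): b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # JPEG renamed to .txt
        ("Documents", "readme.txt"): b"plain text, not an image\n",
    }
    for (folder, name), data in samples.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, kind in find_local_images(build_sample_profile()):
        print(f"{kind:5} {rel}")
```

Passing the laptop's provisioning time as `since` limits the report to files created after it was handed out.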
Me, being pragmatic, I would just use encryption to protect the disk and call it a day. Of course, that doesn't mean I'm going to retire my antivirus software or not pay attention to what I'm doing, such as leaving my laptop unprotected. All I'm saying is, there are several ways of skinning a cat, and I tend to opt for what's simplest yet effective.
Related Articles and Sites:
http://www.chorley-guardian.co.uk/chorley/Thieves-steal-31-laptops-in.5792715.jp
http://www.chorleycitizen.co.uk/news/4717329.31_computers_stolen_from_Chorley_council_offices/