Serverless Thin Client
- 1. Eugrid SecureClient and Mobile Option Thin Client that Utilizes Existing Computers without Modification 1. Present Situation Leakage of personal information continues to pose a problem in all ages. Just recently, a foreign engineer working as a permanent staff at a manufacturing company tried to take out a large amount of highly confidential technical information and take it back to his home country. The exposure of this incident appalled the manufacturing industry. As you can see from this incident, the risk of information leakage is increasing more than ever in every corner of the society. Although the thin client system, either server-based, blade or remote-boot, is one of the ideal solutions that protects intentional leakage of information, there are several defects such as: • The cost of installation including necessary hardware is highly expensive. • Existing computers become unnecessary. • Lacks flexibility as the security level is difficult to adjust according to the change of situation. 2. Problems and Objectives To prevent information leakage from a large number of PC already installed in a company is not an issue limited to special sectors such as financial institutes. It is a social issue that intimidates all types of companies. Therefore, the introduction of a security solution equivalent to the current thin client that can readily be installed in ordinary companies at lower cost has been aspired. Eugrid SecureClient was developed to provide high security to a wide range of sectors including ordinary companies and schools without a large amount of investment. Another objective of the development was to increase the security of mobile computers to the level equivalent to that of thin client, which was impossible with the conventional technology. 3. Difference with Conventional Technology The conventional thin-client solution is a highly expensive solution as it requires the installation of new hardware. It was therefore installed by only some companies where security is a primary issue, such as banks and financial institutions, which can invest a large amount of funds. E GRI e u e l n U DS c rCi t e Eugrid SecureClient utilizes ordinary No need Data & Environm ents ronm ents C enter D ata & Envi Functi i es onalti computers and file new Severs servers that are O S, A ppli on i on cati O S, A pplcati currently being used Data Softw ares Softw ares without having to make any C lent i C PU and Hardw are CPU and Hardw are Functi i es onalti modification. It Exi ng PC sti realizes a simulated Continue to use Displ & K eyboard Di ay & K eyboard splay 1
- 2. security level equivalent to that of the thin client by imposing software restrictions to enhance security of the existing hardware resources. The most important restriction feature that forms the basis of Eugrid SecureClient is the write-protect feature that nothing leaves traceable information of user data in the internal disk of the computer. This restriction will always be active when the computer is connected to the internal LAN, WAN or when using USB flash drives outside the company. Windows and all the other applications that have been used on the computer will remain installed on the internal hard disk, and can be started from the internal hard disk as before. “Information that does not exist cannot be leaked” – this principle of thin client is realized by preventing information from being saved under the control of the user. 1. Writing on to the internal hard disk of the computer is restricted. 2. While the use of Desktop and My Document area is authorized to the users and applications without restriction, the actual information is stored automatically in the center-controlled server. This virtualized redirection feature is activated dynamically when the user logs on, and deactivated at the logoff. No footprint including the information itself and the access path will remain on the computer. As a result, there is no information on the computer that can be leaked. As the result, Eugrid SecureCliet doesn’t need any server resources in the data center except storage devices. This can give great merit to the company. 2
- 3. Current thin client solution Eugrid SecureClient File Server File Server Full employ P ’s C U C P N need Servers o VPN VPN D t aa P 、 S、 pplications CU O A However, this feature alone will allow leakage if the data is opened using the application and stored in an external storage media. Following restriction features are mounted to prevent such leakage. It is also possible to place limitations such as restricting unnecessary modification of settings or prohibiting printing. 1. Restrict the use of external storage media such as USB flash drive, FD and DVD 2. Prohibit printing 3. Restrict the use of original Windows features that allow selection from the Start menu, etc. 4. Restrict startup of applications installed in the computer 5. Restrict network connection Synchroni ng w i O U of A D zi th Si plfi Secure m i ed& Usabii Effi ency lty& ci Cal Center O perators l Part ti e w orkers m R egal Em pl oyees 4 2 2 2 3 3 3 1 1 1 1.M em ory M edi a 2. Pri nter 3. Wid wsU no I 4. A pplcati i ons 3
- 4. These features operate with Microsoft’s Active Directory (referred to as AD hereafter), which is a tool that controls the users centrally and allows the above restriction conditions to be set according to each organization unit (OU). The above settings can be modified any time by the administrator according to the location, authorization level of the user and the information to be handled. Unlike the rigid structure of the conventional thin client, it is possible to optimize the security level while considering the convenience of the user. 4
- 5. 4. Advantages of User While the user can use the existing computer with the same convenience as before, all the information belonging to the user will be stored in the central server. Such information will be dynamically accessible from the computer when the user logs on and become completely detached from the computer when the user logs off. In other words, unlike conventional computers, the relationship between the computer and the user is detached and independent. The user will have the following advantages: 1. The same computer can be shared by multiple users thereby promoting the effective use of the computer and decreasing the number of necessary computers. 2. Shared computers placed in meeting rooms, etc., can be used under your own system environment. Users can use the computer placed anywhere as your own computer. 3. Even if the computer breaks down, you can replace it and immediately restore it to provide your own system environment without interrupting business. 4. There is no need to delete data when disposing computers thereby reducing administrative cost and lowering risk of leakage. 5. When converting the existing system environment into thin client, the information inside the computer is automatically transferred so that installation and conversion costs can be kept to minimum. 5. Data free working environment When using this solution, the control center administers all the data inside the all computers, therefore assuming the role of a powerful infrastructure that supports IT Governance and SOX compliance. C P environment IDC D free w ata orking space Centralized Data Manag ent em Offshore Home Headquarter All PC data VPN LAN/WAN Enterprise backup, User can use normal PC as is Monitoring and Control 5
- 6. 6. Mobile Option Laptop computer is an important tool for corporations to enhance customer service and to accelerate business speed. However, it entails high risk of information leakage and the consequence, if information is leaked from the computer, is enormous. Conventional thin-client solutions, regardless of the method, require network connection, and there is a large gap between the needs of the users that seek to use their computer anywhere they want. Eugrid SecureClient’s Mobile option allows safe use of computer outside the company even when network connection is unavailable. This is possible because the system environment of the user as well as necessary operation information of the user that are stored in the file server of the control center can be taken out as a unit using the USB flash device, and the device can be connected to the computer and used anywhere. The restriction conditions for outside usage set by the information administrator will be applied so that the data taken out is guaranteed to be handled under the environment intended by the information administrator. The aforementioned feature of Eugrid SecureClient that leaves no footprint in the computer also applies to the mobile option as all the information is stored in the USB flash device. Therefore, as long as you do not carry both the USB flash device and the laptop in the same bag, there will be no risk of information leakage even if the laptop is stolen or lost, as there is no information stored inside. Out side of Company Inside of Company Outside Policy Policy Inside I nternal R ul e Sw i tch External R ul e No footpri nt No Data The USB flash drive is encoded with 256 bit AES. In addition, our unique security provides an additional feature that forces the “reformat” dialog to appear on the display when the stolen or lost USB flash drive is connected to the computer of the finder. The USB flash drive, therefore cannot be used unless it is reformatted. Consequently, the information stored in the stolen or lost USB flash drive will be deleted before it can be accessed. 6
- 7. 7. Mobile Option Merits This mobile solution consists of a combination of the server located in a secure area within the company and the USB flash drive. This combination realizes unprecedented security in mobile usage. 1. There will be no risk of information leakage as no footprint will be left in the laptop computer used outside the company. 2. The USB flash device, which stores user data and system environment as a set, can be connected to any computer installed with Eugrid SecureClient client software. The user’s own system environment will be restored upon logon. 3. Severe policy, independent of the policy inside the company, can be applied for usage outside the company. 4. The data taken out in the USB flash device will always remain original data on the server inside the company, so that you can keep track of the exact content of the information in case the USB flash device is lost or stolen. 5. The log data of the client computer inside and outside the company will be compiled on the server. 6. Information stored in the USB flash device will be deleted before it can be accessed if it is used in an inappropriate way. 7