Securing Virtual Workspaces with Praim ThinOX
No longer are the majority of workers driving into the office. The remote workforce has taken shape and is a trend that will undoubtedly continue. As a result, businesses have had to shift their infrastructure to support a largely remote workforce. With the new hybrid workforce, security is now front and center as companies have settled into the “new normal” for the long haul.
After initially quick and “temporary” configurations, organizations have had to revisit their remote workforce cybersecurity posture and ensure it is adequate to withstand the attacks that cybercriminals are increasingly mounting against organizations. Now, end-users access virtual workspaces from their local, private (and less protected) device and network instead of physical office workstations on the secured and continuously controlled corporate infrastructure.
Let’s see how organizations can secure their virtual workspaces with Praim ThinOX4PC and enable businesses to provide secure thin clients VDI for remote workers.
Virtual Desktop Infrastructure (VDI) secure access
Many organizations use virtual desktop infrastructure (VDI) environments to provide a virtual workspace for end-users. Businesses are using a variety of VDI solutions, including VMware Horizon, Microsoft Remote Desktop Services, Citrix, and many others. While VDI can be built out with security in mind, another piece of the puzzle is the thin client or end-user device used to connect to the VDI environment.
Providing secure end-user devices that are used to access the environment helps to prevent attackers from providing secure end-user devices that are used to access the centralized environment helps to prevent attackers from compromising the client device. For example, many businesses may issue Windows laptops or desktops as a client platform connecting to the VDI environment. Other companies may decide to allow “bring your own devices” (BYOD), which brings its own set of security challenges and risks.
Providing users with a secure thin client enables users to access remote virtual workspaces, including VDI environments, without the security concerns with Windows devices issued to users. Additionally, providing a corporate managed Windows client simply to access a VDI environment is enormously expensive. In this case, businesses have taken into account higher hardware costs (to support the minimum performance requirements of Windows) and also the specific software license costs of using Windows clients for access.
Praim ThinOX – secure remote access
What is Praim ThinOX4PC? It is a thin client operating system built with security in mind. In addition, it is a centrally manageable, and performant platform built on x64 CPU architecture especially thought for VDI support. So, it provides businesses with fast, secure access for remote users. Indeed, Praim ThinMan Server delivers the missing link to manage your Praim ThinOX devices from a centralized management console.
ThinOX has been built from the ground up with security in mind. Built using a hardened Linux operating system,
ThinOX has been built from the ground up with security in mind. Built using a hardened Linux operating system, ThinOX instantiates itself as an immutable environment without privileged network access to the corporate environment. It only loads a core set of drivers and components needed for ThinOX to operate, making it difficult for an attacker to compromise it. In addition, the system image is continuously checked for integrity using an MD5 checksum. Using ThinOX, end-users can access the VDI environments assigned from the secure environment provided by ThinOX.
Due to the hardened Linux environment preventing users from installing software eliminates the need to install antivirus software on end-user clients. As a result, the ThinOX Linux is far less susceptible to malware such as ransomware, trojans, and potentially unwanted programs (PUPs). Again, Praim has purpose-built the Linux distribution to combat the normal threats associated with end-users using Windows clients to access business-critical environments.
One of the significant benefits of ThinOX is the read-only file system instantiated at system boot. Any changes are written only to RAM with no changes written to disk. The ThinOX write filter explicitly prevents users from tampering with, changing, or writing files to the ThinOX system disk, so that the system remains clean and consistent at every reboot. ThinOX is hardened from a network perspective, and IT admins can turn SSH or other features (such as WiFi connection) on or off, depending on their configuration to support end-user needs.
Praim ThinMan Server management
Even with impressive security features and performance, admins need to manage the solution seamlessly. Keeping all the devices updated and uniformly aligned with the corporate infrastructure policies is the first step. Praim ThinMan Server allows organizations to manage all their ThinOX devices from a centralized console connection. Using ThinMan Server, businesses can perform the following:
- Remote access and assistance
- Define and automatically assign user and device policies
- Upgrading firmware and send packages or commands
- Backup and replicate configurations
- Schedule activities and control power management
- Define authentication policies
Praim has engineered the ThinMan Server connection for diverse, hybrid workforce connectivity. The only port required for ThinMan communication with ThinOX devices is the standard TCP port 443. The simplified network requirements allow organizations to support and manage remote thin client devices without worrying about connectivity concerns. Moreover, thanks to its Remote Console, also the IT admin staff can access ThinMan functionalities from the Cloud and remotely perform control activities.
IT admins can see all managed Praim ThinOX devices listed in the Devices dashboard. In addition, it allows efficiently managing, configuring, and assisting users across the entire estate of remote devices.
Flexibility for BYOD
In addition to providing a secure and performant environment for end-users, Praim ThinOX is a flexible platform that can be used to provide its capabilities both on the Praim’s thin client or used to turn end-user hardware (other party thin clients, PC or laptops) into a secure Linux workstation without overwriting the contents of the user hardware. How does this work?
IT departments can provide end-users with a ThinOX4PC Live USB key (instead of a full device). The user can boot the ThinOX4PC system directly from the USB disk on any hardware, including their own personal devices (like in the BYOD approach). The Live USB key environment includes everything needed to connect securely to the sanctioned virtual workspace, including VDI connections back to the corporate office.
In the example below, the ThinOX environment has a preconfigured connection for VMware Horizon that allows the user booting into the ThinOX secure environment to have connectivity back to the corporate office. ThinOX can be configured to directly run the virtual session on startup as well, redirecting the user to its remote desktop.
ThinOX4PC can also be permanently installed on the device disk. For organizations who wish to use a dedicated thin client device for end-users (such as all-in-one devices or simple laptops), ThinOX can also be used as the thin client operating system.
ThinOX with ThinMan Server – All-inclusive solution for securing virtual workspaces
As mentioned, ThinOX combined with ThinMan Server is a “one-two punch” for securing virtual workspaces. To recap, the advantages provided by using Praim ThinOX and Praim ThinMan Server together for secure remote access include:
- ThinOX integrated with ThinMan Server provides efficient scalability, allowing the management and automation of hundreds or even thousands of remote clients
- Organizations can adopt a “zero-config” configuration with remote ThinOX devices where the ThinOX device at start-up pulls down a configuration from ThinMan and configures the device according to the specific requirements/needs of each (group of) user(s)
- ThinMan management also offers the ability to:
- define, modify and distribute in an instant the virtual resources on which the workstations will work
- configure the device directly from ThinMan and replicate (apply) the new configuration to the other devices
- customize the operating mode of the devices/users by creating groups to which different configurations can be applied
- obtain Remote Assistance from the company helpdesk.
Today, organizations are tasked with supporting remote workers, wherever they are located, and empowering them with the business productivity tools needed to carry out tasks. The new distributed, hybrid workforce has created new challenges in effectively securing business-critical data, broadening the boundaries of the corporate IT infrastructure, and requiring to loosen the security policy to include a connection from remote locations (on local private networks) and personal devices. Even with secure VDI platforms, using insecure remote clients to connect to the VDI environment opens a company up to the possibility of stolen credentials, leaked data, or having malicious software residing on the same computer accessing company resources.
The Praim ThinOX platform allows businesses to close the security loop by securing the endpoints used to access VDI environments and providing an effective way to manage, configure, and offer support for the entire landscape of remote clients.
To learn more about how you can use Praim in your company to provide secure, robust connectivity to your VDI environment, visit the Praim website here: Thin Client Solutions for Endpoint Management | Praim