Can thin clients be an antidote to the sprawling attack surface?

The thin client has a long history dating back to mainframe technologies developed by IBM and others in the 1960s, where a computer terminal would be connected to a server with very few independent tools, or much processing power. The client, in effect, was a window into the server. 

Today, software as a service (SaaS) and the cloud has transformed how businesses approach IT infrastructure. But desktop PCs are vulnerable, given they have an independent OS, applications, and data stored on local machines. 

We’ve seen Windows PCs in the NHS, for example, suffer when WannaCry hit. The thin client, in contrast, is a node that runs in the virtual segment of the cloud, offering little access to attackers.

Businesses have embraced virtualization and the flexibility the cloud can offer in recent years, especially during the pandemic when workforces retreated to their homes and employees needed to connect to servers remotely. 

In light of surging cyber attacks businesses experience, making remote PCs more secure has become a priority. Using a thin client could be one way to achieve this goal.

Why the public sector might lead the way

The WannaCry ransomware attack targeted Windows PCs, which left many NHS trusts open to attack. Today, organizations like the NHS are at the forefront of the resurgence of thin clients, as Simon Townsend, field CTO at IGEL explains. 

“NHS Trusts are already doing this and have been for some time. Clinicians and other health professionals are all benefiting from using thin clients and some form of Virtual Desktop Infrastructure (VDI),” says Townsend. “It is important to note that many applications used in the NHS are Windows-based – so a thin device alone is not enough. VDI will typically be required, although various web-based applications now allow certain authorized users to use a thin device for this purpose, too.”

All businesses and organizations are collapsing their tech stacks, which have sometimes become unwieldy as hardware and services were rapidly deployed to support workers during lockdown. Now, post-pandemic, enterprises are looking to reduce costs yet improve efficiency and digital security. The thin client and even the zero client that has no onboard OS, does not work offline, and uses just a VDI to connect to a server to access applications and data, are coming into focus as a potential solution for overly complex and insecure computing estates.

Are thin clients more secure than desktop PCs?

By its nature, a thin client is not loaded with applications that can be vulnerable to cyber attacks. As the client connects to a remote server, the thin client is far more efficient when IT needs to make an upgrade. Security is also better, beacuse IT can control access privileges centrally. Thin clients can remain productive as their applications are hosted, with updates applied by the vendor. Ultimately, the thin client reduces the attack surface.

“Remote work and mobility security with thin clients require secure remote access solutions, multi-factor authentication (MFA), and regular security updates and patches,” says Andrew Bartlam, VP of EMEA at Orca Security. “Successful thin client deployments have been observed in various industries, overcoming challenges through planning, training, and stakeholder involvement.”

The drive to make network access more secure directly results from the changes businesses have made because of hybrid work. This shift has made thin clients popular, as they have less complexity and can be easily deployed and updated.

“Take Dell Thin clients – they don’t exist anymore. Instead, exactly the same Dell Optimplex 3000 chassis is used for its thin client range as is its desktop PCs,” points out Townsend. “It’ the fan and the OS that changes, which is commonly a secure version of Linux installed on thin clients, PCs and laptops as people try to combine the benefits of a thin client and desktop PC or laptops.”

Separating the OS that a thin client runs, with the onboard applications, if any are installed, makes these devices inherently more secure. The ability to update the OS and applications separately – as we see with smartphones – reduces the attack surface and isolates applications from the underlying OS, often the point of entry.

Removing tech stack complexity

Even before COVID-19, the thin client was being posited as a technology businesses would use with powerful desktop PCs no longer needed in a world of smartphones and business tablets. 

“In addition to device proliferation, enterprise computing will trend toward lighter (by both physical and OS lightness) computing experiences for most use cases,” Forrester predicted in its report. “We posit that 80% of future computing experiences will be accomplished by light computing modes.”

High-speed broadband, meanwhile, has been pivotal in reintroducing thin clients into several organizations. SaaS is the bedfellow of thin clients delivering hosted applications to users with a seamless interface, usually delivered through a VDI. The practical upshot for businesses and organizations is that they benefit from fast deployment and efficient updates when needed. With thin clients, Patch Tuesday also becomes a thing of the past and any potential risks with it.

The thin client marketplace is on an upward trajectory. According to MarketsandMarkets, the global thin client market will reach $1.7 billion by 2028, seeing a 3% increase from today's $1.5 billion. As more businesses and organizations realize the benefit of thin client technology, expect more vendors to offer it as an alternative to standard desktop PCs. 

The driver is, of course, the need to combat cyber attacks, which are becoming more frequent and widespread. If the barbarians can be stopped at the door with thin clients, a technology that’s decades old could be an essential component in robust, flexible, and agile cyber security posture.