30 Oct 2003, Peter Bolton, V3
This week Peter Bolton, vice president EMEA for Neoware Systems, questions the claims of thin client vendors that server-based computing is the saviour of IT security.
Virus and hacker attacks strike fear into the heart of most organisations.
Security breaches have increased and become more damaging over the past few years, and corporate systems and the data within them remain prime targets for the criminals of the virtual world.
In response, companies continue to invest significant portions of their budget in the latest and greatest methods of protection.
But wouldn't it be great if they didn't have to buy any software at all? If all the protection they needed came as standard with the network they already had?
Does that sound too good to be true? It probably is.
But thin client vendors have long claimed that the server-based computing model provides the best protection from virus and hacker attacks that businesses can get.
So do their boasts carry any weight, or is this just another attempt to lay claim to the holy grail of IT security?
It is certainly true that thin clients can help to combat virus infection in a variety of ways.
The hard drive, operating systems and applications that PCs run are very well understood by virus writers and hackers, which makes PCs an easy target.
Using antivirus software and locking down the hard drive can help, but the complexity of the PC means that most users are unaware of all the things they can do to prevent an attack.
The architecture of the thin client makes it a difficult target for a virus writer - all of the software applications reside on a few servers that serve many machines.
This also means that antivirus efforts are focused on a few servers rather than hundreds or thousands of individual PCs. Viruses can therefore be stopped at the server and never make it onto desktop machines.
Most viruses - around 97 per cent - are transmitted via email, and only execute once they reach the PC.
If antivirus efforts are concentrated on the server, any malicious code is less likely to penetrate and can be eliminated.
Users are unable to make unauthorised downloads or software installations if they are using thin clients, which means that potentially damaging viruses, worms and back-door Trojans are not downloaded either.
Many viruses that are downloaded via the internet, or that are embedded into applications, are designed to attack the hard drives of PCs. They do this by going into the file allocation tables and erasing them.
One of the benefits of server-based computing is that all thin clients rely on hard drives located at the server and do not store anything locally.
But is the thin client the saviour of IT security? Simply put, no.
Server-based computing can help to reduce the risks, but it is not all the protection that companies need. Antivirus software, firewalls and intrusion detection/prevention systems cannot be replaced by using thin clients.
The thin client industry does have a point, however. And it extends way beyond the type of machine users sit behind.
The typical approach to IT security is to buy a selection of software, install it and, if a company is particularly clued-up on security, educate users about what is and what is not safe computing practice.
But this is far from adequate. Organisations need to think beyond current boundaries when it comes to defending corporate data.
Security is a much broader issue, and consideration should extend to the networks that are used, the way in which they are managed and run, the applications that are installed, user permissions - and the list goes on.
Security should be a key consideration in everything a company does with IT, from the machines on the desktop to making sure users don't write down their password on a Post-It note.
IT security is not going to go away, which is why it needs to be a common theme, not an isolated issue.
Server-based computing is just one way in which risks can be diminished. But it also demonstrates a desperate need for organisations to think beyond the latest and greatest security software product, and look into every single aspect of their IT environment.