There is no doubt about it, security is on the minds of everyone today. This includes not just Information Technology professionals but also top-level management of organizations. This is due to the critical nature of securing data from data leak and data breach. Organizations do not want to make headlines in a negative way. All too often high-profile data breaches were due to easy access to data resources or improperly executed security measures that lead to critical holes in security. When it comes to an organizations VDI infrastructure, gaining access to a client device with the credentials of the user assigned access means gaining the rights and permissions that are assumed by that user. Why is securing end user devices important for VDI security? How can organizations bolster basic end user client access as well as provide better efficiency, management, and ease of login? We will take a look at Praim Smart Identity and how this provides basic security and bolsters login efficiency using Identification Devices in the VDI environment.
VDI End User Device Security
While there are inherent security benefits with utilizing VDI for end user access to organization resources, securing access to the devices accessing the VDI environment is as important as it is with a typical client/server environment. The end user client device that is accessing the VDI environment assumes the rights/permissions of the user who is logged into the device. Additionally, username and password security can be easily compromised or credentials can be phished from an unsuspecting end user. When using only password and passphrase authentication, an attacker has only one set of information to steal before gaining access to resources.
Organizations that fall under compliance regulations such as PCI-DSS are required to use two out of three authentication methods:
- Password and passphrase
- Token device or smart card
- Biometric device
So, in addition to something you know such as a password and passphrase, using a secondary form of authentication to form the complete identity profile that allows logging into systems provides enhanced security. Even if an attacker steals the PIN or passphrase, not having possession of the smart card device prevents accessing business critical systems.
Praim ThinMan Smart Identity – Effective User Device Security
Implementing effective VDI end user client access security and creating a more efficient login process can be difficult to implement correctly. However, Praim ThinMan Smart Identity makes implementing a fast access, secure, and simplified management platform for VDI environments extremely easy.
Praim Smart Identity is a ThinMan feature that allows using a contact or contactless smart card with NFC technology for login access. There are two ways the authentication mechanism can be implemented:
- Smart Identity as an authentication device,
- Smart Identity as an identification device with two factor authentication.
When using Praim ThinMan Smart Identity as an authentication device, the user makes use of the smart card or other physical device as a complete authentication mechanism. There is no other need for additional information to be passed on for authentication purposes.
- Praim ThinMan Smart Identity validates whether the smart card is active
- User Access is granted to the device and its resources
- Device or user profiles are applied from ThinMan server
- When the user is finished, tapping the card or removing it from the reader will lock or log the session out from the device.
When using Praim ThinMan Smart Identity as an identification device, the smart card is used to identify the user, then a second-factor authentication mechanism such as a PIN or domain password is used to authenticate the user to the device.
- User presents the identification device,
- Praim ThinMan server checks to see if the smart card is active and recognized,
- If recognized, a second-factor authentication mechanism is prompted,
- If the PIN or domain password is validated, the user session is granted access to the device and its resources,
- ThinMan device and user profiles are applied.
Requirements and configuration steps
- ThinMan Platinum License,
- An LDAP/Active Directory server must be configured,
- To configure this in Praim ThinMan server (Tools -> General Options -> LDAP tab; see Options – LDAP Server Configuration). The AD server is used to enable the users to the login and to check the credentials.
- Smart Identity license must be installed on ThinMan.
- Smart identity has to be activated and configured.
- ThinOX/ThinOX4PC or Agile/Agile4PC devices with an Identification Device reader attached and some Identification Devices (smart card, etc.) (see Hardware list for Smart Identity)
- Device Policy must be configured to enable the Smart Identity on the devices (see Smart Identity – Device Policy Configuration)
- ThinMan minimum version is 7.8.0 and, if necessary, ThinMan Repeater minimum vers. 1.1.5
- ThinOX/ThinOX4PC minimum version 10.3.0
- Agile/Agile4PC minimum version 2.4.0.
Enrolling Smart Cards and Devices in Smart Identity
Smart card devices that are used with Smart Identity must be enrolled in ThinMan Server. This can be done by the administrator enabling either one device or all the devices for the enrollment procedure. Depending on the process chosen to enroll, the user completes the activation of the identification device either by inserting a password and creating a PIN or by also inserting the username followed by any other requested information such as a PIN or password.
For a device to be enabled with Smart Identity, the Device Policy has to be set to enable the behavior.
Bolstering security on all end user devices including client devices used to access VDI environments is crucial! The common username and password authentication mechanism provides weak security at best. Organizations today must consider additional means to secure end user devices such as smart cards and other physical tokens that provide a second piece of information that the user must be in possession of before being authenticated to resources.
Additionally, contact or contactless NFC enabled devices can provide a extremely efficient mechanism for end users to access thin client devices. Adding this capability to login processes allow for a much faster, efficient and manageable authentication solution for administrators.
Praim ThinMan Smart Identity is a great way for organizations to bolster client security and provide a robust mechanism for validating user identity. It is easily implemented and allows organizations to manage and maintain user, device, and authentication policy all within the single pane of glass administration that Praim ThinMan server provides.