Fat or thin--makes no security difference

In response to the Perspectives column written by Philip Brittan, "Inherent insecurity":

Philip Brittan hits on several good points, but he seems to be arguing that complexity on the desktop is bad, whereas the same complexity in the server room is acceptable. His premise is that security in the server room is different than in the office environment. He also argues that clients are expensive to administer.

At many sites, these two points are valid. A firewall does nothing to protect against exploits from within. Real security requires "defense in depth"--not just at the perimeter. And it is certainly true that at many sites, desktop clients are administered in the most expensive way possible--by individual users.

But neither premise is axiomatic. Moving desktop problems into the server room doesn't solve them. And who believes that users should administer their own systems, anyway? What a site really needs is authentication and configuration management.

Authentication by means of signed certificates is a proven mechanism for identifying clients to servers. The client must present a certificate the server can verify. Clearly, the "thinness" of the client is not important to this model. Indeed, all systems, including servers, ought to authenticate each other.

Configuration management refers to building systems against a model. The network--not individual users--takes care of installing software, testing the new systems for compliance and so on. It makes no difference whether clients are fat or thin.

To summarize, don't look to thin clients to solve fundamental problems of security and complexity. You'll make more headway by facing the authentication and configuration management issues directly.

Dan Razzell
Vancouver, British Columbia
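The certificate-based mutual authentication the letter recommends, shown as an added example (an editor's illustration, not part of the letter and not code from Philip Brittan, Dan Razzell or their employers): a private CA issues one server certificate and two client certificates; the server refuses any client that cannot present a certificate chaining to that CA, and the client likewise refuses any server whose certificate does not chain to it under the expected host name. The two site-issued clients, one labelled "fat" and one "thin", are accepted on identical terms because the server only ever sees a certificate. A client with no certificate, a self-signed certificate carrying the same name as a legitimate client, and a self-signed server using the right host name are all rejected. Everything is constructed in memory with Go's standard crypto/tls and crypto/x509 packages over loopback TCP; the CA name, "app.example", "workstation-17" and "terminal-03" are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

const serverName = "app.example" // invented host name for this example

// mkCert generates a P-256 key and a certificate for cn: a self-signed CA when
// parent is nil, otherwise a leaf signed by parent. Panics on failure (demo only).
func mkCert(cn string, parent *tls.Certificate, eku x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; a real CA must guarantee uniqueness
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if parent == nil { // a root signs itself
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// mutualHandshake runs one TLS connection over loopback in which each side verifies the
// other against trust (nil clientCert = no client certificate). On success it returns
// the greeting the server sent only after it had verified the client.
func mutualHandshake(trust *x509.Certificate, serverCert tls.Certificate, clientCert *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trust)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}) // server-side half: no valid cert, no service
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			tc := conn.(*tls.Conn)
			if tc.Handshake() == nil { // on failure an alert is already on its way to the client
				// Identity is whatever the verified certificate says; fat or thin never enters into it.
				fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
		}
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: serverName} // client-side half: is this really the server?
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	// Under TLS 1.3 Dial can return before the server has examined our certificate; a
	// rejection then surfaces as an alert on the first read, so never trust Dial alone.
	greeting, err := io.ReadAll(conn)
	return string(greeting), err
}

// runScenarios pairs several clients with the site's server; every name is invented.
func runScenarios() map[string]string {
	siteCA := mkCert("Site Root CA", nil, x509.ExtKeyUsageAny)
	server := mkCert(serverName, &siteCA, x509.ExtKeyUsageServerAuth)
	fat := mkCert("workstation-17", &siteCA, x509.ExtKeyUsageClientAuth)
	thin := mkCert("terminal-03", &siteCA, x509.ExtKeyUsageClientAuth)
	stranger := mkCert("workstation-17", nil, x509.ExtKeyUsageAny) // same name, self-signed: not the site's
	impostor := mkCert(serverName, nil, x509.ExtKeyUsageAny)       // right host name, wrong signer
	try := func(srv tls.Certificate, cli *tls.Certificate) string {
		greeting, err := mutualHandshake(siteCA.Leaf, srv, cli)
		if err != nil {
			return "rejected: " + err.Error()
		}
		return "accepted: " + greeting
	}
	return map[string]string{
		"fat client, site-issued cert":  try(server, &fat),
		"thin client, site-issued cert": try(server, &thin),
		"client with no cert":           try(server, nil),
		"client with self-signed cert":  try(server, &stranger),
		"server with self-signed cert":  try(impostor, &fat),
	}
}

func main() { fmt.Println(runScenarios()) }
```

Running it prints one verdict per scenario. Two details matter in practice: `RequireAndVerifyClientCert` (rather than `VerifyClientCertIfGiven`) is what turns "present a certificate the server can verify" into a hard requirement, and the client must pin `ServerName` and a `RootCAs` pool of its own, since the server's identity is established by the same mechanism in the other direction. The TLS 1.3 caveat in `mutualHandshake` is a common bug: a client that treats a successful `Dial` as proof that the server accepted its certificate will carry on as if authenticated until its first read fails.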