“Since the advent of thin clients, our security incidents have dropped nearly 80 percent,” State’s Leon Galanos says.
May 05 2010

Ready to Serve

The State and Defense departments reap the benefits of thin clients — and so can your agency.

When security is a top priority, thin clients become attractive.

The State Department began deploying them on its classified network in 2006 so employees — who work in embassies and consulates abroad, as well as combat terrorism and narcotics trafficking stateside — could send and retrieve sensitive government messages and documents easily.

In the past, embassy employees stored their hard drives in safes before and after work. Marine security guards roamed the work areas looking for unsecured drives. If they found one, the owner likely received a reprimand. Now, with thin clients, data is securely stored in the data center.

“Users appreciate that they no longer have to worry about putting their hard drives in a safe, and since the advent of thin clients, our security incidents have dropped nearly 80 percent,” says Leon Galanos, the department’s director of global IT modernization. With the project nearly complete, State is eyeing thin clients for its unclassified network, but for an entirely different reason: easier IT management and cost savings.

The Defense Department also is a big thin-client proponent and has installed the technology across many of its agencies and bases, including the Defense Intelligence Agency and the Cheyenne Mountain Air Force Station in Colorado, which provides early warnings of missile attacks. The Army Human Resources Command also plans to switch to thin clients this summer when it moves to new headquarters at Fort Knox.

Thin-client computing and client virtualization are not new; both have seen slow, steady growth over the years. But this approach to the IT infrastructure has gained renewed interest in the federal government as the recession has forced IT departments to operate more efficiently and cost-effectively just as agencies also are focused on implementing tighter security and privacy practices. Centralizing desktop computing and data in the data center lowers IT support costs and improves security, analysts say.

“The reason agencies are interested is management and security, and not having to deal with upgrades and patches and antivirus updates for every desktop computer,” says Shawn P. McCarthy, research director at IDC Government Insights.

Thin clients also strengthen continuity of operations, support green IT efforts and improve remote access. Agencies may have backup data centers, but if employees have office PCs and can’t get to their offices because of a disaster or emergency, they can’t access their applications and hard-drive data. With thin-client technology, users can access applications and data remotely, McCarthy says. In the past, the lack of network connectivity outside the office hindered thin-client growth.

“What’s put thin clients back on the radar is that there’s now connectivity everywhere — at the office, home, everywhere — so that’s changed, and there’s much more interest,” he says.

In Every Time Zone

At State, the 10,000 employees using the classified network need access to simple applications, such as e-mail, a specialized application for drafting telegrams, Microsoft Office and access to a web portal that allows for classified information sharing among federal agencies.

To accommodate employees, the IT department turned to a traditional thin-client approach with Citrix XenApp, in which the data center powers the computing functions and stores all the applications and data. Information flows back and forth between the servers and the thin-client devices on users’ desks.

Security for the classified network is paramount, Galanos says. In embassies, the data stored in servers is secured in locked rooms. The thin clients lack USB ports, so users can’t attach thumb drives or other peripherals to copy data. Each building is wired with fiber-optic cabling instead of copper to prevent people from wiretapping the networks.

Deploying thin clients on the unclassified network is more complex because users worldwide need access to a wider range of applications, including locally developed apps at posts abroad. Users also need good multimedia performance so they can view speeches and events held at headquarters and use video for distance learning, Galanos says.

As a result, the department in April began a thin-client pilot for its unclassified network that gives users a more PC-like experience: Citrix Provisioning Services for Desktops, software that streams an operating system and apps from servers to each user’s desktop or thin-client device, where the software runs locally rather than on the server.

“We have requirements for streaming media, and the traditional thin clients were very choppy, so we looked for more sophisticated technologies,” he says.

If the pilot is successful domestically and overseas, the IT staff will consider several desktop computing options. First, they will leverage existing equipment and use PCs already on users’ desks, but the IT staff will pull out the hard drives. And as those PCs reach the end of life, the staff will consider additional options, including high-end thin-client devices that have processors and memory.

State did explore using Virtual Desktop Infrastructure, which splits a server into virtual machines and provides a virtual computer with a full operating system and applications to each user. But when the IT department tested VDI, the video was still choppy and had poor peripheral support, Galanos says.

“We chose the Citrix Provisioning approach because it keeps the backend resource requirements to a minimum,” Galanos says. “It also provides the best possibility of meeting a range of requirements, from video streaming to local peripheral support, such as USB devices.”

Support for peripherals is important because in 2012, employees will have to use two-factor authentication to log in to their computers. That will require IT administrators to attach smart-card readers that support public-key infrastructure on each desktop or thin client.

Although security was the main reason for thin clients on the classified network, State is considering them for its unclassified network because centralized management simplifies IT support and could save the department money.

For example, when it’s the middle of the night in London, it’s morning in Tokyo. State believes this logic can streamline the software licensing process for computers accessed by the 81,000 users on its networks. By centralizing applications in a data center and delivering applications to users’ desktops only when they need it, the IT staff can substantially reduce the number of software licenses it purchases.

If the thin-client pilot for the unclassified network is successful, State will deploy it worldwide, and eventually the IT department will migrate its classified users to the same application- and OS-streaming technology.

“We’re committed to making the technology work, but if results are discouraging, I have no problem recommending to executive management that we have to wait until the technology catches up to our requirements,” Galanos says.

In that scenario, the department will continue its server virtualization deployment overseas and use Wake-On-LAN remote management tools to update patches and to turn off computers that are left on overnight, he says.

Lightening the Load

The Defense Intelligence Agency, a combat-support agency that provides military intelligence, embraced thin clients in 2003 to make it easier for analysts to disseminate and analyze intelligence information. Back then, staffers had as many as three to 13 computers on each of their desks that connected to separate networks.

DIA launched a thin-client initiative, the Department of Defense Intelligence Information Systems (DODIIS) Trusted Workstation program, which lets employees securely view data across classified and unclassified networks on a single computing device, says Ryan Durante, chief of cross domain solutions at the Air Force Research Laboratory, which manages the effort.

“Now they can view different classified and unclassified environments on multiple windows on the same thin client,” he says.

To date, the lab has installed 20,000 thin clients, about 11,000 for DODIIS and about 9,000 for other Defense agencies. For DODIIS, the Air Force Research Laboratory standardized on Sun Ray thin clients using the Solaris 10 operating system with Trusted Extensions. On the backend, it uses Citrix XenApp for large installments and Microsoft Terminal Services for smaller installments. The Research Laboratory has installed about 100 server farms across 40 to 50 sites.

When Citrix or Terminal Services delivers the applications, Sun’s server software keeps the networks separate but lets users view applications and data from different networks on their monitors.To bolster security, data is encrypted at rest and in transit. The login process also requires two-factor authentication — a user name and password, as well as a smart card that verifies a user’s identity, Durante says.

Photo: Michael Okoniewski
Thin clients let intelligence officers reclaim desk real estate by replacing as many as a dozen devices with one, says the Air Force Research Laboratory’s Ryan Durante.

Saving Space

Space is a primary concern at Cheyenne Mountain Air Force Station, which is why IT administrators there have deployed thin-client technologies. The Space Command facility, which is the alternate command center for the North American Aerospace Defense Command (NORAD) and the Northern Command, is built inside a mountain, so every bit of floor and desk space counts.

The IT staff deploys a mixed environment of regular PCs and various thin-client technologies. But to ease the space constraints, it provides users with thin clients wherever possible.

The facility first installed thin clients in 2002 when it equipped users with blade PCs, which are actual PCs housed in the data center and made accessible through small thin-client devices on the users’ desks. Today, 20 percent of computers at Cheyenne Mountain are blade PCs.

“It’s a lot of people in a small space, so it’s difficult to have full-sized PCs on users’ desks. And by going to blade PCs, it gives us not only a smaller footprint for both space and power, but it also provides noise reduction at the users’ work­stations,” says Doug Deubach, program manager for the 721st portion of the Integrated Solutions Command and Control, which handles IT for Cheyenne Mountain.

Because people needed access to different networks, many users once had five or more desktop computers at their workstations, says Mike Foster, network control chief. The reduced number of devices frees up desk real estate and makes it easier to maintain the proper temperature in offices. Plus, with thin clients, users no longer have to worry about accidentally kicking and damaging their PCs in the cramped quarters, he says.

Thin clients also lower IT support costs, which can result in substantial cost savings, points out Richard Johnsen, senior network engineer at the headquarters Air Force Security Forces Center at Lackland Air Force Base, Texas.

Security Forces serves as the Air Force’s police department. The employees at the center implement the agency’s rules and regulations. In 2002, Johnsen replaced 200 desktop PCs with 200 blade PCs from ClearCube. And today, as the center has added employees, the number has grown to 350 blade PCs locked in an alarmed room with video cameras.

Half of the original blade PCs, which are eight years old, are still running. They have 1.8-gigahertz processors with 2 gigabytes of RAM, which is more than sufficient, says Johnsen, who says he plans to replace them in the next two years.

Because blade PCs are so much easier to manage, Johnsen has reduced his IT staff from 11 to six people. “Over the past eight years, we’ve saved a considerable amount of money because we’ve reduced manpower,” he says.

The blades are simpler to manage because his IT team can remotely install software patches or updates with management software. And rather than troubleshooting PCs on users’ desks, the department can solve hardware issues centrally at the data center.

“We are in a 40,000-square-foot building, and [IT staffers] only have to walk 25 feet and they can touch every computer in the building,” Johnsen says. “It really eases up on the management of computer systems. For me, they don’t need special skills. They don’t need thin-client knowledge. My staff is just managing PCs, and they are doing it centrally.”

Security is also improved. People can’t come in and steal PCs or data from employees’ desks, he says. “The worst thing that could happen is they steal the thin client; it costs only $200, and there’s no data on it.”

Pleasing Your Users

The Army Human Resources Command recently tested thin clients and will soon migrate 60 percent of its users to them. The remaining 40 percent require processing-intensive applications and will continue using regular desktops.

The command will standardize on DODIIS technology — Sun Ray thin clients and Citrix XenApp on the back end — when its employees move to new office space in Fort Knox this summer.

Sanjeev Verma, IT project manager for the Human Resources Command, says the primary reasons for the switch are improved security, cost savings and a better user experience. During testing, users discovered that legacy applications powered by servers actually ran faster than on their existing desktop PCs.

“I got a lot of comments that said, ‘What are we waiting for? It is so fast,’ ” he says.

Photo: Nicholas McIntosh