Should we give everyone a thin client on a separate network for accessing sensitive applications?
We constantly struggle with new security requirements from headquarters. These requirements are one size fits all, meaning maximum security based on everyone using sensitive applications for personnel and payments.
And our scientists and technicians tend to use the same computers for research, downloading and installing new research-related software, and managing their project personnel and funds. This mix of sensitive and non-sensitive, need-to-minimize-risk versus need-to-take-more-risk activities on one computer is a security nightmare.
Since many hacks these days involve deeply penetrating computers and monitoring keystrokes, setting up locked-down virtual machines is hardly worth the effort.
So I'm considering setting up thin clients which can RDP into a Windows Server over a separate, locked-down network which has access only to the Server, and the Server has access only to the pre-defined sensitive applications. DoD, NSA, and other high-security outfits have been running separate computers on separate networks for decades.
What's different now is that the cost of thin clients, servers, and separate networks is approaching the lost productivity costs of locking down our research systems and arguing with headquarters.
This article from The Register triggered my thinking.
Time to define some requirements, create some preliminary system designs, and do some market research.
All of this might be moot if Headquarters doesn't allow us to apply different security standards to different sets of systems. Another Layer 8/9 problem.