Definitions and explanations for Cyber Essentials terminology

What is a thin client?

A thin client is a type of simple computer with no hard drive and only a base operating system embedded in its firmware. It is a much smaller device than a regular PC, taking up very little desk space, with ports that allow you to plug it directly into a network, monitor, keyboard and mouse.

Thin clients are configured to connect to cloud servers where users access virtual desktops and apps. All applications and data sit on servers which exist in different locations but are accessed over the internet. Once switched on, a thin client boots up very quickly and the first thing you see is your cloud login. Any user can sit at any thin client for quick access to the cloud portal. No data is saved on the device itself; it is really just an access point to a virtual machine, so there is no “off cloud” or “offline” capacity. (See guidance: About virtualisation.)

A thin client does connect to the internet, and this alone presents risks. It is also possible to modify some thin clients to make them operate more like PCs, which can complicate security issues. Cyber Essentials requires the built-in firmware and any operating system in thin clients to be supported and receiving security updates.

How do I know if I am using a thin client?

A regular desktop PC (also called a fat client or thick client) has its own operating system installed on it (Mac OS, Windows 10, Linux etc.). It also has the storage capability to run local files, programs and applications when it is offline.

You will know if you are using a thin client because when you switch it on, you can only log on to your server; there are no other functions available. The device is much smaller than a PC because all of the things that make it work aren’t actually on the machine.

What is a VLAN?

Your Local Area Network (LAN) is everything inside of the router that your internet service provider has given you to connect to the wider internet. It might include all the computers, mobile devices and IoT devices in your home or office.

VLAN stands for Virtual Local Area Network. It is a technology that allows you to split a network into segments using low cost switches. Computers, servers and other network devices can be connected or separated regardless of their physical location. Even if these devices are scattered in different locations, a VLAN can group them into separate virtual networks.

You can use VLANs to improve network security by, essentially, putting all sensitive information and the users who have access to it on a separate network. No other types of information can travel on that VLAN and only authorised users have access to it, whether it’s a guest network or a VLAN to separate your work and home devices when your office is at home. The separation means that devices on separate networks can’t communicate directly. Instead, the data has to go through firewalls which can protect the network. This ensures that if malware infects a device in one network, the devices in the other, separate network will be protected.

A VLAN can be used to create a sub-set, which is a part of a network that is segregated from the rest of the organisation’s IT infrastructure. For Cyber Essentials, a VLAN can be used to create a boundary between what is in scope and the software and devices that are out of scope. For example, you can use a VLAN to block access to the internet, and this should be used to segment any unsupported software or devices from accessing the internet.

What is a sub-set?

A subset is part of an organisation’s IT network that has been segregated from that of the rest of the organisation by a firewall or VLAN. If only part of an organisation is going to be assessed for Cyber Essentials, this part must be technically separated from the parts that are not within the assessment. This is done by creating a sub-set for either the in-scope or out-of-scope aspects. Any assessment scope without a technical network boundary is not acceptable; for example, an individual project team will not be an acceptable scope unless the IT systems associated with that team are in a technical network subset. This is to ensure the assessed part of the organisation is protected from malware that may infect the unassessed part of the network.
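The VLAN and sub-set rules above can be checked against a device inventory. The following is an added example, not part of the original guidance or any Cyber Essentials tooling; the hostnames, VLAN ids, field names and finding labels are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory: every value here is illustrative.
VLAN_INTERNET = {10: True, 20: False, 30: True}  # VLAN id -> can reach the internet
DEVICES = [
    {"host": "pc-01",    "vlan": 10, "supported": True,  "in_scope": True},
    {"host": "thin-02",  "vlan": 10, "supported": True,  "in_scope": True},
    {"host": "xp-lathe", "vlan": 20, "supported": False, "in_scope": False},
    {"host": "old-nas",  "vlan": 30, "supported": False, "in_scope": False},
    {"host": "lab-pc",   "vlan": 10, "supported": True,  "in_scope": False},
]

def scope_findings(devices, vlan_internet):
    """Return (subject, finding) pairs for two rules taken from the text:
    unsupported devices must sit on a VLAN with no internet access, and
    in-scope and out-of-scope devices must not share a VLAN, because then
    there is no technical boundary between them."""
    findings = []
    scope_by_vlan = defaultdict(set)
    for d in devices:
        scope_by_vlan[d["vlan"]].add(d["in_scope"])
        if d["vlan"] not in vlan_internet:
            # Inventory error: the device claims a VLAN nobody has defined.
            findings.append((d["host"], "unknown-vlan"))
        elif not d["supported"] and vlan_internet[d["vlan"]]:
            findings.append((d["host"], "unsupported-with-internet"))
    for vlan, scopes in sorted(scope_by_vlan.items()):
        if len(scopes) > 1:
            # Both True and False seen: the scope boundary runs through this VLAN.
            findings.append((f"vlan-{vlan}", "mixed-scope"))
    return findings

if __name__ == "__main__":
    for subject, finding in scope_findings(DEVICES, VLAN_INTERNET):
        print(f"{subject}: {finding}")
```

In the sample data, old-nas is flagged because it is unsupported yet sits on an internet-connected VLAN, and VLAN 10 is flagged because lab-pc is out of scope but shares it with in-scope machines.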

 

What is a virtual server?

By installing a piece of software called a hypervisor over the hardware of a server, the power from one server can be divided up. Each divided part of the server can be given its own operating system and applications and used for different functions. This turns the divided sections of the server into virtual machines (VM) and the server as a whole into a virtual server (VS). Virtualisation utilises much more of the capacity of the server than if it were being used for one function, and so is more efficient.