Zero Client™ as a Service (ZCaaS) Guide
Table of Contents
Overview of ZCaaS
Zero Client as a Service (ZCaaS) ™ is a temporary “browser in the cloud” you can use to transfer your sensitive information from one cloud service to another without “contaminating” your workstation. We call it a “zero client” because your workstation acts as a client to a cloud service and zero information is ever stored, processed, or transmitted on your workstation.
ZCaaS is a quick-booting, non-persistent Chromium web browser hosted entirely in the cloud, meaning that no files or data you browse to ever reach your workstation, and when you’re finished, all traces of the session are deleted from the cloud.
The main use case for ZCaaS is interacting with your files that contain sensitive information, such as Controlled Unclassified Information (CUI) or Protected Health Information (PHI), from an untrusted, un-managed, un-hardened, or employee-owned workstation. From such an unmanaged workstation, you’ll use ZCaaS to browse to trusted and managed cloud-based file shares, such as the Totem Safeshare platform, DoD SAFE, or others. You’ll view and manipulate the files in the browser, but they can never be downloaded or copied to the workstation. This removes the need to securely configure — or “harden” — the workstation to protect sensitive files that may reside on it, saving hours of IT security labor per workstation. And since the ZCaaS session is non-persistent — or ephemeral — you don’t need to worry about hardening the ZCaaS environment either. This means ZCaaS is a fraction of the cost of the other main option for secure CUI manipulation: Microsoft 365 GCC High.
We based the ZCaaS concept on the now defunct DoD Trusted End Node Security (TENS) program. TENS was designed to allow DoD remote-working employees to login to DoD-controlled networks from their unmanaged personal devices. TENS worked very well, and was secure enough to receive an Authority To Operate (ATO) from the DoD. However, TENS relied on booting a workstation from DVD or USB, which required some reconfiguration of the workstation and took several minutes to boot (at a minimum). Also, the TENS boot media by its nature contained a limited set of drivers, and so only worked on limited workstation makes and models. ZCaaS provides the same security features as TENS without the limitations. ZCaaS can be used from any workstation with internet access.
ZCaaS is powered by Amazon Web Services (AWS) Workspaces Web technologies. Workspaces is SOC 2 authorized, and hosted in a FedRAMP Moderate authorized environment.
If you need high-fidelity editing of Office or PDF documents, or to interact with ZIP or compressed files, we also offer a Zero Client™ Workstation. See the ZC Workstation section below.
Obtaining a ZCaaS account
Logging into ZCaaS
Then the ZCaaS session will be created. It can take up to a minute to fully establish the session. You’ll see the following messages as the session is launched:
Once the session is launched, you’ll see a Chrome browser and you are on your way!
ZCaaS interface menu
The ZCaaS menu is at the top left of the session window, and looks like this:
In all likelihood, you’ll only use the Fullscreen Mode (crossed X icon) and File Browser (folder icon) menu items. The use of both of these is demostrated in the tutorial video above.
The Fullscreen Mode is just what it sounds like. ZCaaS is essentially a browser within a browser, so if you need more real estate on your monitor, use Fullscreen Mode. Press the ESC key to exit.
You can use the File Browser to upload files from your workstation to the ZCaaS session. Once you’ve uploaded those files to the session, they’re available to manipulate in your cloud services open in the session. Any uploaded or downloaded files are sanitized once the session is ended.
ZCaaS comes pre-loaded with bookmarks to several commonly used sites for manipulating CUI. You can get to sites from the “Managed Bookmarks” in the bookmarks bar of the ZCaaS browser:
Session timeout and re-establishing session
The ZCaaS session will go to sleep after 15 minutes of inactivity. You can click the “Retry” button on the inactivity disconnection message and the session will resume in the state you left it:
If you accidentally close the ZCaaS window, simply log back in using the ZCaaS login link and your session will resume.
However, after one (1) hour of inactivity, the session will end and all work and files will be purged from the system. The best practice if you are finished with the session is to manually end the session. See the instructions in the next section.
Ending your session
To manually end the session, click the person icon at the top right of the ZCaaS session, and click “End Session”. Confirm you’d like to end the session by clicking the “End Session” button:
Zero Client™ Workstation
The main use case for ZCaaS is to transfer CUI files into a secure long-term file storage and sharing platform, such as Totem SafeShare, without “contaminating” your workstation. If you need to edit those files, but don’t want to do so on your company workstation, we offer the Zero Client Workstation, or ZC Workstation for short.
ZC Workstation is a small form-factor, lightweight, mini-PC (see images below) with a Fedora Linux operating system configured in read-only mode. This means that no files can ever be stored on the ZC Workstation, only temporarily manipulated in memory. Once the Workstation is shut down, those files are purged from the machine. So, you must save all your files to a cloud-based file share when you are finished editing them. But the benefit of this setup is that you don’t have to worry about hardening or monitoring the Workstation–we took care of the hardening, and there is nothing to monitor because the system cannot be changed permanently.
The beauty of this type of Workstation, just like with ZCaaS, is that the risk of successful cyber attack is very low. Even if an attack is successful — for example a malware infection — a simple reboot of the Workstation purges the malware.
ZC Workstation comes with the LibreOffice suite of desktop document tools, so you can edit Microsoft Word, Excel, and PowerPoint, as well as Adobe PDF, and you can open and extract ZIP and compressed folders.
A ZCaaS SafeShare subscription (see pricing) includes up to two ZC Workstations, delivered to addresses of your choosing at no cost.