Zero Client™ as a Service (ZCaaS) Guide

Table of Contents

Overview of ZCaaS

Zero Client as a Service (ZCaaS) ™ is a temporary “browser in the cloud” you can use to transfer your sensitive information from one cloud service to another without “contaminating” your workstation.  We call it a “zero client” because your workstation acts as a client to a cloud service and zero information is ever stored, processed, or transmitted on your workstation.

ZCaaS is a quick-booting, non-persistent Chromium web browser hosted entirely in the cloud, meaning that no files or data you browse to ever reach your workstation, and when you’re finished, all traces of the session are deleted from the cloud.

The main use case for ZCaaS is interacting with your files that contain sensitive information, such as Controlled Unclassified Information (CUI) or Protected Health Information (PHI), from an untrusted, un-managed, un-hardened, or employee-owned workstation.  From such an unmanaged workstation, you’ll use ZCaaS to browse to trusted and managed cloud-based file shares, such as the Totem Safeshare platform, DoD SAFE, or others.  You’ll view and manipulate the files in the browser, but they can never be downloaded or copied to the workstation.  This removes the need to securely configure — or “harden” — the workstation to protect sensitive files that may reside on it, saving hours of IT security labor per workstation.  And since the ZCaaS session is non-persistent — or ephemeral — you don’t need to worry about hardening the ZCaaS environment either.  This means ZCaaS is a fraction of the cost of the other main option for secure CUI manipulation: Microsoft 365 GCC High.

We based the ZCaaS concept on the now defunct DoD Trusted End Node Security (TENS) program.  TENS was designed to allow DoD remote-working employees to login to DoD-controlled networks from their unmanaged personal devices.  TENS worked very well, and was secure enough to receive an Authority To Operate (ATO) from the DoD.  However, TENS relied on booting a workstation from DVD or USB, which required some reconfiguration of the workstation and took several minutes to boot (at a minimum).  Also, the TENS boot media by its nature contained a limited set of drivers, and so only worked on limited workstation makes and models.  ZCaaS provides the same security features as TENS without the limitations.  ZCaaS can be used from any workstation with internet access.

ZCaaS is powered by Amazon Web Services (AWS) Workspaces Web technologies.  Workspaces is SOC 2 authorized, and hosted in a FedRAMP Moderate authorized environment.

If you need high-fidelity editing of Office or PDF documents, or to interact with ZIP or compressed files, we also offer a Zero Client™ Workstation.  See the ZC Workstation section below. 

A graphical depiction of how all aspects of the ZCaaS are related
ZCaaS Conceptual Diagram

ZCaaS Tutorial Videos

2 Videos

Obtaining a ZCaaS account

Contact Totem to get access to ZCaaS.  We’ll setup billing and provide you with an account and the ZCaaS login.

Logging into ZCaaS

Logging into ZCaaS is easy.  Check out the tutorial video at the top of this page for a run through, or follow these steps:

First: Click "Sign in" on the Workspaces Web landing page
First: Click "Sign in" on the Workspaces Web landing page
Second: Click the "AmazonSSO" button.
Second: Click the "AmazonSSO" button.
Third: Provide your Totem Tech username, password, and multifactor authenticator credentials.
Third: Provide your Totem Tech username, password, and multifactor authenticator credentials.

Then the ZCaaS session will be created.  It can take up to a minute to fully establish the session.  You’ll see the following messages as the session is launched:

ZCaaS session reservation message
ZCaaS Session Connection message
ZCaaS launching message

Once the session is launched, you’ll see a Chrome browser and you are on your way!

ZCaaS session fully launched

ZCaaS interface menu

The ZCaaS menu is at the top left of the session window, and looks like this:

ZCaaS session menu
ZCaaS session menu

In all likelihood, you’ll only use the Fullscreen Mode (crossed X icon) and File Browser (folder icon) menu items.  The use of both of these is demostrated in the tutorial video above.

The Fullscreen Mode is just what it sounds like.  ZCaaS is essentially a browser within a browser, so if you need more real estate on your monitor, use Fullscreen Mode.  Press the ESC key to exit. 

You can use the File Browser to upload files from your workstation to the ZCaaS session.  Once you’ve uploaded those files to the session, they’re available to manipulate in your cloud services open in the session.  Any uploaded or downloaded files are sanitized once the session is ended. 

Bookmarked sites

ZCaaS comes pre-loaded with bookmarks to several commonly used sites for manipulating CUI.  You can get to sites from the “Managed Bookmarks” in the bookmarks bar of the ZCaaS browser:

ZCaaS Bookmarks
ZCaaS Bookmarks

Session timeout and re-establishing session

The ZCaaS session will go to sleep after 15 minutes of inactivity.   You can click the “Retry” button on the inactivity disconnection message and the session will resume in the state you left it:

Retry button after inactivity timeout
Retry button after inactivity timeout

If you accidentally close the ZCaaS window, simply log back in using the ZCaaS login link and your session will resume. 

However, after one (1) hour of inactivity, the session will end and all work and files will be purged from the system.  The best practice if you are finished with the session is to manually end the session.  See the instructions in the next section.

Ending your session

To manually end the session, click the person icon at the top right of the ZCaaS session, and click “End Session”.  Confirm you’d like to end the session by clicking the “End Session” button: 

End ZCaaS session menu drop down
Confirm ZCaaS end session button

Zero Client™ Workstation

The main use case for ZCaaS is to transfer CUI files into a secure long-term file storage and sharing platform, such as Totem SafeShare, without “contaminating” your workstation.  If you need to edit those files, but don’t want to do so on your company workstation, we offer the Zero Client Workstation, or ZC Workstation for short.

ZC Workstation is a small form-factor, lightweight, mini-PC (see images below) with a Fedora Linux operating system configured in read-only mode.  This means that no files can ever be stored on the ZC Workstation, only temporarily manipulated in memory.  Once the Workstation is shut down, those files are purged from the machine.  So, you must save all your files to a cloud-based file share when you are finished editing them.  But the benefit of this setup is that you don’t have to worry about hardening or monitoring the Workstation–we took care of the hardening, and there is nothing to monitor because the system cannot be changed permanently. 

The beauty of this type of Workstation, just like with ZCaaS, is that the risk of successful cyber attack is very low.  Even if an attack is successful — for example a malware infection — a simple reboot of the Workstation purges the malware. 

ZC Workstation comes with the LibreOffice suite of desktop document tools, so you can edit Microsoft Word, Excel, and PowerPoint, as well as Adobe PDF, and you can open and extract ZIP and compressed folders. 

A ZCaaS SafeShare subscription (see pricing) includes up to two ZC Workstations, delivered to addresses of your choosing at no cost. 

Zero Client Workstation front view
Zero Client Workstation front view
Zero Client Workstation back view
Zero Client Workstation back view

Visit the Totem Technologies pricing page.