Browser isolation for the film industry through ThinLinc - MPA Content Security Best Practices
Written by Jean Zagonel
30th March, 2022
Several film production studios, including VFX studios, have been using ThinLinc to provide secure internet connections to thousands of production workers. The setup is known as browser isolation and is required by the Motion Picture Association (MPA) through the Content Security Best Practices Common Guidelines.
ThinLinc fulfills the requirement of the implementation guidance as stated on page 50 of the manual: “Browser Isolation via an isolated virtual environment, which allows isolated Internet browsing and email access. This must be completely isolated from the production network”. Below are some common questions and answers about browser isolation through ThinLinc.
How to get browser isolation through the ThinLinc setup?
ThinLinc is a server for Linux remote desktops and provides remote access to Linux applications through VNC and SSH. Typically, a ThinLinc session offers the user a whole Linux desktop; in this case, however, the user only gets access to the browser running remotely.
A system administrator who wants to limit the ThinLinc remote session to a single published application needs to customize ThinLinc.
The customization steps are explained in the tutorial “Running a single app with ThinLinc”.
How does the secure browser look for the user?
The user can access the secure browser through ThinLinc from a device running either Windows, Mac or Linux. Once the ThinLinc native client is installed, the user should be able to find its icon on the computer desktop or menu bar. After opening the application, the user fills in the server name, username, and password and clicks Connect. A ThinLinc window then opens with the browser available to the user; in this case, the browser is running remotely on the server. The user can’t transfer files from the internet browser to the local machine or vice versa.
Users also benefit from the continuity of their sessions. It is possible to disconnect from ThinLinc at any moment and return to the same session later, e.g., with all the browser tabs still open.
Why is ThinLinc a secure method for browser isolation?
ThinLinc allows the creation of an enclaved system, which means that the data never leaves the server room. The production systems can be air-gapped from the internet, meaning that potential threats, such as viruses, remain isolated on the ThinLinc server and do not affect the production environment. The same principle applies to files used in the production environment that can’t be shared on the internet. ThinLinc transports only pixels and sound to the client device, so the user can see and interact with the browser while mouse and keyboard input is applied on the server side. The system administrator can restrict access to local devices and disable the clipboard function if required.
How is the browser isolation through ThinLinc scalable?
ThinLinc has no technical limitation on the number of users connected to the system and is easily scalable. The ThinLinc server architecture includes the ThinLinc agent and master. Growth can be handled by adding new ThinLinc agent servers, a simple task for the sysadmin. ThinLinc also offers functionality such as load balancing and high availability. It is implemented in organizations with thousands of concurrent users and works smoothly. The limitations are related to hardware and network connection capabilities. ThinLinc is free of cost for up to 10 users per organization. For bigger installations, licenses are sold on Cendio's website.
Learn more with the Ghost VFX case study
Ghost is a modern studio providing cutting-edge VFX solutions for major Hollywood studios. Using ThinLinc, they provide their talented graphical artists with a controlled and secure way of accessing the internet.
Case study Ghost (pdf)