About the Zero Trust Ecosystem

The PCoIP Zero Trust Ecosystem is a robust architecture for PCoIP deployments, founded on zero-trust principles, that provides highly secure remote-desktop access. There are two primary components in the Zero Trust Ecosystem: Trusted Zero Clients, which allow end users to connect to their remote desktops, and the Anyware Trust Center, which manages the Trusted Zero Clients and enforces policy and integrity.

Throughout this document, the Trusted Zero Clients may be referred to as endpoints. Currently, the Trusted Zero Client is the only endpoint managed by the Anyware Trust Center.

Security Provisions

The Anyware Trust Center establishes trust with a remote Trusted Zero Client device in several key ways:

  • Birth Certificates: Each factory-provisioned PCoIP Trusted Zero Client carries a certificate, assigned by the vendor at provisioning time, that is used to establish a trust relationship with your Anyware Trust Center. If a device presents an unknown birth certificate, or if its certificate is not signed as expected, it cannot connect.

  • Digital Twins: The Anyware Trust Center maintains a copy of the expected state and the current (actual) state of each Trusted Zero Client it manages.

    Each time a Trusted Zero Client connects, the Anyware Trust Center reads the endpoint's current state and compares it with the expected state. If the Trusted Zero Client has been tampered with, the two states will not match, and your Endpoint Management Software (EMS) can revoke its trusted status.

    When administrators modify a Trusted Zero Client's settings, the Anyware Trust Center updates its local copy (the expected state), and pushes the changes to the physical Trusted Zero Client the next time it connects.

  • Direct Secure Boot: Users cannot access the firmware, BIOS, or operating system of the Trusted Zero Clients. Each device securely boots directly into the Anyware Client application.

  • OTA Updates: Firmware updates for Trusted Zero Clients are delivered Over the Air (OTA), so bug fixes and security updates can be provided as soon as they are available. OTA updates are delivered using the TUF and Uptane frameworks, providing an update mechanism capable of resisting even nation-state level actors.
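The Birth Certificates and Digital Twins provisions above describe two checks the Trust Center performs when an endpoint connects: the device certificate must chain to the vendor's provisioning CA, and the state the device reports must match the expected state held in its twin. The following Go program is an added illustration of both checks and is not HP code, nor does it reflect the Anyware Trust Center's actual implementation or wire format. Everything in it is constructed for the demo: the CA and device names, the setting names in the twin, and the `mint`, `verifyBirthCert`, `compareTwin` and `runDemo` functions are all hypothetical. It uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// mint generates a P-256 key and a certificate for name, signed by parent; a nil parent yields a
// self-signed CA, otherwise a device ("birth") certificate for client authentication. Names and
// serials are constructed for the demo; failures panic because an unusable RNG is the only cause.
func mint(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(5 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil // a CA without an EKU constraint may issue for any purpose
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyBirthCert is the Trust Center side of registration: the device certificate must chain
// to the vendor CA pinned in the Trust Center, otherwise the device cannot connect.
func verifyBirthCert(device, vendorCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(vendorCA)
	_, err := device.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Drift is one setting where the reported state departs from the digital twin. Expected is ""
// for a setting the twin does not know; Actual is "" for an expected setting the device omitted.
type Drift struct{ Key, Expected, Actual string }

// compareTwin diffs the twin (expected state) against the endpoint's reported state, sorted by key.
func compareTwin(twin, reported map[string]string) []Drift {
	var out []Drift
	for k, want := range twin {
		if got, ok := reported[k]; !ok || got != want {
			out = append(out, Drift{k, want, got})
		}
	}
	for k, got := range reported {
		if _, ok := twin[k]; !ok {
			out = append(out, Drift{k, "", got})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Key < out[j].Key })
	return out
}

// runDemo exercises one connection attempt per device on constructed data: a device signed by the
// vendor CA, one signed by an unknown CA, and a report that flips secure_boot and adds debug_mode.
func runDemo() (genuineErr, rogueErr error, drift []Drift) {
	vendorCA, vendorKey := mint("Constructed Vendor Provisioning CA", nil, nil)
	unknownCA, unknownKey := mint("Constructed Unknown CA", nil, nil)
	genuine, _ := mint("constructed-device-0001", vendorCA, vendorKey)
	rogue, _ := mint("constructed-device-0002", unknownCA, unknownKey)
	twin := map[string]string{"firmware": "fw-A", "secure_boot": "enabled", "usb_storage": "disabled"}
	reported := map[string]string{"firmware": "fw-A", "secure_boot": "disabled", "usb_storage": "disabled", "debug_mode": "on"}
	genuineErr = verifyBirthCert(genuine, vendorCA)
	rogueErr = verifyBirthCert(rogue, vendorCA)
	if genuineErr == nil { // only a device that passed the certificate check gets its state compared
		drift = compareTwin(twin, reported)
	}
	return genuineErr, rogueErr, drift
}

func main() {
	fmt.Println(runDemo())
}
```

The certificate check is deliberately strict: the root pool contains only the pinned vendor CA, so a certificate from any other issuer fails with an unknown-authority error regardless of how well formed it is, which is the "not signed as expected" case in the text. The twin comparison reports three kinds of divergence (a changed value, an expected setting that is missing, and a setting the twin never recorded), because a tampered endpoint can show up as any of them; what the EMS then does with the drift (for example, revoking trusted status) is policy outside this example.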

Important Terminology

  • Provisioning: Provisioning is performed at the factory, when the Trusted Zero Client is prepared for delivery. This process includes creating the device's birth certificate and signing it with an HP certificate authority.

  • Registration: The initial connection between a Trusted Zero Client and the Anyware Trust Center, when the Trusted Zero Client is added to the Anyware Trust Center's list of managed devices. After registration, the Trust Center can manage the Trusted Zero Client, and users can connect to their authorized desktops.

  • PKI: PKI stands for Public Key Infrastructure, a method of distributing and managing security certificates. The Anyware Trust Center supports either an external PKI, which you provide, or an internal service for smaller or less complex deployments. An external PKI must provide an externally issued signing CA, which the Anyware Trust Center uses to generate operational certificates.

  • Endpoint Management Software (EMS): Also called an Endpoint Manager, the Endpoint Management Software is a third-party application that provides a user interface for the Anyware Trust Center. The Endpoint Management Software is available from your Trusted Zero Client manufacturer.