Endpoint Strategy: Debunking Myths About Isolation Whitepaper

Post on 21-May-2020


Endpoints are, and have always been, a major cyberattack vector. Attackers, aiming at the enterprise’s crown jewels, prove again and again that endpoints are the Achilles heel of an enterprise’s security strategy. As endpoints are the most pervasive IT asset within the organization, any decision to change the endpoint security strategy is not to be taken lightly.

In the past, endpoint security strategies all looked pretty much the same - a standard Windows machine with agents used for antivirus scanning and for enforcing policies restricting web browsing and controlling the use of external devices. That standard

becoming more of a focus.

Several approaches have emerged on this front:

1. Virtual Desktop Infrastructure (VDI)

2. Remote Browsing

3. Application Sandboxing

4. Virtual Air Gap

1. VDI – It Only Appears to Solve the Problem

Virtual Desktop Infrastructure (VDI) is based on accessing the corporate desktop image from a remote station - a thin or thick client with the screen view and keyboard / mouse input exchanged over the network.

VDI gained traction based on its promise for simplicity in provisioning and management but is far from the holy grail when it comes to endpoint security.

Using VDI does not protect the organization from internal or external threats. Malware can still compromise software on the VDI desktop image and lead to organizational risk - for example, a malicious email exploiting a vulnerability on the VDI OS.

When VDI is used from thick clients or a personal device, attack vectors on that device - such as external hardware, Internet access, or other applications - can be exploited to compromise it and take control of the VDI session.

VDI also falls short on productivity, because a VDI session requires an active network connection with sufficient bandwidth to the VDI server: it does not allow any offline work and, in many cases, provides a suboptimal user experience.

2. Remote Browsing – Not Quite a Comprehensive Solution

Remote Browsing, technologically similar to VDI, allows browsing the Internet only via a browser application running on an isolated, locked-down virtual machine in the cloud (which prevents exploitation of browser-based vulnerabilities on the local machine).

Remote browsing provides the end user with a slower and less interactive browsing experience, as content is displayed as an image or a video stream on the local workstation.

Remote browsing is limited to Internet browsing (as the name suggests…); therefore this approach does not cover attack vectors that are still present on the local machine. Attack vectors such as applications, external hardware, OS vulnerabilities, and additional weaknesses can give an attacker full control of the local machine.

Other disadvantages are related to user experience - both compatibility and performance. Browser interoperability and other applications’ browser plugins are not

conferencing applications, for example, do not work well in such an environment. The fact that the Internet connection always goes through an additional network hop adds latency to website interactions, further degrading the user experience.

3. Application Sandboxing - Limited in Coverage and Full of Hassles

Application Sandboxing isolates a few common applications known as prominent attack vectors, by executing each application in its own sandbox, using VMs or other app isolation techniques. This approach contains threats coming from the application within

While avoiding the network-associated overhead of remote browsing, app isolation

be even separate tabs on a browser) is running in a separate VM (or other type of containerization solution). As there are quite a few applications running on a typical user’s endpoint, this can lead to degraded machine performance and poor user experience.

Other complications with this approach are related to interoperability and compatibility. Separating applications into VMs creates inherent interoperability issues among applications that are used to interacting within a single operating system. As every

new version has to be explicitly adapted to work with the sandbox platform. This creates a problem of keeping applications up to date - costing money, time and delaying security application patches (thereby increasing exposure to vulnerabilities).

Furthermore, application sandboxing does not protect against any attack vector beyond the few supported applications - such as vulnerabilities in unsupported applications (the abundance of applications makes it impossible to cover all of them with this approach), the underlying OS, middleware, malicious external hardware, malicious external networks, etc.

While a great thing to do in theory, sandboxing applications causes more problems than it solves.

4. Virtual Air Gap - Full Control and Uncompromising User Experience

An emerging approach, Virtual Air Gap, borrows its concept from the physical air gap

deliver the top-grade security of the air gap solution, while improving user productivity.

perspective. This new architecture creates a security platform that runs below the OS on the hardware itself. It runs a few operating systems simultaneously inside segregated virtual machines, one per “security zone”, such as Highly Secure, Enterprise Network, and Personal.

A Virtual Air Gap creates full separation, similar to a physical air gap, between a VM with an operating system potentially exposed to any threat vector - an OS attack vector, Internet, external devices or any application - and a VM running a restricted operating system with access exclusively to the organization’s privileged resources.

The fact that multiple VMs are used behind the scenes is transparent to the user, who has an experience of a single desktop and a single operating system. Security-wise, a Virtual Air Gap guarantees that a compromise taking place in the exposed VM, via any

All applications within each operating system run as is, reducing compatibility issues; interactions that involve multiple VMs, such as content transfer, are granularly controlled via policy. Furthermore, using only two or three VMs does not impose any noticeable performance impact on enterprise usage.

As a result, users are free to do their jobs without any restrictions hampering productivity,

any endpoint-based attack vector.


Key Principles for Developing a Practical and Secure Endpoint Strategy

The endpoint is here to stay
Even in the age of the cloud, knowledge workers will continue to use thick endpoints, and legacy applications will prevail.

Design for failure
People will always make errors, a bloated OS will always have vulnerabilities, and breaches will happen. You need to remain vigilant and prepare for the worst, by making these breaches a non-issue.

Free your users
Today’s users demand more and more flexibility. An organization cannot afford to adopt a security strategy that blocks its users from doing their jobs. Create a security strategy that lets them work anywhere and use any OS and application.

Security and productivity can work together. It’s just a matter of getting the right technology in place.

Find out more: www.hysolate.com