Standard security strategies aren’t working, so enterprises are turning to isolation-based prevention
by Tal Zamir, Co-Founder & CEO, Hysolate
Endpoints are a favorite target for cyber attackers. They’re also the Achilles’ heel of any enterprise’s security strategy. As studies show, endpoint vulnerabilities are only getting worse as attackers get more sophisticated and employees unwittingly expose their devices to risk. Clearly, the standard security strategies of years past (e.g. antivirus scanning and restricting web browsing and external devices) can’t thwart these attacks. That’s why organizations are shifting their focus to isolation-based prevention.
In recent years, four isolation approaches have emerged: Virtual Desktop Infrastructure (VDI), remote browsing, application sandboxing and virtual air gap. Many organizations are struggling to understand which is best for their company. Here’s an overview of the four methods’ pros and cons.
- VDI: Centralizes Management but Easy to Compromise
VDI entails accessing server-hosted desktop images from remote thin or thick clients. It gained traction because it makes IT provisioning and management easier. In addition to employees using VDI, some businesses use it to give third parties “controlled” access to corporate assets. Others use VDI servers as “jump hosts” for IT admins and privileged users when managing the enterprise crown jewels.
But VDI is far from the Holy Grail when it comes to endpoint security:
- Malware can still compromise software on the VDI desktop image and lead to organizational risks, such as malicious emails exploiting a vulnerability on the VDI operating system.
- Attack vectors on the thick client and personal devices, including external hardware, Internet access or other applications, can be easily exploited to compromise the machine and control the VDI session. [1][2]
- User productivity takes a hit. VDI sessions require an active network connection with sufficient bandwidth to the VDI server. VDI doesn’t allow offline work, and when online, performance is often visibly slow.
- Remote Browsing: A Partial Solution
Technically similar to VDI, remote browsing allows Internet use via a browser application running on a locked-down virtual machine in the cloud. It prevents exploitation of browser-based vulnerabilities on the local machine, which is valuable.
Challenges remain, however:
- It leaves attack vectors exposed. As the name suggests, remote browsing doesn’t cover attack vectors such as applications, external hardware, and OS vulnerabilities, through which attackers can gain full control of the endpoint device.
- Browser performance suffers. End users get a slower and less interactive experience as content is displayed as an image or video stream on the local workstation.
- User experience is degraded. Browser interoperability and other applications’ browser plugins affect productivity. For example, many leading conferencing applications don’t work well with remote browsing. The Internet connections go through an additional network hop, adding latency to website interactions.
- Application Sandboxing: Limited in Coverage
Application sandboxing isolates prominent attack vectors by executing each application in its own sandbox using virtual machines (VMs) or other application isolation techniques. It contains threats coming from the sandboxed application and prevents them from affecting the OS. Unlike remote browsing, there’s no network-associated overhead.
However, while great in theory, application sandboxing can cause more problems than it solves:
- Sandboxing applications doesn’t protect against vulnerabilities in the many unsupported applications, the underlying OS, middleware, malicious external hardware, networks, and so on.
- There’s significant performance overhead since each instance of the application runs in a separate VM or other containerization solution. With numerous applications running on a typical user’s endpoint, this can lead to slow machine performance.
- Separating applications into VMs creates inherent interoperability issues among applications that rely on interacting within a single OS. Because every application is customized to run in the sandbox VM OS, each new version has to be explicitly adapted for that sandbox platform. This makes it time-consuming and costly to keep applications up to date. It often results in delayed application security patches and, therefore, increased risk.
- Virtual Air Gap: Full Isolation
A virtual air gap is an emerging approach akin to a physical air gap, where separate physical machines are dedicated to classified usage. A virtual air gap uses a single physical machine to deliver the same top-grade security. Each endpoint device is split into multiple isolated virtual OSes. It works by creating a security platform that runs below the OS on the endpoint hardware itself. With a virtual air gap, each environment runs locally, side by side, with full separation.
Virtual air gap removes some of the obstacles other approaches introduce:
- Attackers who penetrate the endpoint’s corporate or personal virtual desktop, in which IT may have enabled Internet and external device access, cannot see or control the sensitive VM. Compromises within the exposed environment, via an attack vector, remain contained within that VM. The other VMs are unaffected.
- Virtual air gap approaches fully isolate access to sensitive resources without limiting the user’s freedom. Users do their jobs without restrictions or lag times hampering productivity.
- Compatibility issues are rare since all applications within each OS run “as is.” Interactions that involve multiple VMs, such as content transfer, are granularly controlled via policy.
With endpoint cyber attacks becoming more sophisticated, it’s clear that existing security solutions are no longer adequate for protecting enterprises. Isolation approaches are promising – just make sure you evaluate them for comprehensiveness, security capabilities, impact on user productivity, and best fit with your business.
[1] A Practical Attack Against VDI Solutions
[2] Pentests in Restricted Environments
About the Author
Tal Zamir is co-founder and CEO of Hysolate. He is a passionate entrepreneur and veteran R&D leader with 15 years of experience in the cyber and IT domains. Tal started his official career in the Israeli Ministry of Defense, where he pioneered multiple mission-critical cyber products. He then joined the leadership team of Wanova – a desktop virtualization startup that was later acquired by VMware. He holds multiple US patents as well as an M.Sc. degree in Computer Science from the Technion.