Inside the weakest link: How good and bad actors view endpoint security

There’s no silver bullet when it comes to endpoint security. No matter how many security tools enterprises layer on, or how locked-down user devices are meant to be, determined cybercriminals can still ferret through the cracks. That’s why the best cybersecurity approach is to acknowledge that hackers will get through and to employ isolation solutions that limit your exposure and mitigate damage.  

In recent years, four isolation approaches have emerged as most promising: browser isolation, app sandboxing, physical air gap and virtual air gap. The best way to evaluate them for your needs is to view them from the user's perspective, the IT admin's perspective and, importantly, the attacker's perspective. So here we go…

Browser Isolation

This requires end-users to access the web via a browser application running on a locked-down virtual machine (VM) in the cloud. It keeps malicious web content off the endpoint device, which is a good thing. But while this frustrates attackers, it doesn’t stop them from exploiting other attack vectors, such as email downloads, other applications, USB devices and the device operating system (OS).

From the end-users’ standpoint, having open web access is a big plus – no one wants to be blocked from the internet. Performance and reliability issues can crop up, however, and impact productivity. And IT admins have to deal with browser compatibility issues and potential attacks on those other endpoint areas.

App Sandboxing

This entails executing an application in its own sandbox using virtual machines (VMs) or other application isolation techniques. Threats coming from a sandboxed application are contained so they can’t reach the endpoint device’s OS or data. However, like browser isolation, this doesn’t protect against other attack vectors, including different versions of the same app, the many unsupported applications, the device’s OS, middleware, and malicious external hardware or networks.

Unfortunately for end-users, performance takes a hit. Each instance of each sandboxed application runs in a separate VM or other containerization solution, consuming resources on the device. Separating applications into VMs also creates inherent interoperability issues that require a lot of IT admin time to mitigate. Plus, because it’s time-consuming and costly to keep sandboxed apps up to date, security patches are often delayed and security risks rise.

In short, app sandboxing may be a good first step for small organizations, but it causes more problems than it solves for enterprises that have dozens or hundreds of applications.

Physical Air Gap

A popular endpoint security strategy for people who have access rights to sensitive data, this requires two separate physical machines for each privileged user. One, commonly known as the Privileged Access Workstation (PAW), is dedicated solely to sensitive tasks and is locked down; the other unlocked machine is for day-to-day corporate work.

Attackers have a very hard time reaching sensitive data unless they have access to the machine itself. They can’t use the popular internet or email entry points. And if external drives such as USB devices are disabled on the PAW, they can’t get through that way either. Of course, cybercriminals who target the “corporate” machine will have more luck infiltrating that device, but they won’t be able to access the crown jewels, which is what they’re looking for in the first place.

From end-user and IT admin viewpoints, physical air gaps have pretty significant downsides. End-users must physically move from one machine to another throughout the day, which can add up to several hours of lost productivity per week. And they have to lug two computers around. IT admins also have twice the burden and overhead since they have double the number of devices to manage with two very different permission settings.

Virtual Air Gap

Virtual air gap uses a single physical machine to deliver the same grade of security as a physical air gap. In this case, an end-user device is transformed into multiple, fully isolated virtual OS environments, or endpoints. Everything an end-user does happens in segregated, local OSes that run side by side, one of which can be locked down and dedicated to sensitive work while the other is open to the internet and email.

Attackers aren’t enamored with virtual air gap. It blocks them from taking over the device and accessing sensitive resources. Any attackers who penetrate the unlocked OS cannot see, access or control the sensitive VM. And if the unlocked OS is configured to be non-persistent, any malware that lands there disappears with it. But, as with physical air gap, attackers who get their hands on the device itself can infiltrate via hardware backdoors.

End-users, on the other hand, appreciate the performance and freedom virtual air gap gives them. They can access, install and freely work with websites, apps, external devices like USBs, and cloud services without worrying about compromising their company’s crown jewels. IT admins like how virtual air gap eases their management burden. Because it covers some of the same attack vectors that other endpoint security approaches focus on, IT can eliminate several agents. Other security agents can be moved below the OS, where users cannot access, tweak or bypass them.

Endpoint security doesn’t have to be an oxymoron. By matching the right isolation technologies to your users, enterprises can keep sensitive data secure and users productive.

Tal Zamir, CTO, Hysolate
