In the zone: Physical to network

For decades, organizations have relied on zone-based physical security to keep assets safe. And while there are a variety of models in use, typically this approach has three distinct characteristics: (1) The existence of an outer standard security zone, which is accessible to appropriately authorized visitors who are sometimes escorted. (2) The existence of an inner high-security zone, which is accessible only to employees or contractors who have undergone security clearance or comprehensive pre-screening, and are registered in the organization's electronic access control system. (3) The fact that the high-security zone can only be accessed from the standard security zone. For outsiders, there is no other route. 

Not surprisingly, this approach to securing assets has migrated into the world of cybersecurity. For example, in order to thwart would-be cybercriminals, some government agencies, banks, health care firms, insurance companies and other organizations, isolate computers attached to secured networks from those attached to less secure networks, including the internet. For employees, this means that they either have no internet access at work, or that they must use two (or more) different computers. Apart from the obvious usability problem, there is a looming obstacle that prevents the vast majority of organizations from adopting it as a best practice: cost.

While the logic of physically isolating networks and endpoints is compelling, the idea of buying tens or hundreds of thousands of dollars worth of additional hardware and software is a non-starter for most organizations. Furthermore, employees would have to shuttle between two (or possibly more) computers to carry out tasks that they used to complete through just one computer. This can significantly diminish productivity and performance – not to mention, lead to plenty of frustrated employees and stressed-out IT staffers!

the virtual container isolates visitors...”

Fortunately, there is a cost-effective and easy-to-manage solution for organizations that want to adopt this time-tested physical security best practice: use a secure virtual container.

A virtual container is a secure, isolated environment on the endpoint for accessing content from any risky source. Similar to how physical security in the lobby separates visitors from sensitive operations and data within the organization, the virtual container isolates “visitors” from the rest of the network.

If malware attempts to infect the endpoint it is trapped within the virtual container (i.e. the standard security zone), and cannot compromise the endpoint or transfer over to the network. The contents of the container can then be wiped to permanently remove the threat, and organizations can identify targeted attacks via integrated endpoint intelligence with SIEM and Big Data analytics. 

When employees find it necessary to transfer files from the virtual container to the network, they use a secure bridge that disarms potentially malicious content by making invisible microchanges that destroy malware, while leaving files intact. From a usability standpoint, while all of this is happening, employees enjoy a virtually undiminished user experience, which keeps them productive.

A zone-based approach to securing assets is a best practice that goes back decades. However, applying this approach to network security is costly for most organizations, plus it can trigger unacceptable productivity loss and employee frustration. 

Simply put, a secure virtual container is a cost-effective, practical and easy-to-manage way for organizations to get “in the zone” and protect their assets from falling into the wrong hands – especially since pre-attack prevention is enormously less costly, risky and challenging than post-attack detection. 

Israel Levy is the CEO of Bufferzone, an advanced endpoint security company.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.