There’s no silver
bullet when it comes to endpoint security. No matter how many security tools
enterprises layer on, or how locked-down user devices are meant to be, determined
cybercriminals can still ferret through the cracks. That’s why the best
cybersecurity approach is to acknowledge that hackers will get through and to
employ isolation solutions that limit your exposure and mitigate
In recent years,
four isolation approaches have emerged as most promising: browser isolation,
app sandboxing, physical air gap and virtual air gap. The best way to evaluate
them for your needs is to view them from the user’s perspective, the IT admin’s
perspective and, importantly, the attacker’s perspective. So here we go…
Browser Isolation
Browser isolation lets end-users access the web via a browser application running on a locked-down virtual machine (VM) in the cloud. It keeps malicious web content off the endpoint device, which is a good thing. But while this frustrates attackers, it doesn’t stop them from exploiting other vulnerabilities, like email downloads, other applications, USBs and the device operating system (OS).
From the end-users’ standpoint, having open web access is a big plus – no one wants to be blocked from the internet. Performance and reliability issues can crop up, however, and impact productivity. And IT admins have to deal with browser compatibility issues and with potential attacks on those other endpoint areas.
App Sandboxing
This entails executing an application in its own sandbox using virtual machines (VMs) or other application isolation techniques. Threats coming from a sandboxed application are contained so they can’t reach the endpoint device’s OS or data. However, like browser isolation, this doesn’t cover the other attack vectors cybercriminals use, including different versions of the same app, the many unsupported applications, the device’s OS, middleware, and malicious external hardware or networks.
For end-users, performance takes a hit. Each instance of each sandboxed
application runs in a separate VM or other containerization solution, consuming
resources on the device. Separating applications into VMs also creates inherent
interoperability issues that require a lot of IT admin time to mitigate. Plus,
because it’s time-consuming and costly to keep sandboxed apps up to date,
security patches are often delayed and security risks rise.
In short, app sandboxing may be a good first step for small organizations, but it causes more problems than it solves for enterprises that have dozens or hundreds of applications.
Physical Air Gap
A popular endpoint security
strategy for people who have access rights to sensitive data, this requires two
separate physical machines for each privileged user. One, commonly known as the
Privileged Access Workstation (PAW), is dedicated solely to sensitive tasks and
is locked down; the other unlocked machine is for day-to-day corporate work.
Attackers have a very hard time reaching sensitive data unless they have access to the machine itself. They can’t use popular internet or email entry points. And if external drives like USBs are disabled on the PAW, they can’t get through that way either. Of course, cybercriminals who target the “corporate” machine will have more luck infiltrating that device, but they won’t be able to access the crown jewels, which is what they’re looking for in the first place.
From end-user and IT admin viewpoints, physical air gaps have pretty significant downsides. End-users must physically move from one machine to another throughout the day, which can add up to several hours of lost productivity per week. And they have to lug two computers around. IT admins also have twice the burden and overhead since they have double the number of devices to manage with two very different permission settings.
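Disabling removable storage on the PAW, as described above, is a control an admin can apply and then read back to confirm. The following is an added example, not code from the article or from Hysolate; it assumes a Windows PAW (the article names no OS) and uses the built-in “All Removable Storage classes: Deny all access” policy value together with the USBSTOR driver’s service start type.

```powershell
# Added example (not from the article or Hysolate). Assumes a Windows PAW.
# Applies the "All Removable Storage classes: Deny all access" policy and
# disables the USB mass-storage driver, then verifies both settings.
#Requires -RunAsAdministrator

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-PawRemovableStorageBlock {
    # The policy key does not exist until a removable-storage policy is set.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Deny_All = 1 blocks read, write and execute for every removable storage class.
    Set-ItemProperty -Path $PolicyKey -Name 'Deny_All' -Value 1 -Type DWord
    # Start = 4 (SERVICE_DISABLED) keeps the USB mass-storage driver from loading.
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
}

function Test-PawRemovableStorageBlock {
    # Returns $true only when both controls are present; use it in a periodic
    # compliance check so a drifted PAW is noticed.
    $deny  = (Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $start = (Get-ItemProperty -Path $UsbStorKey -Name 'Start' -ErrorAction SilentlyContinue).Start
    return ($deny -eq 1 -and $start -eq 4)
}

Set-PawRemovableStorageBlock
if (Test-PawRemovableStorageBlock) { 'PAW: removable storage blocked' } else { 'PAW: check failed' }
```

The USBSTOR start type is read when the driver would load, so reboot the PAW after applying it; in a domain, the same Deny_All value is what the equivalent Group Policy setting writes, so the check function works for either delivery method.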
Virtual Air Gap
Virtual air gap
uses a single physical machine to deliver the same-grade security as physical
air gap. In this case, an end-user device is transformed into multiple, fully isolated virtual OS environments, or endpoints. Everything an end-user does happens in segregated, local OSes that run side-by-side, one of which can be locked down and dedicated to sensitive work and the other open to the internet.
Attackers are not enamored with virtual air gap. It blocks them from taking over the device and accessing sensitive resources. Any attackers who penetrate the unlocked OS cannot see, access or control the sensitive VM. And if the unlocked OS is configured to be non-persistent, any malware they planted there disappears. But, as with physical air gap, attackers who get their hands on the device itself can infiltrate via hardware backdoors.
End-users, on the other hand, appreciate the performance and freedom virtual air gap gives
them. They can access, install and freely work with websites, apps, external
devices like USBs, and cloud services without worrying about compromising their
company’s crown jewels. IT admins like how virtual air gap eases their
management burden. Because it protects some of the same attack vectors that
other endpoint security approaches focus on, IT can eliminate several agents.
Other security agents can be moved below the OS, where users cannot access, tweak
or bypass them.
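To make the “non-persistent unlocked OS” part of the virtual air gap concrete, here is an added example that is not the article’s or Hysolate’s code. It assumes a Hyper-V host with two guests already installed, and the VM, switch and checkpoint names are placeholders: the sensitive VM keeps its state, while the untrusted VM is reverted to a clean checkpoint on every launch so anything that landed there is discarded, and the sensitive VM is kept off the untrusted VM’s network path.

```powershell
# Added example (not from the article or Hysolate). Assumes Hyper-V on a
# Windows host with both guests already created; all names are placeholders.
#Requires -RunAsAdministrator

$SensitiveVm     = 'vm-sensitive'    # locked-down, persistent
$UntrustedVm     = 'vm-untrusted'    # internet-facing, reset on every launch
$CleanCheckpoint = 'clean-baseline'  # checkpoint taken after install and patching
$UntrustedSwitch = 'sw-untrusted'    # virtual switch reserved for the untrusted VM

function Initialize-UntrustedBaseline {
    # Run once, after the untrusted guest is installed and patched:
    # drop older checkpoints and record the golden state.
    Stop-VM -Name $UntrustedVm -Force -ErrorAction SilentlyContinue
    Get-VMSnapshot -VMName $UntrustedVm -ErrorAction SilentlyContinue |
        Remove-VMSnapshot -Confirm:$false
    Checkpoint-VM -Name $UntrustedVm -SnapshotName $CleanCheckpoint
}

function Start-UntrustedSession {
    # Non-persistence: discard whatever the previous session wrote, then boot clean.
    Stop-VM -Name $UntrustedVm -TurnOff -ErrorAction SilentlyContinue
    Restore-VMSnapshot -VMName $UntrustedVm -Name $CleanCheckpoint -Confirm:$false
    Start-VM -Name $UntrustedVm
}

function Set-SensitiveVmIsolation {
    # The sensitive guest must never share the untrusted VM's virtual switch.
    Get-VMNetworkAdapter -VMName $SensitiveVm |
        Where-Object { $_.SwitchName -eq $UntrustedSwitch } |
        Disconnect-VMNetworkAdapter
}

function Test-VirtualAirGap {
    # $true when the untrusted VM runs from the clean checkpoint and the
    # sensitive VM has no adapter on the untrusted switch.
    $untrusted = Get-VM -Name $UntrustedVm
    $leak = Get-VMNetworkAdapter -VMName $SensitiveVm |
        Where-Object { $_.SwitchName -eq $UntrustedSwitch }
    return ($untrusted.ParentSnapshotName -eq $CleanCheckpoint) -and (-not $leak)
}

Set-SensitiveVmIsolation
Start-UntrustedSession
if (Test-VirtualAirGap) { 'virtual air gap: ok' } else { 'virtual air gap: check failed' }
```

The reset covers disk state inside the untrusted guest only; both guests still run on the same physical hardware, which is why the article’s point about attackers with hands-on access to the device still applies.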
Secure and productive doesn’t have to be an oxymoron. By matching the right isolation technologies to your users, enterprises can keep sensitive data secure and users productive.
Tal Zamir, CTO, Hysolate