Endpoint Isolation: Can endpoints be hardened while keeping users productive?
How can enterprises marry security & business productivity needs on endpoints? I will discuss different approaches including endpoint isolation.
The Challenge
Enterprises, big and small, often need a high grade of endpoint security to comply with industry regulations, client requirements, or simply to prevent disruption to the business and protect internal sensitive information from falling into the wrong hands. However, to support the modern digital workforce, endpoint security restrictions (e.g. removal of local admin rights, network restrictions, app whitelisting, …) often conflict with the needs of business users. To collaborate and do business with third parties, users are often required to install or access a wide variety of apps/services on their endpoints, including:
- 3rd party video conferencing apps (e.g. Zoom, Teams, Webex, BlueJeans, ...)
- Modern collaboration/remote work tools (e.g. Slack, Dropbox)
- 3rd party access/security agents (e.g. EPP/EDR/VPN/...)
- Modern development tools for experimentation/research
- Financial/tax-related software, especially for a multi-national business
- Various user productivity apps (e.g. a user’s favorite browser, browser extensions, …)
Endpoint Isolation Approaches
With endpoint isolation, users access certain risky applications in an isolated operating system, typically running in a virtual machine. This allows organizations to grant access to additional websites/apps/services without risking corporate data and sensitive apps. However, endpoint isolation approaches vary significantly. When enterprises consider adopting endpoint isolation, they should first understand the full needs of users to make sure the isolation approach matches their requirements.
Browser isolation
With browser isolation/remote browser approaches, endpoints are configured to use a remote browser app to access certain risky websites. The remote browser could be either in the cloud or on-prem. Some vendors offer an agentless solution and others require installing a new special browser app on the endpoint. This could be useful, for example, for safely accessing uncategorized websites, but it would not allow users to install apps on their endpoints. This is a significant issue, as many modern services require users to install a desktop app to get the full native experience (e.g. video conferencing apps). Furthermore, browser isolation solutions often suffer from compatibility issues with certain websites, may not support browser extensions, do not natively support local hardware such as webcam/microphone, and may introduce latency due to the remote processing of website content.
OS isolation
With OS isolation approaches, the user has a completely isolated local OS that looks like another space on the user’s desktop. Risky content is automatically launched in this isolated local OS. This enables users to be fully productive, including:
- Installing any desktop app
- Getting full local admin rights
- Safely viewing/editing risky documents
- Accessing any website/cloud service
- Plugging in risky peripherals
Full OS Isolation with Hysolate
Hysolate hardens your endpoints with full OS isolation. With Hysolate, access to sensitive enterprise apps on the endpoint can only be done from an isolated trusted OS, while access to risky/potentially malicious apps is done on a completely separate OS. This is done by leveraging the latest virtualization-based security technologies and enhancing them so that enterprises can instantly split the endpoint into these two isolated operating systems, in a way that is user-friendly and cloud-managed. Want to learn more about Hysolate and how it can help your team work securely and productively? Request a demo here.