Many IT organizations use app sandboxing in an attempt to safeguard sensitive information from cybercriminals. It’s a straightforward concept: contain whatever compromises the sandboxed application so that it cannot reach the rest of the operating system. Google Chrome and Apple Safari, which run untrusted web content in restricted processes, are everyday examples of the technique in action.
It’s kind of like making sure your kids can’t track sand from their outside sandbox into your house, where it would keep showing up in unexpected, hard-to-get-rid-of places.
By running an application inside its own sandbox, whether a virtual machine (VM) or an OS-level isolation mechanism such as a restricted process, you limit which files, devices, network services and OS facilities it can reach on the device it’s running on. If the application is compromised, the attacker starts from inside that boundary rather than with the full privileges of the logged-in user.
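As an added example (not code from the original post or from Hysolate), the following C program shows the OS-level form of this containment on Linux. A child process installs a seccomp-bpf policy that forbids the file-opening syscalls, the same kernel mechanism Chrome’s Linux sandbox builds on, and the parent observes that the contained child is killed with SIGSYS the moment it tries to open a file, while an identical child that never entered the sandbox completes normally. The deny-list policy, the use of /dev/null as the target path and the outcome codes are choices made for this illustration; a production policy would be an allow-list.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Illustrative seccomp-bpf sandbox (example code, not Hysolate's product).
 * The filter refuses the syscalls that open files and allows everything else;
 * it is kept minimal so the boundary is easy to see. */

/* The filter checks the audit arch first, so syscall numbers from another ABI
 * (e.g. 32-bit calls on an x86_64 kernel) cannot slip past the number check. */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define SANDBOX_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

enum outcome { OUTCOME_ERROR = -1, OUTCOME_COMPLETED = 0, OUTCOME_KILLED = 1 };

/* Install the policy on the calling process. Returns 0 on success, -1 on failure. */
int enter_no_file_open_sandbox(void)
{
    struct sock_filter filter[] = {
        /* Load seccomp_data.arch; kill if it is not the ABI this binary was built for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load seccomp_data.nr and compare it against the file-open syscalls. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
#ifdef __NR_open            /* absent on arm64, which only has openat */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
#endif
#ifdef __NR_openat2         /* newer kernels add a third way to open a file */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat2, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
#endif
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Without no_new_privs an unprivileged process may not install a filter
     * (it could otherwise use one to confuse a setuid binary it then executes). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Fork a child that optionally enters the sandbox and then does what a
 * compromised app would do: open a file on the host. Reports how the child ended. */
int run_in_child(int sandboxed)
{
    pid_t pid = fork();
    if (pid < 0)
        return OUTCOME_ERROR;
    if (pid == 0) {
        if (sandboxed && enter_no_file_open_sandbox() != 0)
            _exit(2);
        int fd = open("/dev/null", O_RDONLY); /* constructed target path for the demo */
        if (fd >= 0)
            close(fd);
        _exit(0); /* exit_group is still allowed; only the unsandboxed child gets here */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return OUTCOME_ERROR;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
        return OUTCOME_KILLED; /* the policy fired: the child died before open() ran */
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return OUTCOME_COMPLETED;
    return OUTCOME_ERROR;
}

int main(void)
{
    printf("unsandboxed child: %s\n",
           run_in_child(0) == OUTCOME_COMPLETED ? "opened the file and exited" : "unexpected");
    printf("sandboxed child:   %s\n",
           run_in_child(1) == OUTCOME_KILLED ? "killed by seccomp (SIGSYS)" : "unexpected");
    return 0;
}
```

Compile with `cc -o sandbox_demo sandbox_demo.c` on Linux and run it; no root is needed, because PR_SET_NO_NEW_PRIVS lets an unprivileged process restrict itself. The run also makes the scope of the protection visible: the policy binds only the process that installed it and its descendants, so the sibling that never entered the sandbox, like any other unsandboxed program on the endpoint, is untouched.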
So how effective is app sandboxing? Let’s take a look at what cyber attackers, end users, and IT administrators think of this isolation approach.
The ATTACKER Perspective
App sandboxing definitely frustrates attackers who target an app that employs this technique. It raises the cost of the attack: exploiting the app alone is no longer enough, because the attacker also needs a sandbox escape (a flaw in the sandbox boundary or in the host kernel beneath it) to reach the rest of the system. But persistent attackers know there are many other ways to infiltrate the endpoint.
Because each app has to be sandboxed individually, the protection does not extend to versions of the app that were never sandboxed, to the many applications that are not sandboxed at all, to the underlying OS and middleware, or to malicious peripherals and networks. Attackers can simply go around it: tricking a user into downloading and running a malicious email attachment puts code on the endpoint outside any sandbox. And insider threats remain…threatening.
The USER Perspective
Anything that gives users more freedom is a plus, and sandboxing can deliver some: because a risky application is contained, users can be allowed to open documents and sites that would otherwise be blocked outright. However, the cons of app sandboxing outweigh the pros here. For one thing, there’s significant performance overhead when each sandboxed application runs in its own VM or container, with its own OS image, memory footprint and startup time. (This cost is specific to VM-based isolation; the in-process sandboxes browsers use add little overhead, but they rely on the host kernel as the boundary.) Running numerous sandboxed apps on a user’s device slows the machine down and limits what users can do with it.
But it’s the app compatibility problem that makes sandboxing impractical in real enterprise environments. Applications that expect to share one OS (the clipboard, file associations, shared libraries, inter-process communication, printers) break when they are split across VMs. Each app also has to be packaged or adapted to run inside the sandbox, and that work has to be repeated for every new version, which is not something most IT shops can keep on top of. As a result, users are often surprised by apps that simply don’t work like they used to, or at all.
The IT ADMIN Perspective
There’s not a lot for IT administrators to like about app sandboxing. They spend a lot of time mitigating compatibility issues. And because it’s time-consuming and costly to keep sandboxed apps up to date, security patches are often delayed, and every delayed patch leaves a known vulnerability exposed for longer, which is the opposite of what the sandbox was deployed for.
THE BOTTOM LINE
App sandboxing was all the rage before endpoints became the darling of sophisticated cyber attackers. It may be a good first step for small organizations, but it causes more problems than it solves for enterprises.
What do you think? What pros and cons have you run into with app sandboxing?
Ready to level-up protection without impacting user productivity? Try Hysolate’s free Windows Sandbox solution to safely isolate all your risky applications.
Written in January 2019, updated in April 2021 for accuracy.