Designing Zero Trust Endpoints

Tal Zamir
May 31, 2021
Zero Trust Endpoints with Hysolate

Zero Trust is becoming a standard approach to securing access to enterprise applications (both cloud and on-prem). With Zero Trust, access is granted based primarily on user authentication and risk level, and not on the user’s presence in the corporate network. Based on the user’s credentials, the enterprise can grant access to a subset of enterprise resources and employees can work from any network without relying on a VPN connection. The architecture is called “Zero Trust” because the enterprise shouldn’t automatically trust endpoints within the corporate perimeter. Instead, it should verify all users and endpoints.

Why do “Zero Trust” approaches blindly trust endpoints?

While being a great step in the right direction, common Zero Trust approaches have a fundamental design flaw that is the result of a wrong assumption. The wrong underlying assumption is that the Zero Trust broker can check the health of user endpoints and then trust them with access to enterprise resources. This might be true for some extremely locked-down endpoints. However, most enterprise user endpoints run operating systems like Windows and have a very large and potentially vulnerable code base, a wide variety of legacy applications/middleware, and access to risky malicious networks or internet resources. These endpoints can easily be compromised by determined attackers. Once a device is compromised, the operating system can no longer be trusted as malware resides in the same operating system kernel and can tamper with operating system health checks.

This means that many enterprises that adopt Zero Trust may still mistakenly trust user endpoints. This is a critical flaw as it allows attackers to breach a user’s device and then ride the user’s authenticated session to do harm. Gartner recommends granting access only after getting strong attestation of device identity. Gartner also suggests leveraging 3rd party products that ensure deeper device security and can isolate access on both the endpoint side and on the network side.

Without this missing link of strong device identity, Zero Trust creates a false sense of security as it encourages enterprises to allow access to corporate resources from personal/unmanaged/BYOD endpoints, relying on basic (and easily forgeable) health checks to prevent malware from getting in. This makes things worse, as personal/unmanaged endpoints have a higher probability of getting infected.

Some enterprises try to close this gap by deploying a slew of endpoint detection/protection agents on the user’s device, but this ends up being a cat-and-mouse game with endpoint malware. Furthermore, such agents and restrictions often limit what users can do and can lead to issues with user privacy.

With COVID-19 and the remote-first era we live in, things get worse as more and more employees work remotely and mix both legacy corporate apps and brand new collaboration tools on the same endpoint, opening it up to new types of threats (not to mention the increasing personal usage of endpoints in unmanaged home network environments).

To make Zero Trust a true end-to-end security solution, organizations must design their endpoints to be trusted. However, IT cannot just extremely lock down their endpoints to achieve that level of trust – IT must make sure end-users get a great user experience and can get their jobs done in an efficient, easy, way. Solutions that limit which apps users can use or remove local admin rights will not fly for today’s knowledge workers. Users need a way to use the latest tools and apps, without having IT whitelist every app, website, and service.

The good news is that you can eat the cake and have it too. With Hysolate, you can have endpoints that make end-to-end “Zero Trust” a reality, while allowing users to productively use their endpoints. Hysolate is the first solution that can instantly split the endpoint into two operating systems – one for day-to-day/risky apps and another for sensitive enterprise apps. To users, it looks like two desktop spaces on their endpoint that they toggle between at the click of a button, while behind the scenes it uses cutting-edge virtualization technology, leveraging the latest innovations in virtualization-based security.

While the risky OS can be “open” and allow users to install apps, have local admin rights, and to browse the web freely, the corporate OS is extremely locked down (e.g. can only run signed software, and with least privilege granted to the local user). Furthermore, as Hysolate makes the corporate OS trusted again and isolated from the rest of the world via a strong VM boundary, the Hysolate cloud service can attest to its health with the Zero Trust broker, enabling access to sensitive enterprise apps only from that trusted corporate OS. Attempts to access these apps from other untrusted endpoints or from the risky/non-verified OS will be blocked by the Zero Trust broker, working in tandem with the Hysolate cloud service.

Hysolate boosts the enterprise security stack

Hysolate complements many of the existing enterprise security investments, not just Zero Trust

A few examples:

  • Zero Trust, IAM, PAM – by adding a reliable indication for OS health via OS isolation, Hysolate lets identity, privilege, and access management systems make better decisions and enforce access to enterprise assets exclusively through a trusted OS. This can also apply to legacy VPN gateways that can run host health checks to verify endpoints.
  • EPM and App Whitelisting – With Hysolate, you can eliminate local admin privileges without user pushback by redirecting requests for elevation to the risky OS (e.g. to install apps). Instead of blocking users, they securely get the rights they need, without IT needing to do “exception handling”.
  • EPP, EDR – Hysolate enables organizations to leverage EPP and EDR where they matter the most and have the least disruption to user workflows. By placing endpoint security agents in the corporate OS, they can have less false positives and avoid blocking/slowing users from getting their jobs done on their day-to-day OS.
  • Secure Web Gateways – switch from blocking risky traffic to securely allowing it, enabling full user productivity. The gateway redirects untrusted content (website / document / app), into the risky OS. It works not just for the browser, but practically any app. Hysolate seamlessly integrates with existing gateways to do this redirection, without needing any additional data center/cloud infrastructure.
  • VDI – Hysolate can offload some of the heavy apps that are currently hosted on VDI. For example, apps that require lots of IOPS/CPU/GPU resources can now run locally in the isolated OS instead of hogging the VDI infrastructure. Apps that require a lot of cloud traffic no longer need to go through the corporate network and can go directly from the endpoint to the cloud, via the secure OS.
  • MDM/UEM – instead of asking users to enroll their personal laptops and desktops into your MDM/UEM solution, you can manage a separate disposable VM on their endpoints, without violating their privacy or requiring them to install multiple intrusive agents.

Want to learn more? Read more about Hysolate’s Zero Trust solution here, or request a demo.

Tal Zamir

Tal is a 20-year software industry leader with a track record of solving urgent business challenges by reimagining how technology works. An entrepreneur at heart, he has pioneered multiple breakthrough cybersecurity and virtualization products. Before founding Hysolate, Tal incubated next-gen end-user computing products in the CTO office at VMware. Earlier, he was part of the leadership team at Wanova, a desktop virtualization startup acquired by VMware. Tal began his career in an elite IDF technology unit, leading mission-critical cybersecurity projects that won the prestigious Israeli Defense Award. He holds multiple US patents as well as an M.Sc. degree in Computer Science, and the honor of valedictorian, from the Technion.