Endpoint Isolation: Can endpoints be hardened while keeping users productive?

Tal Zamir
April 11, 2021

How can enterprises marry security and business productivity needs on endpoints? I will discuss different approaches, including endpoint isolation.

The Challenge


Enterprises, big and small, often need a high grade of endpoint security to comply with industry regulations, client requirements, or simply to prevent disruption to the business and protect internal sensitive information from falling into the wrong hands.

However, to support the modern digital workforce, endpoint security restrictions (e.g. removal of local admin rights, network restrictions, app whitelisting, …) often conflict with the needs of business users.

To collaborate and do business with third parties, users are often required to install or access a wide variety of apps/services on their endpoints, including:

  • 3rd party video conferencing apps (e.g. Zoom, Teams, Webex, BlueJeans, …)
  • Modern collaboration/remote work tools (e.g. Slack, Dropbox)
  • 3rd party access/security agents (e.g. EPP/EDR/VPN/…)
  • Modern development tools for experimentation/research
  • Financial/tax-related software, especially for a multi-national business
  • Various user productivity apps (e.g. a user’s favorite browser, browser extensions, …)


Organizations might not allow access to many of the apps above, e.g. because they are not considered secure or trusted, or because the IT department is already tied up with other projects and cannot handle the whitelisting and exception handling required for each new app. The rate of innovation in software is staggering, and it is nearly impossible to review and approve each such application and website.

How can enterprises marry security and business productivity needs on endpoints? One way to do so is via endpoint isolation approaches.

Endpoint Isolation Approaches


With endpoint isolation, users access certain risky applications in an isolated operating system, typically running in a virtual machine. This allows organizations to grant access to additional websites/apps/services without risking corporate data and sensitive apps.

However, endpoint isolation approaches vary significantly. When enterprises consider adopting endpoint isolation, they should first understand the full needs of users to make sure the isolation approach matches their requirements.

Browser isolation


With browser isolation/remote browser approaches, endpoints are configured to use a remote browser app to access certain risky websites. The remote browser could be either in the cloud or on-prem. Some vendors offer an agentless solution and others require installing a new special browser app on the endpoint.

This can be useful for safely accessing uncategorized websites, for example, but it does not allow users to install apps on their endpoints. This is a significant limitation, as many modern services require a desktop app to provide the full native experience (e.g. video conferencing apps).

Furthermore, browser isolation solutions often suffer from compatibility issues with certain websites, may not support browser extensions, do not natively support local hardware such as webcam/microphone, and may introduce latency due to the remote processing of website content.

OS isolation


With OS isolation approaches, the user has a completely isolated local OS that looks like another space on the user’s desktop. Risky content is automatically launched in this isolated local OS. This enables users to be fully productive, including:

  • Installing any desktop app
  • Getting full local admin rights
  • Safely viewing/editing risky documents
  • Accessing any website/cloud service
  • Plugging in risky peripherals

Because of the level of isolation these approaches offer, there is no risk to the corporate network or to corporate data/apps. All of these activities are done in an isolated virtual machine that provides the highest level of security against advanced OS-level threats.
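The routing decision at the heart of OS isolation ("risky content is automatically launched in the isolated OS") is a policy question: which destinations and apps are allowed on the trusted side, and everything else lands in the isolated VM. The following is an added example of such a default-deny routing policy in Python; it is not Hysolate's or any vendor's code, and every domain, app name and the two route labels are assumptions constructed for illustration. It also shows two checks a practitioner would want: host matching on label boundaries (so a look-alike domain cannot be mistaken for a corporate one) and refusing to treat IP literals or non-HTTPS URLs as trusted.

```python
"""Toy routing policy for an OS-isolation endpoint.

Decides whether a URL or an app launch belongs in the trusted corporate OS or in
the isolated (untrusted) OS. Added example with assumed names; not vendor code.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit
import ipaddress

# Route labels (assumed names for the two operating systems on the endpoint).
TRUSTED = "trusted-os"
ISOLATED = "isolated-os"


@dataclass(frozen=True)
class IsolationPolicy:
    # Corporate hostnames (and their subdomains) that may open in the trusted OS.
    # Constructed sample values.
    trusted_domains: frozenset = frozenset({"intranet.example.com", "mail.example.com"})
    # Installed apps that are allowed to launch in the trusted OS.
    trusted_apps: frozenset = frozenset({"outlook.exe", "excel.exe"})
    # Third-party apps that must always run in the isolated OS.
    isolated_apps: frozenset = frozenset({"zoom.exe", "slack.exe"})

    def route_url(self, url: str) -> str:
        """Return the OS a URL should open in. Unknown content defaults to ISOLATED."""
        # urlsplit() only finds a hostname when a scheme is present, so bare hosts
        # such as "www.vendor.test" are treated as https for parsing purposes.
        parts = urlsplit(url if "://" in url else "https://" + url)
        host = (parts.hostname or "").lower().rstrip(".")
        if not host:
            return ISOLATED
        # The trusted OS only talks HTTPS to corporate services; anything else is isolated.
        if parts.scheme != "https":
            return ISOLATED
        # IP literals are never trusted: they bypass name-based policy entirely.
        try:
            ipaddress.ip_address(host)
            return ISOLATED
        except ValueError:
            pass
        # Match exactly or on a label boundary, so that "intranet.example.com.evil.test"
        # and "evilintranet.example.com" do not match "intranet.example.com".
        for domain in self.trusted_domains:
            if host == domain or host.endswith("." + domain):
                return TRUSTED
        return ISOLATED  # default-deny

    def route_app(self, exe_name: str) -> str:
        """Return the OS an app launch should be dispatched to."""
        name = exe_name.lower()
        if name in self.isolated_apps:   # explicit isolation wins over any allowlist
            return ISOLATED
        if name in self.trusted_apps:
            return TRUSTED
        return ISOLATED  # unknown or newly installed apps run isolated


if __name__ == "__main__":
    policy = IsolationPolicy()
    # Constructed sample launch requests.
    for url in ("https://intranet.example.com/hr", "http://intranet.example.com/",
                "https://intranet.example.com.evil.test/", "www.new-vendor.test"):
        print(f"{url:45} -> {policy.route_url(url)}")
    for app in ("Outlook.exe", "zoom.exe", "tax-tool.exe"):
        print(f"{app:45} -> {policy.route_app(app)}")
```

The important design choice is the final `return ISOLATED` in both methods: the policy lists what is trusted and sends everything else to the isolated OS, which is what lets users install new apps and visit uncategorized sites without IT reviewing each one first.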

Full OS Isolation with Hysolate


Hysolate hardens your endpoints with full OS isolation. With Hysolate, sensitive enterprise apps on the endpoint can only be accessed from an isolated trusted OS, while risky or potentially malicious apps run on a completely separate OS. This is done by leveraging the latest virtualization-based security technologies and enhancing them so that enterprises can instantly split the endpoint into these two isolated operating systems, in a way that is user-friendly and cloud-managed.

Want to learn more about Hysolate and how it can help your team work securely and productively? Request a demo here.

Tal Zamir

Tal is a 20-year software industry leader with a track record of solving urgent business challenges by reimagining how technology works. An entrepreneur at heart, he has pioneered multiple breakthrough cybersecurity and virtualization products. Before founding Hysolate, Tal incubated next-gen end-user computing products in the CTO office at VMware. Earlier, he was part of the leadership team at Wanova, a desktop virtualization startup acquired by VMware. Tal began his career in an elite IDF technology unit, leading mission-critical cybersecurity projects that won the prestigious Israeli Defense Award. He holds multiple US patents as well as an M.Sc. degree in Computer Science, and the honor of valedictorian, from the Technion.