In the first part of this blog series, we presented three endpoint challenges enterprises must overcome in their digital transformation journeys: threat prevention, user productivity, and user privacy. In this second blog, we show how a radical new approach called “virtual air gap,” or “software-defined endpoints,” improves cybersecurity by orders of magnitude, enables unrestricted user productivity, and provides users with a private, unmonitored personal space on their devices.
What is Virtual Air Gap?
Virtual air gap splits a single end-user device into two or three fully isolated local virtual machines (VMs), each with its own operating system (OS). Everything an end-user does happens in separate, local virtualized operating systems running side-by-side—for example, one that’s locked-down and limited to privileged resources and another for corporate day-to-day work such as email and Internet browsing.
Users can access, install, and work with the websites, apps, external devices like USBs, and cloud services they need, without security constraints and without worrying about endangering or compromising their company’s sensitive data. Best of all, from the user’s perspective, the endpoint looks like a single, unified, familiar Windows desktop, as seen in this user experience demo.
Here’s why CISOs and IT leaders are using virtual air gap to facilitate digital transformation:
A typical cyber attacker identifies key individuals within an organization and then tries to convince them to open a malicious link in an email, browse to a malicious website, or install a malicious application. The malicious content installs malware on the device OS by exploiting a vulnerability or design flaw in Windows or one of the installed applications. Once this happens, the attacker can proceed to exfiltrate data or do harm.
With a virtual air gap solution, attackers typically end up in the internet VM regardless of the attack vector. But they’re boxed in. There’s no way to access any corporate resource, because the hypervisor restricts the internet VM to non-corporate, external internet resources.
Malware that fully controls the internet VM’s OS only has access to virtual resources such as a virtual keyboard/mouse/display/disk/network. Even if it tries to capture keystrokes with a kernel-level keylogger, capture the screen, or sniff network traffic, it can only capture the data of the internet VM. Thanks to the VM-level isolation created by the solution (see security demo video), the malware is not even aware that other VMs — and the applications and data residing in them — exist.
Any malicious application that gets into the corporate VM is also thwarted. The malware does not have network access to a command-and-control server on the internet to receive commands from or to exfiltrate data. It cannot see anything on the privileged VM or communicate with privileged network resources.
It all comes down to this: infecting one VM does not, and cannot, infect the others.
As you can imagine, virtual air gap solutions protect an enterprise’s crown jewels against any endpoint OS/app vulnerability, including zero-day vulnerabilities. They also prevent man-in-the-machine attacks: for example, remote control malware in one VM cannot perform keylogging, take screenshots, or impersonate user activity in the other VMs.
By design, virtual air gap platforms also protect against insider threats like user data leaks / sabotage. Devices can be configured so that the human operator of the device cannot exfiltrate data out of a sensitive VM and cannot transfer malicious content into the sensitive VM.
Enterprise auditing also gets a boost. User actions such as cross-VM transfers (copy and paste), network access, and plugging in external devices can be tracked. This gives enterprises much-needed visibility into malicious insider activity without monitoring activity within the personal/private VM.
Users can also safely connect their laptop to potentially malicious networks, such as home networks, coffee shops, networks abroad, etc. The solution’s network security VM will first cryptographically identify the network and only then decide which VM gets connected to which network and under which restrictions. It can also tunnel the traffic of a sensitive VM through a mandatory VPN gateway, into the corporate network.
Finally, because everything the user does runs in one of a few VMs, an infected VM can be instantly reverted to snapshot (e.g., in case of ransomware), allowing the user to get back to work immediately.
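The insider controls, cross-VM auditing, and network identification described above can be captured as a small policy model. The code below is an added illustration, not Hysolate’s code or API; the VM roles, the clipboard and network policies, and the corporate network identifier are all assumed, constructed values.

```python
import hmac
from dataclasses import dataclass, field
from enum import Enum

class Vm(Enum):
    PRIVILEGED = "privileged"   # locked down, privileged resources only
    CORPORATE = "corporate"     # day-to-day corporate work (email, browsing)
    PERSONAL = "personal"       # unlocked personal / internet VM

class Net(Enum):
    CORPORATE = "corporate"     # office network, identified by its credential
    UNTRUSTED = "untrusted"     # home, coffee shop, abroad, or unidentified

# Constructed identifier the network-security VM expects the office network to present
# (e.g. a gateway certificate fingerprint); anything else is treated as untrusted.
KNOWN_CORPORATE_NET = "corpnet-fingerprint-EXAMPLE"

# Assumed clipboard policy: the only flow the hypervisor permits. Nothing enters or
# leaves the privileged VM; the personal VM may paste into the corporate VM, audited.
CLIPBOARD_POLICY = {(Vm.PERSONAL, Vm.CORPORATE)}

# Assumed network policy: "direct" = on the identified corporate network, "vpn" = forced
# through the mandatory VPN gateway, "external" = non-corporate hosts only.
# Any pair missing from the table fails closed ("blocked").
NETWORK_POLICY = {
    (Vm.PRIVILEGED, Net.CORPORATE): "direct", (Vm.PRIVILEGED, Net.UNTRUSTED): "vpn",
    (Vm.CORPORATE, Net.CORPORATE): "direct",  (Vm.CORPORATE, Net.UNTRUSTED): "vpn",
    (Vm.PERSONAL, Net.CORPORATE): "external", (Vm.PERSONAL, Net.UNTRUSTED): "external",
}

def identify_network(presented: str) -> Net:
    """Network-security VM step: trust a network only if its credential matches."""
    return Net.CORPORATE if hmac.compare_digest(presented, KNOWN_CORPORATE_NET) else Net.UNTRUSTED

@dataclass
class Hypervisor:
    audit: list = field(default_factory=list)   # cross-VM events only; in-VM activity is never logged

    def clipboard_transfer(self, src: Vm, dst: Vm) -> bool:
        """Allow or block a cross-VM paste and record the attempt for auditing."""
        allowed = (src, dst) in CLIPBOARD_POLICY
        self.audit.append(("clipboard", src.value, dst.value, "allowed" if allowed else "blocked"))
        return allowed

    def connect(self, vm: Vm, presented: str) -> str:
        """Identify the network first, then decide how (or whether) this VM reaches it."""
        net = identify_network(presented)
        mode = NETWORK_POLICY.get((vm, net), "blocked")
        self.audit.append(("network", vm.value, net.value, mode))
        return mode
```

Calling `Hypervisor().connect(Vm.CORPORATE, "coffee-shop-wifi")` returns `"vpn"`, and `clipboard_transfer(Vm.CORPORATE, Vm.PRIVILEGED)` returns `False`, with both decisions left in the audit list.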
Companies no longer have to limit what users can do with their devices in order to protect sensitive data. Instead, they can give users an unlocked VM in which they can install any application/plugin, browse any website, plug in external USB devices, connect to their home printer, etc. Now users can work much more efficiently and effectively.
Users don’t have to switch mindsets from one context to another when switching among privileged, personal and corporate environments. The solution’s seamless mode presents the user a single unified desktop in which separate isolated VMs all look and act the same.
Unlike a physical air gap solution that requires cumbersome, time-consuming methods to move data among different devices, users with a virtual air gap solution can copy and paste between VMs on their own device, in a controlled, seamless manner.
Users can work anywhere: in the office, at home, abroad, and even offline since the VMs run locally on their physical device. As opposed to remote virtual desktop infrastructure (VDI) solutions, there is no impact on performance when the device is connected over a high latency / low bandwidth network.
People can use Windows 7, Windows 10, or any Linux variant without compromising enterprise security. Enterprises can provide users with both legacy applications that only run on older operating systems and modern applications, along with access to developer environments running on operating systems like Linux.
Advanced users like developers can even be local administrators of one of the VMs (e.g., the unlocked VM), allowing them to develop software and experiment without risking enterprise assets.
To ensure privacy, enterprises can provide employees with an unmonitored personal VM where users can access their personal email, do casual browsing, watch videos/movies, etc. All of the data accessed on this VM is stored in the VM’s virtual disk. It never gets mixed with other corporate VMs.
Enterprises can prevent copying and pasting of data between the personal and other VMs. The personal VM can also be forced to only connect to external non-corporate networks.
If an employee leaves the company, the personal VM can either be wiped or provided to the employee so that they can access their personal data stored locally on that VM.
Getting help from the helpdesk doesn’t put private information at risk. When IT helpdesk teams request access to the user’s device for troubleshooting, the user can grant access exclusively to the corporate VM and not to the personal VM. Helpdesk staff cannot see any personal app or data the user has on their device.
The same principle is applied when sharing the device screen during an online conference. The user’s personal notifications/data/apps are invisible to the other participants as the conferencing app runs in the corporate VM while the user’s data is on the personal VM.
Paving the Way for Digital Transformation
Hysolate foresaw the challenges that digital transformation would pose around cyber threats, productivity and privacy. We also saw that other technology approaches that tried to solve these problems were as cumbersome as they were ineffective. They all essentially proved that you couldn’t have it all: enterprises had to sacrifice security for productivity, or privacy for security.
At Hysolate, we believe you can have your cake and eat it, too. That’s why we pioneered virtual air gap and developed the Hysolate platform.
The Hysolate platform is the only solution that makes it easy for enterprises to ensure security and privacy while keeping users productive and happy.
Make sure your digital transformation efforts aren’t thwarted by end-user challenges. Contact Hysolate to find out how you can have it all.