Our last blog post provided an introduction to the technologies that control and protect employee internet access in the modern enterprise, and discussed the classic ways internet access has been protected. Make sure to catch up on it here if you have not already.
This post focuses on cutting-edge isolation technologies, which move any risky access to the internet into a separate environment so that corporate assets are not affected by a potential attack.
Web isolation technologies take browsing, one of the key dangers of the internet, and move it into a remote, isolated "container". The user is essentially watching a remote session of a browser that runs in the cloud, so their corporate machine is never exposed to the internet directly.
Recently, web isolation technologies have even been bundled with cloud secure web gateway solutions, which provide access to the internet in an isolated environment that is also controlled by the corporate secure web gateway profile.
This technology provides great protection from browsing-based threats and is significantly better than no isolation at all.
That said, web isolation has a number of disadvantages.
From a security perspective, only the web browser is isolated. Any other software that accesses the internet does so directly, which can still expose the corporate machine to threats. From a user experience perspective, browsing is remote, and this degrades the experience, especially for "heavy" content such as video. These technologies also interoperate poorly with software running locally, in some cases breaking functionality and hurting productivity, and browser extensions are in most cases only partially supported.
Application isolation technologies isolate a single application in a separate virtual container that is completely isolated from the base operating system. This can dramatically improve the security posture: internet-facing software such as browsers and email clients, and even Office applications, runs inside a container that keeps any threat contained.
The concept is similar to web isolation, but the containers run locally. This allows offline work and better performance while the application is still isolated at the hypervisor level.
A prominent example is Windows Defender Application Guard which is able to isolate Edge and Microsoft Office.
However, this technique still has a number of disadvantages.
Firstly, it is limited to the specific applications certified by the vendor. Each application has to be individually engineered and optimized to work correctly and seamlessly in the container. This limits the scope of the isolation, and a lot of very relevant software is simply not isolated (for example, Chrome under Application Guard).
Interoperability is very limited. Applications are isolated one by one (one container per application) and are presented as completely transparent to the user, which makes interoperability and integration between applications complicated. Some examples are simple, such as browser or Office extensions that break corporate processes; others have a security impact, such as SSO with Azure Active Directory or corporate password management.
Containers are not centrally managed, and admins have very limited visibility into, and management capabilities over, what is going on inside the container.
From a security perspective, the network is still shared with the host: malware running in the container can still reach the host's network, exposing the corporate network to the same threats.
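Because admins get little visibility into what an Application Guard container is doing, the one thing they can verify centrally is how it is configured on each endpoint. The following PowerShell script is an added example written for this post; it is not code from the original article or from any vendor. It assumes a Windows 10/11 host, an elevated session, and that Application Guard and network isolation policy arrive via GPO or Intune and land under the standard policy registry keys named below (the `AllowAppHVSI_ProviderSet` value encoding and the `DomainSubnets` value are taken from Microsoft's policy documentation; if your tenant delivers policy differently, adjust the key paths).

```powershell
# Added example (not from the original post): inventory Windows Defender Application Guard
# on a Windows 10/11 host. Run from an elevated PowerShell session.
# Assumption: policy is delivered via GPO/Intune and lands under the policy keys below.

$AppGuardPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
$NetworkIsolationKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'

function Get-AppGuardStatus {
    # 1. Is the optional feature installed and enabled at all?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'

    # 2. Which applications is it turned on for?
    #    AllowAppHVSI_ProviderSet: 1 = Edge only, 2 = Office only, 3 = both.
    $providerSet = $null
    if (Test-Path $AppGuardPolicyKey) {
        $providerSet = (Get-ItemProperty -Path $AppGuardPolicyKey -ErrorAction SilentlyContinue).AllowAppHVSI_ProviderSet
    }
    $scope = switch ($providerSet) {
        1       { 'Microsoft Edge only' }
        2       { 'Microsoft Office only' }
        3       { 'Microsoft Edge and Microsoft Office' }
        default { 'not configured by policy' }
    }

    # 3. Which IP ranges has the admin declared as "enterprise"? Application Guard uses the
    #    network isolation policy to decide what is trusted (opened on the host) versus
    #    untrusted (opened in the container). An empty list means the boundary is undefined.
    $domainSubnets = $null
    if (Test-Path $NetworkIsolationKey) {
        $domainSubnets = (Get-ItemProperty -Path $NetworkIsolationKey -ErrorAction SilentlyContinue).DomainSubnets
    }

    [pscustomobject]@{
        FeatureState      = $feature.State          # Enabled / Disabled
        ProviderSet       = $providerSet
        IsolationScope    = $scope                  # anything not listed here runs directly on the host
        EnterpriseSubnets = $domainSubnets          # comma-separated ranges, or $null if never set
    }
}

Get-AppGuardStatus | Format-List
```

Run it across a fleet (for example through a remote PowerShell session or an endpoint management script) and the two fields worth alerting on are an `IsolationScope` of "not configured by policy" on a machine that should be isolated, and an empty `EnterpriseSubnets`, since without a declared enterprise boundary the container cannot distinguish corporate from internet destinations. The script only reads configuration; it does not change any setting.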
As opposed to application isolation, OS isolation technologies, such as Hysolate Workspace, create an instantly provisioned, lightweight virtual machine on the user's device. This ensures that anything that happens inside the VM cannot in any way affect the underlying OS (or vice versa).
Unlike application isolation, a full operating system runs in the isolated environment. A user can run any application inside the VM, giving full usability together with complete isolation of any risky internet-facing software. This does not require complex integration with individual applications and has significantly fewer interoperability issues with other processes, because a complete operating system is running in the virtualized environment. Furthermore, the VM is fully available offline, so users can work in low-bandwidth environments or on a plane.
Use cases include running risky internet-facing workloads inside an isolated VM, and running an isolated VM for securely accessing corporate resources from unmanaged BYOD devices.
In this two-part blog series, we provided an overview of the technologies available for protecting an organization from the dangers of the internet now that the corporate perimeter is no longer relevant.