Endpoint security is the holy grail for many enterprises and is also an oxymoron. No matter how many security tools you layer on, or how locked-down user devices are, determined cybercriminals can still ferret through the cracks. That’s why the best cybersecurity approach is to use virtualization technology to isolate operating systems, which limits your exposure and keeps your sensitive corporate assets safe.
Choosing the Right Virtualization Technology
There are several ways enterprises leverage virtual machines to enhance endpoint security, including virtual desktop infrastructure (VDI), browser virtualization, application virtualization, and operating system virtualization. The first three address only a small fraction of the vulnerability landscape. They also introduce latency, interoperability, and hardware resource consumption issues that can hurt user productivity.
- VDI entails accessing server-hosted virtual desktop images from end-user devices. But if hackers infiltrate the end-user device, they can easily access and control the VDI operating system and resources.
- Browser virtualization requires accessing the web via an application running on a locked-down virtual machine in the cloud. It blocks malicious web content from the endpoint device but it doesn’t stop hackers from exploiting other vulnerabilities, like email downloads, other applications, USBs, and the device operating system.
- Application virtualization technology executes the app in its own sandbox using virtual machines. This restricts its ability to access the device’s system resources and data. However, because each app has to be sandboxed individually, it doesn’t protect against vulnerabilities in other versions of the same app, the many unsupported applications, the underlying operating system, middleware, malicious external hardware or networks. And because it’s time-consuming and costly to keep apps that you virtualize up to date, security patches are often delayed.
Operating System Virtualization: The Next Step in the Virtualization Evolution
When most people think of OS virtualization, they think of “the cloud”, VMware and server virtualization, which was built primarily for efficiency. People don’t think about endpoints or security, mostly because they aren’t familiar with it in the context of end-user devices. But OS virtualization, when applied to endpoints, is designed specifically for security.
Operating system virtualization eliminates the endpoint security problems inherent in VDI, browser and application virtualization software. It protects sensitive information against all attack vectors and, in contrast to those other approaches, ensures the performance that knowledge workers need and expect.
With OS virtualization, end-users can access, install, and work with websites, apps, external devices like USBs, and cloud services as they need, without security constraints and without worrying about endangering or compromising their company’s sensitive data.
To understand why OS virtualization is so effective, let’s take a quick look at how it works on the endpoint.
How Endpoint OS Virtualization Works
OS virtualization technology runs below the endpoint device’s operating system (just as it does in the datacenter). It splits each device into multiple, local virtual machines, each with its own operating system. Everything end-users do happens in different operating systems, which run side-by-side with full separation.
The virtual environments are isolated using trusted, security-hardened virtualization (hypervisor) technology. In addition, none of the virtual environments can access the corporate network directly. Instead, they each connect through an invisible network virtualization layer that applies network segmentation on the endpoint.
In most OS virtualization implementations, the hypervisor manages two to three virtual machines running on the device, one per user persona/security zone. A typical set of virtual machines that run side-by-side includes:
- Fully locked-down VM for accessing sensitive corporate data and systems, e.g., IT systems, payment/transaction systems, sensitive customer data, CRM systems.
- Unlocked, open VM for unrestricted access to non-corporate resources, e.g., browsing the full web, installing any application, using external devices.
- Semi-locked-down corporate VM for accessing standard corporate applications, e.g., office documents, corporate email, internal services.
Each VM’s access is limited according to the security zone it belongs to. The open VM can only access the wild internet; the corporate VM can only access the non-privileged corporate network; the privileged VM can only access privileged resources. Full OS virtualization solutions, like the Hysolate platform, ensure that users always use the correct virtual OS. If they try to perform tasks in the wrong VM, they will be automatically redirected to the correct one.
Hysolate ensures hackers cannot move laterally in the network to access privileged information. Malware on internet-exposed virtual environments cannot reach or see sensitive resources, which are only accessible via the privileged VM. In fact, hackers can’t even see that other VMs exist. Malware can only access the open VM that it’s contained within. And for added security, that open VM can be programmed to be non-persistent so that it’s automatically wiped clean at prescribed intervals. It can also be remotely wiped clean when required via the Hysolate management console.