From app sandboxing to OS isolation: How the endpoint is evolving
Last week, HP announced that it has acquired Bromium, maker of an app sandboxing product that uses virtual machines (VMs) to sandbox specific applications, such as browsers and office apps.
This acquisition marks another important milestone in the evolution of endpoint isolation technologies. It exemplifies how the endpoint world is moving from reliance on bloated, vulnerable, monolithic operating systems to a zero-trust model in which endpoints become secure by design.
What Bromium Does
With Bromium, each sandboxed browser/document runs in a separate VM. This approach can provide great protection against web-based and document-based malicious content. However, it leaves other (non-sandboxed) applications, middleware and the underlying OS itself exposed to countless endpoint security threats.
Furthermore, because of the per-app design, app interoperability features and extensions do not work as expected, and every time a new app version is released, the sandbox may need to be updated to support the latest features. This can be quite taxing on IT teams and frustrating for end users who run into difficulties when using the apps.
End-users may also be affected by performance issues. Because each app instance (e.g., each browser tab and each document) runs in its own VM, users can end up with too many VMs on their device. This leads to performance degradation in all but the latest laptops.
These enterprise compatibility and performance challenges make app sandboxing practical only for locked-down users in a predetermined, limited environment, i.e., people who use only a few specific apps and do not have a complex, real-world desktop environment.
Taking Isolation to the Next Level
Endpoints have moved from sandboxing just the browser (with Fireglass and Menlo Security) to sandboxing a few additional popular apps (with Invincea and Bromium). With HP’s Bromium acquisition following Sophos’ acquisition of app sandboxing startup Invincea and Symantec’s acquisition of Fireglass, the importance that larger tech leaders are putting on isolation can’t be overstated.
We now also see Microsoft recommending that enterprise customers go even further and fully isolate their operating system by running sensitive tasks on a separate physical machine (a concept called PAW, “Privileged Access Workstations”). This indicates that relying on OS-based security solutions is not sufficient in light of today’s threats.
Hysolate takes isolation to the next level by splitting your entire endpoint device into two (or more) operating systems, one per persona/security zone. Each one runs side by side in a local VM. It’s as if you had two laptops on your desk, but presented as one seamless desktop environment. One virtual OS could be your general day-to-day productivity environment and another virtual OS could be your sensitive environment for accessing your company’s crown jewels.
This approach makes adopting Microsoft’s PAW recommendation practical for enterprises, and not just for privileged users. It’s also for any knowledge worker interacting with sensitive enterprise resources.
Hysolate’s OS isolation approach ensures comprehensive security by design that covers any OS/app vulnerability, including next year’s zero-day vulnerabilities and insider threats, because everything the user does runs in one of a few isolated operating systems. Hysolate also gives users enhanced productivity, as they can do anything on their devices without compromising sensitive resources. This includes full web browsing, using any cloud service, installing applications, developing software, having local admin rights and plugging in external devices. The architecture also allows users to mix and match operating systems such as Windows 7, Windows 10 and Linux on a single device in an easy, seamless way.
Congratulations to the Bromium team and thanks for helping us spread the isolation message. We believe isolation and compartmentalization are the future for endpoints and that it’s time to complete the journey with full OS isolation.