Device-level OS Isolation with an Integrated User Experience

Isolation. Segmentation. Quarantine. While these words have come to characterize the spring/summer of 2020, they are also familiar terms within the cyber security and networking communities. Long before the COVID-19 pandemic, network architects and engineers used isolation, segmentation, and quarantining/sandboxing to protect network environments, systems, data, and applications. Cordoning off entities within environments isn’t just considered a best practice; some cyber security regulations, such as PCI DSS, require it.

That said, while these ideas are not new or novel, a lack of separation between entities (and of the security controls that should accompany it), compounded by overprovisioning, has resulted in numerous large-scale breaches. Once an attacker finds their way into the network, often through phishing or another endpoint vulnerability, it’s game over: a flat network or a single, monolithic operating system (OS) provides an open road to treasure troves of data and resources.

In the past few years, segmentation and microsegmentation have taken their turns in the buzzword spotlight, and not without due cause. While microsegmentation, especially when paired with “zero trust,” was splattered across vendor websites and conference booth spaces, the concept is founded on tried-and-true principles of security: segment as close to the asset as possible, whenever possible. In the non-networking realm, it’s why people store valuables like wills and expensive jewelry in bank vaults, off their home premises. It's why military networks, industrial control systems, and the stock exchange run air-gapped networks.

This is not to say an isolated network can never be breached; it’s just much harder to do, and it takes a determined attacker. It's this concern that has led highly regulated industries to issue work-only devices to employees and makes IT and security teams balk at the idea of BYOD. Yet, over the years we’ve seen the convergence of work and personal lives: the lines are blurred between “work hours” and “off hours,” between social media use for personal and professional reasons, and between the employee as an individual and their corporate persona. Few of us can truly say our work lives and personal lives are separate, and, frankly, many wouldn’t have it any other way today.

Rethinking isolation

But this conundrum requires security teams to think about how to use isolation in a new way, because only the biggest gear heads will tolerate carrying around a phone for work, a phone for personal use, a laptop for work, and a laptop for personal use. While some government/military, financial services, or critical infrastructure organizations can force employees’ hands, fewer enterprises can insist on that arrangement as a condition of employment.

Hysolate, an endpoint isolation vendor based in Tel Aviv, is using the concept of isolated workspace-as-a-service to help enterprises protect corporate resources when devices are used for more than “work only” purposes (i.e., almost always). While the company was founded long before much of the planet had to start working from home, today the need to keep work and personal networking environments isolated is more important than ever. As security practitioners (who are, I assume, the majority of people reading this), it’s easy to forget that large portions of the workforce aren’t provided work laptops, and when employees were forced to work from home, they had to start using personal devices. In some cases (gasp!), this meant using their own tablets or mobile phones until the company could come up with a better solution.

This mix-and-match work environment introduces tremendous security risk, and that’s where Hysolate fills the gap. Even under the best of circumstances, workstations have become multipurpose tools, with users crossing the work-personal divide many times per day. Hysolate is deployed as a light agent and instantly creates a virtual machine that splits the endpoint device into isolated operating system environments, each governed by its own policy set. “Hysolate is the first isolated workspace as-a-service solution that lets you easily create isolated workspaces on corporate and non-corporate devices, in minutes, and manage them from the cloud,” said Marc Gaffan, CEO. Companies use Hysolate to protect corporate devices by executing high-risk activities in an isolated workspace, and to secure corporate access from unmanaged devices with a VM-based, isolated workspace.

Transparent, secure user experience

The benefits of this architecture are that no network changes are needed, and the user experience is seamless—in most cases, users won’t even realize they’re working in separate workspaces. From a security standpoint, said Gaffan, “admins don’t have to bother spinning up a new OS, but they’ll have the ability to create different environments with different rights, and different networking policies for each isolated environment, and the appropriate applications will run right from there.”

Especially in a time of additional stress, it’s important for security teams to facilitate employee productivity, and that’s not always possible with traditional security controls. Hysolate, however, gives security teams an easy way to segment or isolate working environments and apply least-privilege access to work environments without undertaking an enormous architectural project. Gaffan called the platform an “integrated workstation with protected, split virtual environments.” With the device running as separate environments, the corporate workspace can be configured to prevent web browsing, file opening, app downloads, and more, while the user continues to have access and flexibility within a separate OS governed by more lenient permissions, keeping corporate resources and network activity quarantined from it.

Though the concept isn’t new, the ease of use and flexibility of the Hysolate platform are. If the isolated environment is infected by malware, the infection can’t spread to the other environment, and the entire device doesn’t need to be reimaged. If a user detonates a phishing link from their personal email account, the damage is contained to the personal OS. With this approach, employees can work from one device—whether it’s corporate owned or personally owned—and access everything they need—whether it's for their own fun and information or for work purposes—while the organization remains safe from cyber threats.