Hardware-Secured Remote Browsing

Anyone who has endured one of my graduate courses knows the huge fuss I make about learning to read technical papers – and this includes patents. “Unless you can sit down and digest a complex paper,” I explain each semester to my students, “you will never be able to truly understand the nature of advanced cyber security technology.” Of course, this is always followed by a collective student groan, because young people barely read these days (ahem).

I mention this anecdote, because after a technical review last week with an interesting UK-based cyber security company called Garrison, I sensed that there was something much deeper in what the principals were explaining to me. So, I followed my own advice and downloaded one of their patents – and I must say that it was a delightful read. (Henry Harrison, Secure Control of Insecure Device, US Patent Application #20160261634).

Founded in 2014 by two former BAE executives named Garfield and Harrison – bizarrely, the last names of two assassinated US Presidents – the name-melded Garrison is built on the notion that sacrificial hardware ought to reside between valuable endpoints and potentially dangerous web content. The resulting secure remote browsing is not a unique concept, but I can assure you that the technical approach being taken by this British start-up is quite fascinating.

First, here’s the general idea: Rather than allow their critical endpoints to point at web content natively, enterprise security teams can place a chunk of virtualized computing in between, not unlike the familiar proxy concept. This intermediate component would then ingest potentially dangerous web content, and provide a safe rendering to the user. Inputs from the users would, in turn, be relayed safely back to the web site through this remote browsing intermediary.

Now, most commercial remote browsing solutions implement this concept in software, citing the obvious benefits of virtualization: Ease of expansion, low implementation cost, flexible functionality, and on and on. But the Garrison team has taken a much different route: Their innovation involves special hardware with a pair of cooperating ARM chips involved in a handshake that works in a surprisingly scalable manner – given the hardware orientation.

Let’s start with all the nasty content flowing from the web site to the user: One ARM processor runs as a tablet, with a browser executing all the web content normally, including scripts, GIFs, text, JPEGs, and so on. But where this ARM chip would normally push the output to a connected display, the Garrison solution pushes the output to a second ARM processor, in a handshake protocol that is based on their patented Silicon Assured Video Isolation (SAVI) method.

What happens is that this second ARM processor operates as a sort-of “camera,” compressing and “taking a picture” of the web content, represented as a bitmap. This second ARM also has the job of relaying user commands, input, and clicks to the tablet processor via the so-called Garrison Hardware Security Enforcement Fabric (HSEF) technology. Between SAVI and HSEF, users interact with the web via the safe intermediary – aka secure remote web browsing.

During my conversation with the Garrison team, I asked about how an enterprise could possibly scale this hardware solution. Even if an appliance included dozens or hundreds of ARM-pairs, busy web traffic, I posited, would create quite a traffic jam. They did the math for me, however, explaining that the processors are allocated when required, so an appliance with hundreds of chip pairs can support thousands of concurrent users.

I also asked the obligatory cyber security question about residual, hold-over data, given the obvious shared resource approach being taken on the platform. The team replied by taking me through the Garrison Secure Reboot process, which involves a full power-cycle with reboot management to ensure that malware from user X will not cascade to user Y if the same ARM pair is being used in successive remote web browsing sessions.
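
The two properties described above, on-demand allocation of processor pairs and a mandatory power-cycle before a pair is reused, can be modeled and audited as follows. This is an added illustration, not Garrison's code; the pool class, the event names and the trace format are hypothetical.

```python
from collections import deque

class PairPool:
    """Hypothetical model: a fixed pool of processor pairs, one per live session."""
    def __init__(self, n_pairs):
        self.clean = deque(range(n_pairs))   # pairs that are safe to hand out
        self.in_use = {}                     # user -> pair id
        self.events = []                     # audit trail: (event, pair, user)

    def allocate(self, user):
        if user in self.in_use:              # session already holds a pair
            return self.in_use[user]
        if not self.clean:                   # pool exhausted: caller must queue
            return None
        pair = self.clean.popleft()
        self.in_use[user] = pair
        self.events.append(("alloc", pair, user))
        return pair

    def release(self, user):
        pair = self.in_use.pop(user)
        self.events.append(("release", pair, user))
        # The pair has rendered untrusted content, so it is power-cycled
        # before it becomes eligible for the next user.
        self.events.append(("power_cycle", pair, None))
        self.clean.append(pair)

def audit(events):
    """Return (index, pair, user) for every allocation of a pair that was
    still in use or had not been power-cycled since its previous session."""
    busy, dirty, violations = set(), set(), []
    for i, (event, pair, user) in enumerate(events):
        if event == "alloc":
            if pair in busy or pair in dirty:
                violations.append((i, pair, user))
            busy.add(pair)
            dirty.add(pair)
        elif event == "release":
            busy.discard(pair)
        elif event == "power_cycle" and pair not in busy:
            dirty.discard(pair)
    return violations

# Constructed trace in which the power-cycle between two sessions is missing.
CONSTRUCTED_BAD_TRACE = [
    ("alloc", 0, "user_x"),
    ("release", 0, "user_x"),
    ("alloc", 0, "user_y"),
]
```

The same `audit` check applies to any appliance or cloud service that shares isolation hardware across sessions, provided it exposes allocation and reset events in some form.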

The Garrison team also pointed out during our discussion the obvious performance and security improvements that come with a hardware-based solution. That is, while compression and related tasks for bitmap manipulation might provide sufficient motivation for the ARM design, it’s hard to argue with the point that hardware does introduce some advantages in the avoidance of vulnerabilities.

Look, many of you reading this article will have a negative reaction to a hardware appliance being placed at some gateway or chokepoint in the enterprise. With the perimeter dissolving and LAN-access to the web for employees waning as a computing model, it is natural to brush off anything that involves hardware. But upon closer inspection, including Garrison’s cloud solutions, this really does look like a viable option.

My advice is that if you are reviewing secure remote browsing solutions – and in 2018, I think every enterprise security team absolutely should – then make sure you include this approach in your technical reviews and source selection. It is entirely possible that the Garrison solution will not fit your situation, but I think you’ll be surprised to find how scalable and flexible the platform turns out to be.

Give them a call and please share your experiences.