In today’s worsening cyber threat landscape, attackers routinely bypass perimeter defenses such as signature-based antivirus, network sandboxes, secure web gateways and firewalls to launch attacks through the web.
A recent Gartner report warns organizations about a “cesspool of attacks” that leverage browser and plug-in vulnerabilities to infect end users, and ultimately corporate networks, through the normal, everyday act of browsing the web. By some estimates, over 80 percent of infections originate through the web.
Thwarting Threats through Isolation
Realizing that conventional security approaches are ineffective against the growing risk of web-borne threats, an increasing number of enterprises are taking an isolation-based approach. Isolation is based on the concept of creating an “air-gap” between the web and users, to eliminate the possibility of threats reaching and infecting devices.
However, while isolation is a viable defense strategy, enterprises must recognize that not all isolation approaches and technologies are created equal. Specifically, two early iterations of isolation have proven ineffective and unsuitable for the enterprise: VDI-based isolation, and the endpoint isolation that grew out of it.
The Limitations of VDI-Based Isolation
Virtual desktop infrastructure (VDI) is the practice of hosting a desktop operating system in a virtual machine (VM) running on a centralized server. End users access the remote desktop through a thin client or terminal to do their daily work, and because the desktop runs on the server, any infection is confined to the remote VM.
However, VDI is not, and never will be, a security solution. It is an IT solution concerned with how desktop environments are managed. Enterprises still need policies that restrict what end users may do in the remote desktop, which prompts complaints and tempts some users to circumvent the rules. Most importantly, the remote desktops have access to the corporate network, so if a single one is infected with malware, that malware can spread across the entire enterprise: the VM is isolated from the user’s device, not from the network.
Furthermore, the user experience with VDI-based isolation is poor. The remote desktop is reached through a dedicated client, and VDI technologies are notorious for latency, especially when consuming rich media. This is unacceptable for end users who need to be efficient and productive.
In addition, the costs are excessive, if not prohibitive. VDI essentially doubles the number of OS licenses, one for the local desktop and one for the remote, on top of the cost of the VDI infrastructure itself. As for scalability, deployment requires a large VDI farm with enormous amounts of memory, since end users typically run multiple applications at the same time.
The Limitations of Endpoint Isolation
Endpoint isolation, the next step in isolation’s evolution, runs a VM on the endpoint itself, in which users perform potentially risky activities such as browsing the web and downloading and opening documents. In theory, this protects end users from infection and therefore safeguards the enterprise, since the VM is supposed to be completely isolated from the host endpoint. In practice, as many enterprises that have adopted this approach are unhappily discovering, things are not as advertised.
Specifically, endpoint isolation is unsuitable for large scale deployments due to:
- Deployment and manageability overhead: The software must be installed and maintained on every endpoint, which is close to impossible for larger enterprises with tens or hundreds of thousands of endpoints.
- Device/OS dependency: The software typically supports only certain operating systems, versions and CPUs.
- Extreme hardware requirements: Running a second (virtual) OS instance on the same endpoint demands considerably more CPU and memory, which often means costly upgrades.
- Inferior user experience: Because of those resource requirements, end users often complain that their machines have become sluggish and slow. In addition, many applications are not supported inside the isolating VM.
Web Isolation: A Way Forward
Web isolation, also referred to as remote browser isolation, is the next evolution of isolation-based protection. It blocks web-borne threats by executing web sessions remotely, so that only a rendered visual stream of the content, never the original web code, is delivered to the end user. Because web isolation is proxy-based, it requires no endpoint installation and no OS-level virtualization.
In some implementations, each web session is handled in a lightweight virtual container that is completely sealed. Nothing can escape or persist in the container, and the container is disposed of at the end of each session, so a web-borne threat has no way to reach the enterprise and no place to persist. In addition, files can be rendered remotely so that end users can view them without downloading the original to their device.
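The two properties just described, a disposable per-session container and an endpoint that only ever receives a rendered representation, can be shown in miniature. The following is an added example written for this page, not code from any web isolation product: the "container" is modelled as a throwaway temporary directory, the "visual stream" as a list of text runs (a stand-in for the pixel or DOM snapshots a real product would send), the `RenderedFrame`, `IsolatedSession`, `stream_is_passive` and `isolate_and_render` names are this example's own, and the sample page is constructed to carry the kinds of active content an attacker would plant.

```python
"""Added illustration of the remote browser isolation principle: the session
lives in a disposable workspace, and only a rendered representation of the
page (no markup, script, URLs or file bytes) leaves it. Example code, not any
vendor's implementation; all names below are this example's own."""
import os
import re
import shutil
import tempfile
from html.parser import HTMLParser

# Constructed sample page: benign text plus script, an inline handler, a
# javascript: link, a drive-by iframe and an executable download.
SAMPLE_PAGE = """<html><head><title>Quarterly report</title>
<script src="https://evil.example/exploit.js"></script></head>
<body onload="steal()">
<h1>Q3 results</h1><p>Revenue grew <b>12%</b> year over year.</p>
<a href="javascript:alert(1)">Details</a>
<iframe src="https://evil.example/drive-by"></iframe>
<a href="invoice.exe" download>Download invoice</a>
</body></html>"""

# Elements whose content is never drawn for the user and is therefore dropped.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "style", "noscript"}


class RenderedFrame(HTMLParser):
    """Turns HTML into a 'visual stream': (tag, text) runs that a user sees.
    Attributes (handlers, hrefs, srcs) are discarded at this stage, so they
    never exist in the representation sent to the endpoint."""

    def __init__(self):
        super().__init__()
        self.runs = []      # what the user sees, in document order
        self._stack = []    # open tags, to label each run
        self._skip = 0      # >0 while inside an ACTIVE_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self._skip += 1
        self._stack.append(tag)

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self._skip = max(0, self._skip - 1)
        if self._stack and self._stack[-1] == tag:
            self._stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if text and not self._skip:
            self.runs.append((self._stack[-1] if self._stack else "body", text))


class IsolatedSession:
    """Disposable 'container' for one browsing session: every fetched byte
    lives in a temp directory that is deleted when the session ends."""

    def __enter__(self):
        self.workdir = tempfile.mkdtemp(prefix="rbi-")
        return self

    def __exit__(self, *exc):
        shutil.rmtree(self.workdir, ignore_errors=True)   # nothing persists
        return False

    def render(self, html, name="page.html"):
        # The original bytes stay inside the container...
        with open(os.path.join(self.workdir, name), "w", encoding="utf-8") as fh:
            fh.write(html)
        # ...and only the rendered runs leave it.
        frame = RenderedFrame()
        frame.feed(html)
        frame.close()
        return frame.runs


def stream_is_passive(runs):
    """The check a practitioner wants on the endpoint-facing stream: no
    markup, no script scheme, no URLs and no executable names in any run."""
    forbidden = re.compile(r"<|javascript:|https?://|\.exe\b", re.I)
    return all(not forbidden.search(text) for _, text in runs)


def isolate_and_render(html=SAMPLE_PAGE):
    """Run one session and report (runs, whether the container survived)."""
    with IsolatedSession() as session:
        runs = session.render(html)
        workdir = session.workdir
    # After the session the container and the original page are gone.
    return runs, os.path.exists(workdir)


if __name__ == "__main__":
    runs, survived = isolate_and_render()
    for tag, text in runs:
        print(f"{tag:>5}: {text}")
    print("container survived:", survived, "| stream passive:", stream_is_passive(runs))
```

Passing the raw page straight through (`stream_is_passive([("raw", SAMPLE_PAGE)])`) fails the check, which is the point: the defensive property comes from the representation sent to the endpoint, not from filtering the attacker's content after the fact.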
Web Isolation: From Best Practice to Fundamental Requirement
VDI-based isolation and endpoint isolation represent early attempts to keep threats from reaching devices and infecting networks. And while these technologies deliver some value, they have serious shortcomings that render them unsuitable for enterprises fighting against the onslaught of web-borne attacks.
The natural evolution of this approach is web isolation, which is suited to large scale deployment for the following reasons:
- No endpoint agent: Enables rapid deployment across the enterprise and eliminates the overhead of installing, updating and patching endpoint software.
- Seamless user experience: Does not diminish UX or productivity, since end users get secure, unrestricted web access through their existing browser.
- Scales efficiently and cost-effectively: Uses container and browser virtualization on the server side, so capacity can be added incrementally at low cost.
- Device independent: Works with any OS or device that has a browser, including laptops, tablets and smartphones.
We are already seeing enterprises of all sizes, and especially large firms with tens of thousands of endpoints, move to a browser isolation strategy. It is only a matter of time before this approach becomes less a best practice and more a fundamental requirement.