By Tal Zamir
When it comes to protecting “the last mile” – or end-user devices – many enterprises see two basic choices: either lock down devices and limit what end-users can access, essentially handcuffing their ability to work efficiently, or prioritize productivity and take some chances with security.
But with endpoints being the darling of cyber-attackers and most companies playing in fiercely competitive markets, this either/or proposition is fast becoming untenable. And now, thanks to a new software-defined endpoints approach, it’s no longer necessary.
Today’s Uneasy Reality
In many enterprises, CISOs, IT admins and end-users are increasingly at odds, as security is pitted against productivity and one is often compromised for the other.
CISOs are under tremendous pressure to protect the corporate crown jewels and make sure their company doesn’t wind up as another cyber-victim statistic. Mandated to slash exposure to cyber threats, they’re empowered to take whatever actions they deem necessary.
So what do they do? Because laptops and desktops are the most vulnerable part of the organization, as well as the gateway to the heart of the enterprise, CISOs have IT deploy a wide and complex array of pinpointed endpoint security products, from next-gen antivirus, application sandboxing and data leakage protection (DLP) to threat detection and more. This adds ever-more mechanisms on top of the existing endpoint infrastructure, which is essentially the same as it was 20 years ago: a piece of hardware running a single bloated OS with a huge pile of software agents, legacy middleware and applications.
Knowing that even best-in-class point products can’t guarantee protection, many CISOs block and/or limit end-user access. Some allow email but block attachments, others eliminate the ability to use personal email, browsing or cloud storage, while others take the radical approach of completely locking down devices.
High-security enterprises that also want to foster productivity often implement a physical air-gap solution, where each user gets two workstations: one for unrestricted Internet access and another for locked-down access to sensitive resources. Even industry giants like Microsoft recommend air-gapped machines for sensitive workers because of endpoint threats (a program called “Privileged Access Workstations”). However, while this dramatically increases security, it degrades user experience and productivity and is impractical or too expensive for most enterprises.
IT Operations Teams
IT operations teams have their hands more than full. In addition to all the ‘regular’ work of provisioning, updating and recovering endpoints, they must deploy and manage whatever their CISO mandates. This often includes up to a dozen agent-based security point products, many of which come with their own complications and application compatibility issues. For instance, consider the extensive policy development and platform integration work DLP requires (as well as the interactions IT must have with end-users because of DLP’s inherent invasiveness).
IT teams spend countless hours fine-tuning configurations, testing devices, and keeping automated patching systems up to date – or dealing with inevitable losses when patches fail and systems are breached. This doesn’t even take into account large enterprises where some departments are still working on systems with Windows 7, or where multiple security teams are charged with different activities and the left hand doesn’t know what the right hand is doing.
End users are often overlooked in the struggle for security. The typical enterprise user isn’t allowed to browse the web freely, plug in some external devices, install applications or add-ons, use modern cloud services or communicate effectively with others. These restrictions often result in high user frustration and degraded business productivity.
Of course, many workers are very tech-savvy, thanks to growing up in the age of mobile and cloud services. As a result, they find creative ways to work around ineffective security restrictions. They’ll find ways to use USB keys, send documents to their personal emails, browse the Internet and access the software they need to be productive.
Either that or they just let productivity slip because hey, it’s not their fault they don’t have the tools they need to do their job well. Or maybe they’ll take a job at a different company that gives end users the tools and freedom they want and are accustomed to.
There are some companies that put end-user productivity above security. However, letting users work freely on their endpoints with almost no security measures puts enterprises at grave risk of compromising their most sensitive assets.
Going Virtual with Software-Defined Endpoints
It’s clear that enterprises can no longer choose between security and productivity, and that endpoints have to change in order to enable both. The good news is we have a way to revolutionize the endpoint without pulling the rug out from under us.
In the same way that the data center is now fully virtualized by default with software-defined computing, networking, storage – even the perimeter is software-defined – there is now enough endpoint capacity to run fully virtualized operating systems, making our endpoints software-defined as well.
With software-defined endpoints, a “virtual air gap” architecture delivers high-grade security while simultaneously boosting productivity. Endpoints are built on top of a slim hypervisor layer that sits below the device’s operating system. They’re highly flexible, compatible and secure by design. Everything an end user does happens in virtualized desktops, running locally, side-by-side with full isolation. The entire experience is seamless for users. The apps they're working on automatically launch in the correct, designated VM. To the users, it looks and feels like their familiar Windows desktop.
This software-defined endpoint approach provides long-awaited benefits to all stakeholders:
CISOs can be sure that whatever happens in an OS is confined to its own virtual environment and can't reach or affect the organization’s most sensitive systems and assets. They ensure military-grade security by having no single vulnerable OS control the endpoint. Instead, the endpoint is now composed of one OS per security zone, as if the user had multiple air-gapped workstations on their desk, e.g., one for outbound or risky access and one for sensitive access. They also get “below-the-OS” security they could only dream of, enhancing or replacing existing OS-based security agents.
IT gets greater endpoint flexibility and robustness with easier deployment, update and troubleshooting mechanisms. For example, they no longer need to maintain a golden OS image per hardware model, and a faulty software update in a VM can now be instantly reverted.
IT seamlessly runs a centrally managed hypervisor on each endpoint. Guest operating systems can still be managed through existing IT management workflows, but the structure of these endpoints can now be easily shaped and controlled through a central enterprise management console, including advanced security and IT controls that weren’t possible before.
Employees can now freely use their endpoints, unleashing innovation and productivity. They can connect to the cloud, browse any website, install any app, and work with third-party content, both online and offline. One virtual desktop can be running Windows 10 with full local admin rights and full Internet connectivity, alongside another virtual environment running Windows 7 for accessing sensitive corporate assets. End users can even get a private zone for personal use that they can keep to themselves.
It’s time to put the security versus productivity dilemma to bed. With software-defined endpoints, businesses can deliver a completely unrestricted, easily managed and fully secure user experience, providing a win-win-win for CISOs, IT operations and end users alike.
About Tal Zamir
Tal Zamir, Co-founder and CEO of Hysolate, is a passionate entrepreneur and veteran R&D leader with 15 years of experience in the cyber and IT domains.