Imagine, just for a moment, that you ran a bank that every criminal in town desperately wanted to rob. How safe would you feel if your security guards’ strategy for stopping bank robbers was to try and recognize their faces after the bad guys were already inside the lobby and were standing next to the open vault door? As strategies go, it’s a pretty darned risky one … If you fail to spot a robber before he or she makes their move, then you’re in for some unpleasant drama.
That’s pretty much exactly the way many companies still treat cybersecurity – they rely on detection to spot bad guys trying to enter the production network, or else they try to spot clues around their environment that suggest that a bad guy has already gotten inside. Either way, the attacker is in close contact by the time the defenders spring into action. Close enough that they’re ready to start some trouble. Potentially close enough to your valuables to inflict some serious damage, too.
Wouldn’t it be better if you could separate the general public from your crown jewels so that a metaphorical exploding package couldn’t actually affect anyone? That’s the general concept behind what the industry is beginning to call “isolation technologies.” The idea behind these engineering solutions is to abstract things, people, and stuff as much as possible. That is, to make points of interaction between insiders and outsiders take place in self-contained and blast-tolerant spaces outside of the company perimeter, where an activated payload can’t actually harm anyone or anything.
Citrix made a mint with this idea back in the 1990s with their presentation of a Windows desktop that wasn’t a real Windows machine. The user had the functionality that he or she needed to run an application, but there was no real machine to compromise. VMware built on the concept with its own virtualization tech and came out with the Horizon solution. I’ve deployed both and realized some pretty significant reductions in harmful security incidents.
The idea has really taken off in recent years with clever tools that completely isolate traffic between users, networks, and activities. Fireglass has a really neat “threat isolation platform” approach that effectively forces all web-based interaction to take place in a secure space outside of the user’s actual production environment, like a military pilot flying a drone from the other side of the world.
There are other solutions out there, and they’re all fascinating to a security researcher. Our objective is to make it safe for good people to do business on the wild and toxic Internet without having a routine transaction blow up in their faces. In the really, really old days, you could protect a PC by storing it in a locked room and maybe assigning a boot password to it. Now, everyone and everything is networked. We need better ways to keep the bad guys at arm’s length. Fortunately, there are a lot of intriguing and effective ways to make that happen.