Endpoint Isolation: Can endpoints be hardened while keeping users productive?

The Challenge

Enterprises, big and small, often need a high grade of endpoint security to comply with industry regulations, client requirements, or simply to prevent disruption to the business and protect internal sensitive information from falling into the wrong hands.

However, the endpoint security restrictions that deliver this (e.g. removal of local admin rights, network restrictions, app whitelisting, …) often conflict with what the modern digital workforce needs from its endpoints.

To collaborate and do business with third parties, users are often required to install or access a wide variety of apps/services on their endpoints, including:

  • 3rd party video conferencing apps (e.g. Zoom, Teams, Webex, BlueJeans, …)
  • Modern collaboration/remote work tools (e.g. Slack, Dropbox)
  • 3rd party access/security agents (e.g. EPP/EDR/VPN/…)
  • Modern development tools for experimentation/research
  • Financial/tax-related software, especially for a multi-national business
  • Various user productivity apps (e.g. a user’s favorite browser, browser extensions, …)


Organizations often do not allow access to many of the apps above, e.g. because they are not considered secure or trusted, and because an IT department already tied up with other projects cannot handle whitelisting and exception handling for each new app. The rate of innovation in software is staggering, and it is nearly impossible to review and approve every such application and website.

How can enterprises marry security and business productivity needs on endpoints? One way to do so is via endpoint isolation approaches.

Endpoint Isolation Approaches

With endpoint isolation, users access certain risky applications in an isolated operating system, typically running in a virtual machine. This allows organizations to grant access to additional websites/apps/services without risking corporate data and sensitive apps.

However, endpoint isolation approaches vary significantly. When enterprises consider adopting endpoint isolation, they should first understand the full needs of users to make sure the isolation approach matches their requirements.

Browser isolation

With browser isolation/remote browser approaches, endpoints are configured to use a remote browser app to access certain risky websites. The remote browser could be either in the cloud or on-prem. Some vendors offer an agentless solution and others require installing a new special browser app on the endpoint.

This can be useful for safely accessing uncategorized websites, for example, but it does not allow users to install apps on their endpoints. This is a significant limitation, as many modern services require a desktop app to give users the full native experience (e.g. video conferencing apps).

Furthermore, browser isolation solutions often suffer from compatibility issues with certain websites, may not support browser extensions, do not natively support local hardware such as webcam/microphone, and may introduce latency due to the remote processing of website content.

OS isolation

With OS isolation approaches, the user has a completely isolated local OS that looks like another space on the user’s desktop. Risky content is automatically launched in this isolated local OS. This enables users to be fully productive, including:

  • Installing any desktop app
  • Getting full local admin rights
  • Safely viewing/editing risky documents
  • Accessing any website/cloud service
  • Plugging in risky peripherals

Because of the level of isolation these approaches offer, there is no risk to the corporate network or to corporate data/apps. All of these activities are done in an isolated virtual machine that provides the highest level of security against advanced OS-level threats.
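Both approaches above rest on the same decision: when a user clicks a link or launches an app, something on the endpoint must decide whether it belongs in the trusted corporate OS or in the isolated environment (remote browser or local VM). The following Python is an added illustration of that routing decision, written for this article; it is not Hysolate's product code, and the policy format, the zone names and all sample inputs are assumptions made for the example. It defaults everything unknown to the isolated side and handles the parsing edge cases that a naive hostname check gets wrong (userinfo in the URL, IP literals, look-alike suffixes, non-HTTPS schemes, malformed input).

```python
"""Illustrative launch-routing policy for an isolation-based endpoint.

Added example, not Hysolate's product code. The policy format, the zone
names and all sample inputs are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

TRUSTED = "trusted-os"    # corporate OS with access to sensitive apps/data
ISOLATED = "isolated-vm"  # disposable OS for everything uncategorized


@dataclass(frozen=True)
class Policy:
    # exact hostnames ("intranet.corp.example") or suffix patterns ("*.corp.example")
    trusted_domains: frozenset
    # app identifiers allowed to run in the trusted OS
    trusted_apps: frozenset
    trusted_schemes: frozenset = frozenset({"https"})


def host_is_trusted(host: str, patterns) -> bool:
    """Match a hostname against the policy; IP literals never match."""
    host = host.lower().rstrip(".")
    try:
        ip_address(host)
        return False  # a raw address sidesteps the domain list, so treat it as risky
    except ValueError:
        pass
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            # "*.corp.example" covers any label under corp.example, but not
            # corp.example itself and not look-alikes such as "evilcorp.example"
            if host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return False


def route_url(url: str, policy: Policy) -> str:
    """Decide which OS opens a URL. Anything that fails parsing is isolated."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return ISOLATED
    if parts.scheme.lower() not in policy.trusted_schemes:
        return ISOLATED
    # .hostname strips the port and any userinfo, so
    # "https://intranet.corp.example@evil.example/" resolves to evil.example
    host = parts.hostname
    if not host:
        return ISOLATED
    return TRUSTED if host_is_trusted(host, policy.trusted_domains) else ISOLATED


def route_app(app_id: str, policy: Policy) -> str:
    """Decide which OS runs an application; unknown apps are isolated."""
    return TRUSTED if app_id.strip().lower() in policy.trusted_apps else ISOLATED


# Constructed sample policy and launch requests (not real corporate data).
SAMPLE_POLICY = Policy(
    trusted_domains=frozenset({"intranet.corp.example", "*.corp.example"}),
    trusted_apps=frozenset({"outlook", "corp-erp-client"}),
)

SAMPLE_REQUESTS = [
    ("url", "https://intranet.corp.example/payroll"),
    ("url", "https://hr.corp.example:8443/"),
    ("url", "https://intranet.corp.example@evil.example/login"),  # userinfo trick
    ("url", "http://intranet.corp.example/"),                      # plaintext scheme
    ("url", "https://evilcorp.example/"),                          # look-alike suffix
    ("url", "https://203.0.113.7/"),                               # IP literal
    ("url", "https://[::1"),                                       # malformed
    ("app", "Outlook"),
    ("app", "zoom"),
]


def route_all(requests=SAMPLE_REQUESTS, policy=SAMPLE_POLICY):
    """Return [(kind, item, zone), ...] for a batch of launch requests."""
    decisions = []
    for kind, item in requests:
        zone = route_url(item, policy) if kind == "url" else route_app(item, policy)
        decisions.append((kind, item, zone))
    return decisions


if __name__ == "__main__":
    for kind, item, zone in route_all():
        print(f"{zone:12} <- {kind}: {item}")
```

The design choice worth noting is the direction of the default: the trusted OS is an allowlist, so the IT team only ever has to vet what crosses into the sensitive side, while the long tail of new apps and uncategorized sites lands in the isolated environment without a ticket.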

Full OS Isolation with Hysolate

Hysolate hardens your endpoints with full OS isolation. With Hysolate, access to sensitive enterprise apps on the endpoint can only be done from an isolated trusted OS while access to risky/potentially malicious apps is done on a completely separate OS. This is done by leveraging the latest virtualization-based security technologies and enhancing them so that enterprises can instantly split the endpoint into these two isolated operating systems, in a way that is user-friendly and cloud-managed.

Want to learn more about Hysolate and how it can help your team work securely and productively? Request a demo here.


*** This is a Security Bloggers Network syndicated blog from Hysolate authored by Tal Zamir. Read the original post at: https://www.hysolate.com/blog/endpoint-isolation-can-endpoints-be-hardened-while-keeping-users-productive/