Last week I described how the move to a resource-level security model and policy is essential in today’s world of loosely-managed devices, cloud services and BYOX. The old device-centric approach to security is no longer effective: you can’t hide all user devices behind a corporate firewall, it’s not acceptable to lock down mobile devices completely, and it’s too easy to leak and share corporate data from inside a firewalled device.
Having postulated that a new security model is essential, I now owe you an analysis of some of the technologies and methods that might make it a reality. Resource-level security and policy can be thought of as placing a sandbox around corporate data and applications, and there are different levels at which the sandbox can be applied.
1) Application Sandboxing
Repackaging and streaming Windows applications (aka application virtualization) has long been established as a way to avoid the need for complex and lengthy installers and make applications portable. Because it also isolates the application from the underlying operating system, it could in principle double as a security sandbox. In practice, app virtualization products were built to solve desktop management challenges, not security ones, and they deliberately keep isolation to a minimum so that the virtualized application can still interact with the rest of Windows. In theory the same mechanism could enforce a resource-level security policy, but a real solution would also have to cover the parts of Windows the application touches outside its own package, and compatibility problems mean there are many applications which simply do not work inside a sandbox.
On Mobile, application sandboxing is the key technology in MAM (Mobile Application Management) solutions. The idea is to separate apps that access corporate data from the mobile device owner’s personal apps and data. There are differences in the approach – for example, Good Technology requires that the app is recompiled against their SDK. Others provide restrictive native apps for email and other functions. A more appealing solution is to put a lightweight wrapper around any app so it can be secured without recompilation, which is the approach we take with MobileNow.
2) Virtualization inside the endpoint
Another approach to securing applications is to encapsulate the entire operating system in a virtualization layer on the endpoint, and then remotely manage it and set security policy on it.
On Windows there are many implementations of the various types of virtualization:
- A few years ago Type 1 solutions were heralded as the enabling technology for widespread VDI adoption, not least because they enable offline use cases. Both of the surviving “pure” type 1 technologies are now owned by Citrix, but MokaFive’s BareMetal offers similar benefits and I’ll leave the computer science geeks to fight over the exact definition of “type 1”. Limitations in hardware compatibility and user experience have held back widespread adoption, although Windows 8 Pro now comes with Hyper-V – a type 1 hypervisor with no discernible loss of experience or compatibility – and even works on Mac hardware with Apple’s Boot Camp drivers!
- Type 2 solutions are much more widely used, especially by Mac users running Windows desktops using VMware Fusion or Parallels. There are also solutions for deploying and securing virtual Windows desktops inside Windows to provide separation between corporate and personal environments, including VMware View “local mode” and MokaFive LivePC.
- Bromium’s technology is getting a lot of attention and falls somewhere between all of these categories. It uses a tiny virtualization layer around specific applications and tasks to completely isolate them from the rest of Windows, all the way down to the hardware level. Initially it is focused on internet browsers and Office apps, but I’m told it can be extended to other Windows apps for the right price.
For mobile devices there are hypervisors available from OK Labs and VMware. For Android devices that are “VMware Ready”, the VMware Switch application runs a second Android instance in its own virtual machine, separating the personal and corporate work zones at the operating-system level rather than relying on per-app controls. To manage the corporate partition the organization must use the VMware Horizon suite. The same technology is not available on iOS, with speculation that Apple would not allow it, so VMware offers Horizon Mobile on iOS, which is much closer to an app sandboxing solution.
3) Remote display
Remote display has the advantage that applications run inside a secured datacenter (or in the cloud), not on the endpoint. This gives the administrator control over how much data can reach the device (only screen updates need cross the wire, although nothing stops a user photographing the screen or, unless it is disabled, taking screenshots and copying via the clipboard) and it protects the application and its data from direct attack by whoever holds the device. Of course, the application running in the datacenter could leak data itself, but it’s within the administrator’s control to lock it down. This approach mostly applies to Windows applications and desktops, although companies like BlueStacks can run Android applications inside Windows, providing a remote access solution for Android apps too.
Remote display solutions include Session Virtualization (Remote Desktop Services, formerly Terminal Services), VDI and Remote Desktop, as well as one-to-one services like GoToMyPC. Microsoft is rumored to be entering the Desktop-as-a-Service market directly through Azure, adding further weight to this model. Note that it is possible to remotely deliver individual applications, not just complete Windows desktops.
The disadvantage of remote display is, of course, that you need a high quality connection to the remote application at all times. Internet access has become more ubiquitous than ever before, but native apps still provide the best user experience and keep working through network black spots and outages.
4) Data Sandboxing
The purpose of the above 3 technologies is to protect data by securing the applications that process it. An intriguing question is whether it is possible to secure the data directly. Data Loss Prevention and rights-management solutions address this challenge, but they require PKI infrastructure and key distribution, and they only work with the specific applications that have been integrated with them. A combination of file-level protection (the data stays encrypted wherever it travels) and application wrapping (only a wrapped, policy-aware app can obtain the plaintext) would provide a more general purpose solution. For an example of this in progress, see our DataNow client wrapped inside our MobileNow app wrapper.
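To make the "secure the data directly" idea concrete, here is an added example (it is not code from the original post and not the DataNow or MobileNow implementation) of file-level protection with a policy bound to the file. The policy travels with the file in the clear but is authenticated as AES-GCM associated data, so a wrapper refuses to release plaintext outside a managed context and anyone who edits the policy to get past that check breaks the authentication tag instead. The `Policy`, `Envelope` and `Context` types and the single `Managed` flag are assumptions made for illustration; the data key is assumed to have reached the wrapper out of band, which is exactly the key-distribution problem the paragraph above points at.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Policy travels with the file in the clear but is bound to the ciphertext as
// authenticated associated data (AAD): edit the label and the file no longer opens.
// (Field names and the label format are assumptions for this example.)
type Policy struct {
	Label       string // classification, e.g. "corp:confidential"
	ManagedOnly bool   // release plaintext only inside a managed wrapper
}

// aad serialises the policy deterministically for use as GCM associated data.
func (p Policy) aad() []byte {
	return []byte(fmt.Sprintf("v1|label=%s|managed_only=%t", p.Label, p.ManagedOnly))
}

// Envelope is the protected form that may sit on an unmanaged device, a USB
// stick or a personal cloud folder without exposing the content.
type Envelope struct {
	Policy     Policy
	Nonce      []byte
	Ciphertext []byte // AES-GCM output with the 16-byte tag appended
}

// Context describes the caller asking for plaintext. A real wrapper would get
// this from the MAM agent; here it is a single flag (assumption).
type Context struct {
	Managed bool
}

// ErrPolicy is returned when the policy forbids plaintext in the caller's context.
var ErrPolicy = errors.New("policy forbids releasing plaintext in this context")

// Seal encrypts plaintext under key with AES-256-GCM, binding policy as AAD.
func Seal(key []byte, policy Policy, plaintext []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per file
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, policy.aad())
	return Envelope{Policy: policy, Nonce: nonce, Ciphertext: ct}, nil
}

// Open enforces the policy first, then authenticates and decrypts. The policy
// check keeps plaintext away from unmanaged callers; the GCM tag check catches
// anyone who rewrote the policy (or the data) to slip past that first check.
func Open(key []byte, env Envelope, ctx Context) ([]byte, error) {
	if env.Policy.ManagedOnly && !ctx.Managed {
		return nil, ErrPolicy
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.Policy.aad())
	if err != nil {
		return nil, fmt.Errorf("envelope failed authentication (tampered policy or data): %w", err)
	}
	return pt, nil
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo: the data key is assumed to have been delivered to the
	// managed wrapper out of band.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	env, err := Seal(key, Policy{Label: "corp:confidential", ManagedOnly: true}, []byte("Q3 forecast"))
	if err != nil {
		panic(err)
	}
	_, err = Open(key, env, Context{Managed: false})
	fmt.Println("unmanaged app:", err)
	pt, _ := Open(key, env, Context{Managed: true})
	fmt.Println("managed wrapper:", string(pt))
	env.Policy.ManagedOnly = false // attacker relaxes the policy on disk
	_, err = Open(key, env, Context{Managed: false})
	fmt.Println("after tampering:", err)
}
```

Note what the example does not solve: the wrapper still needs the key, so a compromised or unmanaged device that somehow obtains the key can ignore the policy. That is why the text pairs file-level protection with application wrapping, and why key distribution remains the hard part.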
Resource-level security and policy is a compelling and perhaps inevitable approach to securing corporate assets in a consumerized, decentralized, cloud-centric world. There are multiple virtualization technologies focused at the application and operating system level which give partial solutions, and research continues into providing a complete, data-centric answer across all platforms. This is a fascinating area and I hope you enjoyed my brief exploration!