Extending Zero Trust to the Endpoint — Hysolate

Tal Zamir, Founder and CTO, Hysolate

What is Zero Trust?

Initially, Zero trust referred to an enterprise security architecture that relied on a trusted internal network protected by firewalls that enforce perimeter security. However, with enterprises adopting mobile and cloud technologies, the perimeter is becoming increasingly difficult to enforce. In addition, attackers have a variety of ways to get into the internal network. One of the main methods is breaching a user’s device that is allowed to connect to the enterprise network. Another flaw in the perimeter-based security model is the risk of insiders who act within the corporate perimeter.

As a result, enterprises are starting to move away from network perimeters into a Zero-Trust Architecture (ZTA). With ZTA, access is granted based on device/user credentials and not on the user’s presence in the corporate network. Based on the user’s credentials, the enterprise can grant access to a subset of enterprise resources and employees can work from any network without relying on a VPN connection. The architecture is called “Zero Trust” because the enterprise doesn’t automatically trust devices within the corporate perimeter. Instead, it verifies all devices/users.

User Devices: The Zero Trust “Achilles Heel”

This means that many enterprises that adopt ZTA still mistakenly trust user devices. This is a critical ZTA flaw as it allows attackers to breach a user’s device and then ride the authenticated user’s session to do harm.

Furthermore, as ZTA creates a false sense of security, it encourages enterprises to allow access to corporate resources from personal/unmanaged/BYOD devices, relying only on basic health checks to prevent malware from getting in. This makes things worse, as personal/unmanaged devices have a higher probability of getting infected.

Fixing the Weakest Link in the Zero Trust Concept

One way to increase trust in user access is by requiring that enterprise access is always done through a secure trusted OS, e.g. through a VDI desktop or through a jump box. Even if the OS on the physical device is compromised, having enterprise access run on a separate trusted and isolated OS eliminates a lot of common threats. However, setting up, configuring, and maintaining a whole separate OS image on VDI/jump box is expensive, complicated, and error prone. Furthermore, it degrades the user experience, as it requires users to go through another hop in the network for every interaction they do with every app on that remote OS. In the era of remote work/COVID-19, this becomes even worse, as connectivity may vary for people in different locations, in different home networks, etc.

There’s a better way. At Hysolate, we achieve this new ZTA architecture by splitting a user’s device into two segregated zones, each running in its own OS, leveraging the latest hypervisor and virtualization-based security technologies. One OS is the user’s unmanaged/untrusted/personal OS and another is an instantly-provisioned trusted corporate OS running in a VM — this VM is magically spun up without any infrastructure cost/image building work, etc. The corporate VM runs a locked-down operating system and can contain an inaccessible client certificate that vouches for the integrity of the VM. The ZTA broker would only allow that corporate VM running on Hysolate to have access to sensitive enterprise applications. It’s impossible for the end-user to access these applications from any other untrusted environment/device. Furthermore, our solution lets IT isolate this corporate VM from the user’s personal OS, including fine-grained cloud-managed controls over clipboard, USB, network, applications, etc. With this architecture in place, the Zero Trust puzzle can now be complete and enterprises can really move to a secure-by-design architecture.

Learn how Hysolate makes zero trust access a reality by splitting a users device into two separate zones. Request a demo with a member of our team.

About the Author

Subscribe to our blog and get updates straight to your inbox: https://www.hysolate.com/blog/

Originally published at https://www.hysolate.com on September 1, 2020.

Hysolate is a software platform that enables locally deploying and remotely managing virtual, secured, environments on a single endpoint.