Completely securing the endpoint is hard. Securing it without sacrificing user productivity is even harder. Think of a modern laptop running a Windows 10 OS, for example. The OS consists of millions of potentially vulnerable lines of code. It has many legacy components written with old security standards in mind. The kernel is probably executing several third-party drivers that might also be vulnerable. Finally, there are dozens of daily-use applications. Some are provided, managed and patched by the enterprise, while others are installed on demand by users; the latter are not always from legitimate sources, making it harder to track and assess security. Timely detection and prevention of threats is a cat-and-mouse game, where a single win for the attackers is game over for the user.
Consider, too, the rate at which organizations are moving to the cloud. For those using the endpoint purely as a browser, web isolation products can significantly enhance security by isolating browser access to risky websites and, sometimes, to risky email attachments, too. Using ChromeOS, an operating system built for the cloud with security in mind, can provide additional security benefits.
But using only a browser is not yet practical for most organizations. Many legacy line-of-business applications are still being used daily. Workers install video conferencing applications to meet with business partners. Developers install and update software for their daily work. Almost every popular, modern cloud application (Slack, Teams, Office, etc.) comes with a full desktop client that offers superior features. For organizations looking to adopt these tools, web isolation solves only part of the problem.
VDI or Desktop-as-a-Service (DaaS) solutions allow companies to shift corporate application workloads to the data center or the cloud. By limiting endpoints to the role of a thin client, and connecting them only to this infrastructure, the list of potential attack vectors narrows and the endpoint becomes very secure.
But using VDI/DaaS for the entire organization becomes very expensive if massive numbers of users need remote access simultaneously. Further, the user experience and latency are far from ideal, and offline work is impossible. In terms of security, while the endpoint is now more secure, the threat still exists – it just moves to the data center or the cloud, where, in essence, a fat Windows desktop is running. With DaaS, security might be even more challenging when multiple users share the same virtual OS; a single threat can potentially compromise multiple user sessions at once.
Hypervisor-Based Isolation
The world trusts modern hypervisors to securely run servers, containers and other workloads in the cloud. Sometimes, multiple hypervisors run side-by-side on the same physical server, though they’re completely separated and isolated from each other. Unlike modern OS kernels, hypervisors are designed to perform a very specific task. Their code base is usually very small, well-reviewed and thoroughly tested, making it very hard to exploit. Empirically, it’s very rare to see a hypervisor-related vulnerability discovered or published.
Is it possible to secure the endpoint with hypervisor-grade isolation? Imagine a “productivity environment” where workers can browse any website, open any email attachment, or install and execute software, all without endangering the corporate environment or the organization’s crown jewels. Even better, malware or attackers who compromise this environment are trapped inside by strong, hypervisor-based isolation boundaries.
Windows Sandbox
Microsoft has been investing heavily in virtualization-based security (VBS) in recent years. Hypervisor-based isolation is a key element, whether it’s used to isolate LSA secrets with Credential Guard or to isolate critical Device Guard code. With the release of Windows 10 version 1903, Microsoft introduced Windows Sandbox, describing it as a “lightweight desktop environment tailored for safely running applications in isolation.” Windows Sandbox enables users to spin up, almost immediately, a second, isolated instance of Windows with the click of a button.
Windows Sandbox is based on the new “Krypton VM Containers” – Hyper-V-backed lightweight containers. The lightness is reflected in:
- Reduced disk space: The container reuses the host’s binaries, reducing its disk footprint and making it easier to manage. This also means it remains as patched and secure as the host.
- Optimized memory and CPU usage: The host’s kernel is aware of the container, and manages it as yet another application. That means improved CPU and memory allocation based on actual demand and usage.
- Paravirtualized GPU: By enabling GPU acceleration inside the container, the CPU has less work to do.
Unlike web isolation products, Windows Sandbox can isolate almost any application. With the Krypton optimizations, it’s fast and doesn’t place too many demands on hardware (any three-year-old laptop should suffice), making it dramatically more affordable than VDI. The virtualization layer is barely noticeable, making the performance superior to VDI/DaaS.
The Missing Pieces
Can Windows Sandbox enable organizations to provide an isolated “productivity environment” while further hardening and securing the host OS? In theory, it could, but in practice, unfortunately, it lacks certain capabilities necessary for enterprise environments:
- Manageability: Windows Sandbox is hard to deploy and impossible to manage (policies, applications) with MDM systems such as Microsoft Intune.
- Usability: Windows Sandbox is non-persistent. Applications installed by users or administrators are going to be wiped on reboot. User settings, cookies, and browsing history will not be saved.
- OS integration: While users can install risky software inside the container rather than on the host, they are not forced to do so.
- Security: While fully isolated in terms of code execution, Windows Sandbox doesn’t provide network isolation. Malware can access and attack other devices accessible by the host, even if behind a Network Access Control (NAC).
- Software Compatibility: Some applications fail to run or to be installed inside Windows Sandbox.
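As an added example (not from the original article or from Microsoft), the Windows Sandbox configuration file below shows the only network control the sandbox itself offers for the Security gap above, an all-or-nothing switch, alongside two other hardening settings. The file name hardened.wsb and the host path C:\SandboxInbox are assumptions chosen for illustration.

```xml
<!-- hardened.wsb: constructed example configuration for Windows Sandbox -->
<Configuration>
  <!-- Remove the virtual network adapter. With the default setting the
       sandbox is connected through the host and can reach the devices
       the host can reach. -->
  <Networking>Disable</Networking>

  <!-- Turn off the paravirtualized GPU. Rendering falls back to software,
       trading some performance for a smaller host-facing attack surface. -->
  <VGpu>Disable</VGpu>

  <!-- Share a single host folder, read-only, so files can be handed to the
       sandbox without giving it write access to the host.
       C:\SandboxInbox is a hypothetical path and must exist on the host. -->
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\SandboxInbox</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
```

Opening the .wsb file starts the sandbox with these settings. There is no setting between Disable and the default, so a sandbox that needs internet access but must not reach internal devices still depends on controls outside Windows Sandbox.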
Hypervisor-based isolation has clear benefits over traditional security methods. By avoiding the cat-and-mouse game, and moving to “mitigation by isolation”, organizations can increase security and productivity, and reduce costs. Once some of the aforementioned gaps are filled, hypervisor-based isolation could become the future of endpoint security.