Bromium’s micro-virtualisation technology was originally developed to enable users to open any executable file, document or web page without fear of infecting the host PC or networks, but now the company has turned the concept around.
The original technology puts each task into its own virtual machine (VM) or micro-VM, which is destroyed when the task is completed. If an attack occurs during any of these tasks, the malware remains contained and isolated inside the micro-VM, unable to access the operating system or any other system or network resource.
In the latest evolution of the concept, Bromium is applying its core technology to protect critical applications on the endpoint and to secure access to and from the host PC. The aim is that the applications remain safe from malware and data theft even if the host operating system is compromised, while access stays frictionless for the user.
The development is in response to the fact that in the digital economy, organisations’ applications and data are increasingly going to be accessed from environments over which they have no control and which cannot be trusted.
“In a natural extension of what we are known best for, we are now applying virtualisation to shrink the security perimeter down to the application level, effectively putting a bubble around applications that access sensitive business data, providing confidentiality and integrity to that application,” said Ian Pratt, the co-founder and president of Bromium.
“We realised we could create VMs that were more trusted than the host operating system and we could protect applications running in those VMs from the host, which despite an organisation’s best efforts could be compromised,” he told Computer Weekly.
“In this way, we can protect organisations’ intellectual property and high-value assets from threats such as keylogging, kernel exploits, memory and disk tampering, and man-in-the-middle attacks, with sensitive applications walled off from the endpoint and the network.”
These protections rest on four properties: the "protected apps" are invisible to the host; the connection from client to server runs across a secured virtual private network (VPN) connection; the VM is independent of the host operating system; and the protected VM running Protected App is walled off from the host PC, so the host cannot read or modify the VM's memory and disk.
According to Pratt, the technology means that even if a network or endpoint is compromised, employees can still access a protected application securely, without fear of data leakage or being hacked.
“This represents an evolution in the zero-trust model, which assumes that all networks and devices are compromised, allowing businesses to target security at the applications level where the most critical company data resides,” he said.
This approach means that employees, partners and customers can now access intellectual property and other sensitive data from their own networks and computers without the organisation having to worry about the security status of those networks and devices or any risk of malware infection or data theft.
It also means that organisations will no longer need to deploy second PCs that employees must use if they want to access critical IP, which doubles hardware costs and restricts workflow, said Pratt.
Hardware-enforced virtualisation is now open to most organisations because almost all are using endpoint devices whose processors (CPUs) support micro-virtualisation through third-generation virtualisation extensions, he said.
“We have worked with CPU suppliers Intel, AMD and ARM about building in features which enable high-performance, more secure virtualisation by making the CPU understand about running VMs and have it do the hard work of providing that protection. CPUs now have very sophisticated virtualisation capabilities built into them,” he added.
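Whether an endpoint can run hardware-enforced micro-VMs at all depends on those CPU features being present and exposed, which is the first thing to verify before a rollout. The following shell script is an added example, not Bromium's code or part of its product: it reads a Linux /proc/cpuinfo listing and reports whether the CPU advertises both a root-mode virtualisation extension (the `vmx` flag on Intel, `svm` on AMD) and second-level address translation (`ept` on Intel, `npt` on AMD), which is what lets the hardware rather than software enforce the memory boundary between VM and host. The two cpuinfo excerpts are constructed samples so the check can be exercised offline; on a real machine, call the function with no argument.

```shell
#!/bin/sh
# Added example (not Bromium's code): check a Linux /proc/cpuinfo listing for
# the hardware virtualisation features that micro-VM isolation relies on.
#
# Usage: check_virt_support [path-to-cpuinfo]   (defaults to /proc/cpuinfo)
# Returns 0 when BOTH a root-mode extension (vmx or svm) AND second-level
# address translation (ept or npt) are advertised, 1 otherwise.
check_virt_support() {
    cpuinfo="${1:-/proc/cpuinfo}"
    # Only the first core's flags line is needed; all cores report the same set.
    flags=$(grep '^flags' "$cpuinfo" | head -n 1 | cut -d: -f2)
    has_root=1
    has_slat=1
    for f in $flags; do
        case "$f" in
            vmx|svm) has_root=0 ;;
            ept|npt) has_slat=0 ;;
        esac
    done
    [ "$has_root" -eq 0 ] && [ "$has_slat" -eq 0 ]
}

# Constructed sample excerpts (not captured from real hardware) for offline use.
SAMPLE_CAPABLE=$(mktemp)
cat > "$SAMPLE_CAPABLE" <<'EOF'
processor   : 0
vendor_id   : GenuineIntel
flags       : fpu vme de pse tsc msr pae mce sse sse2 ht vmx smx sse4_1 sse4_2 ept vpid
EOF

SAMPLE_LEGACY=$(mktemp)
cat > "$SAMPLE_LEGACY" <<'EOF'
processor   : 0
vendor_id   : GenuineIntel
flags       : fpu vme de pse tsc msr pae mce sse sse2 ht sse4_1 sse4_2
EOF

if check_virt_support "$SAMPLE_CAPABLE"; then
    echo "sample 1: root-mode virtualisation and SLAT present"
fi
if ! check_virt_support "$SAMPLE_LEGACY"; then
    echo "sample 2: VMX/SVM or EPT/NPT missing; hardware-enforced VMs unavailable"
fi
```

A CPU that passes this check can still have the feature disabled in firmware, and a nested hypervisor or cloud guest may hide the flags even when the silicon supports them, so the flag check is a necessary but not sufficient condition.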
According to Pratt, there are lots of different use cases for this new application of Bromium’s technology, which will be available to the market in the third quarter of the year.
“Banks, for example, can run applications for accessing the Swift financial messaging service in a protected VM to prevent cyber criminals or malware on the host machine or network from accessing that application using stolen credentials to carry out fraudulent transactions,” he said.
Similarly, Pratt said engineering firms can run applications that access blueprints and other intellectual property in protected VMs to ensure that no sensitive data can be extracted from the applications by any malware running on the host.
“In organisations that have a remote working or BYOD [bring your own device] policy, it means organisations do not need to get involved in the security of those devices. This is because employees can simply download the client software to run apps in a protected VM, which organisations can set as a requirement for access to high-value data assets,” he said.
Because detection-based security is failing to keep organisations' data safe, Pratt said it is becoming accepted practice for enterprises to think about isolating applications.
“We need to move to an architecture where things are designed to be resilient so that if one thing is compromised it does not affect anything else. That is why organisations are looking to isolate applications and are using technologies like ours to segment things in the host operating system to limit the impact of malware infections.”