There’s an old saying in IT: The best way to secure a server is to leave it off. While humorous, this security method is obviously not helpful, but there’s a somewhat similar, ultra-secure technique that is useful—power the server on but leave it off the Internet. The server can be part of a local area network, but this network is not connected to the Internet and is therefore isolated making it impossible for malware to get on the machine without human help. This technique is called “air gapping” and is commonly used in ultra-secure environments such as government and military installations.
With the latest advances in virtualization technology, the notion of isolation for security control holds tremendous promise. Isolation through virtualization has the wonderful property of being able to effectively block all malware attacks without the need to understand the attack, detect the attack, or recognize the signature of the attack. Isolation through virtualization is much like the “air-gapped network”—the offending malware cannot traverse from one isolation zone to another.
Isolation technology makes the most sense in two places: on the client web browser, where 80 percent of the malware is getting into the enterprise; and on the servers in the data center, where the valuable stuff resides. On the end point, the basic idea is that by using advanced virtualization, we can execute the code of a web page in some type of disposable virtual container. A virtual container can be thought of as a petri dish. The web code runs in the dish, and any infection is isolated to only the dish. The dish is then discarded at the end of every web session, starting with a fresh one whether there is an infection identified or not. The big advantage to this approach is that it fundamentally stops all malware without requiring prior knowledge of the attack. The challenge to this approach has been to deploy the isolation in a manner that does not interfere with end user devices or behavior. Recent developments in this area are very promising, with a number of companies creating isolation for the end point that seems to work seamlessly and at scale.
In the data center, the problem is reversed. Advanced virtualization technologies are used to insert security controls, such as always-on encryption, seamlessly in between the application/data and the underlying infrastructure. All data that passes through the security controls layer is always encrypted all the time, but the layer is transparent to the application. Unlike the “petri dish” of the end point, virtualization in the data center is more akin to a canine invisible fence, for the application or for developers. Developers working on the cloud are free to launch servers and to copy and move data, but the security controls are always in place to ensure that sensitive data is properly controlled in accordance with corporate policy. Developers or insiders cannot turn this encryption off or tamper with it, since only the corporate security team has access to the keys.
These two approaches use similar core technology (the idea of a virtual container to act as a boundary), but they are implemented in almost a reciprocal manner. Given the level of development and activity in both areas, however, it is becoming very clear that isolation will become a fundamental part of security strategies over the next decade.
Here is a list of interesting companies and open source projects that embrace the notion of using virtualization as an isolating technology:
