
Trustworthy Network Segmentation for an Untrustworthy World

Denial is not a strategy. The reality is that networks, PCs and XenApp clients are susceptible to attack, if they have not been breached already. Network segmentation is an imperative. Organizations need to isolate the applications that hold sensitive data, but this approach can introduce the cost and hassle of issuing a second PC to every authorized user. Bromium Protected App establishes end-to-end protection around sensitive assets in applications with no second PC required.

The Challenge: The Flaws in Existing Defenses and the Network Segmentation Mandate

Security teams continue to introduce new protection mechanisms and additional layers of defense. Today, a typical organization runs a virtual alphabet soup of perimeter and endpoint defenses: AV, IDS, IPS and many other systems. These tools remain important, but they are not foolproof, and against sophisticated, targeted attacks they continue to prove vulnerable.

If you are responsible for security, you must assume that endpoints and networks are compromised, or soon will be, and cannot be trusted. That means sensitive data, including intellectual property and personally identifiable information, is exposed, leaving the business open to fines for non-compliance, competitive harm, brand damage and more.

How do you build trust in an untrustworthy world? These realities are pushing security teams toward zero-trust architectures built on network segmentation. The concept of "zero trust" has its advocates and its detractors, but the bottom line is this: organizations need to create separation between sensitive assets and the vulnerable networks and PCs around them.

That is why security best practices and compliance mandates such as PCI DSS recommend placing sensitive information, such as payment card data, in a segmented network. A securely segmented network gives the organization an isolated domain for sensitive data. As part of this effort, security teams must also provide a way for authorized users to reach that data. Historically, they have had two options: issue a dedicated second PC to each authorized user, or let users connect through remote desktop clients, whether Remote Desktop Protocol (RDP) or virtual desktop and published-application clients such as Citrix XenApp. Each approach has significant downsides.

Second PC

When security teams issue a second PC, they need to establish two fundamental controls. First, they must ensure that only these dedicated PCs can reach applications in the segmented network. Second, they must ensure that these PCs can reach only the segmented application and network, and nothing else.
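Both controls are invariants that can be audited against flow records (firewall or NetFlow exports) when validating the segmentation, which PCI DSS expects to be tested periodically. The script below is an added example, not Bromium's code or anything from the original post; the segmented subnet, the dedicated PC addresses, the permitted service ports and the flow-log lines are all constructed for illustration, and the log format (source, destination, destination port, protocol, one flow per line, initiator to responder) is assumed.

```python
"""Audit flow records against the two 'second PC' segmentation controls.

Control 1 (C1): only dedicated PCs may reach the segmented application network.
Control 2 (C2): dedicated PCs may reach nothing except the segmented network.

Addresses, ports and the log format are assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass

# Assumed: the isolated application segment (the PCI-style cardholder network).
SEGMENTED_NET = ipaddress.ip_network("10.50.0.0/24")
# Assumed: the dedicated second PCs issued to authorized users.
DEDICATED_PCS = {
    ipaddress.ip_address("10.20.1.10"),
    ipaddress.ip_address("10.20.1.11"),
}
# Assumed: the only services the segment is meant to expose (HTTPS app, RDP jump host).
ALLOWED_SEGMENT_PORTS = {443, 3389}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one flow-log line in the assumed 'src dst dport proto' format."""
    src, dst, dport, proto = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower())


def check_flow(flow: Flow) -> list[str]:
    """Return the control violations for one flow; an empty list means compliant."""
    findings = []
    src_dedicated = flow.src in DEDICATED_PCS
    dst_segmented = flow.dst in SEGMENTED_NET
    # C1: nothing but a dedicated PC may talk into the segment, and only to known services.
    if dst_segmented and not src_dedicated:
        findings.append("C1: non-dedicated host reached segmented network")
    if dst_segmented and flow.dport not in ALLOWED_SEGMENT_PORTS:
        findings.append("C1: unexpected service port on segmented network")
    # C2: a dedicated PC that talks anywhere else is no longer isolated.
    if src_dedicated and not dst_segmented:
        findings.append("C2: dedicated PC reached a host outside the segment")
    return findings


def audit(lines) -> dict[str, list[str]]:
    """Map each violating flow line to its findings, skipping blanks and comments."""
    report = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        findings = check_flow(parse_flow(line))
        if findings:
            report[line] = findings
    return report


# Constructed sample flows: two compliant, three violating.
SAMPLE_LOG = """
# src dst dport proto
10.20.1.10 10.50.0.5 443 tcp
10.20.1.11 10.50.0.5 3389 tcp
10.20.7.42 10.50.0.5 443 tcp
10.20.1.10 8.8.8.8 53 udp
10.20.1.11 10.50.0.9 22 tcp
"""

if __name__ == "__main__":
    for line, findings in audit(SAMPLE_LOG.splitlines()).items():
        print(line, "->", "; ".join(findings))
```

The third sample line is an ordinary workstation reaching the segment (a C1 failure, the case an attacker exploits once any PC is compromised), the fourth is a dedicated PC resolving DNS outside the segment (a C2 failure; in practice management and update infrastructure would be added to an explicit allowlist rather than opened wholesale), and the fifth is a dedicated PC reaching an SSH service the segment was never meant to expose. Reply flows, if the export contains them, must be normalized to the initiating direction first or they will register as false C2 findings.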

With these controls in place, organizations can establish clear isolation. However, issuing a second PC imposes significant penalties:

- It adds effort and complexity for users.
- It creates extra procurement, set-up and maintenance work for technical teams.
- It adds cost for the business.

Remote Desktop/XenApp Clients

Another option is to have authorized users reach the segmented network via RDP or XenApp clients. This approach can be difficult to implement, and it leaves a significant security gap. Fundamentally, if the host on the user's device is compromised, the segmented network is still exposed, because the client runs on that host. RDP is a protocol commonly targeted by criminals. Network Level Authentication is enforced in most RDP deployments, and XenApp authenticates users before brokering a session, but authentication alone does not guard against an attacker who has already compromised the endpoint and can log keystrokes, scrape screen contents or extract passwords from the client's memory.

How can your security teams safeguard sensitive applications and data without the cost, effort and complexity of a second PC, and without leaving the business exposed through compromised RDP or XenApp clients?

The Solution: Bromium Protected App

With Bromium Protected App, you can establish end-to-end protection around sensitive assets in applications without issuing second PCs to authorized users. The solution isolates the sensitive application's client and secures the network connection between client and server. Protected App is designed to keep sensitive data secure even when the user's network and PC are compromised.

Protected App: How it Works

Bromium Protected App provides hardware-enforced isolation for remote desktop and XenApp clients. It is deployed on the user's Windows PC beneath the operating system (OS) layer, where it establishes a protected virtual machine (VM) that is isolated from the host OS. Even if the user's endpoint is compromised, the compromise does not extend to the partitioned, protected application: the user reaches the application only through the protected VM, which remains isolated from the Windows OS and any malware infecting it. Because the RDP or XenApp client itself runs inside the protected VM rather than on the host, a compromised host cannot hijack the client or its connection into the segmented network.

Comprehensive Safeguards

Bromium Protected App delivers safeguards against malware, a compromised host OS and even malicious administrators of the host. The solution protects against these threats:

- Keylogging. Keystrokes entered while working in Bromium Protected App are invisible to the host. Even if a malicious actor or malware has compromised the host, the host cannot be used to capture keystrokes from, or inject keystrokes into, the protected VM.
- Memory tampering. Because the VM's memory is isolated from the Windows OS, the host cannot read or modify it.
- Disk tampering. The VM's disk is isolated and encrypted, so the host cannot read or tamper with it.
- Kernel exploits. Because the VM is independent of the Windows OS, a Windows kernel exploit on the host does not give access to it.
- Unauthorized user commands. The solution can block a range of operations, including screen capture, downloads, copy and paste, and printing.
- Man-in-the-middle attacks. All network traffic between the Bromium Protected App client and the secure server is encrypted, so data cannot be viewed in the clear by the user's host OS or in transit across the network.

Benefits of Protected App

By implementing Bromium Protected App, your organization can realize a number of benefits:

- Address critical security threats with efficiency and ease. The solution makes it practical to secure the applications that host sensitive data without having to ensure endpoint devices are free of malware or issue a second PC.
- Establish broad protection against a range of threats. Bromium Protected App lets customers establish strong safeguards around sensitive applications and data, helping ensure confidentiality and integrity.
- T
