Today many organizations find themselves addressing concerns over their proprietary information being stolen and their systems being compromised. Some may view this as a single problem since, in most cases, system compromise is an overture to information theft. The most common ways in which computers are compromised include visiting a web site with malicious content, opening a harmful file attached to an e-mail message, running a program of dubious provenance and clicking the “yes” button on every message that pops up on the screen. Organizations are fighting back by installing virus scanners, blocking known malicious web sites, filtering incoming e-mail and locking down (aka “hardening”) operating systems as much as possible. But let us take a step back and think about this whole situation again.
What are organizations trying to protect and what are their goals security-wise? The first and foremost is that they need to be able to protect their information. Secondly, they do not want to be connected with any kind of illegal activities, such as being identified as the origin of, or associated in any way with, an attack or a repository of illegal material. Knowing this, is it possible to conjure a scheme that is better than the existing one, and enable us to achieve our stated security goals? Perhaps. Let us start with information protection.
People tend to freely and without concern download and store all sorts of company documents, plans and other information on their (in most cases, company-owned) computers. This is an accepted practice for all employees in virtually all organizations. But if such a computer is compromised, an attacker will have access to all of that stored information and possibly the ability to gain access into the organization’s internal networks. In other words, the attacker may be able to connect to other systems within the organization and steal more information that way. An obvious remedy for this situation is to store no information on the computer and not allow it to connect to any of the internal systems. But this is not easy to accomplish because employees use their computers for various purposes in different roles while performing their jobs. Instead of trying to separate these different roles within a single computer, let us do the opposite – assign a single role to a single computer.
Let us assume that each person has a computer that can connect only to internal systems but cannot connect to the Internet, cannot receive e-mail or any other data from outside of the organization. The only things that users can do on this computer are to access and create internal documents, communicate and share data — but only with other people within the organization — and possibly send e-mail out of the organization. This will prevent most of the ways in which a computer can be compromised, as people will be unable to visit malicious web pages external to the organization, download and run programs from these external web sites, or open suspicious attachments sent by unknown senders. So far so good. But this will also prevent employees from accessing any external web site which they might need for their job.
Preventing people from browsing the Internet may be a bit draconian in this day and age, so let us provide another computer to each of the employees that they can use to access the public Internet. This second computer can only be used to browse the Internet, and it cannot be used to connect to any of the internal systems. Employees are free to download whatever application they want from the Internet and install it on that computer. There is a certain probability that some of these programs will be malware, which will infect the computer. This malware could be used to send spam or attack other sites, and this is something that we have to deal with. However, the organization’s internal systems will be protected, as this computer will not be able to access any of them by design.
Now we need to provide the capability for employees to receive e-mail from outside of the organization, so let us give them yet another computer for that purpose only. This incoming mail can be scanned and verified against known malicious content at the ingress point and then delivered to individual mailboxes.
If we did that, we would end up with a situation where each person within the organization has at least three computers, each for a different purpose and each with a different “security posture.” Since each computer is assigned only a single role, it should be possible to configure them accordingly. Some computers will have a very restrictive configuration, while the configuration of others can be very permissive. But giving multiple computers to each employee would be very expensive, and people’s desks would become rather cluttered. Luckily for us, there is an easier way to accomplish this.
Instead of using physical computers we can use virtual computers. From the user’s perspective, a virtual computer looks and feels like a physical computer, but it is actually only an application running on a real (physical) computer. A single physical computer can support multiple virtual computers, and each virtual computer is independent from any other virtual computer running on the same physical computer. Unless explicitly enabled, one virtual computer cannot communicate with any other virtual computer, exactly as if you had multiple physical computers, but with less clutter on your desk. Virtual computer technology is well established, and users can choose from multiple commercial and free offerings (e.g., VMware, VirtualBox, Xen and many others).
Going back to our initial idea of using a separate computer for each role, all we need to do is to create multiple virtual machines, each for a specific purpose: one virtual computer for accessing internal systems, one for receiving e-mail and one for browsing the Internet. Recall that we still have to address the problem of a compromised virtual computer that could be used for attacking other sites. One way to prevent this from happening is to create a new virtual computer every time a user wants to visit an external site, and destroy it every time the user closes the web browser. That way, even if the user visits a malicious web page and the virtual computer is compromised, the consequences will be minimal. The compromised virtual computer does not have any of the organization’s data stored on a local drive and cannot access any of the internal systems. Additionally, the (virtual) computer is short-lived and will be destroyed together with any malware that may get installed, so we do not need anti-virus software. The next time the user wants to visit a web site, a brand new virtual computer will be created and placed at the user’s disposal.
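The throwaway browsing computer described above, as an added example that is not part of the original article, scripted against VirtualBox’s VBoxManage command. The golden VM name browse-golden and its snapshot clean are assumed, as is a guest image that runs only the browser, has no adapter on the internal network, and powers itself off when the browser window is closed.

```sh
#!/bin/sh
# Added example: one browsing session = one linked clone of a clean, read-only
# snapshot. When the session ends the clone is unregistered and its differencing
# disk deleted, so anything installed during the session disappears with it.
# Assumed (hypothetical) names: VM "browse-golden", snapshot "clean".
set -eu

GOLDEN_VM="${GOLDEN_VM:-browse-golden}"
GOLDEN_SNAPSHOT="${GOLDEN_SNAPSHOT:-clean}"

# Unique per-session name so that two sessions never share a VM or a disk.
session_name() {
    printf 'browse-%s-%s' "$(date +%Y%m%d%H%M%S)" "$$"
}

# Linked clone: the golden disk stays untouched, the clone writes to its own
# differencing image, which is what gets thrown away afterwards.
create_session() {  # $1 = session VM name
    VBoxManage clonevm "$GOLDEN_VM" --snapshot "$GOLDEN_SNAPSHOT" \
        --options link --name "$1" --register
}

# Force power-off (harmless if already off), then delete VM and disk image.
destroy_session() {  # $1 = session VM name
    VBoxManage controlvm "$1" poweroff 2>/dev/null || true
    VBoxManage unregistervm "$1" --delete
}

# Prints the VM state, e.g. "running" or "poweroff".
vm_state() {  # $1 = session VM name
    VBoxManage showvminfo "$1" --machinereadable |
        sed -n 's/^VMState="\(.*\)"$/\1/p'
}

# Create, run until the guest powers itself off, then destroy. The trap makes
# sure the clone is removed even if this script is interrupted mid-session.
run_session() {
    name="$(session_name)"
    create_session "$name"
    trap 'destroy_session "$name"' EXIT INT TERM
    VBoxManage startvm "$name" --type gui
    until [ "$(vm_state "$name")" = "poweroff" ]; do sleep 2; done
    trap - EXIT INT TERM
    destroy_session "$name"
}

# Usage: disposable-browser.sh start   (no argument: only define the functions)
if [ "${1:-}" = "start" ]; then run_session; fi
```

The clone is destroyed with `unregistervm --delete`, which removes the differencing disk as well, so no session state survives to the next run.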
If this solution sounds too easy, that’s because it is, since we have not yet addressed some aspects, like transferring files from external sources into internal systems, but even that should be doable with minimal hassle. In one scenario a file could be sent to a designated place within the organization where all sorts of checks and testing could be performed before the file is allowed to be deposited on an internal server.
It seems that in a world with an unlimited supply of throwaway virtual computers we can improve the overall security posture of an organization. At last, something positive from a throwaway culture!