In the early days of computing, if you were to enter a high security computing environment you would often see workers with two computers on their desks, each connected to different networks, each physically isolated from the other.
An ‘air-gapped’ computer is one that is not connected to the internet, or, for that matter, connected to anything else that is connected to the internet. The idea is that you protect your internal networks and computers from cyber-attack by physically isolating them from the computers that connect to the outside internet.
This made sense in the old days; they realised that the vast majority of malware, ransomware and cyber-attacks originated from the open internet and shut down the infiltration points on their networks by simply shutting off the internet.
For those workers that did need access to the internet, you simply gave them an extra computer connected to a physically isolated network, confident in the knowledge that hackers could not magically jump across the air-gap.
It was frequently practiced in military and government networks, but you also tended to see air-gapped networks in industrial control systems (SCADA), financial systems (stock exchanges) and life critical systems like those which control nuclear power plants or aircraft.
Today, however, the air-gap is not quite as sexy as it used to be. Some consider the air-gap discredited as a tool of cyber-security for several perfectly decent reasons, none of which are applicable to browser isolation.
Any number of people familiar with the cyber-security world can point out half a dozen instances where air-gapped computers were successfully hacked. State-sponsored actors such as the NSA have developed special hardware specifically designed to penetrate air-gapped networks. You can even use smartphones to penetrate an air-gapped network if you can breach the secure area it's located in. A recent thesis outlined the ‘out-of-band covert channels’ (OOB-CCs) used to breach air-gapped networks and systems using acoustic, light, seismic, magnetic, thermal, and radio-frequency based techniques.
Furthermore, isolating your entire network from the outside world could be a bad idea for business. In the competitive markets that most businesses operate in, the demand for real-time data and the introduction of automation makes it almost inevitable that there are going to be links between your internal and external networks. Modern data-hungry networks need all kinds of live data to operate: production data, software integrations, automation data and engineering data. Even something as simple as software updates means that connecting your network to external networks is pretty much a de facto requirement of modern business IT if you want to survive.
So in the face of these completely reasonable arguments, the air-gap as a tool of isolation cyber-security has fallen out of fashion. No CEO would reasonably consider shutting off their company from the outside world and I don't know anyone who would consider disconnecting themselves from the internet to protect themselves from malware and ransomware.
While there are plenty of reasons not to air-gap your business IT infrastructure, you should be leveraging the air-gap when it comes to your users' internet browsing.
The reasons against air-gapping your IT infrastructure do not apply in the context of browser isolation. When we turn to the subject of using the air-gap to isolate your employees' internet browsing, it suddenly starts to make a lot of sense, because the internet browser is often the primary attack vector for malware, ransomware and cyber-attacks, according to a recent research study on malware infection from the Ponemon Institute.
Browser isolation is a simple idea which evolves out of the old air-gap cyber-security model. With browser isolation, you are physically isolating your users' web browsers away from the rest of your IT infrastructure, separating the most vulnerable part of your IT from the valuable part of your IT. It makes perfect sense from a cyber-security perspective.
To put it simply, malware and cyber-attacks mostly originate through the browser, so physically isolating your browsers is the most effective way of stopping these attacks in the first place. In doing so, you simultaneously shut down 95 percent of the hatches hackers use to enter your business and free up valuable resources to focus security on other vulnerabilities.
This browser isolation model of cyber-security has been embraced by the US federal government because it is highly effective.
Today, air-gap browser isolation is widely used at both secure government institutions and big business, both of whom have valuable IP to protect, but even though browser isolation is still too expensive for individuals and small businesses to leverage, it is increasingly being used in lots of ways to effectively protect internet users from malware and cyber-attack.
A breach of your air-gapped and isolated browser using ‘covert channels’ is highly unlikely: Browser isolation as a tool of cyber-security works at scale because cyber-attacks via covert channels are highly specialised and do not scale to cover large numbers of users. Unless there is a reason for state-sponsored hackers like the NSA to come after you and your business, nobody else is likely to have the skillsets, tools or knowledge to breach your air-gapped browsers through covert channels. The vast majority of attackers are trying to install ransomware on your computer and steal financial or sensitive information over the internet. Unless your attackers are seriously motivated, highly skilled, well-funded and have a specific interest in hacking you and your business, an air-gapped and well isolated browser will protect your users from the majority of malware and cyber-attacks.
The browser doesn't need to connect to every other part of your business: The vast majority of internet users do not really need their browsers to be connected to anything else. The browser is a standalone piece of software used for a specific purpose, and if you physically isolate it away from the rest of your business, it does not create much impact.
It makes downloading files a little more complicated, but that's the only time the outside internet needs to ‘reach into' your business, when it is trying to send you files. The rest of the time the browser is just a window, one that can easily be isolated away from the rest of your IT infrastructure without damaging your bottom line or annoying your users.
Browser isolation is the future of end-user cyber-security. There are different providers of browser isolation platforms, but they are mostly all trying to achieve the same goal: safely isolating your browser and the associated risks of using it. There are different approaches to browser isolation, but they are mostly all adhering to the old air-gap model of cyber-security because it works.
Contributed by Guise Bule, founder, tuCloud Federal Inc
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.