Endpoint

3/4/2021
01:00 PM
Arun Subbarao
Commentary
Secure Laptops & the Enterprise of the Future

The enterprise of the future will depend upon organizations' ability to extend the company firewall to everywhere people are working.

COVID-related activity restrictions have made working from home the norm. Both employers and employees have adjusted how they work to ensure business continuity during this time. Even after the pandemic subsides, it is widely expected that employers will continue to offer more flexibility to employees to work from home at least part of the workweek. These developments are shining a spotlight on endpoint security and the need to ensure that the laptops employees are using are secure and offer the same level of protection as desktops inside the corporate perimeter.

Everyone says security is important. Yet, there are reports every single week about breaches. In just one seven-day period in early February, I saw reports about:


The current state of the art makes it clear that security continues to be a weak link. Specifically, we are lulled into a false sense of security by antivirus products' claims. Yes, they do an important job. But the traditional methods of securing a laptop, an antivirus solution or a virtual private network (VPN) client running inside Windows, are no longer sufficient to ensure the device's security, especially in the wake of emerging threats. The issue becomes even more serious for laptops used in corporate-sensitive or nation-sensitive use cases.

We need a new paradigm for the secure laptop, inspired by the US government's Commercial Solutions for Classified (CSfC) program.

Secure Laptops: A Layered Approach to Security
The Multiple Independent Levels of Security (MILS) architecture advocates security through isolation. The crux of this is to isolate security-sensitive functions from the user domain, thereby creating an environment that cannot be bypassed or tampered with.

Two fundamental properties are essential for foundational security: separation and information-flow control. By separating security functions into different domains and controlling the flow of information between those domains, this approach offers a different paradigm for ensuring confidentiality and integrity in security-sensitive use cases.

In addition to setting security policies for separation and information-flow control, care must be taken to virtualize different operating environments. These foundational properties create a secure laptop configuration that provides:

  • Isolation of the Windows environment for the user
  • A separate domain for protecting data in transit with two VPNs
  • A separate domain for protecting data at rest
  • An isolated management domain to allow for secure updates

Isolating the key elements that protect data at rest or in transit significantly increases a laptop configuration's security posture, because neither of the domains that are fundamental to data security is accessible to the user or directly exposed on the network. This creates a "corporate perimeter on the go."

Secure Laptops for High-Threat Environments

The diagram above shows how this could be configured in practice for high-threat environments. The key components are:

  • Protected OS: Typically, laptops use the Windows operating system to handle day-to-day activities. Here, instead, the OS runs as a protected guest inside an isolated virtual machine and cannot connect to the Internet directly. Windows connects to the outside only through the VPN domains.

  • VPN domains: Two separate domains, the inner and outer VPN, host two VPN clients for double protection for data in transit. Each VPN domain connects independently to a separate VPN server with potentially separate credentials to ensure utmost protection. The VPN domains are inaccessible to the user and not subject to bypass or tamper.

  • Management domain: One or more separate domains control access to the self-encrypting drive to protect data at rest. This management domain typically also hosts a management agent that provides features such as over-the-air upgrades and fallback to a known-good configuration if an upgrade fails.

  • Boot authenticator: This unlocks the laptop through PIN entry; the laptop is instantiated only after successful authentication.

  • Public network domain: This is the only entity that is connected to the Internet; it cannot interact with other security-sensitive domains.
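The separation and information-flow properties above can be stated as a checkable policy. The following is an added example, not code from the article or from Lynx Software Technologies: it models the domains in the component list as nodes, the permitted flows between them as directed edges (the edge set, the domain names, and the external "internet" node are this example's assumptions), and audits the three claims the article makes: only the public network domain touches the Internet, every path between Windows and the Internet passes through the inner VPN, the outer VPN and the public network domain, and neither Windows nor the Internet can reach the management domain. A deliberately broken policy, in which the user OS is also handed a direct network channel, is audited alongside it. The model captures reachability only; it does not distinguish data flows from control flows, and it leaves out how the management domain fetches update payloads.

```python
"""Information-flow policy audit for a MILS-style secure laptop (added example)."""
from collections import deque

# Allowed flows, source -> destinations. Constructed to follow the article's
# component list: Windows reaches the outside only via inner VPN, outer VPN and
# the public network domain; the management domain pushes configuration and
# updates but accepts flows only from the boot authenticator (assumption).
SECURE_POLICY = {
    "boot_auth": {"management"},
    "management": {"windows", "inner_vpn", "outer_vpn"},
    "windows": {"inner_vpn"},
    "inner_vpn": {"windows", "outer_vpn"},
    "outer_vpn": {"inner_vpn", "public_net"},
    "public_net": {"outer_vpn", "internet"},
    "internet": {"public_net"},          # external node, outside the laptop
}

# Misconfiguration for comparison (constructed): the user OS is also given a
# direct, bidirectional channel to the network, e.g. a passed-through NIC.
BYPASS_POLICY = {dom: set(dsts) for dom, dsts in SECURE_POLICY.items()}
BYPASS_POLICY["windows"].add("internet")
BYPASS_POLICY["internet"].add("windows")


def reachable(policy, src, blocked=frozenset()):
    """Domains reachable from src over allowed flows without entering any blocked domain."""
    seen, queue = {src}, deque([src])
    while queue:
        cur = queue.popleft()
        for nxt in policy.get(cur, ()):
            if nxt in seen or nxt in blocked:
                continue
            seen.add(nxt)
            queue.append(nxt)
    seen.discard(src)
    return seen


def every_path_traverses(policy, src, dst, required):
    """True iff dst is reachable from src and every such path visits each required domain.

    A domain lies on every src->dst path exactly when removing it alone
    disconnects the pair, so each required domain is tested as a cut vertex.
    """
    if dst not in reachable(policy, src):
        return False
    return all(dst not in reachable(policy, src, blocked={r}) for r in required)


def audit(policy):
    """Return the list of violated properties; an empty list means the policy holds."""
    violations = []
    gateways = sorted(dom for dom, dsts in policy.items() if "internet" in dsts)
    if gateways != ["public_net"]:
        violations.append(f"Internet-facing domains are {gateways}; expected only public_net")
    chain = ("inner_vpn", "outer_vpn", "public_net")
    if not every_path_traverses(policy, "windows", "internet", chain):
        violations.append("windows reaches the Internet on a path that skips a VPN domain")
    if not every_path_traverses(policy, "internet", "windows", chain):
        violations.append("Internet traffic reaches windows on a path that skips a VPN domain")
    for origin in ("windows", "internet"):
        if "management" in reachable(policy, origin):
            violations.append(f"{origin} can reach the management domain")
    return violations


if __name__ == "__main__":
    for name, policy in (("secure", SECURE_POLICY), ("bypass", BYPASS_POLICY)):
        result = audit(policy)
        print(f"{name}: {'OK' if not result else 'VIOLATIONS'}")
        for line in result:
            print("  -", line)
```

Run as a script, the secure policy audits clean and the bypass policy reports three violations: Windows has become a second Internet-facing domain, and both directions of traffic now have a path that skips the VPN domains. The same audit can be re-run against the policy table actually loaded into a separation kernel, which is where a configuration drift such as a shared NIC would otherwise go unnoticed.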

Effectively, this extends the company firewall to the place where you are working, be that a house, a coffee shop, or (yes) an airplane. Corporate IT policies are delivered and managed on a per-laptop basis wherever those assets are located.

This approach shouldn't reinvent the wheel. Organizations often have preferred VPN products that need to work inside the solution's framework. The approach should also let IT staff at corporate headquarters monitor all assets and perform the expected functions, including remote wipes and backups of users' laptops.

Envisioning Secure and Seamless Productivity
The enterprise of the future will depend greatly on commercial and government organizations' ability to seamlessly combine typical laptop user experiences with stringent security measures required for remote work.

The first step is to ensure that all commercially available laptops can support these configurations to give corporate IT users broad choices. As they evolve, touchscreens, hybrid laptops, tablets, and other productivity devices can also take advantage of these enhanced security configurations.

Government users will require laptop capabilities aligned with CSfC and other regulations to provide the security levels needed for handling highly classified information. Using standard commercial technologies to design regulatory-approved cybersecurity solutions will bring these increased levels of security to fruition in a timely manner.

Arun Subbarao is Vice President of Engineering at Lynx Software Technologies, responsible for the development of products for the Internet of Things and cybersecurity markets. He has 20+ years of experience in the software industry working on security, safety, virtualization, ...