COVID-related activity restrictions have made working from home the norm. Both employers and employees have adjusted how they work to ensure business continuity during this time. Even after the pandemic subsides, it is widely expected that employers will continue to offer more flexibility to employees to work from home at least part of the workweek. These developments are shining a spotlight on endpoint security and the need to ensure that the laptops employees are using are secure and offer the same level of protection as desktops inside the corporate perimeter.
Everyone says security is important. Yet, there are reports every single week about breaches. In just one seven-day period in early February, I saw reports about:
- A virus in an Android application that hacked 10 million devices
- A hacker accessing a water treatment facility in Florida with the objective of radically changing the water's sodium hydroxide levels
- 29 billion remote desktop protocol (RDP) attempts during 2020 aiming to use legitimate credentials to access services so that intrusions would go unnoticed
Reports like these make it clear that endpoint security continues to be a weak link. Part of the problem is the false sense of security created by antivirus vendors' claims. Antivirus does an important job, but the traditional approach of securing a laptop with an antivirus agent or a virtual private network (VPN) client running inside Windows is no longer sufficient: those tools run in the same operating system they are meant to protect, so an attacker who compromises that Windows instance can disable or bypass them. This matters even more for laptops used for corporate-sensitive or nation-sensitive work.
We need a new paradigm for the secure laptop, inspired by the US government's Commercial Solutions for Classified (CSfC) program.
Secure Laptops: A Layered Approach to Security
The Multiple Independent Levels of Security (MILS) architecture achieves security through isolation. The crux of it is to separate security-sensitive functions from the user domain, so that those functions cannot be bypassed or tampered with by anything running in the user's environment.
Two fundamental properties underpin this foundation: separation and information-flow control. By placing each security function in its own domain and controlling which domains may exchange information, and in which direction, this approach offers a different paradigm for ensuring confidentiality and integrity in security-sensitive use cases.
In addition to setting the separation and information-flow policies, each operating environment must run in its own virtualized domain so that the policy is enforced beneath the guest operating systems rather than inside them. Together, these properties yield a secure laptop configuration that provides:
- Isolation of the Windows environment for the user
- A separate domain for protecting data in transit with two VPNs
- A separate domain for protecting data at rest
- An isolated management domain to allow for secure updates
Isolating the elements that protect data at rest and data in transit significantly raises the security posture of a laptop configuration, because neither of the domains that data security depends on is accessible to the user or directly exposed on the network. The result is a "corporate perimeter on the go."
Secure Laptops for High-Threat Environments
The diagram above shows how this could be configured in practice for high-threat environments. The key components are:
- Protected OS: Laptops typically run Windows for day-to-day work. Here, Windows runs as a guest inside an isolated virtual machine and has no direct path to the Internet; its only network connection is to the VPN domains.
- VPN domains: Two separate domains, the inner VPN and the outer VPN, each host a VPN client, so data in transit is protected by two nested tunnels. Each VPN domain connects independently to its own VPN server, potentially with separate credentials, so that compromising one tunnel does not expose the other. The VPN domains are inaccessible to the user and cannot be bypassed or tampered with from the user domain.
- Management domain: One or more separate domains control access to the self-encrypting drive, which protects data at rest. The management domain typically also hosts a management agent that provides over-the-air upgrades and fallback to a known-good configuration if an upgrade fails.
- Boot authenticator: This requires a PIN at boot; the laptop's domains are instantiated only after successful authentication.
- Public network domain: This is the only domain connected to the Internet; it can pass traffic to the outer VPN but cannot interact with the other security-sensitive domains.
Effectively, this extends the company firewall to the place where you are working, be that a house, a coffee shop, or (yes) an airplane. Corporate IT policies are delivered and managed on a per-laptop basis wherever those assets are located.
This approach shouldn't reinvent the wheel. Organizations often have preferred VPN products that need to work inside the solution's framework. The approach should also let IT staff at corporate headquarters monitor all assets and perform the expected functions, including remote wipes and backups of users' laptops.
Envisioning Secure and Seamless Productivity
The enterprise of the future will depend greatly on commercial and government organizations' ability to seamlessly combine typical laptop user experiences with stringent security measures required for remote work.
The first step is to ensure that all commercially available laptops can support these configurations to give corporate IT users broad choices. As they evolve, touchscreens, hybrid laptops, tablets, and other productivity devices can also take advantage of these enhanced security configurations.
Government users will require laptop capabilities aligned with CSfC and other applicable requirements to provide the security levels needed for handling highly classified information. Building approved cybersecurity solutions from standard commercial technologies will bring these increased levels of security to fruition in a timely manner.