After what feels like a lifetime spent in virtualization, ranting with my peers as one of the most vocal participants in the space, after almost a decade spent trying to make virtualization work for cybersecurity, it is with a heavy heart that I must pronounce virtualization based cybersecurity dead.
Virtualization based cybersecurity solutions vary, but the key issue I have is that they just do not work at scale in a cost effective way and this is a big problem when you consider that we ultimately need to protect lots of users.
Almost a decade ago, it seemed like a brilliant idea to leverage virtualization technologies for cybersecurity purposes and indeed it was a great idea.
In those early days of browser isolation cybersecurity, I was first developing the Safeweb model of cybersecurity with Robin Goldstone at Lawrence Livermore National Laboratory. We were learning how to leverage desktop virtualization technology to physically isolate the web browsing activity of 5000 federal government users, a production model now called Safeweb.
Safeweb, the concept of isolating your browsing activity away from your internal networks is a fantastically good idea in general, primarily because the web browser is the primary attack vector for cyber attacks.
As the thinking goes, if you physically isolate your users web browsing away from your internal networks, you isolate the riskiest behaviour and shut down the most common infiltration and exfiltration points.
In our early implementations of the Safeweb model, we were using desktop virtualization technology to achieve this end, we gave 5000 federal government users a non-persistent virtual desktop each, upon which they were free to browse the open internet. Their local machines were totally locked down and disconnected to the outside internet and this model worked fantastically well, it was loved by the users themselves.
We realized back in those early days that you simply cannot shut down the internet and investigate every time a cyber attack occurs, your users need the internet to stay in touch with colleagues and family, to conduct their jobs on a daily basis and they freak out when its not there. So we gave each user a virtualized browser and let them use the internet to their hearts content, away from the valuable IP on LLNL networks.
When we built the first Safeweb platform for LLNL, I remember it dawning on me during the deployment that the physical isolation of browsing activity (what we now call browser isolation) was a completely new model and the only other group I knew about who were using the same model at the time were Los Alamos National Laboratory, but they called it a ‘glovebox’.
I remember looking around for competitors at that time and after a year or two three of them appeared on my radar (my browser isolation radar is here in case you were curious) as different implementations of the same model, I saw three different approaches to isolating a users browsing activity and I found different flaws in each of them.
The first company to appear on my radar was Bromium, primarily because they made a point of stupidly attacking VDI (the technology we were using for Safeweb at the time) before they released their own technology. I can only assume that they did this at the time because they knew VDI presented a viable server side alternative to their own client side solution.
Bromium launched a curious kind of client-side hypervisor, one built on top of the XenServer virtualization technology, that sort of sits above and below the guest operating system on the machines it protects.
My main problem with Bromium is that they break the physical isolation model, replace it with virtual isolation and ask us to trust the code, but we have done that already, we don’t trust the code, hence physical isolation being the key element in trusted isolation cybersecurity models.
We already know that hackers can break out of Bromium’s virtual isolation because somebody did that already and once again, it turns out that we just cannot trust virtual isolation or the code, nothing but physical will do.
Bromium is also a client side solution which is a huge pain in the ass if you want to deploy it across the enterprise. It needs to be the lowest level software on the hardware, meaning a destructive install with Bromium installed before then reinstalling the OS and whatever applications you had before, something that is very expensive to implement over an entire enterprise and lots of users.
I only today argued with Bromium on Twitter about the cost of their technology and the expense of the required hardware and install process, they used the cost of a successful cyber attack to justify their prices…
There are two other approaches of note, Menlo Security and Spikes, I am going to lump these two together into one pot, because they are pretty similar in that they are both server based virtualization approaches to browser isolation cybersecurity and both are built on flawed architectures.
Spikes approached the isolation model from a browser perspective, they used to have their own proprietary browser, streamed from a proprietary server appliance and reliant on a proprietary fork of VNC for display.
My primary issue with Spikes is that their virtualization architecture results in a horribly bloated platform that can only support a maximum of 150 concurrent sessions per box and even worse that box is a proprietary appliance. Then, just to make matters even worse, they decided against licensing a proper display protocol like PCoIP or HDX and instead decided to flog that dead horse VNC into life and turn it into a somewhat acceptable user experience under the right network conditions.
The problem Spikes has (or rather their parent Cyberinc) is that it doesnt matter how many free appliances they give away to encourage adoption, their architecture is still bloated and reliant on an appliance that only they sell, not an ideal infrastructure for hosting thousands of simultaneous users.
Menlo Security on the other hand approach isolation from a wider perspective. I actually like Menlo and they get that sometimes you need to isolate more than browsers, they also let you isolate documents and emails, protecting you from phishing in a sensible, counterintuitive way.
But whilst their infrastructure may be cloud server friendly, their architecture is based on a virtual appliance, one that is bloated at scale because it leverages a centralizes server side virtualization architecture at its core. No matter how efficient your hypervisor, when you get to really large scale, centralized server based virtualization solutions are horofically expensive to host unless they are grid distributed and Menlo plainly isn’t using a grid distributed virtualization architecture.
Menlo architecturally does not offer a cost effective solution, one that can cost effectively be scaled over 100k+ users without spending a fortune on server resources and this brings me to the main point of this article.
Virtualization based isolation technologies are dead because they are unable to to cost effectively protect large amounts of users at once.
Cyber attacks are everyones problem, a problem that affects millions of normal internet users and while isolation cybersecurity maybe protecting the priveleged few right now, it is still too expensive to protect everyone.
All those years ago at LLNL, the mother of Safeweb said something to me that looking back seems almost prophetic. She told me that unless we could get the price of Safeweb down to single digit dollars per user per month, it will never be adopted on a mass scale and never protect the bulk of users.
She was right.
When we talk about isolating a users internet facing activity, at the most basic level their web browsing, we are talking about millions of web users and virtualization based solutions clearly offer no cost effective way of protecting the vast bulk of them, they are just too expensive for the many.
Once upon a time leveraging virtualization to isolate risk seemed like a really good idea, but that was before we understood the efficiencies of containerization at scale in comparison to virtualization based models and the importance of that comparison when isolating browser compute loads.
Now we understand that if you really want to accommodate a very large amount of users on your platform at once, if you want to isolate each individuals browsing activity into their own disposable and isolated environment, then virtualization is a really inefficient way of doing it.
I think virtualization based cybersecurity platforms are dead because virtualization technology was never meant to isolate large amounts of individual users browsing activity at once, virtualization was meant to virtualize servers and consolidate server loads, it just happened to be the best way to handle browser isolation that we knew of at the time.
For those with the budgets to spend and IP they absolutely have to protect, virtualization based browser isolation offers a welcome respite from the vast majority of cyber attacks, but that doesnt mean its fit for purpose.
We have come a long way in ten years, especially those of use who had to go through the browser isolation curve the hard way and pivot their production platforms away from virtualization towards containerization.
Right now there is only one container based cybersecurity based isolation platform on the planet, the Safeweb Engine, an evolution of previous virtualization based platforms and a vastly more efficient way of physically isolating large amounts of users web browsing activity at the same time.
I have been isolating browsing activity longer than most, I was present at the birth of the browser isolation cybersecurity space and with the launch of the worlds first container based cybersecurity isolation platform, I herbey declare virtualization based cybersecurity platforms to be legacy.
May they rest in peace, they have served us well.
If you are a virtualization cybersecurity refugee and need rescuing from large scale expenditure, download our Safeweb Presentation to learn more. If you would like to comment, criticise or argue with me about any of this, feel free!