How to Isolate Sensitive Data from Compromised PCs and Networks
- In your organization’s IT environment, the reality is that networks and end user PCs are vulnerable, which leaves your sensitive data exposed.
- To contend with this reality, establishing segmented networks for sensitive data is an urgent requirement, however this approach can present a host of excessive costs and risks.
- With Bromium Protected App, organizations can establish secure, segmented networks and enable authorized users to access the data they need—while establishing end-to-end protections around sensitive assets in applications.
Challenges: Compromised Endpoints Undermining the Business
Today’s CIOs have their hands full. They face the constant struggle of finding the right balance between end user convenience and productivity on one hand and security on the other hand. On top of this, they are responsible for addressing compliance requirements while optimizing infrastructure and business agility. Ultimately, it is the CIO that bears responsibility for business continuity, and in the digital economy, the quality and availability of digital services are inextricably intertwined with the business’ brand and market prospects.
The problem is that in many businesses today, compromised networks and PCs are undermining all of the CIO’s objectives. Over the years, security teams have continued to introduce new security mechanisms, and increasing layers of defense. However, against sophisticated cyber threats, these defenses continue to prove vulnerable.
Consequently, sensitive data, including intellectual property and personally identifiable information is vulnerable, leaving businesses exposed to fines for non-compliance, competitive threats, brand damage, and more.
The New Reality: Zero-trust Architectures Required
Today, CIOs and their IT and operations teams have to assume the worst: Endpoints and networks are compromised, and can’t be trusted. How do you move forward given these realities? How do you build trust in an untrustworthy IT environment? These realities are compelling IT and security teams to establish zero-trust architectures via network segmentation. The phrase “zero trust” has its advocates and its detractors, but the bottom line is this: Organizations need to create separation between sensitive assets and vulnerable networks and PCs.
By establishing a securely segmented network, organizations can create an isolated domain for sensitive data. That’s why security best practices and compliance mandates like the Payment Card Industry Data Security Standard recommend putting sensitive data, such as payment card data, in a segmented network. At a high level, here’s the process for establishing a zero-trust network segment:
- Identify the sensitive data that needs to be protected, such as intellectual property, customer data, payment information, and so on.
- Define which people need access to the data, and assign permissions based on the lowest level of privilege required for users to fulfill their responsibilities.
- Build a zero-trust network that isolates sensitive data.
- Identify the specific path between the client and server application.
As part of the effort associated with defining user roles and permissions, IT teams need to establish a way for authorized users to access sensitive data. Historically, these teams have had two options: Issuing a dedicated, second PC to authorized users or employing remote desktop protocol (RDP) or virtual desktop infrastructure (VDI) clients like XenApp. However, each of these approaches presents significant downsides:
When your IT team issues a second PC, they need to establish two fundamental controls. First, they need to ensure only these dedicated PCs can access applications in the segmented network. Second, they need to make sure these PCs can only access the segmented application and network, and no others.
With these controls in place, your organization can establish clear isolation. However, this issuance of a second PC imposes significant penalties:
- It adds a lot of effort and complexity for users.
- It creates a lot of extra procurement, setup, and maintenance work for your technical teams.
- It also adds a lot of cost for the business.
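One way to make the segmentation process above and the two controls for dedicated PCs concrete, as an added example that is not from the whitepaper or from Bromium: a small flow-policy check that applies the ingress allowlist (only dedicated PCs may enter the segment), the egress restriction (dedicated PCs may reach nothing else) and per-user least-privilege grants. The addresses, ports and application names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example values (hypothetical, not from the whitepaper).
SEGMENT = ip_network("10.50.0.0/24")           # isolated segment for sensitive apps
DEDICATED_PCS = {ip_address("10.10.1.21"), ip_address("10.10.1.22")}
# Least privilege: each dedicated PC may reach only the app its user needs.
APP_GRANTS = {
    ip_address("10.10.1.21"): {(ip_address("10.50.0.10"), 3389)},  # payments RDP host
    ip_address("10.10.1.22"): {(ip_address("10.50.0.11"), 443)},   # IP repository
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Decide whether a single flow is permitted and say which rule decided it."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst in SEGMENT:
        # Control 1: only dedicated PCs may enter the segment at all.
        if src not in DEDICATED_PCS:
            return False, "control1: non-dedicated source into segment"
        # Least privilege: and only to the app this PC's user was granted.
        if (dst, flow.dport) not in APP_GRANTS.get(src, set()):
            return False, "least-privilege: dedicated PC not granted this app"
        return True, "allowed: dedicated PC to granted app"
    # Control 2: dedicated PCs may reach nothing outside the segment.
    if src in DEDICATED_PCS:
        return False, "control2: dedicated PC egress outside segment"
    return True, "allowed: ordinary traffic outside the segment"


def audit(flows):
    """Return the flows that violate the policy, paired with the reason."""
    violations = []
    for f in flows:
        ok, why = evaluate(f)
        if not ok:
            violations.append((f, why))
    return violations


# Constructed sample flows, e.g. as they would appear in a flow log.
SAMPLE_FLOWS = [
    Flow("10.10.1.21", "10.50.0.10", 3389),   # dedicated PC to its granted app
    Flow("10.10.5.77", "10.50.0.10", 3389),   # ordinary (possibly compromised) PC
    Flow("10.10.1.21", "203.0.113.9", 443),   # dedicated PC browsing the internet
    Flow("10.10.1.22", "10.50.0.10", 3389),   # dedicated PC, app not granted
]
```

Running `audit(SAMPLE_FLOWS)` flags the last three flows, each with the control that rejected it.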
Remote Desktop/XenApp Clients
Another option is to have authorized users access the segmented network via RDP or XenApp clients. This approach can be difficult to implement, and it introduces significant security vulnerabilities. Fundamentally, if the host on a user device is compromised, the segmented network will still be vulnerable. RDP is a protocol that is commonly targeted by cybercriminals. While network-level authentication is required in most RDP and XenApp implementations, this security mechanism won’t guard against a hacker using keyloggers, scraping screen contents or extracting passwords from application memory.
How can your organization safeguard sensitive applications and data—without incurring the cost, effort, and complexity associated with introducing a second PC or leaving the business exposed to compromised RDP or XenApp clients?
The Solution: Bromium Protected App
With Bromium Protected App, you can establish end-to-end protections around sensitive assets in applications—without having to issue a second PC for authorized users. The solution enables customers to completely isolate sensitive applications and secure network connections between clients and servers. Protected App ensures sensitive data remains secure, even when networks and PCs get compromised.
How it Works
Bromium Protected App offers capabilities for hardware-enforced isolation of remote desktops and XenApp clients. The solution is deployed on the user’s Windows PC, beneath the operating system (OS) layer, establishing a protected virtual machine (VM) that is completely isolated from the OS. Even if a user’s endpoint is compromised, it won’t pose any risk to the partitioned, protected app. The user can only access the application through the protected VM, which remains isolated from the Windows OS—and any malware that may infect it. Further, Bromium Protected App can isolate RDP and XenApp clients from the host PC, so connections to the segmented network can’t be exploited. With these advanced capabilities, the solution offers safeguards against malware, compromised host OSs, and even malicious administrators.
By implementing Bromium Protected App your organization can realize a number of benefits:
- Address critical security threats—with unrivaled efficiency and ease. Bromium Protected App makes it practical to secure the applications that host sensitive data, without having to ensure endpoint devices are free of malware or issue a second PC.
- Establish broad protection against a range of threats. Bromium Protected App enables customers to establish strong safeguards around sensitive applications and data, helping ensure confidentiality and integrity. The solution protects organizations’ IP and other sensitive data from a broad range of threats.
- Deliver a non-disruptive, seamless user experience that maximizes productivity. With Bromium Protected App, users aren’t disrupted. Users can work with the same devices and interact with applications like they always have—without having to learn new interfaces or establish new workflows.
The unavoidable, disturbing reality is that end user PCs and networks are susceptible to compromise, and this leaves your business’ sensitive data and brand exposed. Given these realities, network segmentation is emerging as a key imperative. With Bromium Protected App, your organization can realize the security of true network segmentation, without having to introduce the risks associated with RDP and XenApp or incur the cost and disruption associated with issuing a second PC for authorized users.