RIP Virtualization Based Cybersecurity
After what feels like a lifetime spent trying to make virtualization work for cybersecurity, it is with a heavy heart that I must pronounce virtualization based cybersecurity dead. Virtualization based cybersecurity solutions vary, but the key issue I have is that they do not work at scale in a cost-effective way. That is a big problem when you consider that the internet means millions of users, the many and not the few.
Almost a decade ago, it seemed like a brilliant idea to leverage virtualization for cybersecurity.
In those early days of remote browser isolation cybersecurity, I was developing the Safeweb remote browsing model with Lawrence Livermore National Laboratory. We were learning how to leverage non-persistent desktop virtualization technology to deliver a remote browsing solution to 5000 federal government users, a model that we now call WEBGAP.
WEBGAP means isolating your browsing activity away from your internal networks and it is a fantastically good idea in general, primarily because the web browser is the primary attack vector for cyber attacks. If you provide your users with remote browsers, you isolate the associated risks and shut down the most common infiltration points on your networks.
In our early implementations of the WEBGAP model, we used desktop virtualization technology to deliver remote browsers: we gave 5000 federal government users a non-persistent virtual desktop, on which they were free to remotely browse the internet. Their local machines were totally locked down and disconnected from the outside internet. This model worked fantastically well, and it was particularly loved by the users themselves.
We realized back in those early days that you simply cannot shut down the internet and investigate every time a breach is detected; your users need the internet and they freak out when it's not there. So we gave each user a virtualized remote browser and let them use the internet to their heart's content, away from the valuable IP on federal government networks.
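The endpoint side of the model described above is an egress policy: a locked-down workstation may reach internal networks and the remote-browsing gateway, and nothing on the public internet directly. The following is an added example, not code from the original post or from WEBGAP, of how a defender can audit that policy against a flow log. The address ranges, the gateway address and port, the resolver address and the `src dst dport` log format are all constructed assumptions.

```python
"""Audit workstation egress against a remote-browsing (WEBGAP-style) policy.

Added example, not part of the original post. Every address below is a
constructed assumption chosen from private / documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from collections import Counter

# Assumed internal address space of the organisation.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Assumed address of the remote-browsing gateway and the port users reach it on.
GATEWAY = ipaddress.ip_address("10.10.0.5")
GATEWAY_PORTS = {443}
# Assumed internal DNS resolver; workstations should not talk to outside resolvers.
RESOLVERS = {ipaddress.ip_address("10.0.0.53")}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed log line of the form 'src dst dport'."""
    src, dst, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> str:
    """Label a flow by what the locked-down endpoint policy says about it.

    'gateway'  : browsing traffic going to the isolation gateway (expected)
    'dns'      : lookup against the internal resolver (expected)
    'internal' : any other internal destination (allowed by policy)
    'bypass'   : a direct connection to the outside internet (policy violation)
    """
    if flow.dst == GATEWAY and flow.dport in GATEWAY_PORTS:
        return "gateway"
    if flow.dst in RESOLVERS and flow.dport == 53:
        return "dns"
    if is_internal(flow.dst):
        return "internal"
    return "bypass"


def find_bypasses(lines: list[str]) -> list[Flow]:
    """Return every flow that reached the internet without going via the gateway."""
    return [f for f in map(parse_flow_line, lines) if classify(f) == "bypass"]


def summarize(lines: list[str]) -> dict[str, int]:
    """Count flows per policy class, useful as a daily sanity check."""
    return dict(Counter(classify(parse_flow_line(l)) for l in lines))


# Constructed sample flow log: two workstations, one of which bypasses the gateway.
SAMPLE_LOG = [
    "10.20.1.15 10.10.0.5 443",      # workstation -> remote browser gateway
    "10.20.1.15 10.0.0.53 53",       # workstation -> internal resolver
    "10.20.1.15 192.168.5.9 445",    # workstation -> internal file server
    "10.20.1.22 203.0.113.7 443",    # workstation -> public web server directly (bypass)
    "10.20.1.22 198.51.100.20 53",   # workstation -> external resolver (bypass)
]

if __name__ == "__main__":
    for flow in find_bypasses(SAMPLE_LOG):
        print(f"BYPASS {flow.src} -> {flow.dst}:{flow.dport}")
    print(summarize(SAMPLE_LOG))
```

Anything reported as `bypass` is a host that is not actually isolated the way the model requires, so the audit is a check that the remote browser is the only route out rather than a preference.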
When we built our first remote browsing platform for LLNL, it dawned on me during the deployment that the physical isolation of browsing activity (what we now call browser isolation) was a completely new model. The only other group I knew of using the same model at the time was Los Alamos National Laboratory, but they called it an 'internet glovebox'; remember that these people are nuclear scientists.
I remember looking around for competitors at that time, and after a year or two they appeared on my radar as different implementations of the same model. I saw three different approaches to isolating a user's browsing activity and I found different flaws in each of them.
I found all of them to be hugely inefficient at scale, and this becomes obvious the second you start deploying them at vast scale. They leverage virtualization instead of containerization and they leverage a centralized SAN based architecture, neglecting the obvious cost efficiencies around browser compute isolation that grid distribution architectures can bring to the table. I think that virtualization based isolation technologies are dead because they are unable to cost-effectively protect large numbers of users at once, failing the internet test by default.
Cyber attacks are OUR problem. It's a problem that affects millions of normal internet users, and while browser isolation cybersecurity may be protecting the privileged few right now, it is still too expensive to protect everyone.
All those years ago at LLNL, Robin Goldstone the 'mother of Safeweb' said something to me that looking back seems almost prophetic. She told me that unless we could get the price of remote browsing down to single digit dollars per user per month, it will never be adopted on a mass scale and never protect the bulk of internet users in the real world.
She was right.
When we talk about isolating internet user activity, we are actually talking about millions of simultaneous web users, and virtualization based solutions built around centralized architectures offer no cost-effective way of protecting the many; they are just too expensive. Once upon a time, leveraging virtualization to deliver remote browsers seemed like a really good idea, but that was before we understood the browser compute load for what it really was.
Now we understand that if you really want to accommodate a large number of users on your platform at once, if you want to isolate each individual's browsing activity into their own disposable environment, if you want to be paranoid and give each tab its own disposable container, then virtualization is a really inefficient vehicle. I have been isolating browsing activity longer than most, I was present at the birth of the browser isolation cybersecurity space, and with the launch of the world's first container based cybersecurity isolation platform, I hereby declare virtualization based cybersecurity platforms to be legacy.
May they rest in peace, for they have served us well.
EDITORIAL NOTE: What’s that? You like the things we write? Follow @WEB_GAP on Twitter for more!