Garrison Technology - Phoenix Datacom
Garrison Technology
How secure remote browsing delivers high security even for mainstream commercial organisations
The weak underbelly for most enterprises’ cybersecurity is the user endpoint. Laptops, desktops and
tablets are used to access your most critical information and systems. But they are also used to access
Internet services that you know little about – websites which even if not designed to be malicious,
might have been subverted by a malicious attacker.
Traditional controls no longer provide an answer. The attack surface is too large and attackers only
need to find one vulnerability. Spearphishing, watering hole attacks and drive-by-downloads lead to
real business impacts such as data loss, financial theft, ransomware or sabotage.
Is the game over? Must enterprises resign themselves to breaches? Or adopt the restrictive security
practices of military and national security organisations?
Secure Remote Browsing from Garrison provides the answer. By providing truly secure access even to
the most dangerous Internet content, it lets security teams be truly proactive about the Internet cyber threat.
And by reducing the need for traditional layered controls, this can lead to an overall cost saving.
At last, it may be possible to achieve the impossible: improved security without restrictions – at a lower
cost.
© Garrison Technology Ltd 2017
Understanding the Internet cyber threat
The Internet is a global space which is only very lightly controlled. Amidst the information and the
services that we all rely on are also people and organisations whose interests and objectives are
opposed to yours, and who are willing to do you harm to achieve their aims.
Of course, those adversaries exist in the physical world too. In the physical world, in a developed country
subject to the rule of law, your adversaries might try to break into your buildings in order to steal your
information or goods, or to compromise your systems. But they will need to be careful, because if they
get caught, they can expect to face the criminal justice system.
In the global, connected space of the Internet, your adversaries can operate from jurisdictions where
governments have insufficient resources to pursue them or have been bought off. In some cases, the
governments themselves may be your adversaries. And the Internet provides them with the ability to
operate across multiple territories at the same time in order to play states off against each other and
obscure their identities.
That means your adversaries can simply keep trying – time and time again. They only need to succeed
once. It’s inherently asymmetric and unfair.
www.garrison.com
Targeting the weak underbelly
Your business is connected to the Internet in two ways. One: through the services that you provide. The
other: through the services that you consume. For security-conscious organisations, it is the latter that
presents the weak underbelly.
When you provide services over the Internet, you get to choose how those services are architected
and delivered. You can define structured interfaces between multiple tiers – separating complex
presentation logic from business logic with well-defined simple interfaces. You can keep tight control
over what presentation logic is used; keep it well patched; turn off unnecessary modules. Of course, it’s
easy to do it badly – there are innumerable websites which are too easy to compromise. But it’s also
possible to do it well.
When your users consume Internet services, the situation is quite different. Highly complex logic outside
your control runs in multiple applications, plugins and extensions. That software runs on thousands of
machines, each controlled by a user with little understanding of, or interest in, security. Highly complex
datatypes and content are delivered directly to each of those software elements on each of those machines.
And each of those machines also has access to your most sensitive data and systems.
In this landscape of hyper-complexity, even the security controls themselves can present exploitable
vulnerabilities. The only control that works reliably is the simplest one: turning things off.
Cutting the cord
In the highest-security circles – the world of military and national security – that has been the historic
approach. Disconnection from the Internet for classified systems; separate machines for access to risky
Internet content.
In the commercial world, that’s not really an option. Businesses increasingly rely on cloud-based services
for their operations. And in an era of mobility and knowledge-workers, the idea of requiring multiple
machines is usually laughable. A different model is required: one that brings the security benefits of
disconnection while preserving the business benefits of the cloud.
Secure remote browsing technology from Garrison enables this.
With secure remote browsing, access to high-risk Internet resources is provided via a sacrificial machine.
Internet content is rendered on the sacrificial machine – which the user views and controls remotely.
If the sacrificial machine is compromised, it has access to nothing sensitive and can do no harm. It can
be easily restarted, restoring it to its original uncompromised state.
And with the sacrificial machine deployed in the data centre or in the cloud, done right, user experience,
workflow and productivity can be maintained.
Isn’t that just remote desktop?
In a way, yes. And indeed, some organisations have deployed secure remote browsing using traditional
VDI technologies. But using legacy remote desktop products presents a host of challenges:
• Cost
• Poor user experience
• Residual concerns over security vulnerabilities
Any secure remote browsing technology must allow a secure device to view and control a less secure,
sacrificial, machine. But the right solution should also:
1. Provide a high level of confidence that the stream of data showing what the sacrificial machine
is doing cannot be used as a path to attack the secure client device
2. Provide a high level of confidence that the communications channel used to control the sacrificial
machine cannot be used as a path to attack the secure client device
3. Deliver a great user experience, even for Internet video and increasingly graphical interactive
web content. Plus copy and paste – safely
4. Be easy to deploy. Reasonable demands on the network and support for all types of devices
5. Offer a clear user interface that intuitively helps users understand when they are interacting with
high-risk Internet sites that should not be trusted with sensitive information
6. Be cost-effective. Blocking sites and moving their traffic to secure remote browsing can deliver
an overall cost saving
With ultra-high security and a great user experience at an affordable price, Garrison’s technology
delivers on all fronts.
How does Garrison work?
The founders of Garrison realised that software-based technology would never achieve their goals for
a secure remote browsing solution. The price-performance challenge is simply too great and security
vulnerability too high.
Instead, the Garrison SAVI® Isolation Appliance is a unique hardware appliance engineered from the
ground up to deliver security and performance at an affordable cost. At the heart of Garrison is our
patented Silicon Assured Video Isolation (Garrison SAVI®) technology.
Garrison SAVI® technology relies on the use of the ARM® devices found in mobile phones and tablet
devices. Two ARM® devices are used as a pair to create a SAVI Node:
• The ARM® device on the left hand side in the diagram above works like a tablet – consuming and
rendering Internet content. With on-board hardware graphics acceleration and video decoding,
it delivers an excellent price/performance profile
• The video output from this ARM® device, which would normally be transmitted to a screen for
display, is instead transmitted to the camera input of a second ARM® device. This device takes
the camera input, compresses it – using the on-board video compression hardware found in
every smartphone – and transmits it for display at the user’s endpoint
• In the reverse direction, keyboard and mouse commands are transmitted via Garrison’s Hardware
Security Enforcement Fabric, which ensures that this channel is unidirectional and bandwidth-
limited – and that an audit copy of every interaction is available for monitoring.
The Garrison SAVI® security design means that even if the ARM® device on the left of the diagram gets
compromised, the worst it can do is to show bad pictures to the user. And as soon as the user’s session
is complete, the device will be fully wiped down at the hardware level to ensure that no malware can
persist.
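To make the three properties claimed for the reverse channel concrete (unidirectional, bandwidth-limited, audited), here is an added software model; it is not Garrison's code and does not represent the appliance's hardware fabric. The JSON event format, the two schemas, the 64-byte cap and the per-second rate limit are assumptions chosen for illustration.

```python
import json
from collections import deque

# Constructed software model, not Garrison's implementation: a one-way input
# channel from the secure endpoint to the sacrificial node. Only fixed-schema
# keyboard/mouse events are forwarded, the rate is capped, and every accepted
# event is copied to an audit log. The class has no receive method at all.

MAX_EVENT_BYTES = 64        # a keystroke or pointer move never needs more
SCHEMAS = {                 # field -> (type, min, max); no free-form fields
    "key":   {"code": (int, 0, 255), "down": (bool, False, True)},
    "mouse": {"x": (int, 0, 65535), "y": (int, 0, 65535), "buttons": (int, 0, 7)},
}

def validate_event(raw: bytes):
    """Return the parsed event if it matches one schema exactly, else None."""
    if len(raw) > MAX_EVENT_BYTES:
        return None
    try:
        ev = json.loads(raw)
    except ValueError:
        return None
    kind = ev.get("type") if isinstance(ev, dict) else None
    schema = SCHEMAS.get(kind) if isinstance(kind, str) else None
    if schema is None or set(ev) != set(schema) | {"type"}:   # no extra fields
        return None
    for name, (typ, lo, hi) in schema.items():
        value = ev[name]
        if type(value) is not typ or not lo <= value <= hi:
            return None
    return ev

class OneWayInputChannel:
    def __init__(self, max_events_per_second: int):
        self.limit = max_events_per_second
        self.window = deque()   # timestamps of events accepted in the last 1 s
        self.audit = []         # audit copy of every accepted interaction
        self.dropped = 0        # malformed or over-rate events, never forwarded

    def forward(self, raw: bytes, now: float) -> bool:
        """Forward one event toward the sacrificial node; True if accepted."""
        while self.window and now - self.window[0] >= 1.0:
            self.window.popleft()
        ev = validate_event(raw)
        if ev is None or len(self.window) >= self.limit:
            self.dropped += 1
            return False
        self.window.append(now)
        self.audit.append((now, ev))
        return True
```

Because the only accepted payloads are bounded, fully enumerated fields, a compromised node has no free-form data path back through which to reach the endpoint, and the audit list is what a monitoring system would consume.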
The Garrison SAVI® Isolation Appliance packs 288 of these SAVI Nodes into a 3U rackable chassis,
supporting up to 288 concurrent users – each of which will receive a high-quality user experience even
for rich media content.
Depending on the frequency with which access to risky sites is required, a single appliance can support
much larger numbers of endpoints. And for widespread use across a complete enterprise, appliances
can be stacked to provide effectively unlimited scalability – either on-site, or in a 3rd party data centre
to be delivered as a cloud-like service.
The bigger picture
Browsing is only the start. In addition to the Garrison SAVI® Isolation Appliance, Garrison supplies the
Garrison Transfer Appliance – a parallel hardware appliance that ensures that Garrison users can copy
and paste risky Internet content via their enterprise clipboards with complete security. The Garrison
Transfer Appliance also provides a way for users to print risky web pages to sensitive corporate printers.
Many file downloads can be kept in the cloud and viewed using Garrison. But when file downloads
truly are required at the corporate desktop, Garrison is designed for easy integration with existing and
planned content scanning, filtering and transformation pipelines – such as the existing email attachment
security pipeline.
Enterprises have a tactical need for business enablement today – enhancing the user experience when
users need to visit risky sites that are blocked. And that need will grow, as increased threat levels mean
fewer and fewer sites can be trusted.
But with Garrison, enterprises have a strategic opportunity too. If users are content to browse with
Garrison, a much wider range of web traffic can be moved out of the enterprise. Not only will this improve
security – it will allow spend on traditional layered security defences to be reduced.
Security, usability or cost? With Garrison, there’s no need to compromise.
CD00000092v2.3 - October 2017
For more information please contact Phoenix Datacom
Tel: 01296 397711
Email: [email protected]
www.phoenixdatacom.com