Guest blog: Good Things Come in Small Packages
Citrix friend Bromium launched its micro-virtualization technology at GigaOm Structure in June 2012. Former Citrix team member Tal Klein gives the details in this guest blog.
Now that Bromium has launched, our friends at Citrix have asked us to come visit their blog for a spot of tea (as Simon Crosby might say) and write a few words about what we do, what they do, and how we might solve customer problems together. OK, ditching the royal "we" and moving on to me.
Four months after leaving Citrix, I'm super excited to be officially telling you about the Bromium Microvisor™, our second-generation virtualization platform that takes a new approach to the use of hardware virtualization. As the title of this blog states, good things come in small packages. We call ours micro-virtualization, and its goal is to make endpoint devices inherently secure and trustworthy.
The Bromium Microvisor automatically protects each vulnerable task on the operating system by instantly hardware-isolating it within a micro-VM: a lightweight, hardware-backed isolation container that polices the task's access to every OS service. Micro-VMs run natively on the OS with negligible performance impact, and they protect the system continuously, even from unknown threats. A micro-VM can reach OS services or devices only through narrow control points that pause the task and let the Microvisor arbitrate the request before it proceeds. This gives the software isolation mechanisms already used by the OS and its applications a hardware-enforced backstop, and it imposes tight control on access to sensitive data, networks and other resources. The flip side, which any practitioner should note, is that the Microvisor itself becomes the trusted computing base: the isolation is only as strong as the Microvisor and the hardware virtualization it relies on.
In the desktop arena, Bromium applies micro-virtualization within a running Windows desktop to automatically identify and instantly isolate individual tasks, protecting against current and future targeted attacks by design. The technology has broad applicability, from endpoint protection to the consumerization of IT. But let's talk about desktop virtualization.
XenDesktop fulfills a critical role in enterprise IT. Windows desktops and apps are here to stay. However, users will always be human (and by that I mean gullible and fallible, like me and you) and software will always be vulnerable, so the bad guys will get in. The Bromium system architecture assumes that users will make mistakes and that zero-day vulnerabilities are inevitable. It is built from the ground up on the presumption that a micro-VM will be compromised at some point, and it is designed so that an attacker who gets that far cannot reach sensitive data or applications beyond that task's scope, and cannot persist. A micro-VM can access data only on a need-to-know basis, and any changes it makes are discarded as soon as the user closes the application, which automatically incapacitates malware and eliminates remediation costs, even on PCs that haven't been patched. The corollary is worth stating plainly: an attacker inside a compromised micro-VM can still see exactly the data that task was granted, so how narrowly each task's need-to-know set is scoped determines what a single compromise exposes.
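The two properties described in the preceding paragraphs (every access to a system resource is arbitrated by a trusted component against a need-to-know policy, and all of a task's changes are discarded when it closes) can be modelled in a few dozen lines. The example below is written for this page and is not Bromium's code: it models only the access policy and discard-on-close semantics in plain Python, not the hardware isolation that the real Microvisor uses to enforce them. The `Microvisor` and `MicroVM` classes, the file paths, registry key and file contents are all constructed for illustration.

```python
"""Toy model of the micro-VM access policy described in the post.

Illustrative example written for this page, NOT Bromium's code. It models two
properties in plain Python: (1) a trusted component arbitrates every access to
an existing system resource against a per-task need-to-know set, and (2) a
task's writes land in a private copy-on-write overlay that is discarded on
close, so nothing it does can persist. It does not model hardware isolation;
all paths, keys and contents are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


class AccessDenied(PermissionError):
    """A micro-VM touched a system resource outside its need-to-know set."""


@dataclass
class Microvisor:
    """Owns the trusted, persistent base state and arbitrates every access."""
    base: Dict[str, bytes]
    audit: List[str] = field(default_factory=list)

    def spawn(self, task: str, allowed: FrozenSet[str]) -> "MicroVM":
        return MicroVM(self, task, allowed)

    def arbitrate(self, vm: "MicroVM", op: str, path: str) -> None:
        # Existing system resources are need-to-know. Anything the task creates
        # itself is allowed, but it only ever lives in the task's overlay.
        if path in self.base and path not in vm.allowed:
            self.audit.append(f"DENY  {op} {path} ({vm.task})")
            raise AccessDenied(path)
        self.audit.append(f"ALLOW {op} {path} ({vm.task})")


@dataclass
class MicroVM:
    mv: Microvisor
    task: str
    allowed: FrozenSet[str]
    overlay: Dict[str, bytes] = field(default_factory=dict)  # copy-on-write layer
    closed: bool = False

    def read(self, path: str) -> bytes:
        self._check_open()
        self.mv.arbitrate(self, "read", path)
        if path in self.overlay:
            return self.overlay[path]
        return self.mv.base[path]  # KeyError if the resource does not exist

    def write(self, path: str, data: bytes) -> None:
        self._check_open()
        self.mv.arbitrate(self, "write", path)
        self.overlay[path] = data  # never written through to the base

    def close(self) -> int:
        """Discard the overlay; returns how many pending changes were dropped."""
        dropped = len(self.overlay)
        self.overlay.clear()
        self.closed = True
        return dropped

    def _check_open(self) -> None:
        if self.closed:
            raise RuntimeError(f"{self.task}: micro-VM already closed")


# Constructed sample system state: a download, a sensitive document, and a
# registry key commonly used for persistence.
SAMPLE_BASE: Dict[str, bytes] = {
    "C:/Users/alice/Downloads/report.pdf": b"%PDF-1.7 quarterly report",
    "C:/Users/alice/Documents/payroll.xlsx": b"PK\x03\x04 salaries",
    "HKCU/Software/Microsoft/Windows/CurrentVersion/Run": b"",
}


def run_compromised_browser_task(mv: Microvisor) -> dict:
    """A browser micro-VM opens a download, is then 'compromised', and tries
    to steal another document, persist via a Run key, and drop a binary."""
    vm = mv.spawn("browser", frozenset({"C:/Users/alice/Downloads/report.pdf"}))
    report = vm.read("C:/Users/alice/Downloads/report.pdf")  # legitimate use
    vm.write("C:/Users/alice/Downloads/report.pdf", report + b" (annotated)")

    denied: List[str] = []
    try:
        vm.read("C:/Users/alice/Documents/payroll.xlsx")  # data theft attempt
    except AccessDenied as exc:
        denied.append(str(exc))
    try:
        vm.write("HKCU/Software/Microsoft/Windows/CurrentVersion/Run",
                 b"dropper.exe")  # persistence attempt
    except AccessDenied as exc:
        denied.append(str(exc))
    # Dropping a brand-new file is allowed inside the micro-VM, but it only
    # exists in the overlay and vanishes when the task closes.
    vm.write("C:/Users/alice/AppData/Local/Temp/dropper.exe", b"MZ...")

    dropped = vm.close()
    return {"denied": denied, "dropped_changes": dropped, "base_after": dict(mv.base)}


if __name__ == "__main__":
    microvisor = Microvisor(dict(SAMPLE_BASE))
    print(run_compromised_browser_task(microvisor))
    print("\n".join(microvisor.audit))
```

Running the script shows the two claims side by side: the attempts on `payroll.xlsx` and the `Run` key are refused at the arbitration point, while the annotated PDF and the dropped binary are accepted but exist only in the overlay, so `base_after` is identical to the state the task started with. What the model also makes visible is the caveat above: `report.pdf` was readable the whole time because the policy granted it, so the need-to-know set, not the isolation mechanism, decides what a compromised task can leak.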
In Citrix-speak, regardless of which FlexCast flavor you use to deliver your Windows desktops and apps, our technology is designed to secure the client end of the session for users on laptops running Citrix Receiver to reach their hosted desktops. Bromium protects data on the endpoint at runtime and is built to contain attacks arriving through any outside vector on the client (USB, web, applications, MIME types, and so on), so a user's "personal" activities such as web browsing or web-mail should not be able to compromise Receiver, the browser, the desktop, or the enterprise behind it. To that end, we are working with Citrix on the development of a Bromium plug-in for Receiver and are seeking beta customers who have implemented Receiver in their enterprise.
With the Bromium Microvisor on every corporate laptop, an attack like the 2011 RSA compromise, in which a user opened a malicious email attachment and exposed the company's most sensitive information to malware, would be contained inside the micro-VM that opened the attachment. Further, our technology provides end-to-end isolated access to enterprise web apps and to enterprise SaaS apps and clouds by isolating individual web sites in micro-VMs that are protected not only from the outside vectors above but also from each other. For anyone using a rich client to reach a hosted Citrix environment, this means each untrusted activity on the endpoint is confined to its own hardware-isolated container.
If we start thinking outside the endpoint, Bromium micro-virtualization could also be used to protect server-side hosted browsers or other productivity applications and vulnerable MIME types, keeping an attack from compromising Windows Server instances that run client applications. But I'm getting ahead of myself.
Starting with the Bromium plug-in for Receiver, and as we continue to explore the state of data, desktops and apps in the wild, I'm sure we'll discover many more use cases, and we look forward to working closely with Citrix on joint solutions that benefit every type of desktop deployment in the enterprise. Bromium micro-virtualization is built to let trusted and untrusted applications and data coexist on a single system with hardware-enforced mutual isolation. Please give us a visit at www.bromium.com to learn more and join the conversation!