Bromium, Inc. has announced the release of Protected App, which allows organisations to establish robust, end-to-end protection around their critical IP and high-value assets (HVA).
Protected App will address the challenges of a shrinking security perimeter, and the loss of trust many organizations have experienced after constant breaches compromising their networks.
Bromium Protected App safeguards organizations' intellectual property (IP) and HVAs from threats such as keylogging, screen capture, memory tampering, and man-in-the-middle attacks, with sensitive applications walled off from the endpoint.
"Organisations have been fighting an ongoing cyber battle, but they have been let down by layered defenses failing to stop or slow down attacks. This failure has resulted in organisations feeling like they can't trust their own networks or endpoints, which has forced them to move high-value services and IP off the network and restrict access," commented Robert Bigman, Former CISO of the CIA. "Protected App can be used by organizations to enable trusted client access for employees and third-party partners to your intellectual property from their 'dirty' networks and endpoints, without ever having to worry about their security posture."
"Zero Trust as a concept is solid, but in practice it's become a real barrier to user productivity," comments Gavin Hill, VP Product & Strategy, Bromium. "Some organisations deploy second PCs that employees must use if they want to access critical IP, which doubles hardware costs and restricts workflow. It's clear that we need a new approach to Zero Trust that secures networks and applications but doesn't affect workflow."
Protected App is the first to use hardware-enforced virtualisation on the endpoint, below the operating system (OS), ensuring total isolation for applications from the operating system while securing the network connection to server applications hosting critical IP. "Protected App builds a wall around remote and virtual desktop applications on the endpoint, allowing employees to access sensitive applications without the need to use a second PC or risk infection from a compromised endpoint or network," explains Hill.
This allows users to work seamlessly between their endpoint and sensitive applications, even if the host PC has been compromised. To the end user, all activity is performed on their endpoint. This means they can work as they always do, but the connection to the sensitive data and IP is running completely isolated in a micro virtual machine (VM), which the host OS cannot see.
Bromium Protected App will defend organizations from:
- Keylogging – keystrokes in Protected App are invisible to the host and the host cannot inject keystrokes into Protected App
- Man-in-the-middle – as the connection from client to server is across a secured VPN connection
- Kernel exploits – as the VM is independent of the OS, kernel exploits of the Windows host will not impact Protected App
- Memory tampering – the protected VM running Protected App is walled off from the host PC making it impossible to access the memory
- Disk tampering – the protected VM running Protected App is walled off from the host PC making it impossible to access the disk and the disk is encrypted
- Screen capture – prevent remote access tools from capturing or recording users' screens
- Registry updates – as the root of trust is below the OS, kernel exploits of the Windows host will not impact Protected App
- Prevent copy & paste, downloading, printing and screen capture exploits
Hill concludes, "The security perimeter is shrinking, and the old castle and moat concept of security is dead. Even if you do trust your own network and devices, remote working, cloud computing and the connected economy all mean that your apps and data are going to be accessed from environments you have no control over and can't trust. Our vision for Protected App is all about making this access frictionless and secure."