Back in 2016 when the Singapore government announced its plan to separate government systems from the Internet, many critics suggested this was a backward decision for a smart city. After the WannaCry ransomware attacks in May 2017, those critics have been silenced as the Singapore government announced it had not seen any infections from this virus. In contrast, many organizations elsewhere are still struggling to recover from what was a particularly well-publicized event.
Internet separation can take many forms, some more draconian than others. For businesses, disconnecting from the Internet is likely to negatively impact productivity—and therefore profitability. Whereas for governments, security is the critical factor; whilst productivity is still important, any productivity loss does not have as much impact as it does on a commercial entity.
Aside from email-driven malware such as WannaCry, there are other dangers lurking on the Internet. In some cases, the virus needs no end-user action to surreptitiously place itself onto the users’ computing device (assuming relevant security controls are not present). The potential for this infection to self-detonate without the users’ knowledge—thereby infecting both the local device and most probably injecting a more malicious type of file into the organization’s network—is also quite high.
Whilst many organizations will adopt the approach of aggressive end-user education programs, it is not always possible to control how a user interacts with their device and its applications. So whilst this approach affords a degree of improvement, there needs to be a more in-depth control environment.
Through the careful and educated use of virtualization technologies, Internet separation can be achieved with only the minimum of impact on productivity. These technologies can provide the security that is proposed by this approach, without the significant impact to productivity that commercial organizations are far more concerned about.
Applying virtualization technologies at a device level can provide the end user with multiple images on a single device, so there is an instant cost saving over physical separation since only a single device is required. Because the virtualization layer can deliver multiple images, the one that is defined for Internet usage, for example, can be totally secured from the local network. This means that should a device become infected by malware, it will not immediately proliferate across the network (which is the goal of most malware, especially ransomware). Only a single device will need to be quarantined and disinfected. Another image can provide access to all internal systems whilst denying access to either the full Internet or only select locations (possibly using only whitelisting to limit access externally).
Either way, virtualization technology provides the ability to create a local level of separation. Network virtualization can also be used to create similar zones of trust and mistrust (or no trust), thereby providing the end user with a seamless experience whether they are accessing internal or external systems.
One year ago, the idea of Internet separation was not one that many organizations considered. But with the growing range of cyberattacks, it is time to look at how a virtualization approach can help strengthen an organization’s overall security strategy with limited impact to productivity.