Securing the architecture as the perimeter vanishes.

It’s become a commonplace in the industry that the perimeter is vanishing (if indeed it hasn’t already done so, with the possible exception of a few tightly controlled and secured enclaves). Bring-your-own-device (BYOD), pervasive mobile computing on increasingly powerful devices, and the swift movement of data and services to the cloud have all contributed to this trend. How does an enterprise approach security in this new world? We spoke with Ntrepid’s Chief Scientist Lance Cottrell about how his company sees the challenge. One thing he’s convinced of: “Detection is a failed strategy. Detection's not a bad thing; you want to detect malware but thinking you can count on detecting things is the road to ruin.”

Ntrepid began building tools for government use against extremely high threat targets, Cottrell said, and ended up realizing they had the tools to make an extremely secure web browser. “Browsers are the Achilles heel of network security,” he observed. Other aspects of a network are easier to lock down, but browsers use complex paths and very diverse interactions. By comparison with the browser, email is easy. To be sure, email probably remains the largest source, numerically, of malware attempts. “But you can also scan emails at your leisure,” Cottrell said. “You can look for patterns, whereas with web-based attacks you have a millisecond to decide whether something is good or bad, whether to let it through or not. And that requires some sort of signature-based scan which is manifestly ineffective now. So we're focused on building a technology that encapsulates the browser. The browser's too big ever to be secured itself, so we're going to wrap it inside a virtual machine. Anything that does get in is trapped, and can be easily destroyed at the end of every session whether you detect it or not.”

Cottrell thinks Ntrepid’s our core customers will be in highly sensitive businesses at considerable risk of losses through web-based attacks. They’ll also be in high-compliance industries, like financial services and healthcare. And any company that holds a lot of third-party data would be another customer—consider the reputational disaster a compromised cloud provider faces.

Cottrell agreed with other experts we spoke to that ease of installation and use are vital. Their Passages product, he says, “is almost completely transparent, which is why we used a standard browser as opposed to trying to write our own, and making people discover some new work processes. Despite the fact that it's running in a virtual machine on the desktop, to the user it looks like an absolutely normal browser. All the content works because we lock it down so tightly we can allow things like Flash and Java, and Javascript, all the things that make the web work the way it does, we can allow those to function cleanly. The only twist we've put in is actually on downloads, so that if you want to move a file to your actual desktop it passes through our cloud service where we scan the heck out of it with a whole bunch of different scanners. And we can take our time with that, and then the user has to manually initiate a download, because we want to eliminate the drive-by downloads.”

Scanning downloads turns out not to slow users down, Cottrell said. The number of files people actually download to their desktop turns out to be surprisingly small. Most of the time users are, say, viewing a pdf or a video in a browser, and there's no need to move anything to the normal desktop. For the few files a user actually wants to download, the system imposes a delay of only a few seconds. "This is important, because anything that's annoying to a user, they'll rapidly try to circumvent it. Experts need to stop victim-shaming. Normal people have normal work to do, and our security systems need to recognize that and work within that rather than saying ‘no, no, no, you're doing it wrong’.”