Trustworthy Network Segmentation for an Untrustworthy World

  • Denial is not a strategy. The reality is that networks, PCs and XenApp clients are susceptible to attacks, if they haven’t been breached already.
  • Network segmentation is an imperative. Organizations need to isolate applications that contain sensitive data, but this approach can introduce the cost and hassle of issuing a second PC for authorized users.
  • Establish true end-to-end protections around sensitive assets in applications—no second PC required—with Bromium Protected App.

The Challenge: The Flaws in Existing Defenses and the Network Segmentation Mandate

Security teams continue to introduce new protection mechanisms and additional layers of defense. Today, a typical organization is running a virtual alphabet soup of perimeter defenses—think AV, IDS, IPS and many other systems. While these respective tools remain important, they’re not foolproof. Especially when tested against sophisticated cyber threats, these defenses continue to prove vulnerable.  

If you’re responsible for security, you must assume that endpoints and networks are compromised, or soon will be, and can’t be trusted. That means sensitive data, including intellectual property and personally identifiable information, is vulnerable, leaving the business exposed to fines for non-compliance, competitive threats, brand damage, and more.

How do you build trust in an untrustworthy world? These realities are compelling security teams to establish zero-trust architectures via network segmentation. The concept of “zero trust” has its advocates and its detractors, but the bottom line is this: Organizations need to create separation between sensitive assets and vulnerable networks and PCs. 

That’s why security best practices and compliance mandates like the PCI DSS recommend putting sensitive information, such as payment card data, in a segmented network. By establishing a securely segmented network, organizations can create an isolated domain for sensitive data. As part of this effort, security teams need to establish a way for authorized users to access sensitive data. Historically, these teams have had two options: Issuing a dedicated, second PC to authorized users, or employing remote desktop protocol (RDP) or virtual desktop infrastructure (VDI) clients like XenApp. However, each of these approaches presents significant downsides.

Second PC 

When security teams issue a second PC, they need to establish two fundamental controls. First, they need to ensure only these dedicated PCs can access applications in the segmented network. Second, they need to make sure these PCs can only access the segmented application and network, and no others.  

With these controls in place, organizations can establish clear isolation. However, this issuance of a second PC imposes significant penalties: 

  • It adds significant effort and complexity for users.  
  • It creates extra procurement, setup, and maintenance work for technical teams.
  • It also adds cost for the business. 
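The two controls described above are easy to state but easy to half-deploy. The following Python is an added example (not Bromium code) that evaluates sample flows against both rules and shows what is lost when only the ingress rule exists; the segment CIDR, PC addresses and flows are constructed values.

```python
# Added example (not Bromium's code): checks network flows against the two
# "Second PC" controls. All addresses below are constructed sample values.
import ipaddress
from typing import NamedTuple

SEGMENTED_NET = ipaddress.ip_network("10.50.0.0/24")   # assumed: isolated app segment
DEDICATED_PCS = {ipaddress.ip_address("192.168.7.10"),   # assumed: the issued second PCs
                 ipaddress.ip_address("192.168.7.11")}


class Flow(NamedTuple):
    src: str
    dst: str


def allowed(flow: Flow, enforce_egress: bool = True) -> bool:
    """Return True if a flow satisfies both controls.

    Control 1 (ingress to the segment): only dedicated PCs may reach hosts
    inside SEGMENTED_NET.
    Control 2 (egress from the PC): a dedicated PC may reach nothing outside
    SEGMENTED_NET. enforce_egress=False models a deployment that forgot it.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    dst_in_segment = dst in SEGMENTED_NET
    src_dedicated = src in DEDICATED_PCS
    if dst_in_segment and not src_dedicated:
        return False  # control 1: an ordinary PC is knocking on the segment
    if enforce_egress and src_dedicated and not dst_in_segment:
        return False  # control 2: a dedicated PC is leaving the segment
    return True


def audit(flows, enforce_egress: bool = True):
    """Return the subset of flows that the policy would permit."""
    return [f for f in flows if allowed(f, enforce_egress)]


SAMPLE_FLOWS = [                              # constructed sample traffic
    Flow("192.168.7.10", "10.50.0.5"),        # dedicated PC -> segmented app
    Flow("192.168.7.99", "10.50.0.5"),        # ordinary PC -> segmented app
    Flow("192.168.7.10", "203.0.113.20"),     # dedicated PC -> outside host
    Flow("192.168.7.99", "203.0.113.20"),     # ordinary PC -> outside host
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "allowed" if allowed(f) else "blocked")
```

With the egress rule switched off, the dedicated PC is permitted to reach both the segment and outside hosts, which is exactly the bridge the second control exists to prevent.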

Remote Desktop/XenApp Clients 

Another option is to have authorized users access the segmented network via RDP or XenApp clients. This approach can be difficult to implement, and it introduces significant security vulnerabilities. Fundamentally, if the host on a user device is compromised, the segmented network will still be vulnerable. RDP is a protocol that is commonly targeted by cyber criminals. While network-level authentication is required in most RDP and XenApp implementations, this security mechanism won’t guard against a hacker using keyloggers, scraping screen contents or extracting passwords from application memory.  

How can your security teams safeguard sensitive applications and data, without incurring the cost, effort, and complexity associated with introducing a second PC or leaving the business exposed to compromised RDP or XenApp clients? 

The Solution: Bromium Protected App 

With Bromium Protected App, you can establish end-to-end protections around sensitive assets in applications, without issuing second PCs to authorized users.  The solution enables customers to completely isolate sensitive applications and secure network connections between clients and servers. Protected App ensures sensitive data remains secure, even when networks and PCs get compromised. 

Protected App: How it Works 

Bromium Protected App offers capabilities for hardware-enforced isolation of remote desktops and XenApp clients. The solution is employed on the user’s Windows PC, beneath the operating system (OS) layer, establishing a protected virtual machine (VM) that is completely isolated from the OS. Even if a user’s endpoint is compromised, it won’t pose any risk to the partitioned, protected application. The user can only access the application through the protected VM, which remains isolated from the Windows OS and any malware that may infect it. Further, Protected App can isolate RDP and XenApp clients from the host PC, so connections to the segmented network can’t be exploited.   

Comprehensive Safeguards 

Bromium Protected App delivers comprehensive safeguards against malware, compromised host OSs, and even malicious administrators. The solution protects organizations against these threats: 

  • Keylogging. Keystrokes that users enter while working with Bromium Protected App are invisible to the host. Even if a malicious actor or malware has compromised the host, the host can’t be used to inject keystrokes into the protected VM.  
  • Memory tampering. Because its memory is isolated from the Windows OS, the VM’s memory is tamper proof.  
  • Disk tampering. The VM is isolated and, because the disk is encrypted, it can’t be tampered with.  
  • Kernel exploits. Because the VM is independent of the Windows OS, it isn’t susceptible to a Windows kernel exploit.  
  • Unauthorized user commands. The solution blocks a number of unauthorized commands, including screen captures, downloads, copy and paste, and printing.
  • Man-in-the-middle attacks. The solution encrypts all network traffic between the Bromium Protected App client and the secure server. This means data can’t be viewed in the clear by the user’s host OS or when in transit across the network. 

Benefits of Protected App

By implementing Bromium Protected App, your organization can realize a number of benefits: 

  • Address critical security threats—with unrivaled efficiency and ease. The solution makes it practical to secure the applications that host sensitive data, without having to ensure endpoint devices are free of malware or issue a second PC.  
  • Establish broad protection against a range of threats. Bromium Protected App enables customers to establish strong safeguards around sensitive applications and data, helping ensure confidentiality and integrity. The solution protects organizations’ IP and other sensitive data from a broad range of threats.
  • Deliver a non-disruptive, seamless user experience that maximizes productivity. With Bromium Protected App, users aren’t disrupted. Users can work with the same devices and interact with applications like they always have—without having to learn new interfaces or establish new workflows. 


Security teams can’t ignore the fact that endpoints and networks are susceptible to compromise, if they haven’t been hacked already. To contend with these threats, network segmentation is emerging as a key imperative. With Bromium Protected App, your organization can realize the security of true network segmentation, without having to incur the cost and disruption associated with issuing a second PC for authorized users.  

To learn more, visit the Bromium Protected App page or request a demo. 


This is a Security Bloggers Network syndicated blog from Bromium authored by Kimberly Becan. Read the original post at: