Home » Security Bloggers Network » How We Used the Latest Windows10 Technology to Build an Isolated Workspace-as-a-Service

How We Used the Latest Windows10 Technology to Build an Isolated Workspace-as-a-Service

by Oleg Zlotnik on September 23, 2020

Hysolate has been providing hyper-isolated environments to endpoint desktops for years. Using that knowledge and experience that we have gained, we recently released Isolated Workspace-as-a-Service (IWaaS), which brings some exciting and novel capabilities to the user’s desktop, leveraging state of the art virtualization and container technologies.

In this post, we’ll try to get a deeper look at the technological breakthroughs that allowed us to build IWaaS. But before diving in, let’s have a short recap of what IWaaS is.

IWaaS enables organizations to instantly deploy and manage local virtual environments, that we call workspaces, on any workstation – both managed and personal devices. It provides a strong VM-based isolation, combined with security, networking, and application policies, that are centrally managed from the cloud. As IWaaS runs locally, no additional data center costs are required.

In this post we will go over some common organization challenges that IWaaS helps to solve. You can also learn more during our live webinar on September 30th.

Protect corporate devices with isolated workspaces for high-risk activities

With Hysolate, administrators can provision a second environment, completely isolated from the fully managed host environment, where users can perform work that previously was not allowed.
That might include web browsing to some non-whitelisted websites, 3rd party app installation, and full access to external devices such as USB and printers that were previously blocked.
For the security team, that’s great news! They can now restrict, harden, and secure the host OS even more, while the users are happy that they can do even more than before – in the new isolated workspace environment.

Some of the technical requirements for that use case would be:

Sponsorships Available

Complete guest to host isolation between the two environments, so in case the productivity environment is compromised, the host OS remains safe.
A separate network stack that allows users to access web pages that were previously blocked by the corporate proxy, with increased privacy. Malware getting into the productivity environment must remain isolated also on the network level, not being able to spread to other corporate devices and servers.
Excellent performance, allowing users to use apps like Zoom for work (that might have been prohibited before, due to recent vulnerabilities) but also to watch Netflix in their personal time.

Secure corporate access from BYOD

With Hysolate, users who are working from home or using their personal laptops can instantly provision a 2nd secure environment for corporate work. That corporate environment would be pre-bundled with the apps that are needed for work, combined with policies that allow secure remote access, without affecting the personal environment. IT admins can think of it as deploying a pre-configured, deterministic, and ready for use Docker file that works on any personal environment while providing complete separation between personal and corporate data.

Some of the technical requirements for that use case would be:

Strong host to guest isolation between the two environments, keeping the corporate data secured from potential malware on the host.
Immediate provisioning and no OS management overhead – IT doesn’t want to manage more (even if virtual) OSes or maintain heavy deployment methods.

No matter the use case, we would also require consumer-grade UX for users, and easy central management for administrators.
Let’s now dive into the technology that helped us build IWaaS.

Virtualization

Many people know Microsoft’s Hyper-V, a hypervisor that runs a huge chunk of the virtual machines out there, both in the cloud as Azure VMs, and on private data centers as Windows Server VMs. Being so popular means it’s also very targeted by attackers. Microsoft invested a lot into securing it, including a generous bug bounty program, that made it one of the most secured hypervisors out there.

Some people might also be familiar with the new Windows Containers technology that we’ve covered before. But did you know there are actually four types of containers inside Windows?

Helium – application isolation, based on filesystem and registry virtualization. Used mainly for Windows Store Apps containerization. No security guarantees.
Argon – user session isolation, with a shared kernel. No security boundary.
Krypton – hypervisor isolation – a container running on a lightweight Hyper-V VM, which is based on the host kernel. Resistant to kernel attacks.
Xenon – hypervisor isolation used for hostile multi-tenant hosting. The VM can be based on multiple different kernels. Also known as Hyper-V Containers.

With the main goals of security and performance, Hysolate is the first company outside of Microsoft to use Krypton Containers and we’ve built IWaaS upon it.

It might be clear how hypervisor-based isolation provides the best security boundaries, but what about performance? Some of the benefits of using Krypton Containers over traditional Hyper-V VMs:

Reduced disk space – the OS inside the container is a clean copy of the host’s OS. The host’s system binaries are mapped as read-only NTFS reparse points into the guest, eliminating the need to keep 2 copies of every system binary as with traditional VMs. The entire size of the container, able to run a full Windows 10 OS, is less than 20Mb.
We then validate the integrity of the mapped files inside the container by levering other technologies such as Code Integrity.

Improved memory management – the container’s memory is managed dynamically by the host’s kernel, as if it was a simple application. Unlike traditional VMs, where memory is preallocated regardless of actual usage in the guest or the host, leading to inefficient utilization.
Improved scheduler and CPU usage – the guest’s scheduling is done from the host’s kernel, as if it was another process, leveraging some of the advanced NT scheduling features. That leads to better CPU utilization and reduced power/battery consumption.
Paravirtualized GPU – the hypervisor can expose a fully paravirtualized GPU, with full DirectX support, allowing to use modern hardware-accelerated applications inside the container. Traditional VMs usually emulate the GPU in software, providing poor performance and high CPU usage.

Other than saving space, reusing the host’s files for the container allows us to deploy IWaaS instantly. But not only can administrators deploy IWaaS to the entire organization within minutes, they also don’t need to manage the OS patching. As long as the host is patched (we provide a host checking tool to enforce that), the container is fully patched too.

Networking

Hysolate IWaaS provides administrators full networking controls, where they can enforce networking access based on IP addresses, protocols, and unlike with most hypervisors, also by domain names – similar to advanced firewalls.
We then apply the administrator’s policy as Windows Filtering Platform rules, that provide excellent security (Windows Firewall and other filtering features are using it too) and performance.

To make security even better, the enforcement happens outside of the container, on a dedicated Hyper-V virtual switch, making it not vulnerable to attacks from inside the container. For example, DNS requests that originate from the container, are intercepted by our DNS proxy and are sent to the target only if allowed by the policy.

Those capabilities allow administrators to restrict network access only to the corporate VPN gateway or web proxy in the BYOD use case, or to a dedicated secure web access gateway in the productivity use case. In both cases, malware on the personal environment won’t be able to utilize network attacks to infect the corporate environment.

More security

While we’ve set strong hypervisor-enforced boundaries between the container and the host, those boundaries sometimes need to be crossed in a controlled way. We provide administrators with an easy but powerful way to control how data is transferred between the environments. For instance, in the secure BYOD use case, it’s possible to allow file transfers only to the host, to reduce the chance of copying an infected file into the corporate environment, but allow copying text both ways.

Not only can we greatly reduce the chances of malware getting into the container, but we can also prevent malware and insiders from accessing corporate files by reading them directly from the container’s disk on the host.
By default, the container’s disk is fully encrypted with the industry-standard and FIPS 140-2 compliant BitLocker Full Disk Encryption, making it almost impossible to read the disk’s content from the host.
Additional anti-malware protections include anti-keylogging and and anti-screenshotting from the host, to reduce chances of sensitive data theft even more.

Other centrally managed policies allow control of cross-environment printing, automatic redirection of certain (or all) USB devices and Web Cameras into the container, and more.

Additionally, we provide an easy way to customize IWaaS security settings, without using traditional management tools such as Intune. Administrators can easily control whether users can be elevated to Windows administrators, with or without UAC or are they allowed to download or install 3rd party software (can be granularly fine tuned with Windows Defender Application Control policies).

Finally, if a laptop running IWaaS is suspected to be compromised or stolen, administrators can remotely lock or wipe the container’s disk, to protect sensitive data. It’s also possible to define rules to lock IWaaS automatically when the laptop leaves a geographic perimeter (geofencing) or if it hasn’t reached out to the management console for a specified time.

UX and usability

We’ve worked hard to make IWaaS friendly and intuitive to both administrators and end-users.On the administration part, we’ve built our management console as a cloud service. This makes it easy to use, without the overhead of hosting, maintaining and securing the console, which we take care of for you at the highest standards, with SOC 2 and ISO 27001 certification.
With the integration to your existing identity provider, such as Azure Active Directory, it’s easy to invite specific users or a group of users to start using IWaaS.

On the endpoint, IWaaS can be installed manually through an email link, or automatically through Intune and other MDM systems. After the installation, users get a friendly walkthrough of IWaaS and how to use it. But honestly, there is not much to explain as we’ve made it very intuitive.

For example, the Isolated Workspace environment uses a dedicated Windows theme with a unique color, clearly distinguishing it from the main desktop. Some other Windows settings were tweaked to make the UI inside the container simple to use. Furthermore, while the Isolated Workspace is a separate OS running in a VM, the environment feels just like another desktop in Windows 10, similar to the Windows 10 multiple desktops feature. We make sure this Isolated Workspace “desktop” is consistent with the user’s environment, including synchronization of display settings, regional settings, time zone, language/keyboard input methods, etc.

Beyond usability features, we were also able to make the Isolated Workspace to load and respond quickly, even when behind the scenes there is a lot going on, including the creation of an instant VM based on the host OS, combining it with a separate user disk, attaching admin-provisioned apps, configuring security policies, etc.

To summarize, Hysolate Isolated Workspace as a Service leverages the latest virtualization tech from Microsoft combined with our patented IP and domain expertise for making virtualization practical to users, IT, and security teams.