In our article on how VMI works, we touched on a couple of the security features of virtual machines and VMI, but this extremely important topic warrants further discussion. In this article, let’s explore the security benefits in more depth and look at a couple of advantages of VMI over traditional data-sharing approaches.
Where Data Lives and Its Implications
When you download a file, the data for that file is transferred from a remote server to your physical device, where it lives on the hard drive, either temporarily or permanently. With the ubiquity and reliability of the internet, we are so accustomed to quick access to remote data that few people think about the implications of where the data physically resides. Some people may have forgotten that data even has a physical representation! Information security professionals, however, are not those people.
When data is physically present, copying the 1s and 0s is much easier than copying them remotely. Even if the data is protected by passwords and encryption, the physical layout of 1s and 0s on the disk can be copied as an image and the passwords cracked later. Or the disk itself can be stolen. When data is remote, however, there is no way to copy the data itself without breaking into the system. If you cannot get to the server rack physically, you’ll have to do it over a network, and that means breaking in before gaining access.
Now, for any machine to actually use data, it does need a local copy. If you disconnect from the internet, all the webpages already loaded in your web browser do not immediately crash. The data to render those pages lives in RAM, a type of dynamic memory which loses its data when it loses power. Moreover, RAM is expensive, so whatever data lives there is quickly overwritten with new data rather than adding more RAM to hold it. This is why RAM is sometimes called working memory. This short lifespan makes it much harder to copy a RAM state, even with access to the physical device.
In traditional data-sharing schemes, such as a company-issued device or MDM schemes, whatever file is shared is sent to the local device as a download and it resides there. It can be locally manipulated, and if need be, re-uploaded to the original datacenter. However, this means the data itself must reside in permanent media (at least for a while), and this poses a security risk. If the user device is lost or stolen, confidential company data could be compromised.
VMI takes advantage of the short lifespan of RAM data to completely avoid any files living on an employee’s device in long-term storage. This makes stealing data that much more difficult for malicious actors.
The Data the User Receives – an Image Only
Entire files certainly can live in RAM, albeit temporarily. In fact, when an Excel, PDF, or any other file is opened on a computer or smartphone, it is usually loaded into RAM in its entirety. While RAM states are more difficult to copy than hard drive states, a hacker could initiate a RAM dump: the attacker crashes the system so that the contents of RAM are written out to a crash log. Whole, decrypted files and even passwords can sit in RAM in plain view. This attack requires that the sensitive data be present in RAM at the time of the attack, and it only works once (RAM is wiped at startup), but RAM dumps can pose major security threats nonetheless.
To mitigate this attack vector, VMI goes one step further than just avoiding long-term storage. It never sends the files to the device at all! In a VMI setup, data is stored remotely, and all processing takes place remotely. The Excel, PDF, or other file is never present on the user device at all. The only data available on the user device is a visual image, shown to the user through the display window. Thus, even if an attacker were able to force a RAM dump, only the part of the file visible as an image on screen at the time of the attack would be dumped. If only half of Page 1 of the document was visible at the time of the attack, the attacker only gets half of Page 1, not the whole document.
Because only image data is sent to the device, hidden formulas and information not usually visible, like metadata, cannot be captured from a stolen device, either. This is a very powerful security feature that largely limits the exposure of corporate data to malicious activity.
Aside from thwarting sophisticated techniques like RAM dump attacks, this image-only approach also means rogue employees cannot simply copy text to a clipboard, because text in an image is not readily selectable. Of course, many VMI providers, Hypori included, will black out the display window when a screenshot action is detected.
With some data-sharing schemes, such as MDM, who controls a device used in both personal and professional capacities can be a contentious question. This becomes particularly thorny when a security emergency arises and an employee does not want all their personal data wiped while the company wants to nuke the device’s storage. With VMI, it won’t matter. A stolen user device can simply be cut off from the network. Company data never lived there anyway, so there are no contentious legal questions about the extent to which a company may control a personal-professional device. At most, a partial visible image of a file may be stolen.
Server-Side Containerization
So far I’ve only discussed the security from the user device perspective, but there are also important security implications of VMI on the corporate network and systems as well.
VMI can easily be set up to containerize each user’s virtual environment. Not only does this help cut down on computing resource overheads by excising bloatware and running only as many containers as the current demand requires, it also means every user can be effectively quarantined if the need arises. A container is basically a stripped-down virtual machine, and any inputs and outputs from a container can be authenticated before they pass to the datacenter.
For security, this means any illegal read operations can easily be denied, and any illegal write operations can be discarded by the central databases. Since the containers are guest environments, they’re generally restricted by whatever rules the host decides. Since the host machine is under company control on company property, it is much easier for the company to enforce those rules and safeguard its databases.
Furthermore, since a new container can easily be spun up on demand, every session with an employee device can have its own unique identifier, making it simpler to track changes and requests for data. This in turn means malicious activity or stolen devices can be detected early. For example, during the last session, the container for a specific employee was fine. This time, the new container, for the same employee, has attempted 3 illegal reads. This latter session seems rather suspicious and can easily be flagged for further investigation.
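The per-session flagging described above, as an added example that is not part of the original article or of Hypori’s product: it compares each container session’s denied operations against the same employee’s previous session. The audit-log format, field names, paths and the threshold of 3 are constructed assumptions.

```python
"""Flag VMI container sessions with anomalous denied operations.

Added example, not Hypori's code. Assumes a constructed audit-log format:
one line per authenticated container request, carrying the per-session
container id, the employee, the operation and the host's verdict.
"""
import re
# Constructed sample: alice's first session is clean; her next one attempts
# three reads the host policy denied. bob's session is a second baseline.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z session=c-1001 user=alice op=read path=/finance/q3.xlsx result=ok
2024-05-01T09:02:17Z session=c-1001 user=alice op=write path=/finance/q3.xlsx result=ok
2024-05-02T08:58:44Z session=c-1042 user=alice op=read path=/hr/salaries.xlsx result=denied
2024-05-02T08:58:51Z session=c-1042 user=alice op=read path=/hr/contracts.zip result=denied
2024-05-02T08:59:03Z session=c-1042 user=alice op=read path=/legal/deal.docx result=denied
2024-05-02T09:10:20Z session=c-1042 user=alice op=read path=/finance/q3.xlsx result=ok
2024-05-02T09:15:00Z session=c-1043 user=bob op=read path=/eng/roadmap.md result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>\S+) result=(?P<result>\S+)$"
)


def summarize_sessions(log_text):
    """Per-session counts, in order of first appearance (dicts keep insertion
    order). One container spun up on demand == one session id."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess at fields
        s = sessions.setdefault(m["session"], {"user": m["user"], "denied": 0, "total": 0})
        s["total"] += 1
        if m["result"] == "denied":
            s["denied"] += 1
    return sessions


def flag_suspicious(sessions, threshold=3):
    """Flag sessions whose denied count reaches the threshold and exceeds the
    same employee's previous session. Returns (session, user, denied, prev)."""
    flagged, last_denied = [], {}
    for sid, s in sessions.items():
        prev = last_denied.get(s["user"], 0)
        if s["denied"] >= threshold and s["denied"] > prev:
            flagged.append((sid, s["user"], s["denied"], prev))
        last_denied[s["user"]] = s["denied"]
    return flagged
```

Because every session is a fresh container with its own identifier, the baseline is per employee rather than per device, so a stolen device reusing stale credentials shows up as a session that diverges from that employee’s history.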
Finally, because every user has their own container and virtual environment, every session can be encrypted with a different key. Even if an attacker were able to break one key, all other keys would be secure. This contrasts with solutions like corporate VPNs, where a single public key is used by all employees to access the entire internal network. If that key is broken, all communications through that VPN would be compromised.
VMI is Not Security Perfection
VMI offers plenty of security advantages over other approaches to protecting confidential data while enabling remote work. Among these advantages are containerization, image-only data, and data at rest being entirely remote. However, that does not mean VMI is perfect.
One of the weaknesses of VMI is the network upon which it relies. For any remote connection, this will be a problem. Networks can be unreliable or contain security holes. For hyper-sensitive data, such as military and state secrets, it may be necessary to air-gap machines. In that case, if management even permits off-site work, a corporate device issued solely for work, with no connectivity abilities, may be a better approach.
All in all, VMI offers plenty of security advantages for the typical corporate environment. VMI offers advantages in other areas, too, like cost control and user satisfaction (any device, no privacy invasion). Browse our blog for technical explanations and other analyses of VMI’s potential.
Or contact a sales representative to help guide you through the technical and business issues and how VMI might fit your company and workforce.