At Bromium, we think of everything you do, or rather of each thing you are doing at a given moment, as a task.
In an earlier blog post, our CTO, Simon Crosby, stated that we define a task as “the most granular unit of computation, initiated on behalf of a user, that can completely and successfully execute with the least possible resource access. Resources here mean files, network services, sharing mechanisms, interaction with the user, or any devices.”
The architecture we’ve built takes an anthropological approach to human-computer interaction. Tasks are personal, contextual, and ephemeral activities. Let’s break it down:
A task is the answer to the question, “What are you doing?” at any given moment. My answer and the answer IT wants differ because the tools at IT’s disposal have simply never taken my humanity into account.
My answer: I’m taking a break from reading reports to pay my bills online.
The answer IT wants: I’m wirelessly connected to the HQ LAN on my domain-joined, corporate-issued Lenovo x220 running Windows 7 64-bit Service Pack 1, using Internet Explorer 9 to connect to a banking web site over SSL and interact with highly privileged personal information in the same browser instance in which I am connected to the corporate intranet SharePoint.
Context is everything that surrounds the question, “What are you doing?”: the Who, What, Where, Why, When, and How. Each of those variables radically changes my answer. Take the “who” variable in the scenario above:
If my wife is asking, “I’m paying our bills online.”
If my boss is asking, “I’m going through those documents you asked me to review.”
If someone I don’t know is asking, “None of your business.”
My answer to “what are you doing?” changes very quickly, especially when multi-tasking. When I change context between applications or browser tabs, I’m changing what I’m doing. Even when I go back to the tab I just came from I might be doing something else. Just for kicks, here’s what my browser tab and task bar look like right now:
Having covered what tasks are to us at Bromium, let’s also cover what they are not:
Tasks are not applications
When I use Internet Explorer to get to salesforce.com, IE is not “the task”; it is a means of accomplishing the task. Putting IE in an application sandbox doesn’t protect me when someone hijacks my browsing session: the sandbox guards the desktop against the browser, not one site’s session against another. The reality is that every URL is a cloudy blob of apps. Should one of them be malicious, a virtual browser doesn’t protect the apps from each other, and doesn’t protect my desktop if the malicious app breaks out of the sandbox.
Tasks are not desktops or endpoints
Enforcing absolute rules on software signatures or behavioral usage numbs me into clicking through whatever it takes to make warning windows go away. Desktop virtualization puts the onus on me, the user; I must be cognizant of what is allowed, supposed to happen, or functional in each desktop (i.e. this is the desktop where I can browse the web, this other desktop is the one where I can access SAP, etc.).
Legacy security solutions are monolithic. They exist to simplify policy enforcement, not to enable users. It seems obtuse to assume there could be a static rule system for all possible user activities, yet that is the status quo. Instead, we at Bromium take a machete to the classic computing architecture, and create slices in time, compute, and resource allocation that allow tasks to exist as independent entities with policies appropriate to the use case – without degrading the user experience.
In IT-architecture terms, each task runs as its own purpose-built, hardware-isolated micro-VM. That micro-VM carries dynamic information, application, operating-system, network, resource, and peripheral policies, deployed from a centralized policy configuration, and exists to accomplish a single activity. When the activity ends, the micro-VM is destroyed, which protects the underlying infrastructure, sensitive information, and concurrent tasks from whatever happened inside it. In the context of me, the end-user, I’m just doing what I need to do, finally.
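To make the contrast between “one browser instance holding both sessions” and “one ephemeral, least-privilege container per task” concrete, here is a small model of the idea. It is an added illustration written for this page, not Bromium’s code and not a description of how its micro-VMs are implemented: the task policy is modelled as a deny-by-default allow-list over files, network hosts, and devices, and the micro-VM as a Task object whose scratch state is discarded on destroy(). The policy names, paths, and hostnames are invented for the example.

```python
"""Toy model of the per-task isolation idea described in the post.

Added illustration, not Bromium's code or product internals. The allow-lists,
paths and hostnames below are constructed for the example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class TaskPolicy:
    """Least-privilege allow-list for one activity. Anything not listed is denied."""
    name: str
    files: tuple = ()      # glob patterns for paths the task may read/write
    network: tuple = ()    # glob patterns for hosts the task may reach
    devices: tuple = ()    # devices the task may touch (printer, webcam, ...)

    def allows(self, kind: str, target: str) -> bool:
        return any(fnmatchcase(target, pat) for pat in getattr(self, kind))


class Task:
    """One micro-VM-like container: built from a policy, holds only scratch
    state (cookies, downloads), and forgets everything on destroy()."""

    def __init__(self, policy: TaskPolicy):
        self.policy = policy
        self.state: dict = {}
        self.denied: list = []   # audit trail of blocked accesses
        self.alive = True

    def access(self, kind: str, target: str) -> bool:
        if not self.alive:
            raise RuntimeError(f"task {self.policy.name!r} already destroyed")
        if self.policy.allows(kind, target):
            return True
        self.denied.append((kind, target))   # deny by default, and record it
        return False

    def destroy(self) -> None:
        self.state.clear()
        self.alive = False


# Constructed policies for the two activities in the post (hypothetical names).
PAY_BILLS = TaskPolicy(
    name="pay bills",
    files=("/tmp/pay-bills/*",),
    network=("*.bank.example",),
)
REVIEW_REPORTS = TaskPolicy(
    name="review reports",
    files=("/home/me/Reports/*", "/tmp/review-reports/*"),
    network=("sharepoint.corp.example",),
    devices=("printer",),
)


def shared_browser_instance() -> bool:
    """Status quo from the post: banking and intranet tabs share one browser
    instance and its state, so a hijacked intranet page can read the bank cookie."""
    instance_state: dict = {}
    instance_state["bank_cookie"] = "session=bank-abc"   # set by the banking tab
    return "bank_cookie" in instance_state               # visible to every tab


def isolated_tasks() -> dict:
    """Per-task isolation: each activity gets its own policy and scratch state."""
    bills = Task(PAY_BILLS)
    reports = Task(REVIEW_REPORTS)
    bills.state["bank_cookie"] = "session=bank-abc"

    outcome = {
        "bills_can_reach_bank": bills.access("network", "online.bank.example"),
        "bills_can_reach_intranet": bills.access("network", "sharepoint.corp.example"),
        "bills_can_read_reports": bills.access("files", "/home/me/Reports/q3.pdf"),
        "bills_can_print": bills.access("devices", "printer"),
        "reports_can_print": reports.access("devices", "printer"),
        "reports_can_read_reports": reports.access("files", "/home/me/Reports/q3.pdf"),
        "reports_sees_bank_cookie": "bank_cookie" in reports.state,
        "bills_denials": list(bills.denied),
    }
    bills.destroy()   # the activity is over: its session state goes with it
    outcome["bills_state_after_destroy"] = dict(bills.state)
    outcome["bills_alive"] = bills.alive
    return outcome


if __name__ == "__main__":
    print("shared instance leaks bank cookie:", shared_browser_instance())
    for key, value in isolated_tasks().items():
        print(f"{key}: {value}")
```

The denial list is the part worth keeping in a real design: a task that needs only its bank and a scratch directory should never be asked to print or read report files, so any such request is either a policy gap to fix or a sign that something other than the user is driving the task.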