Client virtualization still has its fans and use cases: A look at Hysolate and Qubes OS

Isolation starting from the operating system is one way to ensure data protection without restricting user productivity.

We’ve been looking at different security by isolation methods for protecting users and their data, from isolated browsers to app sandboxing like Bromium and Windows Sandbox. But, you can further isolate user endpoints with solutions like Hysolate and Qubes OS. You may remember Rachel talking about both back when she covered how client VMs have evolved. We’ve covered Bromium already, so it’s time to look at the other two.

Quick review of their similarities

Hysolate and Qubes OS offer similar products aimed at similar, yet different audiences. While many security solutions sit on top of the operating system, Hysolate and Qubes OS serve as either the OS itself or sit beneath in a more trusted level. Both are examples of micro-segmentation and zero trust. They prevent someone from accessing everything should they manage to breach the system from one vector.

Hysolate and Qubes OS share a lot of similarities in their overall methods: both offer a local security solution sitting on endpoints and security through containerization. Additionally, they both can spin up non-persistent VMs that email attachments open into as well as offering copy/paste policies between VMs.

But then differences between the two become more apparent, especially in their philosophies: Hysolate assumes users don’t understand VMs and handles everything involved, while Qubes OS allows users to dive into the nitty-gritty of managing everything themselves. Additionally, Hysolate is commercial while Qubes OS is open source.

Hysolate overview

Designed with the enterprise in mind, Hysolate built their eponymous platform around reducing user friction and improving user productivity while at the same time still offering restrictions to more regulated corporate data. Hysolate came out of stealth in 2018, but more recently released their Hysolate 2.0 platform.

Hysolate sits in a higher trusted state than the operating system, which can be Windows 7, Windows 10, Linux, and eventually macOS (currently in alpha, with GA planned for next year). I spoke with CEO Tal Zamir to learn more about their platform.

He explained that end users will typically see two containers, one designed to be less restrictive and used for anything (personal), while the other will have more restrictions placed upon it (business). Admins can create additional VMs as needed for each user, with the only limitation being up to the endpoint hardware. With Hysolate 2.0, they added the ability to create user privileges where some users can spin up their own VMs. (Tal told me that's just not a typical use case, though.) Admins can also set policies that redirect users to the proper VM depending on the task they’re trying to do. (Example: Maybe they try to log in to Salesforce from the personal VM accidentally; Hysolate will redirect them to the proper VM.)

Another nice feature of Hysolate is that if the user takes a screenshot with both VMs on the screen simultaneously, only the VM they’re currently in will appear. The goal is to protect the more restrictive VM from a hacker should they gain access to the personal VM, but it works both ways.

System requirements for Hysolate aren’t too exacting, with the goal of it working on any endpoint from the last five years. Recommended hardware:

  • 8GB RAM
  • 256 SSD
  • Intel Core i5

Tal explained that their customers often fall into two common use cases: protecting privileged users or allowing developers freedom. The first use case allows privileged workers to complete their work from anywhere through a hypervisor-based VPN, which forces all traffic from the restricted VM through a corporate VPN so it never connects to any outside network (the personal VM still can, though).

The other use case involves finding a middle ground between allowing developers the ability to use or access any OS, app, device while still providing some security for corporate data. With the two isolated containers, developers can still get their work done without too much interference from admins looking to reduce the chance of data exfiltration.

Qubes OS overview

Now, this OS isn’t likely going to appear in the enterprise, given its limited management capabilities and not-especially-friendly setup. Qubes OS serves as more of highly customizable option for single endpoints for the more security-minded whose organization does BYOD. Qubes OS is extremely niche—but there is plenty of GUIs built in that many users could still pick it up and learn it on the fly with all the online guides the Qubes OS website provides. Still, despite it being a more difficult option to use that doesn’t mean it’s not interesting to examine.

Qubes OS is a free, open-source OS based upon Linux and XenClient XT architecture. It’s designed to be installed bare metal and uses a modified Xen hypervisor. It also can be installed on a USB flash drive or external HD for boot, but not in a VM.

System requirements:

  • 64-bit Intel/AMD processor
  • 4GB RAM
  • 32GB disk space (SSD recommended)
  • Legacy boot mode
  • 4.x releases require Intel VT-x with EPT or AMD-V w/RVI
    • Plus, Intel VT-d or AMD-Vi

The whole OS is designed to provide “security by compartmentalization,” breaking out everything into different virtual machines, or “qubes,” with each one based upon TemplateVM.

The default Qubes OS provides three initial VMs classified for work, personal, and untrusted use, as well as a special qube for the dom0 (domain 0, which serves as the initial domain started by the Xen hypervisor), which runs Desktop Manager and Window Manager. That qube is considered the most trusted and does not connect to the internet (reduces the chance it gets compromised). Each user gets to ultimately decide how to use each qube. They also come with a color-coding system, which you could use to indicate security level of qubes if you wish (e.g., red for VMs accessing untrusted websites, etc.). Network cards, USB controllers, and other parts of the OS also have their own containers.

Though everything is broken out into multiple containers, Qubes OS still aims to provide a unified desktop environment. Users can copy and paste between different qubes through a four-step process that deletes your clipboard after each use to prevent accidentally pasting into the wrong qube later. You can create a policy for copy/paste to further reduce data exfiltration.

In addition to the baked-in security features, Qubes OS offers some optional security integrations. Users can add Whonix, Anti Evil Maid, and two-factor authentication. Whonix, based on Debian and Tor, provides additional privacy and anonymity by routing web traffic through Tor. Anti Evil Maid adds a Trusted Platform Module-based static trusted boot. Lastly, users can enable U2F for browsers with the Qubes U2F Proxy.

Qubes OS isn’t perfect. In addition to not being super user friendly, it also has a couple other shortcomings. Games and applications requiring 3-D support won’t work since Qubes OS lacks OpenGL virtualization. It can handle accelerated graphics for desktop effects through Window Manager, however. Another issue is that users shouldn't go into it expecting a multi-user system, as it's really only meant for one; that said, Qubes OS 4.x does have some management functionality added in.

While Qubes OS might have a learning curve, the GUI does keeps improving, making it easier and easier for more users to try it out. A lot of the processes and troubleshooting will require using command line to properly operate but there's plenty of documentation available for those interested in trying this OS out.

I’ve noticed that Linux is a popular choice to build an OS on top of, with examples like Citrix’s Workspace Hub and Chrome OS. It’s not all that surprising why it’s often used; Linux is open source and easy to keep secure. It will be interesting to see if more companies embrace Linux in the enterprise as a secure alternative to Windows or macOS. (It's not a likely outcome, given legacy Windows applications, but we'll see.)

Security through compartmentalization

Neither Hysolate nor Qubes OS are mainstream (yet?), but definitely each have their place. The former is an option for more regulated industries looking for an enterprise option, while the latter is an OS for more technical users desiring additional security. Increased protection through compartmentalization is definitely attractive given the constant threats plaguing the enterprise--and it's something I've seen emphasized at a couple conferences. We’ll have to keep our eye on this developing area and on whether more companies opt for this security method.

Dig Deeper on Virtual and remote desktop strategies