Hardsec as a concept
“Hardsec” is a marketing term coined around 2017 by a number of UK security vendors, including Garrison and Deep Secure, and it manifested itself as hardsec.org.
Replacing or reducing software to minimize attack surface
The punchline is that by replacing or reducing the software (which represents an attack surface and may be exploitable) on the path between ‘trusted’ and ‘untrusted’ with hardware, we can achieve greater resilience.
The concept is by no means new, having been used in high-security settings for decades, but this was the start of its commoditisation.
Two devices glued back to back
The cartoon I provide of the Garrison browsing solution is two devices back-to-back: the video output of one connected to the camera input of the other, plus an IO link for keyboard and mouse.
What they effectively did was take two devices, glue them back-to-back, fit multiple pairs per chassis and make an enterprise play for “secure” browsing.
Virtual desktops an affordable and credible alternative
With the advent of cloud and on-demand desktops, be it Amazon WorkSpaces or Azure Virtual Desktop, we can arguably achieve a similar level of resilience through a protocol break without the need to maintain hardware infrastructure: the browser runs in the cloud desktop, and all that crosses to the user's machine is the remote-display protocol (pixels one way, keyboard and mouse events the other).
I’ve seen companies seamlessly provide their users with their main terminal (laptop, desktop or whatever) while browsing of the Internet occurs in a separate cloud-provisioned virtual desktop, and similarly Outlook in another.
The reality is that for all but the 1% this approach provides far more isolation and resilience against breach and lateral movement than a traditional monolithic desktop, all for a reasonable price and without impinging on productivity or user experience too much.
But what if we really do want hardware separation?
If we really do want to embrace the “hardsec” world, however, there is an alternative, and it won’t cost the earth.
I’ve been watching the open source PiKVM project at pikvm.org with glee for a while. KVM means keyboard-video-mouse, and the concept is that a Raspberry Pi with network connectivity lets you remotely control a physical host: it captures the host's HDMI output and presents itself to the host as a USB keyboard and mouse.
You can quickly see that we’ve hit a parallel to a “hardsec” solution for a fraction of the cost. Two Raspberry Pis back-to-back, one fitted with a PiKVM HAT, give us a non-persistent browsing host controlled from the other over a minimal attack surface of HDMI and USB. Note the direction: the PiKVM Pi is the controlling (trusted) side, so the untrusted browsing Pi only ever sees a display sink and a HID device, and the optional USB mass-storage emulation PiKVM offers should stay disabled so that the USB link stays keyboard-and-mouse only.
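The “non-persistent” part of that browsing host is a property we have to build, not something the HAT provides. The wrapper below is an added example (it is not PiKVM or Garrison code): it runs the browser on the untrusted Pi with a throwaway RAM-backed HOME that is wiped when the browser exits, whether cleanly or by a crash. It assumes, hypothetically, that the browser command is passed on the command line and that /dev/shm is a tmpfs (it falls back to /tmp otherwise); the helper names are mine.

```shell
#!/bin/sh
# Ephemeral browsing-session wrapper for the "untrusted" Raspberry Pi.
# Added example, not PiKVM or Garrison code. Assumptions (hypothetical):
# the browser binary and its arguments are given on the command line, and
# /dev/shm is a RAM-backed tmpfs so the session never touches the SD card.
set -eu

# Prefer a RAM-backed directory so nothing persists across a power cycle;
# fall back to /tmp if /dev/shm is absent or read-only.
session_root() {
    if [ -d /dev/shm ] && [ -w /dev/shm ]; then
        printf '%s\n' /dev/shm
    else
        printf '%s\n' /tmp
    fi
}

# Create a throwaway HOME for exactly one session and print its path.
new_session_home() {
    mktemp -d "$(session_root)/browse.XXXXXX"
}

# Run the browser (any command) with a fresh HOME, an emptied environment
# and fresh XDG config/cache directories, then wipe the directory whether
# the command exited cleanly or crashed. The command's exit status is
# preserved; the wiped path is left in LAST_SESSION_HOME so a caller can
# verify that nothing survived the session.
run_ephemeral_session() {
    home=$(new_session_home)
    mkdir -p "$home/.config" "$home/.cache" "$home/Downloads"
    status=0
    (
        cd "$home" &&
        env -i HOME="$home" PATH="$PATH" DISPLAY="${DISPLAY:-:0}" \
            XDG_CONFIG_HOME="$home/.config" XDG_CACHE_HOME="$home/.cache" \
            "$@"
    ) || status=$?
    rm -rf -- "$home"
    LAST_SESSION_HOME=$home
    return "$status"
}

# Stand-alone use: ./ephemeral-browser.sh run chromium-browser --incognito
if [ "${1:-}" = "run" ]; then
    shift
    run_ephemeral_session "$@"
fi
```

Run it as `./ephemeral-browser.sh run <browser> [args]` from the session that auto-starts on the browsing Pi; because the profile, cache and downloads all live under the wiped directory, every reboot or browser restart starts from a clean state, which is the property the back-to-back design relies on.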
If we don’t want to solder, they’ve just released a Kickstarter where for $145 we can pick up a PiKVM v3 HAT for the Raspberry Pi.
So our bill of materials ends up at approximately £305 or $420 for our “hardsec” solution.
Ollie