Menu
Here's how Microsoft is using containerization to protect Edge users

Here's how Microsoft is using containerization to protect Edge users

Windows Defender Application Guard locks untrusted browsing sessions away from the rest of the OS

One of the biggest security risks for computer users is their web browser. According to Microsoft, 90 percent of phishing emails use the browser to initiate attacks, which can then be used to help attackers establish a beachhead inside a company.

Microsoft is aiming to better protect users and organizations from the threats that they face with a new feature called Windows Defender Application Guard. It's designed to isolate Microsoft Edge from the rest of the files and processes running on a user's computer and prevent computer exploits from taking hold.

This is a move that could drive greater adoption of Microsoft's browser in the enterprise, at a time when the company is fiercely competing with Google in that space. Security of company assets is a big problem for enterprises, and Microsoft is offering them another way to help protect their users without requiring those users to be security experts.

Here's how it works: when users navigate to untrusted websites in Edge with the feature enabled, Microsoft’s browser launches new sessions that run in virtualized containers on their Windows 10 PCs and tablets.

In the event there’s malicious code on those sites that tries to deploy on users’ machines, it gets deployed into the container, isolated from the operating system and everything else.

When users quit their Edge sessions, the container is destroyed, and the malicious code is supposed to go along with it, thereby protecting users from whatever payload they may have been exposed to.

According to Rob Lefferts, Microsoft's director of program management for Windows Enterprise and Security, the other key thing about the feature is that the container’s isolation is enforced using a secure root of trust that runs on the computer’s processor itself.  

While Application Guard is a powerful capability, that comes at a cost. Because the container is destroyed whenever a user quits Edge, any cookies or cached items accumulated during that time go with it. In other words, even if users check the "Remember Me" button on a website, they'll have to log back in next time they open Edge. Virtualizing Microsoft's browser will also lead to some loss of performance.

IT administrators will be able to set the service up to whitelist certain trusted sites which will run in a traditional, non-containerized form, so users can get the same sort of browsing experience they're used to from those sites.

Lefferts cautioned that the feature won't be right for every organization, or even every employee.

"It is really [for] environments that want to run locked-down browsers," he said in an interview. "Finance organizations, healthcare organizations, a whole slew of military organizations that I talk to."

Microsoft is still in the process of building the feature, and will be rolling it out to Windows Insiders in the coming months. The company expects Windows Defender Application Guard to be generally available some time in 2017, for organizations that are subscribed to the Windows 10 Enterprise E3 and E5 plans.

That means there are still some questions left unanswered about what Windows 10 Application Guard will mean for users. For example, the company isn't saying yet what sort of impact running Edge in a container will have on its performance.

Lefferts said that the company is still working on getting the performance right, and wants to make both the Edge startup experience and the browsing experience feel good to users.

Looking forward, Microsoft may make the same containerization technology available to other applications, Matt Barlow, the corporate vice president for Windows Marketing, said during a press conference. But right now, the company is working to ship the first version of the feature.

Windows Defender Application Guard is one of a number of security-focused announcements that the company made at its Ignite conference in Atlanta, Georgia on Monday. It also announced that Windows Defender Advanced Threat Protection and Office 365 Advanced Threat Protection will share intelligence across both services to provide IT administrators with an easier way to manage threats.  

The company is also releasing a new Secure Productive Enterprise service, which gives companies an easy way to buy a suite of its advanced security capabilities across Office, Windows and its Enterprise Mobility + Security suite.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags MicrosoftWindows 10

Featured

Slideshows

Sizing up the NZ security spectrum - Where's the channel sweet spot?

Sizing up the NZ security spectrum - Where's the channel sweet spot?

From new extortion schemes, outside threats and rising cyber attacks, the art of securing the enterprise has seldom been so complex or challenging. With distance no longer a viable defence, Kiwi businesses are fighting to stay ahead of the security curve. In total, 28 per cent of local businesses faced a cyber attack last year, with the number in New Zealand set to rise in 2017. Yet amidst the sensationalism, media headlines and ongoing high profile breaches, confusion floods the channel, as partners seek strategic methods to combat rising sophistication from attackers. In sizing up the security spectrum, this Reseller News roundtable - in association with F5 Networks, Kaspersky Lab, Tech Data, Sophos and SonicWall - assessed where the channel sweet spot is within the New Zealand channel. Photos by Maria Stefina.

Sizing up the NZ security spectrum - Where's the channel sweet spot?
Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Show Comments