Despite having a defense-in-depth approach, it’s often an organization’s end users who unwittingly introduce havoc into the network by opening an email or clicking a link. In this Q&A, Tommy Gardner, Chief Technology Officer, HP Federal, provides a brief introduction to micro virtualization and its role in providing greater immunity against cyberattacks.
What is micro virtualization?
With micro virtualization, when users click a link, a virtual environment that is isolated from the network is created, and the link is opened there. The link is not opened or downloaded onto the user’s network. If the link has malware embedded in it, the malware is activated within this virtual space and when it’s done executing, the virtual machine disappears and the malware goes with it. One advantage of HP’s implementation is that there is no noticeable delay or latency with this process.
Why is micro virtualization important in state and local governments?
Despite training and testing in good cyber hygiene practices, people still make mistakes. Micro virtualization provides an additional layer of protection when somebody inevitably clicks a bad link or an advanced persistent threat overcomes other protections. Even if something slips through, it is immediately contained and eliminated. This is especially critical in environments where a cyberattack could injure people or disrupt essential services.
Why should agencies consider spending Infrastructure Investment and Jobs Act (IIJA) funding on technologies like micro virtualization?
IIJA funding is a one-time deal and if agencies don’t take advantage of it now, they’re going to wish they had next year and the year after. Whether purchasing a printer, a laptop, a workstation or network equipment, you want cybersecurity to be an integral part of the product’s design. As far as cost, someone might think it’s a big win to save $5 a unit by purchasing product X versus product Y. But at the end of the day, if you’re paying a $50 million ransom for an attack that likely could have been prevented by product Y, you may have ultimately cost the organization millions of dollars — and potentially compromised the privacy or well-being of residents.
How can agencies get started on taking advantage of technologies like micro virtualization? How can they learn more?
The first place I would go to learn more is NIST Special Publication 800-204 on security strategies for microservices. Agency technology leaders need to take the lead on learning more about these kinds of emerging technologies. I recommend that technology leaders carve out 10 percent of their work week to keep up with next-generation technologies — whether it’s micro virtualization, quantum technologies or other advances that will have a major impact on our industry. Once they educate themselves, they must then educate the executive-level decision-makers, including the governor. This can happen in routine meetings, where you just spend two minutes to say, “I’m looking into quantum technologies, and here’s what I’ve learned.” That lays the groundwork for the senior level to start thinking about how new technology might be planned for and funded in the future.
