SECURITY

IGEL Preventative Security Model

IGEL enhances the security of the edge while making it more maintainable, more secure, and more recoverable.

Secure by design endpoint security
Eliminates ‘monitor, detect, remediate’
Eliminates complex endpoint security agents
Significantly reduces Ransomware risks

IGEL's preventative security model takes a different approach to endpoint security compared to the traditional reactive model.

With IGEL's operating system being read-only, no local data or user profiles are stored on the endpoint device, reducing the attack surface. The OS is also modular, only deploying necessary applications.

Everything is encrypted all the time from the hardware layer to applications. There is a full chain of trust that must be validated for the system to start.

IGEL allows for rapid recovery of endpoints to a known good state similar to virtual infrastructure, avoiding the need to reimage devices after an incident.

This preventative approach reduces risks like ransomware and makes managing secure endpoints easier and more scalable.

Listen to the overview here:

FEATURE FOCUS

IGEL OS is inherently secure due to several key features and design principles. Here are some of the features that contribute to its inherent security:

Read-only and tamper-proof firmware: IGEL OS is structured as a modular, read-only, and tamper-proof firmware base. This design ensures that the operating system remains unchanged and prevents unauthorized modifications or tampering, reducing the risk of malware infiltration.
Small attack surface: IGEL OS has an extremely small attack surface, meaning there are limited entry points for potential attackers. By minimizing the attack surface, IGEL OS reduces the vulnerabilities that can be exploited by malware.
Chain of trust: IGEL OS features a "chain of trust" for end-to-end system integrity. This chain of trust is verified during each boot-up process, starting with UEFI secure boot and extending to the digital workspace VDI host or cloud. It ensures that the firmware and software in the startup sequence have not been tampered with, providing assurance of system integrity.
Integrated security technologies: IGEL OS incorporates a range of integrated security technologies and safety mechanisms. These technologies bolster system integrity and add obstacles to deter opportunistic attackers. For example, IGEL OS supports authentication and single sign-on technologies through integrated PKCS11 libraries, enabling multi-factor authentication and access control.
Cloud-based data storage: IGEL OS is designed for cloud and digital workspaces, where the majority of data is stored in the cloud rather than on the endpoint device. This approach reduces the value of the endpoint for hackers, as there is limited valuable data stored locally.

If you were to remember only three things, I think these three would resonate the most.

NO RANSOMWARE

Ransomware keeps CISOs up at night and for good reason too. It’s becoming more common and more sophisticated. It’s an established money maker, so it’s not going anywhere anytime soon.

IGEL can help with the following facts:

IGEL is a Read-Only OS
No data kept on the point
No internal File systems to manipulate

What this means is even if the end user clicks on a malicious link. Nothing will happen. Your Data is safe, and your user's dignity is intact.

CISOs can rest a little easier now.

NO MORE PATCHING

SAY “SO LONG” TO CONSTANT PATCHING

FORGET MULTIPLE PATCHES FOR MULTIPLE MACHINES.

Deploy your patches all in one go in your secure data center or cloud workspace environment. Then immediately revert to an earlier image if you encounter problems. Roll out new apps and software quickly and securely, and bring new users into your network with ease.

IGEL OS makes maintaining endpoint security easy and smart.

All Windows updates, and patches take place in the secure data center or cloud.
Patches can be performed without the need for a VPN.
IGEL OS updates on endpoint devices are super-easy to execute via a console drag-and-drop
Many thousands of IGEL OS-powered endpoints can be updated at once or any subset.
IGEL OS verifies all IGEL OS updates at each endpoint to ensure a secure process.

NO NEED FOR A VPN

VPN’s have been an unfortunate but necessary byproduct of remote desktops. It’s not ideal for the IT admin or the end user. Not to mention a pricey component of a remote work strategy.

Thankfully with IGEL, no VPN is required. 👍

All connections between IGEL Universal Management Suite (UMS) and IGEL OS-powered endpoints run over a secure tunnel
No need for VPN: remote devices can be fully managed via the IGEL Cloud Gateway (ICG) feature
UMS console admins can use ICG to securely shadow remote user devices, taking over the device keyboard and mouse for troubleshooting

SECURING REMOTE WORK

Transitioning to remote work has been a game-changer, but it's also introduced new cybersecurity risks. Many companies are now managing a complex patchwork of devices, networks, and cloud solutions. This expanded digital footprint offers hackers more surfaces to attack.

So how can organizations lock things down? Experts recommend starting with employee endpoints. Switching to a lightweight yet secure Linux-based operating system can help bulletproof devices against malware and unauthorized changes.

Just as important is keeping sensitive data off local devices entirely. Migrating to the cloud allows centralized security and ensures access if endpoints get compromised.

Finally, using multi-factor authentication and least privilege controls for all logins limits exposure if credentials are stolen.

As cyber threats continue evolving, IT teams must stay agile and keep fortifying endpoint, cloud, network, and access security. But with the right solutions in place, companies can confidently embrace flexible work while keeping their data safe.

The key is using technology judiciously to simplify rather than complicate security in the hybrid world.

Link to an article in Cyber Defense Magazine:

TOP REASONS

Top reasons to choose IGEL as part of your Endpoint Strategy.

Secure OS

IGEL OS is secure by design with built-in security capabilities to protect your endpoints.

A read-only OS
Modular control
A lightweight, minimal-attack surface
IGEL Chain of Trust verified boot
End-to-end system integrity

Management

Unify and Control All Your Endpoints

Secure TLS tunnels
File transport encryption
No VPNs necessary
Secure shadowing
Centralize updates
Streamline patches
USB port control

Evolving Ecosystem

Multi-layer approach to endpoint security with integrated technologies

IGEL Ready partners
Integrated PKCS11 libraries
Multi-factor authentication
Single sign-on technologies
Biometric solutions

Trusted Partner

Proactive security checks by the IGEL security team protect your endpoints and your business.

Frequent vulnerability assessments
Secure Software Development Lifecycle (SDLC)
Security bulletins for customers
Regular independent Pen testing

REDUCE THE ATTACK SURFACE

NEED SOME MORE DATA ON SECURITY?

This section delves a lot deeper into the how! If you need something else, please feel free to reach out:

Mike Broadwood

Comprehensive Endpoint Protection for the Secure Enterprise

Many organizations that adopt remote desktop session hosts, virtual desktops, and desktop-as-a-service models do so in part to reduce security exposure at the endpoint.

Moving Windows OS execution from endpoints to a centralized data center or cloud environment supports this goal in numerous ways. However, an OS footprint on the endpoint is still required to deliver remote application and desktop access and support local connectivity, display, and peripheral requirements.

IGEL OS is the next-generation edge OS for cloud and digital workspaces that was created with this specific purpose in mind. Based on Linux and structured as a modular, read-only, and tamper-proof firmware base, IGEL OS has an extremely small attack surface and a broad array of security-focused features designed to minimize exposure and prevent attackers from infiltrating your organization through the most popular entry point: the network edge.

Security is central to the design and ongoing development of IGEL OS, and the following tables summarize its integrated security capabilities.

‣

PRE-INSTALLED SECURITY

PRE-INSTALLED SECURITY	CAPABILITY
MODULAR PARTITIONS	Allows for specific features (e.g., Citrix Workspace, browser, ThinPrint, etc.) to be turned on or off on a per endpoint basis. Sensitive partitions are encrypted to further secure critical data and other features. IGEL OS 11.06.100 and subsequent versions offer an AES XTS-plain 64encryption option. This requires users to enter a passphrase after booting. This modularization helps to decrease the endpoint’s attack surface further.
Auto log-off	By combining a session type with an automatic log-off command, the device can log the user out of the last session. A username and password are required to log in again.
Pre-installed security features	Pure Kerberos-Ticket-Handling, based on username and password, with sophisticated “Two-Factor-Smartcard-Solutions“ (smartcard and PIN) through a “three-party-constellation“ • IGEL OS-powered endpoint devices • Active Directory infrastructure • Kerberos enabled service (s.a., Citrix XenApp or XenDesktop) Sophisticated rules and rights rollout management across the network on the application level and for services. No local “Fake-Active-Directory. “
VNC Secure Mode	Enables adherence with company compliance standards, including the following controls: • Log the shadowing • Distribute different shadowing permissions • Define shadowing groups and security levels • Ban VNC sessions between client to client (if it is integrated into the client desktop) • Allow only the IGEL shadowing or a 3rd party VNC client to communicate with the UMS console • Ban external/unknown 3rd party VNC clients in the whole network • Encrypted with TLSv1.2
Recycle bin	Deleted objects are moved to the recycle bin, where you can restore objects to the original point or delete objects permanently. Objects deleted by mistake can be restored.
High availability extension	The high availability extension enables new settings to be rolled out to several hundred devices simultaneously in large environments. An upstream UMS load balancer takes over load distribution and ensures that each device can receive new settings anytime without overloading network capacity. More details on Knowledge Base.
USB management	USB management provides essential protection from security risks. USB devices such as pen drives, wireless controllers, or printers can be used to steal data or execute unauthorized software or even malware. To minimize the attack surface on an IGEL OS-powered endpoint, the USB ports can be deactivated. In IGEL Setup, you can configure rules to block access to undesired USB devices. A step-by-step guide is available on USB Access Control in Knowledge Base IGEL USB-Management (basic function) is based on USB class, vendor/ product-ID, or by device UUID, with a very simplified access and denial mechanism. FabulaTech (extended function, requires optional server components from a third-party vendor) is based on protocols (RDP, Horizon, Citrix), and features depend on the used protocol. DriveLock Thin Client Suite is based on virtual protocols, across each protocol with user-dependent USB management enabling a very high safety standard

‣

IGEL CHAIN OF TRUST

The chain of trust ensures that all components of your VDI/cloud workspace scenario are secure and trustworthy. A controlled boot sequence is initiated upon switching on the device. Each component checks the cryptographic signature of the next and only starts it if it is signed by a trusted party such as IGEL or the UEFI Forum. The IGEL chain of trust runs with IGEL OS on any compatible x86-64 device.

On IGEL OS-powered devices, the chain starts at the UEFI, which checks the bootloader for a UEFI Secure Boot signature. The loader, in turn, checks the Linux kernel of IGEL OS. If the signatures of the OS partitions on the hard disk are correct, IGEL OS is started, and the partitions are mounted.

If users connect to a VDI or Cloud environment, access software such as Citrix Workspace App or VMware Horizon checks the certificate of the server they are connecting to.

This chain ensures system integrity as it makes sure that none of the components in your environment have been tampered with – a great foundation for secure end-user computing.

‣

SYSTEM INTEGRITY

SYSTEM INTEGRITY	CAPABILITY
Partition confirmation checks	Signature checks on both update and boot processes for both system and user partitions detect tampering. If positive, the system will not boot. If any other partition is impacted, the system will boot with impacted modules deactivated.
Flash media cannot be mounted on any other device	IGEL uses its own partitioning system with compressed partitions that obfuscate data. Checksums of IGEL partitions avoid loading of modified code.
Protected configuration	Configuration is written to a dedicated and encrypted partition. IGEL OS 11.06.100 and newer, offers an AES XTS-plain 64 encryption option. This requires users to enter a pass phrase after booting.
Fail-safe firmware update	Firmware updates always finish completely while the device remains running and stays bootable. Critical updates are always processed in two phases to ensure success.
UEFI secure boot	IGEL OS bootloader signed by Microsoft (on behalf of UEFI Forum) on IGEL boots on systems with UEFI Secure Boot enabled. Only boot loaders signed with keys designated by IGEL or Microsoft keys approved by IGEL can load the operating system • IGEL generates and manages the cryptographic platform exchange keys, which are included in the corresponding UEFI versions • On IGEL OS11, “secure boot” mode is activated as the default value in the UEFI (BIOS)
Secure browser via AppArmor.	Secure browser with restricted access to sensitive data with the following characteristics: • SSH key can’t be read or new keys added • IGEL configuration and firmware update scripts are not accessible • No view of configuration files • Java is completely disabled • No downloads • Access Yubikey: two-factor authentication
Ericom Shield	This tool executes web content in an isolated container on a virtual browser and renders webpages as a safe, interactive media stream for secure browsing.
Center of Internet Security (CIS) verification	Passed benchmarks for suite of CIS tests pertaining to safeguarding against cyber threats.

‣

INTEGRATED TECHNOLOGIES

INTEGRATED TECHNOLOGIES	CAPABILITY
Pre-installed VPN solutions	OpenVPN is supported via VPN-based IGEL client management by IGEL UMS. NCP-e VPN client (optional NCP-e licensing) uses the universal IPsec client. Genua GenuCard support includes full management through the IGEL UMS with connection buildup through the IGEL managed client and support for ADSL, LAN, EDGE, 3G, and 4G connections. VS-NfD, NATO RESTRICTED, and RESTREINT UE are authorized and certified.
Keyboard encryption	Keyboard encryption via the Cherry Secure Board guarantees immediate encryption of keystrokes.
IP-based cryptosystem	IGEL OS supports SINA workstations from secunet that are approved for processing classified information up to and including SECRET, NATO SECRET, and SECRET UE/EU SECRET.
Pre-installed SSO solutions	Smartcard support is individually adaptable using IGEL Partitions. The following are tested with IGEL OS. • IGEL Smartcard • SecMaker NetID • SafeNet Aladdin eToken • Gemalto SafeNet middleware for Gemalto/SafeNet eToken, IDPrime smart cards and token • cryptovision sc/interface middleware for cryptovision smart cards • Gemalto IDPrime smart cards • Athena IDProtect middleware for Athena IDProtect smart cards • A.E.T. SafeSign middleware for SafeSign smart cards • Secmaker Net iD middleware for Net iD smart cards • Coolkey middleware Coolkey • OpenSC middleware OpenSC • 90meter middleware Smartcard reader support is individually adaptable via IGEL Partitions. The following are compatible with IGEL OS. • Elatec TWN4 CCID • PC/SC Lite • M.U.S.C.L.E. • HID OMNIKEY • REINER SCT cyberjack Authorization software integrated into IGEL OS • Imprivata OneSign ProveID Embedded • Evidian AuthMgr
Contextualizing	IGEL OS supports DeviceTrust, which considers various contextual information (IP, geolocation, network, etc.) when controlling access to data and applications. This makes it easy to implement fine-grained, compliant access control.
Pre-installed biometric solutions	IGEL OS supports biometric peripherals like • Crossmatch fingerprint readers • Fujitsu palm vein scanner

QUESTIONS TO ASK

Are you accessing any cloud-based workloads?
Do you have people who need to work from home or remotely?
How do you ensure system integrity from the endpoint to the cloud?
How do you currently ensure that all of your user endpoints are secure from viruses and running the correct versions of software?
How are you ensuring compliance with HIPAA, GDPR, PCI DSS, and other people's privacy/security requirements?
What solutions are you using for single sign-on and multi-factor authentication? How do you ensure staying current with the latest SSO/MFA products?
Is remote device patching time-consuming and error-prone?

EMAIL TEMPLATE

Title: Manage and secure your cloud-connected Devices with Lenovo and IGEL

Hi NAME,

I hope this email finds you well. Lenovo is excited to introduce you to a powerful partnership that can significantly bolster your organization's security posture.

By combining Lenovo's industry-leading hardware with IGEL's advanced endpoint OS, we offer a comprehensive offering that ensures robust security and streamlined management of your endpoints.

Tamper-resistant security,
Simplified endpoint management, and
Enhanced data protection.

Our partnership enables you to leverage your existing hardware investments while maximizing endpoint selection flexibility. We would be delighted to discuss how our Lenovo-IGEL offering can address your specific security needs and provide a tailored solution for your organization. Please let us know a convenient time for a call or meeting.

Thank you for considering Lenovo and IGEL as your trusted security partners.

Best regards,

EMAIL TEMPLATE

Title: Updating to a Preventative Security Model

Dear [Name],

I hope this email finds you well. I wanted to introduce you to a solution to revolutionize your organization's security approach.

We understand the challenges of managing and securing endpoints at the network edge while protecting your core infrastructure. That's why we're excited to introduce the IGEL enterprise OS and its proactive, preventative security model.

Unlike traditional operating systems, the IGEL OS is designed from the ground up with security in mind. By eliminating the need for reactive measures and relying on a secure-by-design approach, we can shift your focus from constantly monitoring, detecting, and remediating threats on the endpoint to reallocating those resources toward protecting your infrastructure.

With the IGEL OS, we've taken innovative steps to enhance security while ensuring ease of manageability and scalability. Here are some key features of our preventative security model:

Read-only Operating System: No local data is stored on the endpoint device, ensuring enhanced security and privacy.
Modular Design: Deploy only necessary applications and capabilities, reducing the attack surface and vulnerabilities.
End-to-End Encryption: From hardware to software, there's a full chain of trust, ensuring the highest level of data protection.
Rapid Recovery: In the event of a disaster, endpoints can be restored to a known good state within minutes, minimizing downtime and reducing administrative efforts.

By leveraging centralized management, we simplify the process of configuring devices with the right applications, policies, and workflows. This trusted application platform integrates authentication and SSO seamlessly, providing a secure user experience.

We believe that the IGEL OS can transform your organization's security posture while making it more maintainable, securable, and recoverable. We would love to discuss how our solution can benefit your specific needs further.

Would you be available for a brief call next week? I would be happy to provide more information and address any questions you may have.

Looking forward to the possibility of working together.