In the early days of computing, and later the Internet, security was really about resource management and keeping honest people honest. Cleartext passwords were like the latch on a garden gate, really just there to keep neighbors from accidentally overstepping their bounds. As actually hostile opponents came on the scene, much stronger fences and boundaries were erected. Firewalls and access controls established a perimeter within which were your valuables and where things were safe, and outside which were the dragons. This strategy has been called “Hard and Crunchy on the outside, soft and chewy on the inside”, and has turned out to be highly ineffective against modern threats. Several trends in evidence at security conferences and in various reports point to the sources of the problem.

Malware is like vampires.
Traditionally, a vampire cannot enter your house without being invited. The same is true of most malware. The user needs to click, open, or authorize the malware before it can attack. Unfortunately malware, like vampires, has the ability to beguile us with irresistible enticements. Once invited in, the attacker is comfortably inside the secure perimeter and free to carry on at will.

There is no spoon.
When the attacker believes in the perimeter, it may be able to keep them out, but once they realize that there is no perimeter they can attack at will. Users want to work any time, and place, with any equipment. They shift quickly between company computers, personal laptops, phones, tablets, or any other convenient devices. Many of these are completely uncontrolled and unprotected, yet can access and store the stuff that is supposed to be protected. Why bother attacking the castle wall when you can simply walk around it.

Only unicorns write bug free code.
Bug and vulnerability free code is as mythical and elusive as the Unicorn. Some argue that developers who are pure of heart can produce such code, but evidence is lacking. Despite long effort, operating systems, browsers, and applications are constantly suffering from newly discovered vulnerabilities. Because these programs are constantly being improved and expanded, the supply of new vulnerabilities shows no sign of slowing.

I don’t think that word means what you think it means.
When most security vendors talk about “vulnerabilities” they are really only talking about malware and exploits. The concept needs to be extended to cover the range of activities and practices undertaken by adversaries which can lead to organizational harm. In that light, there are many other kinds of vulnerabilities that are going completely unaddressed.

Soylent Green – Our vulnerabilities are made of PEOPLE!
Despite the availability of software vulnerabilities and exploits, attacks against the humans in the system are becoming the most effective and reliable. Increasingly sophisticated spear phishing techniques have very high success rates even against well trained and savvy users. People can be convinced to run software, click links, provide passwords, share sensitive data, and more. By design, users have access to the information they need. If they can be tricked into cooperating with the attacker, technological tricks are not even needed.

We created Passages specifically to address this new threat landscape. We know that browsers are vulnerable and can be attacked and exploited so we encase them in a hardened isolated virtual machine where they can’t do any damage. We know that users will allow malware into their browsers, so we keep downloaded files isolated. We protect against far more than just malware by ensuring that your competitors and attackers can’t target or spy on your when you are out on the net.

Passages provides a unique blend of maximum security with an expansive view of the scope of vulnerabilities faced today. Learn more at