%20--%3e%3cdefs%3e%3cstyle%3e%20.st0%20{%20fill:%20%23061b40;%20}%20.st1%20{%20fill:%20%23306af1;%20}%20.st2%20{%20fill:%20%235ce5cf;%20}%20%3c/style%3e%3c/defs%3e%3cg%3e%3cpath%20class='st0'%20d='M55,10.5h9v3h-9v9h12V7.5h-12v3ZM64,19.5h-6v-3h6v3Z'/%3e%3cpolygon%20class='st0'%20points='69%2016.5%2078%2016.5%2078%2019.5%2069%2019.5%2069%2022.5%2081%2022.5%2081%2013.5%2072%2013.5%2072%2010.5%2081%2010.5%2081%207.5%2069%207.5%2069%2016.5'/%3e%3cpolygon%20class='st0'%20points='95%2010.5%2095%207.5%2083%207.5%2083%2022.5%2095%2022.5%2095%2019.5%2086%2019.5%2086%2016.5%2095%2016.5%2095%2013.5%2086%2013.5%2086%2010.5%2095%2010.5'/%3e%3cpath%20class='st0'%20d='M40,1.5v21h11.6l1.4-1.4v-7.6h0c0,0-1.4-1.5-1.4-1.5l1.4-1.4V2.9l-1.4-1.4h-11.6ZM50,19.5h-7v-6h7v6ZM50,10.5h-7v-6h7v6Z'/%3e%3c/g%3e%3cpath%20class='st1'%20d='M23.1,24L14.7,4.8l-4.9,11.2h3.8l-1.8,4H3.3L12.1,0H2C.9,0,0,.9,0,2v20c0,1.1.9,2,2,2h21.1Z'/%3e%3cpath%20class='st2'%20d='M34,0h-16.8l10.6,24h6.2c1.1,0,2-.9,2-2V2C36,.9,35.1,0,34,0ZM32.5,20h-4V4h4v16Z'/%3e%3c/svg%3e)
Recently, the Anthropic engineering team shared their experiences and lessons learned in building secure isolation systems while developing three AI products — claude.ai, Claude Code, and Claude Cowork. These three products are targeted at general users, developers, and enterprise users respectively, each with its own unique isolation strategy and risk model, but all following the core principle of "prioritizing isolation at the environment layer."
In claude.ai, aimed at general users, Anthropic adopted a temporary container solution based on gVisor. Whenever a user initiates a session, the system generates a temporary container, which is immediately destroyed once the session ends. This design ensures that interactions between users' AI are brief and secure, limiting resource access and capabilities, so that even if a risk event occurs, the impact is limited to a single session.
For developers, Claude Code uses an operating system-level sandbox mechanism to optimize the workflow. By default, developers cannot access the network when using it, which reduces frequent permission prompts and significantly improves the user experience. According to statistics, this design reduced the frequency of permission prompts by 84%. When developers need network access, they can temporarily open it through explicit authorization.
For enterprise users who require the highest level of security, Claude Cowork uses a virtual machine-level isolation scheme to ensure complete separation from the host system. While this approach provides the best security, it also reduces integration with the host system and presents new challenges for security monitoring.
The article also mentioned several security incidents, the most notable being prompt injection through phishing attacks. In 24 tests, the success rate was as high as 96%. Additionally, there were issues such as data theft through API keys controlled by attackers. These incidents have prompted Anthropic to continuously improve its security architecture.
Anthropic summarized three key principles: first, prioritize isolation at the environment layer, guide at the model layer; second, the intensity of isolation should match the user's supervisory capability; third, be vigilant about defining components. These principles not only guide the design of Anthropic's products but also provide important warnings for the entire industry.
Key Points:
🔒 Prioritize Isolation at the Environment Layer: Different products use different isolation strategies to enhance security.
🛠️ Clear Role Definition: claude.ai, Claude Code, and Claude Cowork are designed for general users, developers, and enterprise users respectively.
⚠ Security Incident Warnings: High success rates of phishing attacks were found in practical tests, prompting continuous improvement of security measures.