MPA Best Practice Guidelines Name RBI as Implementation Guidance Infrastructure for Web Filtering and Usage Control

Author Avatar


Posted on August 4, 2021

Peter Fell, ZTEdge Blog Contributing Author
Ericom Software EME Group CTO

Want to interview Peter?


What Every TPN Vendor Should Know About Remote Browser Isolation

In a recent important addition to the Motion Picture Association (MPA) Content Security Program, MPA Best Practices Guidelines were updated in Version 4.09 to recommend Remote Browser Isolation (RBI) as an implementation guidance option for Data Security Best Practices including DS-2.0, DS-2.1, DS-2.2 and DS-5.0.

To protect pre-release content and prevent web-enabled attacks on the networks of both content production and content delivery company networks, previous versions of the Implementation Guidance stipulated complex, time-consuming and highly restrictive internet use policies and processes for vendor organizations supporting MPA Member Companies.

While protecting pre-release content during production, post-production, marketing and distribution is, of course, of paramount importance, the processes required to date introduced considerable inconvenience, frustration and productivity loss into the collaborative model on which so much of the entertainment industry depends today.

Adding remote browser isolation to MPA Best Practices in the Implementation Guidance for data security is a game-changer for users. When done correctly, it will go a long way to streamlining internet-enabled collaboration while maintaining the airtight content protection that both content producers and content delivery companies require.

Remote Browser Isolation was first introduced almost a decade ago and is today a fully mature technology. According to Dr. Chase Cunningham, a leading Zero Trust security advocate at Forrester Research who recently joined Ericom Software, the time has arrived for broad adoption of RBI as a security control.

Security That Works For Users, Not Against Them

For Trusted Partner Network (TPN) vendors and Consultant Assessors—and especially for users–RBI is the rare security solution that reduces risk while boosting productivity and improving the user experience for entertainment industry employees, when designed and implemented properly. Now that the MPA has joined the finance industry and government sector in recommending RBI to secure internet use, TPN vendors can enable rigorous, granular internet usage control and content protection, while simultaneously streamlining access, in full compliance with MPA Best Practices.

According to the most recent Verizon DBIR, almost 40% of breaches involved phishing, 25% involved credential theft, and malware was a factor in over 20%. 58% of CISOs identify human error as their organizations’ greatest cyber vulnerability. These threat actions, which directly impact pre-release content security, are precisely the ones that RBI effectively blocks.

Remote Browser Isolation: What It Is and How It Works

RBI blocks all website content from user devices and networks by isolating the content in a remote location yet enables users to fully use and interact with the sites in compliance with granular policy-based controls. Here’s how it’s done:

When a user opens a website, the RBI solution…

  • Generates a virtual browser in an isolated container in the cloud or on a remote server
  • Executes the website in the virtual browser
  • Sends only safe rendering information to the user’s device
  • Enables users to interact with the websites as usual, using their device browsers

Critically, when the user stops browsing, the isolated container is destroyed, along with the virtual browser and all website content within—including any malware or ransomware that may have been on the site.

Because websites do not execute on the endpoint, no content is left in the browser cache. So, if a device is stolen, lost or breached, content that has been uploaded to or downloaded from the web can’t be retrieved from the device browser cache.

Web Usage Controls and Reporting that Go Beyond the RBI Basics

For TPN vendors and Consultant Assessors, the extent to which users can upload content to websites and apps is of as great concern as malware that may be downloaded. A number of key capabilities and features make ZTEdge Web Isolation, a remote browser isolations solution, particularly relevant and valuable when applying MPA Best Practice Guidelines for Digital Security Infrastructure Implementation Guidance for DS-2.0, DS-2.1, DS-2.2 and DS 5.0.

A wide range of policy controls. ZTEdge Web Isolation enables granular, policy-based controls that simplify strict compliance with DS-2.0 and DS-2.2 Implementation Guidance. For instance, access can be fully blocked to prohibited sites such as web-based email sites, peer-to-peer, digital lockers, and known malicious sites to prevent content exfiltration and theft.

In addition, browser capabilities such as printing, downloading and copy/pasting content from websites that may be exploited by malicious (or simply careless) insiders may also be restricted via policy-based controls, in keeping with DS-2.0 Implementation Guidance to block “local drives, USB mass storage, mapping of printers, copy and paste functions, and download/upload to the Internet gateway system from the production network.”

Reporting and auditing. The centralized ZTEdge Web Isolation administration console provides full audit trail and reporting capabilities, including historical web access data, upload and download activities, user activity reports, risk analysis, security events, and more. Security admins can drill down into report data to reveal patterns and define custom reports to get maximum insight from historical organizational data. Data can also be automatically exported to an external SIEM for archiving and further analysis.

End user experience. Unlike remote desktop alternatives, which involve numerous steps to first launch a remote desktop, and only then open a protected browser, ZTEdge RBI works with standard browsers on users’ regular device or desktop. While other RBI solutions may limit which browsers are used by requiring browser-specific configuration, or utilize cludgy, confusing and often imprecise browser-in-browser technology, ZTEdge Web Isolation fully protects users, on any browser they choose, at any time. It provides an excellent end user browsing experience–even HD video plays smoothly and on-page navigation is extremely precise.

Integrates easily with current (and planned) security stacks. Leading security solution providers partner with ZTEdge Web Isolation. In addition to integrating simply with a wide range of the firewalls and secure web gateways in use today, ZTEdge Web Isolation is compatible with new generation SASE platforms and security solutions as well. So even clients who are considering updates to their security stacks can adopt RBI now, without locking themselves in to any specific security vendor.

Protection from phishing emails and sites, and infected attachments. ZTEdge Web Isolation protects against phishing by opening URLs in emails in isolated containers in the cloud, away from endpoints. Moreover, as required by DS-2.1 but by no means standard in most browser isolation solutions, it opens new, uncategorized sites in read-only mode to protect users who might be lured into entering credentials on a phishing site. ZTEdge RBI also integrates content disarm and reconstruction (CDR) capabilities which examine attachments and remove any malware embedded within before downloading to endpoints. Of course, policies may be set to restrict downloads based on user, site or type of attachment – or block all attachments.

Virtual Meeting Isolation. Like all other websites, web portals of virtual meeting solutions are vulnerable to infection with malware, which can then be passed to meeting participants via their browsers. In addition, malware has been identified which can take control of user cameras and expose private chats via virtual meeting solutions.

ZTEdge Web Isolation is the sole browser isolation solution in the market that secures virtual meetings conducted via Zoom, Microsoft Teams, Google Meet, WebEx and similar browser portals. Patent-pending proprietary ZTEdge technology supports key collaboration elements, like screen sharing, microphone use, and video-camera.

Security That Eases MPA Implementation Guidance Compliance for Users

For content creators and distributors, security is of paramount importance. After all, content is your product. MPA Best Practice Guideline compliance is likewise essential—but not always easy.

The new Implementation Guidance that recommends RBI for DS-2.0, and the fact that RBI capabilities enable the controls recommended in DS-2.1, DS-2.2 and DS-5.0, allows TPN Vendors to lighten the security burden on their clients’ employees while ensuring that valuable content is fully air-gapped and protected from the dangers of the web.

To learn more about choosing the right RBI solution for your clients, read “Close the Security-Usability Gap with the Right RBI Solution” today. And of course, we are happy to address any questions you have!

Share this on:

Author Avatar

About Peter Fell

Peter Fell, Group CTO - EME, is a solutions architect and information security expert, specializing in data protection, cybersecurity, data privacy and compliance. He has 20+ years experience in Information Security, specializing in Data Protection, Cybersecurity, Data Privacy and Compliance, SaaS, Identity and Access Management.

Recent Posts

Air Gapping Your Way to Cyber Safety

Physically air gapping enterprise networks from the web is a great way to protect operations, keep data safe … and squelch productivity. Virtual air gapping is a better approach.

Motion Picture Association Updates Cybersecurity Best Practices

The MPA recently revised its content security best practices to address, among other challenges, the issue of data protection in the cloud computing age.

FTC Issues Cybersecurity Warning for QR Codes

QR codes on ads are a simple way to grab potential customers before they move on. No wonder cybercriminals are using QR codes, too.