by Tova Osofsky
Posted on June 7, 2023
By 2009, the US Federal government had grown sufficiently concerned about nefarious actors breaching the desktops of researchers working on nuclear projects, via their browsers, to take action. To distance vulnerable browsers from classified data, they shifted browsing to a different server, then used virtualization to stream images of websites to users’ desktops — creating a first, primitive version of Remote Browser Isolation (RBI).
Fast forward a decade and a half, and today RBI is a technologically advanced, cloud-based solution that is a core capability of modern Secure Access Service Edge (SASE) platforms.
Gartner estimates that 80% of enterprises will have adopted cloud-based SASE/SSE (Security Service Edge) by 2025. For those organizations, the cloud-based isolation technology that powers RBI can do much more than eliminate web-delivered threats by preventing browser attack surfaces from being exposed to the web. In this blog post, we break down the components that make up SASE/SSE and describe why, in addition to RBI being an essential capability, isolation is a valuable addition to capabilities across the full SASE security framework.
The legacy approach to cybersecurity evolved in the early days of the internet. Back in the “olden days” employees worked from an office and they mostly worked on apps and data that were hosted on the company’s own servers. Employees who needed remote access were the exception, not the rule, and it was relatively rare for employees to need to access data elsewhere. The focus naturally evolved to having a strong perimeter defense that would keep external threats locked out, while allowing employees within the perimeter to have free access to whatever they needed.
The biggest problem with the perimeter approach is that if an attacker does breach those defenses, they have access to everything. There are many additional problems, however. Today’s IT environment is very different, with many more employees working remotely, and with corporations increasingly turning to cloud computing. Perimeters have been rendered obsolete.
SSE is a new way to approach cybersecurity. No SSE solution relies on a perimeter for protection. SSE must secure users who are accessing IT resources that are internal and in the cloud, whether they are onsite or remote. And in this perimeter-less approach, no SSE solution is complete without isolation.
The SASE/SSE concept replaces perimeter-based access with cloud-native security and access services that operate on Zero Trust principles of “least privilege access,” “never trust, always verify” and “assume breach.”
For secure browsing, RBI operationalizes these principles by assuming that since no website content can be verified as safe, it cannot be trusted and should therefore be kept away from vulnerable endpoints. Browsing is therefore isolated in cloud-based containers and only safe rendering data is streamed to device browsers. Users interact with websites as usual, via their regular browsers. The user experience is indistinguishable from standard browsing.
Within the cloud-based container, granular policies can be applied to limit which sites users may visit as well as what browser-enabled actions they can take for each site. For instance, suspicious sites are opened in read-only mode to safeguard users from credential theft, and browser clipboard and printing functions may be disabled for certain sites.
The web isolation technology that underlies RBI, however, offers functionality that extends well beyond secure browsing. Web isolation can be used to protect corporate web apps, SaaS applications and private apps from unauthorized access, as well as protecting the sensitive data these apps contain. Routing access via isolation cloaks application surfaces from threat actors seeking vulnerabilities to attack and protects apps from malware that may be present on unmanaged devices used by authorized users. Web isolation also enables policy-based access and usage controls to prevent data exposure and lateral movement, and reduce compliance risk.
Let’s dig in a bit to explore how web isolation strengthens the secure services that are essential elements of SSE:
As Gartner noted, use of remote browser isolation has become so widespread that it is now considered to be a core SASE capability. But as they also note, the RBI provided by most SASE platforms is a recently integrated, non-native solution which, in many cases, is less than optimal.
More importantly, the isolation capabilities most solutions provide are limited to secure browsing and further restricted by their inability to secure online meetings and detect malware in encrypted messaging apps such as WhatsApp Web. They do not leverage isolation, as ZTEdge does, to protect web and cloud applications from malware on unmanaged devices, or prevent over-privileged access from unmanaged 3rd party devices or users’ BYOD.
To learn more about how tight integration of isolation across SSE platforms can reduce the security burden on users while enabling simple, secure access, download “Not Just for Safe Browsing: How Isolation Strengthens All SSE Functions” today.