Should Browser Isolation be part of a Zero Trust solution?

By Henry Harrison, Co-founder and Chief Scientist at Garrison.

  • 1 year ago Posted in

The move to a Zero Trust model of cyber security is gaining momentum. Enterprises across sectors are recognising the shortcomings of existing security approaches, and are looking to Zero Trust as a way to create peace of mind against a backdrop of increasingly sophisticated and dangerous cyber attacks.

So what is Zero Trust? Essentially, this is a security approach that does away with the assumption that everything within an organisation’s networks is trustworthy, and instead takes a ‘never trust, always verify’ standpoint. In short, the Zero Trust model trusts nothing and no one.

Cyber attacks increased by over a third (38%) in 2022 compared to the previous year, and the cost of cybercrime is expected to rocket from $8.44 trillion in 2022 to $23.84 trillion by 2027. If these numbers tell us anything, it’s that the security tools relied on by private and public sector organisations alike simply aren’t working.

The limitations of perimeter security

Traditional IT security has typically focused on defending an organisation’s perimeters. This model tries to prevent bad actors from gaining access from outside of the corporate network, and then assumes that everyone inside the perimeter should be trusted by default.

These methods are not failsafe, and the rise in successful cyber attacks is proof. One reason is that these security tools are powerless to stop attacks that use social engineering – for example, as with ransomware attacks, which manipulate employees to get past security measures and give malware a foothold in the organisation.

In short – detection-focused security tools can be circumvented, and this leaves enterprises vulnerable to attack. What’s more, most security strategies don’t recognise this vulnerability, and therefore mistakenly allow bad actors full access to company data and systems once they are inside the organisational network.

Zero Trust is different because it distrusts everything inside an organisation’s network, as well as everything outside – meaning that if a threat actor is able to penetrate external security, they will not automatically be given access to sensitive data and documents.

Identity management alone is not enough

When talking about a Zero Trust architecture, it is important to understand that it is not made up of one solution; rather, as the name suggests, this is a holistic, all encompassing security environment.

But when some companies think about Zero Trust, they may focus exclusively on one area – identity management. This is how users are authenticated before being given access. However, while this might seem to solve the security risk posed by threat actors breaching an organisation’s perimeter, in reality, these only offer a partial solution.

Looking at online banking as an example, the shortcomings of identity verification tools such as biometrics and multi-factor authentication (MFA) are clear. Despite online banking users being both authorised and authenticated, it is still common for them to be the victim of a cyber attack. If user verification on its own was sufficient, this surely wouldn’t be the case.

The vulnerability that's being exploited here is the user’s device. This is crucial because if the endpoint is compromised – for example through an MFA bypass or a man-in-the-browser attack – the financial data is not only accessible to the verified user, but also the threat actors behind the attack. In a business setting, this has the potential to open up sensitive data, critical documents and core networks, and put them all in the hands of cyber criminals. Breaches of this nature not only put an organisation’s ability to operate at risk, but can also irreparably damage its reputation.

The complexity of endpoint security

When considering endpoint security, it is important to recognise that context is key. In other words, it is the task in hand that determines whether or not an endpoint has adequate security in place – the same device may be considered to have adequate security to access one resource, but not to access another, more sensitive, resource.

The challenge of endpoint security is complicated by the growth of hybrid work, which has in turn led to the rise of the bring your own device (BYOD) trend – where employees use their personal computers and devices to access company networks. The security status of these personal devices means that IT teams are unable to implement universal security measures for those endpoints accessing company networks.

The problem of endpoint security is amplified further by the continued move of business applications and data storage into the cloud. Many cloud providers focus exclusively on user identity verification and do not offer endpoint security support, which as we’ve already seen, does not adequately address the security gap.

The cloud providers that do consider the issue of endpoint security tackle the problem by making access conditional on the source IP address. But this simply doesn’t work for companies whose workers have adopted hybrid working patterns.

Browser Isolation – the move to Zero Trust

Growing numbers of enterprises are turning to Browser Isolation as a Zero Trust solution that enables uniform endpoint security, regardless of where an employee is located, or the security

status of the device they are using. What’s more, it does this without having to resort to limiting users’ access to the internet.

So how does it work? Browser Isolation creates a barrier between the endpoint and the internet, meaning that the employee’s machine – be it a personal device or company property – never comes into contact with the internet. This therefore removes the risk of users coming into contact with web-based malware. It does this through a process known as ‘Pixel Pushing’ – which converts the browsed web content into a video representation of the web. While the online experience remains the same for the user, in reality, they are seeing an interactive video rather than the web page itself. This important difference completely removes the possibility of all web-based malware attacks

Zero Trust is the core principle underpinning Browser Isolation – the technique assumes that all internet content is untrustworthy, and in doing so provides strong endpoint security.

A holistic approach to Zero Trust

There is no silver bullet when it comes to Zero Trust. Instead, companies need to take a holistic approach that is led by the need to protect and secure critical data and networks, while also giving employees the freedom and mobility they require.

Endpoints present a significant security risk that leave organisations vulnerable to cyber attacks. User devices therefore need to be front-and-centre of any Zero Trust architecture development and maintenance.

By Alasdair Anderson, VP of EMEA at Protegrity.
By Eric Herzog, Chief Marketing Officer, Infinidat.
By Shaun Farrow, Security Practice Lead at Bistech.
By Andre Schindler, GM EMEA and SVP Global Sales at NinjaOne.
By Darren Thomson, Field CTO EMEAI, Commvault.