Nearly every organization is pursuing or perfecting zero-trust architecture. Web isolation can be a fast win in this sizable undertaking. Here are 5 questions we get asked frequently about how the two concepts work together.
The zero-trust approach to security is built on an assumption that no user, device or network can be trusted. Organizations that follow this policy implement rigorous authentication protocols to protect internal technology infrastructure and data from unauthorized access. But how can corporations and government agencies maintain zero-trust security environments at a time when BYOD, cloud infrastructure and remote work are the new normal? The challenge is to balance allowing access from unmanaged devices and networks against controlling and mitigating any potential avenues of compromise that this access may introduce.
Web isolation is a core component of zero-trust architecture. It allows IT to completely isolate devices from all web-borne threats by using a cloud-based browser, which ensures that no web code executes on the device. Users still enjoy a familiar browsing environment, while the organization’s information and employees’ identities are never exposed to the web. Web isolation is a layer that sits between the infrastructure and information that organizations care about and the things they cannot trust, adding a virtual “perimeter” whenever users access cloud services.
At Authentic8, we receive many questions about how web isolation fits within the zero-trust maturity model. Below are answers to some of the common questions.
Q: When using web isolation to access cloud apps, can IT still log and audit user actions?
A: Yes. The core functionality of web isolation solutions includes built-in IT controls to define and manage access permissions, web use and data policies at a granular level. For example, some roles may be permitted to upload and download information or copy and paste data, while others are restricted from these actions.
All user activity is logged, which adds a layer of transparency — even when users access cloud-based applications from a personal device, IT has full visibility and control over their actions. All logged data is securely stored and encrypted, so only authorized IT personnel can retrieve it. Security teams can then put this data into their analytical tools to discern patterns and trends and refine security policies.
Q: How does using a VPN compare to web isolation for securing access?
A: When remote users need access to an internal resource that’s not delivered via the browser, they must tunnel into the corporate network — and that’s where a VPN is a good resource. However, for securing access to cloud services, routing traffic through a VPN may prove less than effective. A VPN only addresses the issue of providing an encrypted point-to-point connection, leaving many gaps for unauthorized access.
A web isolation solution offers an encrypted direct-to-cloud connection, in addition to a fully isolated workspace that’s enabled with policy controls. This doesn’t come with a VPN. Accessing the cloud through a VPN ensures that employees have a secure pipe, but it still delivers sensitive corporate data to an unmanaged device where that data is in danger of being compromised or mishandled.
Q: How difficult is it to implement a zero-trust framework?
A: Depending on the organization, building a zero-trust architecture could be a multi-year undertaking, especially in heavily regulated industries. A complete zero-trust architecture is a great vision, but the scale and magnitude of a project like that may be daunting for people who are just at the start of their journey.
Experts recommend identifying your organization’s current maturity level and setting achievable goals and milestones, rather than trying to solve every problem and compliance requirement at once. Focusing on the most valuable data and most at-risk users and implementing security controls around them is a good first step. For example, organizations that engage many outside contractors may choose to focus on securing their access first. Companies that elected not to call their employees back to the office after COVID lockdowns may want to re-examine how these workers access their apps and data and ensure that there are no potential points where sensitive data could be compromised. Quick wins, like implementing security controls through web isolation, can go a long way toward securing high-risk scenarios and getting your organization a step higher on the zero-trust maturity model.
Cloud-native web isolation is perhaps the easiest component of the zero-trust framework to implement and get up and running. With no hardware to install, security-sensitive organizations can start protecting their valuable data and sensitive connections through isolation in no time, easily scaling the number of users up or down, as needed.
Q: Does anything need to be installed on unmanaged devices to use web isolation?
A: No. The local browser on the user’s unmanaged device becomes the container where users get secure access to the isolated workspace. Any user, anywhere, on any device can launch the isolated workspace and have full security and control applied to accessing cloud services.
Q: Is web isolation still useful for managed devices?
A: Absolutely! Managed devices are vulnerable and not immune to exploits just because they are managed. Web isolation adds a buffer between the device and any potential web-borne threats. Many organizations use it to secure their infrastructure against phishing and malware, while allowing users to browse the web and access any sites — even personal webmail — without restriction.
Plus, IT gains policy control and visibility over users’ access to web services and their online behaviors. Security teams can use it to control human risk and behaviors, such as removing files from a cloud application, or to monitor activity to mitigate insider threats and promote compliance.