Zero Trust for Web and Application Access: Developing a cybersecurity playbook for BYOD and beyond


A single compromised browser session on a remote device connected to an organization’s network can bring down an entire company. As one CISO confided to VentureBeat in a recent interview, “Recessions make the revenue risk aspects of a zero trust business case real, which shows why securing browsers is urgent.” More than anything, CISOs from the banking, financial services and insurance industries fear inbound attacks that exploit browser vulnerabilities to launch sophisticated phishing and social engineering campaigns.

Attackers can quickly identify and compromise even security administrators’ browsers, every CISO’s worst nightmare. Many CISOs remember the CNA Financial breach that started with a browser-update phishing email. Once an attacker gains administrative privileges, they can quickly take control of the identity and access management (IAM) systems and create new administrative credentials to lock out anyone who tries to stop them.

CISOs’ top priority: Securing how work gets done

Protecting BYOD (bring-your-own-device) environments and unmanaged devices is one of the biggest challenges facing CISOs and CIOs in 2023. Virtual workers and remote contractors are using personal devices for work at a record rate. Gartner predicts that up to 70% of enterprise software interactions will be on mobile devices this year.

Ponemon Institute and Mastercard’s RiskRecon found that only 34% of organizations are confident that their suppliers will notify them of a data breach. Their research also found that 54% of organizations had been breached through third parties in the past 12 months. A recent study by Enterprise Strategy Group (ESG) found that more than three-quarters of organizations reported at least one (43%) or several (34%) cyberattacks enabled by unknown, unmanaged or poorly managed endpoint devices. As they rely on more third-party resources, 35% of companies say they struggle to secure non-company devices.

Given the proliferation of endpoint and edge devices and the need to secure remote workers and contractors using their own devices, clientless ZTNA is now a must-have for securing corporate networks and infrastructure. Source: Managing the Endpoint Vulnerability Gap: The Convergence of IT and Security to Reduce Exposure, Enterprise Strategy Group

A playbook for dealing with browser attacks

CISOs urgently need a playbook that addresses the risk of compromised browsing sessions on remote devices connected to their organization’s network. Not having a plan ready can disrupt operations and cost millions of dollars in operating expenses and lost revenue.

A playbook describes the company’s workflows, policies and roles. It is a comprehensive guide that ensures smooth operation and a coordinated response to threats. Microsoft offers example incident response playbooks that can be adapted to the specific needs of an organization.

A well-written playbook outlines the roles and responsibilities of the IT team, implements strict access controls, and educates employees on phishing and social engineering best practices to manage these risks.

The playbook should also emphasize a zero-trust approach to cybersecurity, in which no user or device is trusted by default, regardless of its location or status within the organization.

CISA provides a helpful guide to creating playbooks in its Cybersecurity Incident and Vulnerability Response Playbooks document. The document describes a standardized cybersecurity incident response process based on NIST Special Publication (SP) 800-61 Rev. 2. The process includes preparation, detection and analysis, containment, eradication, recovery and post-incident activities.

CISA incident response playbook
The CISA incident response process is a useful framework for creating an incident and vulnerability response playbook to protect an organization against browser-based attacks. Source: CISA Cybersecurity Incident & Vulnerability Response Playbooks

Securing where work gets done with zero trust

Zero trust tries to eliminate implicit trust relationships across an enterprise’s entire technology stack, because any trust gap is a significant liability. Clientless zero trust network access (ZTNA) takes a zero-trust approach to connecting devices, both managed and unmanaged, to enterprise applications and corporate data. And when it uses isolation-based technologies to enable these connections, it offers the added benefit of protecting critical applications from anything that could be malicious on the unmanaged endpoints of third-party contractors or on employees’ BYOD devices.

For example, clientless ZTNA based on browser isolation is a core component of Ericom’s ZTEdge Secure Services Edge (SSE) platform. The platform combines network, cloud and secure application access controls into one cloud-based system.

This type of ZTNA uses a network-level isolation technique that does not require an agent to be deployed and managed on a user’s device. That greatly simplifies the challenging task of providing secure access to distributed teams.

Ericom’s platform also includes a secure web gateway (SWG) with built-in remote browser isolation (RBI) to provide zero-trust security for web browsing. RBI assumes that any website can contain malicious code and isolates all web content from endpoints so that malware, ransomware and malicious scripts cannot affect an organization’s systems. All sessions run in a secure, isolated cloud environment, enforcing least-privilege application access at the browser session level.

A reseller’s perspective on clientless ZTNA and isolation-based web security

Rob Chapman, director of sales, managed services at Flywheel IT Services Limited, a reseller of cybersecurity services in the UK, told VentureBeat of a CISO who “even says he has to use remote browser isolation because the only safe alternative would be to chop off every user’s fingers!”

Chapman sees RBI as where the market is going when it comes to protecting end users. He said Ericom’s approach to securing browsers is useful for the consulting firm’s clients from banking, financial services and education industries, among others.

When asked what sets Ericom apart from other vendors offering zero trust-based solutions, he said Ericom’s approach “effectively removes risk because you put the user in a container.”

Proper scalability is essential for an SSE provider to remain competitive in a rapidly changing cybersecurity market. Building an underlying architecture that supports the high-speed access business users need can make or break an implementation opportunity, especially for resellers.

On the subject, Chapman told VentureBeat that a global client “decided to go along [with browser isolation] because they have a set of 600 users and 20 different sites all over the world, and it’s just really, really hard to know if you’re protecting them the best you can with historical…or outdated solutions. Moving to advanced web security, including browser isolation, gives people confidence that their users won’t go out and be exposed to malicious code attacks on the web.”

Configure zero trust protection in the browser — without agent sprawl

When using browser isolation to deliver clientless ZTNA, IT teams can set policies for a number of configurable security controls.

In addition to allowing or denying application-level access based on identity, a team can control whether a user can upload or download content, copy data, enter data, or even print information.

Data loss prevention (DLP) can scan files to ensure compliance with information security policies. Files can also be analyzed by content disarm and reconstruction (CDR), a kind of next-generation sandboxing, to ensure no malware is delivered to endpoints or uploaded into applications.
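The session controls described above (application access by identity, then per-session permission to upload, download, copy, enter data or print, with DLP inspection of anything leaving the isolated session) can be modelled as a small default-deny policy engine. The following is an added example written for this article, not Ericom’s or any vendor’s code; the application names, group names and policy table are constructed, and the DLP check is a deliberately simple Luhn-validated payment-card pattern plus a classification marker standing in for a real DLP engine.

```python
"""Minimal default-deny policy engine for isolated browser sessions.

Added example (hypothetical names throughout); models identity-based app
access plus per-session action controls and a DLP check on outbound data.
"""
import re
from dataclasses import dataclass

# The per-session controls the article lists; "paste" covers "enter data".
ACTIONS = frozenset({"view", "upload", "download", "copy", "paste", "print"})


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset
    device_managed: bool  # False for BYOD and third-party contractor devices


@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_groups: frozenset     # identity-based access to the app itself
    managed_actions: frozenset    # actions allowed from a managed device
    unmanaged_actions: frozenset  # tighter set for unmanaged / BYOD devices


# Constructed sample policy table (hypothetical app and group names).
POLICIES = {
    "crm": AppPolicy("crm", frozenset({"sales", "it-admin"}),
                     managed_actions=ACTIONS,
                     unmanaged_actions=frozenset({"view", "paste"})),
    "hr-portal": AppPolicy("hr-portal", frozenset({"hr"}),
                           managed_actions=frozenset({"view", "download", "print"}),
                           unmanaged_actions=frozenset({"view"})),
}


def permitted_actions(subject, app, policies=POLICIES):
    """Actions the subject may perform in an isolated session on `app`.

    Default deny: an unknown app, or no overlap between the subject's groups
    and the app's allowed groups, yields the empty set (no access at all).
    """
    policy = policies.get(app)
    if policy is None or not (subject.groups & policy.allowed_groups):
        return frozenset()
    return policy.managed_actions if subject.device_managed else policy.unmanaged_actions


def luhn_ok(digits):
    """Luhn checksum used to cut false positives on card-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 16 digits, optionally separated by spaces or dashes, not inside a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def dlp_findings(text):
    """Return a list of DLP hits in outbound text (empty list means clean)."""
    findings = []
    if "CONFIDENTIAL" in text.upper():
        findings.append("classification marker")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            findings.append("payment-card number")
    return findings


def authorize(subject, app, action, payload=None, policies=POLICIES):
    """Decide one session action; returns (allowed, reason)."""
    if action not in ACTIONS:
        return False, f"unknown action {action!r}"
    if action not in permitted_actions(subject, app, policies):
        return False, f"{action} not permitted for {subject.user} on {app}"
    # Data entering the app from the user's side is inspected before release.
    if action in ("upload", "paste") and payload is not None:
        hits = dlp_findings(payload)
        if hits:
            return False, "DLP blocked: " + ", ".join(hits)
    return True, "allowed"


if __name__ == "__main__":
    contractor = Subject("alice", frozenset({"sales"}), device_managed=False)
    admin = Subject("bob", frozenset({"it-admin"}), device_managed=True)
    print(sorted(permitted_actions(contractor, "crm")))
    print(authorize(contractor, "crm", "download"))
    print(authorize(contractor, "crm", "paste", "card 4111 1111 1111 1111"))
    print(authorize(admin, "crm", "upload", "quarterly pipeline notes"))
```

The point of the structure is that the device state only narrows what an already-authorized identity may do; it never grants access on its own, and anything the table does not list is denied. A real deployment would source `device_managed` from device posture rather than a flag, and replace `dlp_findings` with the platform’s DLP and CDR pipeline.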

CISOs tell VentureBeat about the cost, speed, and zero-trust security benefits of implementing these types of solutions for a distributed, virtual workforce.

Cybersecurity vendors offer solutions that vary in their underlying technologies, user experience and other factors. Broadcom/Symantec, Cloudflare, Ericom, Forcepoint, iboss, Menlo Security, McAfee, Netskope and Zscaler are the leading providers.

Clientless ZTNA based on browser isolation
Ericom’s ZTEdge uses web application isolation as a clientless ZTNA approach that secures BYOD and unmanaged device access to corporate web and SaaS apps. Source: Ericom

The bottom line: Set up zero trust to secure how and where work gets done

The proliferation of remote devices used by virtual workers and the heavy reliance on third-party contractors accentuate the need for more efficient, agentless approaches to achieving zero trust at the browser level.

CISOs need to think about how their teams might respond to a browser-based breach, and a good place to start is to create a playbook specifically targeting compromised browser sessions.

Clientless ZTNA strategies, such as those used in Ericom’s ZTEdge SSE platform, isolate applications and enterprise data from the risks associated with unmanaged devices.

Security teams already overworked and facing chronic time constraints need a more efficient way to secure every device and browser. Clientless ZTNA secures web apps at the browser and session level, eliminating the need for agents on any device, while SWGs with built-in isolation help protect organizations against advanced web threats, even zero-days.

These approaches can help IT teams provide zero-trust protection for some of the biggest risk areas they face: general web/internet access and connecting users to business apps and data.
