Zero Trust? Not if you’re Surfing the Web

Reshaping the Security Landscape

by Daniel Miller, Senior Director Product Marketing, Ericom Software

Though it may come off as a bit dramatic, the idea of not placing your faith in anyone or anything has become the new paradigm in security. In the past, we’d look at internal traffic as trusted and external traffic as untrusted. With the proliferation of insider threats and highly sophisticated malware, this notion is not only long outdated but downright dangerous.

Zero Trust

The Zero Trust concept transforms the way modern security strategy is planned and executed. No security barrier, whether it’s a physical appliance, a software product, or a cloud service, is regarded as safe enough on its own. No enterprise can be viewed as a fortress, protected by its own perimeter defenses. No traffic is automatically “okay.” Point-blank, organizations must stop trusting anything or anyone, inside or outside their network.

In the years since the Zero  Trust concept was formulated, an explosion of new micro-segmentation solutions has been introduced to bring it from theory to practice. The thought behind micro-segmenting applications and environments is that to enforce security policies, organizations must be able to control

what communication should – or should not – be allowed between various points on the network. To accomplish this goal, activities are broken down to the smallest processes and each one of those processes can be individually secured. Under the Zero Trust paradigm, machines, networks, and IP addresses are all segmented and access to each component, and between components, is restricted according to rigorously applied security policies and authentication.

Micro-segmentation is quite demanding. Within a true micro-segmented network, an IT team must manage large amounts of data processes across people, networks, devices, and workloads. One small misconfiguration can set organizations back a day’s worth of productivity. Moreover, nuanced access and authentication processes can create a poor user experience and can further hinder productivity.

More significantly, while micro-segmentation and related solutions go a long way toward securing networks and data from everyone and everything, gaps still remain in truly locking down all traffic both within the network and from the outside.

What about Web Browsing?

One of the main areas of risk not covered by micro-segmentation is web browsing. While essential in today’s business environment, browsing remains a wide-open loophole through which malware can penetrate organizations. You can micro-segment to your heart’s content, but it can’t prevent browser-based malware, like many ransomware variants, cross-site scripting attacks and drive-by downloads from gaining a foothold in your network. Once malware bypasses that interface, it can make its way on to your endpoints and then onto your network.

Zero Trust advocates often cite whitelisting trusted sites as the solution, while denying access to all others. But time after time, it has been demonstrated that limiting access to all but known-to-be-needed sites kills productivity. This limited access creates hurdles for IT staff and end-users alike; users are forced to request and wait for access and IT staff must divert their attention from more strategic priorities to manage and grant access to such requests.

Moreover, even if organizations could whitelist every site their employees need, they would still be vulnerable to malware that infiltrates via legitimate sites. There is no way to know with certainty what’s taking place behind the scenes on any given website, even one that has been whitelisted. There is always the chance that the site may have been infected with malware via “malvertising” campaigns

— so although it’s technically “trusted,” it may still deliver malware to visitors. Even methods like URL filtering, anti-phishing lists, web gateways, and other types of filtering and screening solutions cannot hermetically block threats that originate from the web. Thus, the current Zero Trust model leaves room for browser-borne malware to infiltrate networks.

Remote Browser Isolation is Zero Trust for the Web For complete security, the Zero Trust concept must be extended to web browsers, too.

With Remote Browser Isolation, nothing from the web is trusted. Every website, each piece of content, and all downloads are treated with the same extreme suspicion. There is no need for whitelisting or access requests and users can interact as normal with whatever sites they need.

All browsing takes place away from vulnerable assets, in a virtual disposable container which is located in a DMZ or in the cloud. Users get real-time access to websites and applications, free of any browser-based threats. When that tab is closed, the container and all its contents are destroyed. Nothing untrusted can make its way onto endpoints and there is no interruption to normal workflow. Remote browser isolation means that the whole of the web is no longer a threat to your organization.

As it is, the Zero Trust concept still leaves organizations at risk of browser-borne malware. While trusting “no one and nothing” is the smart way forward in today’s ever-changing and highly complex threat landscape, if this is to be the new paradigm there is little point in only adopting it part way. Remote browser isolation is the answer to taking Zero Trust to the next level in order to create a truly secure organization.

About the Author

Daniel Miller is the Senior Director of Product Marketing at Ericom Software. He has more than 15 years of industry experience in corporate and product marketing,  business development, and product management, supporting an array of technology services,  hardware and software solutions—with a strong focus on cybersecurity in recent years. He frequently shares his insights on cybersecurity at industry conferences and podcasts, and regularly contributes articles to enterprise security publications. Daniel holds graduate degrees in Behavioral Sciences and Business Administration.