Not Just Web Browsing Security: Isolation Strengthens all SSE Functions

Over a decade ago, the National Nuclear Security Administration began using “remote-managed hosted virtualization” to isolate risky web interactions from laboratory desktops used in nuclear research labs. This early version of remote browser isolation streamed website images from browsers located on remote servers to non-persistent virtual desktops located on users’ actual desktop devices.

In 2018, the Defense Information Security Agency (DISA) issued an RFI for cloud-based internet isolation (CBII) to secure the endpoints of many defense department users. By then, remote browser isolation (RBI) was leveraging purpose-built technologies that were lightyears ahead of virtualization and a number of solutions were beginning to pull ahead of the pack in the race to cloud-based isolation.

That same year, a Gartner Innovation Insight for Remote Browser Isolation report warned against assuming that detect-and-respond approaches to malware could keep enterprises safe from all – or even most – internet-based threats. Neil MacDonald, the analyst who authored the report, recommended RBI as an ideal way to reduce the exposure of internet-facing attack surfaces.

Many technology improvements later, the market has proved both MacDonald and DISA correct: In its 2022 Strategic Roadmap for SASE Convergence, Gartner names RBI as a “core” capability since it “has become widespread for certain key use cases,” a key revision of its earlier characterization of RBI as a “recommended” component of cloud-based secure access service edge (SASE) implementations.

But an interesting thing happened while RBI was gradually navigating past the trough of disillusionment, up the slope of enlightenment, and into SASE platforms: When properly integrated with identity and access management (IAM) and SASE policy engines, the cloud-based web isolation technologies that power RBI for its initial use case of protecting devices from web-based malware began to super-charge the effectiveness of other SASE functions. What enabled this to occur was innovative isolation architectures that harness the massive scale and reach of the cloud.

Web-Based Risk is no Longer Only About Browsing

Today, the corporate resources that are most threatened by web-enabled risk are not the browsers, endpoints and internal networks that RBI was initially designed to protect, but rather resources residing on the web itself or accessed via the web: That is, the web/cloud applications, private apps, SaaS applications and collaboration sites like Microsoft Teams that are central to almost all operations. Plus, of course, the data used by, stored in and accessible via those apps.

Use of digital, internet-based assets like these skyrocketed during COVID-19-spurred remote work, and despite the significant return to on-site work, the digitization clock won’t be turned back. As the use of these cloud-based assets accelerates to support mainstreamed distributed work environments, threats to them will continue to come from two primary sources.

First, from threat actors. Threat actors generally start an attack by probing apps and internet-facing surfaces to find vulnerabilities. In a recent survey of IT security decision-makers, 73% of respondents expressed concern about the size of their digital attack surfaces and 43% described the attack surface as “spiraling out of control.”

Alarmingly, the number and severity of reported common vulnerabilities and exposures (CVEs) have both been increasing, with advisories up 23% from 1H2021 to 1H2022 and the percentage of vulnerabilities classified as medium or high increasing as well. Almost 74% of vulnerabilities found are remote vulnerabilities that can be exploited over a network. Attackers frequently seek recently disclosed vulnerabilities in an attempt to exploit them before patches are issued or applied.

The second type of threat to organizations’ web-exposed assets is from the unmanaged devices from which authorized users access those apps. These may be personal devices used by employees when working from home, or devices used by third-party contractors, which may (or may not) be managed by their employers but are certainly not managed by the contracting organization.

This type of risk has grown exponentially in recent years, with the increase in both remote work and third-party contracting. With no control over devices, organizations cannot ensure that they are free of malicious content, or know whether they’ve been compromised in ways that enable threat agents to access corporate applications, or to compromise, exfiltrate or expose the often sensitive data contained in SaaS apps.

Isolation Branches Out

But what if RBI could be “flipped,” so that instead of protecting browsers from the dangers on websites, websites were isolated from dangerous devices and malicious visitors? By routing access to corporate web apps, SaaS apps and private apps via cloud-based isolation, policy-based restrictions could be enforced to restrict access, limit user activity such as data downloads, clipboarding and printing, and prevent breaches, data exposure and compliance risk.

Without any special on-device agents or software required on user devices, app surfaces would be protected from any malware present on users’ unmanaged devices, since all active web code would remain in the web-based container without “touching” the source app. And threat actors seeking vulnerabilities to exploit would see only the minimal, generic code of the isolation solution, not potentially vulnerable app surface code.

Integrating this “flipped” application isolation with critical SASE capabilities, such as SWGs, ZTNA and CASB, enables policy-based, least-privilege protections to be added to already-powerful SASE technologies, for true zero-trust secure access that doesn’t impose unduly onerous restrictions on users.

Conclusion

In today’s web app-enabled work-from-anywhere-on-any-device work environment, securing user access and activity and restricting them in accordance with least privilege access principles is more crucial than ever. By “never trusting” unverifiable web content to be safe, browser isolation has proven to be the sole zero-trust-compliant way to securely access the web, earning “core” SASE status. Application isolation will likewise, with time, prove to be the most secure and effective way to protect corporate resources from web-enabled attacks.