Tried-and-true security solutions like URL filtering, anti-phishing software, firewalls, and other detection and signature-based solutions are able to mitigate most cybersecurity attacks. But they operate on the erroneous assumption that anyone and anything already inside of an organization network perimeter is safe and can be trusted. This line of thinking has long been proven incorrect, much to the dismay of IT departments and executive teams whose networks have been compromised by insiders, both intentionally and through simple human error.
The proliferation of cyberthreats has numerous drivers: sophisticated phishing schemes, social engineering, application vulnerabilities, and everchanging strains of malware. The dynamic cyberthreat landscape continues to present one of the most pressing challenges that confronts even the most progressive and forward-thinking IT departments.
It is essential for organization leaders to grasp the potential risks and the full business impact of even a “minor” security breach. According to the Ninth Annual Cost of Cybercrime Study conducted on behalf of Ponemon Institute and Accenture, security breaches have increased by 67% in the last five years. Yet many managers are unaware of the fact that current approaches are inadequate and fail to proactively defend against numerous threats.
Today, organizations whose users need the web for their work, or even just browse from their workplace, must make the decision to not trust anyone or anything, from outside of the network or from within, to access their network without authorization. Every network access request must be authorized to ensure its legitimacy.
Zero Trust is More than Just a Buzzword
The Zero Trust concept negates the notion of a trusted network inside of a defined corporate perimeter. Instead, it demands development and implementation of granular security policies and mechanisms that empower organizations to manage the access permissions of each individual – user, contractor or partner. Without proper authorization and validation for each individual resource, no individual can access any application, data or system. Under the Zero Trust approach, all devices, networks, and IP addresses are micro-segmented and individual access is restricted to comply with security and user authentication policies. When users, devices, or applications are added to the fold or removed, policies and permissions must be updated and controlled accordingly. Thus, Zero Trust requires ongoing updates, adjustment, and fine-tuning.
This approach is rapidly becoming the gold standard and we are starting to see it being adopted by IT teams aiming to upgrade their organizations’ cybersecurity framework. It is supported by a myriad of micro-segmentation solutions that aim to enable implementation and maintenance of complex and dynamic authorization frameworks.
Zero Trust Organizations Trust No One
The one area that is not covered by the Zero Trust toolkit is, shockingly, the most virulent threat vector of them all. It’s fair to say that your business could not succeed without use of the internet. However, the web, together with malicious email, represents the most prevalent vector through which malware infiltrates organizations. You can micro-segment your network, apps and users until you’ve created any number of networks-of-one, but it will not prevent browser-based malware such as ransomware variants, cross-site scripting attacks, and drive-by downloads from invading and establishing a foothold in your systems.
Those who advocate for Zero Trust solutions recommend whitelisting trusted sites, while rejecting access to all other sites, as the solution to this issue. However, limiting access to trusted sites and denying access to all the others negatively impacts productivity and frustrates employees. Users must request access and then wait for permission to be granted. And IT staff must dedicate time to managing these requests. Even if organizations could accurately whitelist every site that might at some point be necessary for users to access (which is, of course, impossible), there is no guarantee that these whitelisted sites are in fact secure. For businesses to run efficiently, users must be able to effortlessly access the sites that they need. Yet to guarantee absolute impenetrable security, no website should automatically be trusted.
Applying Zero Trust Browsing
Remote Browser Isolation (RBI) enables Zero Trust Browsing — the baseline assumption that while nothing from the web is to be trusted, users must be able to browse a wide and largely unpredictable range of sites. RBI enables organizations to assume that every download, website, and piece of content is suspicious until proven otherwise – without shutting down internet access. With RBI, all browsing activity takes place remotely, on a virtual browser in a disposable container located in the cloud. A clean content stream is sent from the remote virtual browser to the user’s browser of choice on the endpoint for a completely natural browsing experience. When the user is finished browsing, the isolated container and all its content are discarded. No website content ever touches user devices or the networks with which they are associated.
RBI enables Zero Trust browsing, ensuring that no website reaches organizational devices or networks. RBI prevents browser-borne executable code from making its way to user devices and organizational systems so that all threats, known and unknown, can do no harm.
David Canellos, CEO, Ericom Software