Can An Enterprise Access Browser Be Used To Secure Remote Access

Eliminate the ability to access resources and you eliminate all threats. In a digitally transformed world eliminating access also means eliminating the ability to conduct business. How about requiring everyone to access resources in a closed environment? The access often originates at  untrusted networks and devices that might not be managed by the organization.  

Digitally connected supply chains and remote employees require access to resources from everywhere. A closed system is not an option either. Strike two. Because providing access is critical and the notion of a traditional “closed” environment is obsolete we must control and secure access. 

 A few months ago, the keynote at BlackHat was titled – Where Do We Go from Here?  Interestingly that is a conversation that I constantly have with our customers, prospects and partners. The goal: figure out what they will do next, what they prioritize and the area of focus for secure access. 

Let’s start with the dynamics that are guiding their journey and priorities. 

1. The pandemic changed everything forever and yet nothing has changed

There is growing adoption of work from everywhere, applications are moving to the cloud plus SaaS, and we are becoming increasingly digital. A bigger shift is the drive to remove friction in every interaction between the user and the target. Organizations want to make sure that the user experience for their workforce, ecosystem of partners and customers is easy and seamless. They sometimes compromise security to achieve this goal. 

 To be clear, the technology shifts were happening before the pandemic. It is the permanent shift that the pandemic catalyzed. A shift in the way people work and access resources has made user adoption and ease of use front and center.  

The pandemic required that users, tech savvy or not, learn how to navigate the digital universe and do it every day. Whether it required figuring out the location of the mute button or learning how to deploy a cloud service overnight. The learning curve might have been steep, but it was navigated. 

 What was not navigated as effectively was considering security risks of enabling remote work and securing access. The application of prevailing network-centric and office-centric solutions to the changed cloud and remote-first world creates security gaps. The key among them being visibility into every interaction between the user and resources. Limited visibility results in limited control hampering the ability to restrict access only to what is needed (applications and data). 

 What has not changed is security being seen as at odds with user experience. What has remained constant: the use of network-centric solutions, built for an in person, in office, and server centric world. We would all agree that for a remote-first, cloud-centric world, where majority of access goes through a browser, security must address access security at the source – the browser. 

2. Threats exploit complexity and risk management approaches of existing solutions. Making the case for the browser.

 Destruction, disruption, and economic gain continue to be motivations for threat actors. Threat actors are constantly exploiting vulnerabilities and need to find only one to be successful. It is both amazing and shocking that vulnerabilities seem obvious (in retrospect). From shared accounts and systems that have not been decommissioned.  

According to Osterman Research, 60% of respondents were infected with malware through a browser and 30% suffered data loss through browsers. 

 While that trend continues, the cloud access service broker (CASB) market has grown at about a 16% CAGR. The secure web gateway market has grown at about 20% CAGR. ZTNA adoption has grown at 15% CAGR. VPN adoption was strong and continues to remain robust. VDI solutions accounted for about $12B in security spending. 

 The wide array of solutions requires sophisticated deployments and are complex to manage. Further, security teams that implement these solutions must develop the skillset and organizations to manage these solutions effectively. Of course, the incredible growth in adoption of the solutions indicates that they provide a certain level of security.  

But the sophistication and veracity of the threats continues to grow. The only logical explanation for both the statements being true is that the solutions are effective for a narrow use case and leave security gaps. And since the malicious activity seems to exploit the browser, it makes sense to secure access at the browser – the source.   

3. Security starts at visibility.  But what do you need to see?

 At Blackhat, Chris Krebs talked about “data exhaust”. Yes, every interaction (including physical interactions) generates streams of data. Since data is the new currency, protecting this data has to be the ultimate goal for most organizations. And as Chris Krebs describes it – this data is everywhere. If the data needs to be protected – it must be protected where it resides.  

Protecting data though requires understanding the who, what and where. This context required to protect the data includes who – the identity of the user trying to access the data. It requires – what – the actual data being accessed. It also requires the where – where is the data located and where is the access request coming from. The visibility into complete context gives organizations the ability to control how the data gets accessed.  

For example, Savannah’s access to payroll data, while on a managed network and trusted device might be allowed. Access to the data, if the access request is from Venezuela might need to be restricted. Putting the controls in place to restrict access requires visibility into context. In addition, certain compliance mandates require access to critical resources be controlled by using this rich context. 

 The rich context about access is also a critical part of compliance audits and reporting. Detailed reporting about who is allowed access to sensitive resources, when access occurred, and resources accessed are critical parts of compliance reporting.  The rich context is also needed by analytics tools and SIEMs for incident response and root cause analysis. 

 The challenge is that prevailing tools do not provide the visibility described above. And without that granular visibility they fail to provide the fine-grained control into access to applications and data. 

Where Do We Go From Here? 

 Access controls have been applied at different layers with different tools. The best way to close security gaps, reduce risk and complexity is to move enforcement to the source. In a cloud-first and remote-first world that “source” is the browser. It is no longer just a question - can an enterprise access browser be used to secure remote access. It’s the only way to secure access. 

 The question is will the browser be built to make the transition and what core capabilities will it provide? The solution that enables such control must provide the following benefits 

1. Remove friction from adoption The solution must remove friction in deployment and minimize impact on the users’ experience. The enterprise browser should not force the user to relearn the application or impact application behavior.
2. Provide visibility into who, what and when. It must deliver the visibility needed (as described above) for every platform, application and type of user and device.
3. Ensure secure access that is agnostic to the device: if the control and security is moved to the browser, it must provide the same level of protection whether the device is managed by the organization, is unmanaged or part of the bring your own device (BYOD) flexibility organizations provide.
4. Protect data and identity. The granular context must be used to only allow authorized users access only to data they need – or enforcing principles of least privileged access.
5. Prevent the spread of malware and zero-day attacks. Since most malware originates or propagates through the browser, the browser must isolate the rest of the infrastructure from the malware. This might not sanitize the device, but it will prevent the lateral movement of malware and limit risk.  
6. Enforce Zero-trust least privileged access: if organizations can get the detailed visibility described above they can use granular controls to enforce policies that ensure that access is granted only to users that need access and only to resources absolutely needed. These are the core tenants of zero-trust – never trust always verify. And an outcome of that approach is the ability to protect data and prevent the spread of malware.

 To answer the question – where you go from here – is the path forward goes through the browser. The question can an enterprise access browser be used to secure remote access – has a simple answer, yes! You can read more about the Appaegis approach to securing remote access with an enterprise access browser.