Gartner Research recently released its “Magic Quadrant for Cloud Access Security Brokers” report. Like all Gartner Magic Quadrant reports, it assesses vendors based on the completeness of their vision and their ability to execute.
As intermediaries between users and cloud service providers, Cloud Access Security Brokers (CASBs) enable enterprises to extend their security protocols to cloud-based applications and allow companies to create cloud-specific policies. CASBs are primarily implemented as a cloud service, but some offer an option to deploy as on-premises software.
RBI as a Part of CASB
In this post, we’ll focus on Gartner’s view of Remote Browser Isolation (RBI) as a technology that is complementary to CASB and which, in some cases, enables CASBs to be more effective in their primary mission – keeping use of cloud applications safe and secure.
In the report, Gartner notes that Ericom Shield Remote Browser Isolation is integrated with both Forcepoint’s and Netskope’s CASB solutions. With RBI, web and cloud application traffic is run in a disposable cloud-based isolated container. Only safe rendering information is sent to a user, so if any malware is present on the pages or apps accessed by a user’s local browser, it is blocked from getting onto the user’s device. We call this approach “Protect vs. Detect”.
In this case, RBI serves as an “airgap” between the user and the website or cloud application. While RBI is most often used to isolate endpoints from potentially malicious content from websites, there are two other use cases that Gartner highlights. The first is the role the technology can play in isolating web and cloud apps from malicious content that might be streamed from user devices (whether a hacker’s device or a compromised corporate endpoint). The other is how RBI can help CASB vendors enforce cloud security policies in a particularly challenging area – employees accessing cloud applications like Salesforce or ServiceNow using BYOD or unmanaged devices.
Let’s take a quick look at each of these:
- Preventing Malware/Ransomware Attacks and Securing Data: RBI complements CASB security controls by enhancing threat prevention for organizations and users, keeping all web-based malware off endpoints and networks. It also keeps sensitive data out of browser caches on user devices, so if an unmanaged device is compromised or stolen, outsiders will not be able to view sensitive information.
- Enforcing CASB Controls on Unmanaged Devices: One of the primary challenges that CASB addresses is securing cloud application access for users regardless of where they are located. As a cloud-deployed service, CASB can support secure access wherever users are. With the widespread transition to remote work during the pandemic, one thing has become very clear – the use of personal and unmanaged devices is on the rise. CASBs have historically attempted to support the unmanaged device use case using a technology known as a “Reverse Proxy”. Those who have worked with reverse proxies are aware of their well-earned reputation for being brittle (e.g. SaaS providers occasionally have to update their URLs for technical reasons, and when that happens the rewritten reverse proxy link that allows unmanaged devices to be controlled can break). In addition, they can support only a few dozen cloud applications – nowhere near the thousands of cloud apps that sell into enterprises. RBI provides a better approach to enforce CASB policies on unmanaged devices. No URL rewriting, no limited cloud app support, just a great user experience and an IT team that no longer has to worry about unmanaged device security for their sanctioned cloud applications.
- Protecting Web and Cloud Applications from Attacks: For private cloud and web apps that your organization offers, routing access via RBI effectively hides the front-end web code and any exposed public APIs from the view of hackers (or any corporate device that may have been previously compromised). This technique, known as Web Application Isolation, greatly reduces an application’s web-exposed attack surface: If an attacker opens the page source tool for the front end of an application in Google Chrome, for example, they will see none of the page’s source code. They cannot explore it for vulnerabilities or unpatched issues, because web application isolation renders the page in an isolated container and sends only safe rendering information to the local browser. The page is rendered perfectly, but a hacker cannot see any information that would be useful for reconnaissance.
The Future of Network and Cloud Security
The Magic Quadrant also highlights that CASB is an important part of a larger security construct called the Secure Access Service Edge (SASE). And while CASB is an important security control, it needs to be surrounded by a broader integrated stack or platform, with capabilities such as Secure Web Gateways (SWGs), Remote Browser Isolation (RBI), Firewall as a Service (FWaaS), Zero Trust Network Access (ZTNA), and more.
SASE is positioned as the future of securing all corporate resources, regardless of where they are located. SASE takes as a starting point that most organizations are increasingly operating in a complex environment where users may be physically located on the company’s premises or in remote locations, and computing resources may be hosted on a company’s own servers or in public or private clouds. SASE provides a unified approach to securing access to resources regardless of where they or the users are located.
The Ericom Global Cloud provides services that are key parts of many organizations’ SASE architectures. The high-availability multitenant global cloud service is built using the latest cloud technologies, and hosts Ericom’s security services, including the Ericom Shield Remote Browser Isolation service, and the Ericom Connect Service, our remote application and desktop access service. Hosted on tier-1 IaaS providers around the world, the Ericom Global Cloud supports our customers’ anywhere-anytime-any-device access as they push forward with ambitious digital transformation initiatives.