Zero Trust Network Access (ZTNA)

Reducing Compliance Risk with WAI

The move to cloud infrastructure and the growing use of SaaS applications have accelerated business agility and product scalability. During Covid-19 closures, the cloud was one of the most important enablers of remote work, a function that has continued with the ongoing trend toward working from home. The “from-anywhere” accessibility of cloud infrastructure and SaaS applications, however, also exposes organizations to security risks, if proper controls are not put in place. Given the public-facing nature of the cloud, threat actors now have a much larger attack surface to exploit.

In regulated industries, like healthcare and financial services, the stakes are even higher. The need to protect highly sensitive data, along with additional regulatory requirements, might impede digital transformation initiatives in these organizations. However, these industries also need to incorporate agility into their standard practices to meet the evolving needs of their customers and users.

This is where advanced security technologies, built with the protections required for regulatory compliance, come in.

Web Application Isolation (WAI)

WAI (Web Application Isolation) is a clientless cloud access security broker (CASB) and Zero Trust Network Access (ZTNA) solution for distributed organizations that leverages reverse remote browser isolation to restrict access to SaaS, web-based and on-premises applications – in effect, a far more effective, next-generation web application firewall (WAF).

Within the ZTEdge global cloud infrastructure, WAI applies policy-based controls that secure apps from malware, prevent illicit and over-privileged access, and protect sensitive data from exposure. For authorized users, WAI provides an excellent, very low latency clientless user experience.

How do these capabilities and protections play out in the organization’s day-to-day? In this blog post we discuss three common security use cases that impact compliance and how WAI addresses each one:

  1. Controlling user access to apps
  2. Governing user activity within apps
  3. Protecting corporate SaaS and web apps from attack

Use Case #1: Controlling User Access to SaaS Apps

SaaS applications are designed to be accessible from anywhere, at any time. This is a huge business advantage, enabling remote work, business flexibility and cross-geography collaboration.

However, it also means that an attacker who has obtained a user’s credentials could access the SaaS app and gain access to customer data, internal business processes and mission-critical workloads. This could easily result in a data breach, ransomware attack or even a full-out operational outage – as well as costly regulatory violations and loss of customer trust.

The Solution: Restricting App Access via the WAI Cloud

WAI allows organizations to enable access to SaaS apps and web applications only for users logging in from a specific IP address. Normally, that would mean that users could only use the app from the enterprise network – that is, when they are on site, working from the office. WAI, however, provides each organization with unique, permanent IP addresses on the ZTEdge Global Cloud.

Restricting users to accessing SaaS via WAI accomplishes a number of goals. First, it protects sensitive corporate data by preventing cybercriminals from logging in using stolen credentials, even in cases where a hacker bypasses MFA (as accomplished, for instance, by the adversary-in-the-middle phishing campaigns described in a recent Microsoft report).

In addition, if an employee or third-party contractor (one who has been granted app access) is using an unmanaged device, WAI cloud-based protections isolate the app, so malware that might be present on the user’s device cannot get in and encrypt, corrupt, delete or exfiltrate data. To learn more about how WAI supports regulatory compliance for organizations whose third-party and internal users work on unmanaged devices, see our article on “Data Security Compliance in the Age of Work from Anywhere, on Any Device.”

WAI also prevents data, reports and other app content from being cached in the device browser. Even if the device is lost, stolen or hacked, no data from a recently accessed application can be exposed.

Use Case #2: Controlling User Privileges within Apps

“Least privilege access” is a key Zero Trust security concept. Put into practice, it affords each authorized user or app only the minimal level of access to the resources, systems and applications required to enable them to accomplish the tasks required for their jobs. This reduces the blast radius of a breach via stolen or brute-forced credentials as well as limiting insider attacks or accidental disclosure.

But least privilege access means more than just limiting which applications a user can access. It also means restricting the actions an authorized user can take within each application. This includes determining which permissions are necessary, setting and enforcing policies, and monitoring and auditing the actual actions a user takes.

For example, in one major data breach, an attacker executed a server-side request forgery (SSRF) attack on a misconfigured element of a financial services organization’s security stack. This afforded them over-privileged access to a cloud server, which they exploited by downloading sensitive data, in violation of regulatory restrictions. Strict limitations on user privileges, proper configuration and close monitoring of user activity could have all vastly reduced the scope and impact of this attack.

The Solution: WAI Access Control

WAI makes it easy to specify and enforce granular per-user or role-based policies to control in-app activity according to regulatory restrictions. For instance, a user may be permitted to view, but not edit or print, Salesforce data or be permitted to upload files only to one specific Office365 library.

To safeguard against excessive user privilege, WAI combines CASB controls with remote browser isolation (RBI), enabling policy-based control of browser functions such as printing, copy and paste, downloading data, and more. An automated policy builder simplifies policy creation and updating. Monitoring and reporting capabilities enable internal and compliance audit reporting.
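To make the least-privilege idea concrete, here is an added example (not WAI’s own policy format or code) of a deny-by-default, role-based in-app policy evaluator that also produces an audit record per request. The role names, app names, actions and resource paths are constructed for illustration; the policies mirror the two cases above: view-only Salesforce access and uploads permitted to a single Office365 library.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One permitted (app, action, resource) combination for a role."""
    app: str
    action: str
    resource: str = "*"   # "*" matches any resource within the app

# Constructed role policies (assumed format, not WAI's). Anything that is
# not explicitly listed is denied, which is least privilege by default.
ROLE_POLICIES = {
    "analyst": (
        Rule("salesforce", "view"),                                  # view, never edit or print
        Rule("office365", "view"),
        Rule("office365", "upload", "sites/finance/shared-reports"), # one library only
    ),
}

def is_allowed(role: str, app: str, action: str, resource: str) -> bool:
    """Return True only if some rule for the role matches app, action and resource."""
    for rule in ROLE_POLICIES.get(role, ()):
        if rule.app == app and rule.action == action and rule.resource in ("*", resource):
            return True
    return False

def evaluate(requests):
    """Evaluate (user, role, app, action, resource) tuples; return audit lines.

    Every request is logged with its decision so that in-app activity can be
    reviewed later, as the monitoring and audit requirement above demands.
    """
    audit = []
    for user, role, app, action, resource in requests:
        decision = "ALLOW" if is_allowed(role, app, action, resource) else "DENY"
        audit.append(f"user={user} role={role} app={app} action={action} "
                     f"resource={resource} decision={decision}")
    return audit

if __name__ == "__main__":
    # Constructed sample requests: one legitimate view, then attempts to go beyond it.
    sample = [
        ("alice", "analyst", "salesforce", "view", "accounts/q3-pipeline"),
        ("alice", "analyst", "salesforce", "print", "accounts/q3-pipeline"),
        ("alice", "analyst", "office365", "upload", "sites/finance/shared-reports"),
        ("alice", "analyst", "office365", "upload", "sites/hr/personnel-files"),
    ]
    print("\n".join(evaluate(sample)))
```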

Use Case #3: Cloaking Web App Code from Attackers

Despite best efforts, misconfigurations and other vulnerabilities inevitably creep into application development and updating processes. Organizations count on WAFs to protect their apps from threats, but in recent studies, WAFs stopped less than 50% of application layer attacks, while issuing overwhelming numbers of false positive alerts. As a result, many organizations set their WAFs to alert-only mode, leaving apps exposed to vulnerability scanning, unauthorized access and attacks.

The Solution: Protecting Web Apps from OWASP Top 10 Risks

WAI leverages reverse remote browser isolation to render web apps in isolated containers in the ZTEdge Global Cloud. Only safe rendering data is sent to the user device, using minimal, standard ZTEdge-generated HTML code. All original app code, including information about internal servers, open ports, web app URLs, APIs and app services, is resolved by a virtual browser located in the cloud-based container. Website details that are generally visible with scanning and reconnaissance tools are hidden from view of threat actors seeking to locate vulnerabilities to exploit or ports through which they can gain illicit, non-compliant access to corporate systems.

WAI’s isolation-based approach of air-gapping applications from the risks of malicious actors, unmanaged devices and other internet-related threats is indisputably superior to the traditional “hopefully detect then try to defend” WAF approach. For more information about how WAI can secure your applications, from the threats deemed most prevalent – and dangerous – by OWASP, the globally recognized framework for web application security, see WAI and the OWASP Top 10.

Next Steps

WAI empowers organizations to safeguard, control and govern their applications, systems and data, per common regulatory standards, without burdening users with onerous access restrictions. Routing access via the ZTEdge Global Cloud enables even users on unmanaged devices to work from anywhere, without exposing corporate applications or data to threats, and without exposing the organization to compliance risk.

To learn more about WAI and see it in action, request a demo.

Nick Kael

CTO | Ericom
A cybersecurity expert with over 20 years of experience in web technologies, architecture, infrastructure, networking and dev environments, Nick is responsible for solution management, technology strategy and technology partnerships. Nick was previously Symantec Group CTO for Global Service Providers, following his tenure as Director of the Chief Architect Team for Channel and Service Providers at Zscaler and an earlier position in the Symantec CTO organization. His certifications include CEH7, CCSK, BCCPP, Bluecoat Blue Knight, MCSE + Security, CCDP, CCNA, CCSA, VTP5 and VTSP5.