Zero Trust Network Access (ZTNA)

Why No SSE/SASE Architecture is Complete Without Isolation

By 2009, the US Federal government had grown sufficiently concerned about nefarious actors breaching the desktops of researchers working on nuclear projects, via their browsers, to take action. To distance vulnerable browsers from classified data, they shifted browsing to a different server, then used virtualization to stream images of websites to users’ desktops — creating a first, primitive version of Remote Browser Isolation (RBI).

Fast forward a decade and a half, and today RBI is a technologically advanced, cloud-based solution that is a core capability of modern Secure Access Service Edge (SASE) platforms.

Gartner estimates that 80% of enterprises will have adopted cloud-based SASE/SSE (Security Services Edge) by 2025. For those organizations, the cloud-based isolation technology that powers RBI can do much more than eliminate web-delivered threats by preventing browser attack surfaces from being exposed to the web. In this blog post, we break down the components that make up SASE/SSE and describe why, in addition to RBI being an essential capability, isolation is a valuable addition to capabilities across the full SASE security framework.

How Isolation Powers Zero Trust Access

The SASE/SSE concept replaces perimeter-based access with cloud-native security and access services that operate on Zero Trust principles of “least privilege access,” “never trust, always verify” and “assume breach.”

For secure browsing, RBI operationalizes these principles by assuming that, since no website content can be verified as safe, it cannot be trusted and should therefore be kept away from vulnerable endpoints. Browsing is isolated in cloud-based containers and only safe rendering data is streamed to device browsers. Users interact with websites as usual, via their regular browsers, and the user experience is indistinguishable from standard browsing.

Within the cloud-based container, granular policies can be applied to limit which sites users may visit as well as what browser-enabled actions they can take for each site. For instance, suspicious sites are opened in read-only mode to safeguard users from credential theft, and browser clipboard and printing functions may be disabled for certain sites.

The web isolation technology that underlies RBI, however, offers functionality that extends well beyond secure browsing. Web Application Isolation (WAI) can be used to protect corporate web apps, SaaS applications and private apps from unauthorized access, as well as to protect the sensitive data these apps contain. Isolating applications cloaks their attack surfaces from threat actors seeking vulnerabilities to exploit and protects apps from malware that may be present on unmanaged devices used by authorized users. WAI also enables policy-based access and usage controls to prevent data exposure and lateral movement, and to reduce compliance risk.
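To make the policy model described above concrete, here is an added example (not Ericom's or ZTEdge's code) of a deny-by-default evaluator that maps a site category and the device's posture to the controls applied inside the isolation container, covering both the per-site browsing policies and the WAI unmanaged-device case. The category names, the Request and Policy types and the rule set are illustrative assumptions, not a vendor's actual policy schema.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    BLOCK = "block"          # never reaches the isolation container
    READ_ONLY = "read-only"  # rendered remotely, page cannot accept input
    ISOLATED = "isolated"    # rendered remotely, interaction allowed


@dataclass(frozen=True)
class Request:
    host: str
    category: str         # from a hypothetical URL-categorization feed
    managed_device: bool  # device posture reported by the access broker


@dataclass(frozen=True)
class Policy:
    mode: Mode
    clipboard: bool = False  # copy from the rendered page to the endpoint
    printing: bool = False
    downloads: bool = False  # files leaving the container toward the endpoint
    uploads: bool = False    # files entering the container from the endpoint


def decide(req: Request) -> Policy:
    """Deny by default; every allowed site is still rendered in the container."""
    if req.category == "suspicious":
        # Page stays visible but cannot accept typed credentials.
        return Policy(Mode.READ_ONLY)
    if req.category == "uncategorized":
        # Unknown or newly registered site: interactive, nothing leaves the container.
        return Policy(Mode.ISOLATED)
    if req.category == "corporate-app":
        # WAI: user is authorized, but device posture decides what crosses
        # the container boundary; unmanaged devices view and interact only.
        full = req.managed_device
        return Policy(Mode.ISOLATED, clipboard=full, printing=full,
                      downloads=full, uploads=full)
    if req.category == "known-good":
        return Policy(Mode.ISOLATED, clipboard=True,
                      printing=req.managed_device, downloads=req.managed_device)
    return Policy(Mode.BLOCK)  # "blocked" and any category not listed above
```

Note that no branch ever returns a policy in which web content is rendered on the endpoint itself; the decision only governs what may cross the container boundary.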

How Isolation Enhances SSE and SASE

Let’s dig in a bit to explore how web isolation strengthens the secure services that are essential elements of SSE:

  • SWG (Secure Web Gateway) – SWGs enforce access policies and include malware prevention tools, but are powerless against zero-day malware and newly spun-up phishing sites. By keeping all web content off endpoints, RBI strengthens SWG protection.
  • CASB (Cloud Access Security Broker) – WAI enhances CASB performance by providing highly granular control of user activity, even for virtual meeting solutions like Zoom and collaboration platforms such as O365. Cloud-based WAI eliminates the need for brittle reverse proxies, enabling clientless secure access from unmanaged devices and protecting sensitive data from loss, without the myriad false positives associated with WAFs.
  • ZTNA (Zero Trust Network Access) – ZTNA enables remote users to securely access corporate networks, while limiting each user’s access to only the resources they need for their work. WAI simplifies and secures that access, even from unmanaged devices, enabling granular policy-based control of interactions with internal resources.
  • CDR (Content Disarm and Reconstruct) – Applying CDR within isolated cloud-based containers protects endpoints and networks from new types of malware. RBI enables CDR to identify malicious content within end-to-end encrypted traffic, such as documents sent via instant messengers like WhatsApp, as well as enabling DLP to ensure that no PII or other confidential data is exposed.

Isolation that’s Built In, Not Tacked On

As Gartner noted, use of remote browser isolation has become so widespread that it is now considered a core SASE capability. But as they also note, the RBI provided by most SASE platforms is a recently integrated, non-native solution that, in many cases, is less than optimal.

More importantly, the isolation capabilities most solutions provide are limited to secure browsing and further restricted by their inability to secure online meetings and detect malware in encrypted messaging apps such as WhatsApp Web. They do not leverage isolation, as ZTEdge does, to protect web and cloud applications from malware on unmanaged devices, or to prevent over-privileged access from unmanaged third-party devices or users’ BYOD.

To learn more about how tight integration of isolation across SSE platforms can reduce the security burden on users while enabling simple, secure access, download our Not Just for Safe Browsing: How Isolation Strengthens All SSE Functions white paper today.

Tova Osofsky

Content Marketing | Ericom Software
Tova Osofsky, Content Marketing, has focused on strategic marketing for cybersecurity and software companies for over 25 years. As a content specialist with background in programming as well as consumer product marketing, she relishes working at the intersection of technology, behavioral economics and creative writing.