Web isolation has been playing a key role in cybersecurity for more than a decade. We look at its many use cases along the way and the bleeding edge in SSE.
The “age of zero trust” for online activity is changing how companies approach cybersecurity. Enterprises are intensifying efforts for security service edge (SSE), as up to 82% of their workloads are now cloud-based, as well as 60% of their data. To keep ahead of rapidly evolving cyber threats, companies are continually looking for new ways to isolate web-based activity with zero trust access.
The latest innovations use cloud-based web isolation, which provides the most secure protection for devices, networks, web applications, and the enterprise at large against outside attacks. But many earlier solutions are still in use, and that means many organizations may be open to considerable risk.
Here we’ll take a look at isolation strategies used over the past decade and how their limitations have forced innovation toward a more flexible, yet comprehensive solution for SSE.
The evolution of web isolation
The purpose of isolation is to shield online activity from phishing, malware, ransomware and other web-based attacks. But that used to mean just web browsing. Now, as workloads have shifted heavily toward web and cloud applications, organizations need more precision and control over exactly what content and activity should be isolated.
Let’s consider how isolation has been evolving:
- Virtual desktop: A decade ago, strategies focused on isolating the whole desktop for remote browsing. But it required a complex system for both IT and end users, and the user experience was cumbersome and disrupted normal workflows.
- Web browsing isolation: In recent years, technology has matured to isolate just the browsing activity. Instead of using default software like Chrome or Safari, standalone “enterprise browsers” can be installed on a local device. These solutions often isolate the enterprise browser from other applications on the device, but still render web code locally. As a result, there’s still a risk of infection of a user’s device, loss of critical data and compromise of connected networks.
- Partial (cloud) isolation: This method involves cloud-based isolation, using the local browser to proxy all network traffic through an "isolation core." The system requests the web content (such as a website), modifies it to remove the risky parts, then sends that content back to the local endpoint (user’s browser). The biggest drawbacks are that it can miss zero-day issues or unknowns. And the user experience can get disrupted because sometimes the isolation core modifies web code to a point where the website no longer displays or functions correctly.
- Cloud-based web isolation: For more reliable and flexible SASE / SSE, companies can now precisely isolate all online activity and/or specific elements (e.g., email links, websites, and web- and cloud-based applications) into a secure, cloud-based sandbox environment. It removes access limitations while eliminating the time and effort to assess what is trusted or not.
With cloud-based web isolation, no web code renders on the local device or touches the network. So all email can be protected against phishing, and the enterprise can ensure zero trust access to cloud-based applications, with greater control over what users can do with data within the apps.
Why the shift toward cloud isolation for SSE?
Zero trust has become the hot thing in the last 2-3 years. The need for more secure and precise isolation has accelerated for a variety of reasons:
- Rise of remote work: The pandemic-driven shift to remote work is now standard for many companies. More users on unmanaged and untrusted devices and networks introduce more risk, and companies have less control over browsing activities and web-application access.
- Expanded reliance on third parties: To capture cost-savings or leverage outside expertise, many companies are turning to outsourcing and contractors. But again, that means potentially more risk with little control over devices, networks, and online activity.
- Threat surface has expanded: Vulnerability has evolved well beyond user devices, browsers and networks. Cyberattacks increasingly focus on web/cloud applications and business collaboration sites, and on the valuable data stored within apps.
- Demand for cloud-first: Organizations want to shift away from installed point solutions (e.g., firewalls, SD-WAN) to cloud-first, remote-first security. Yet as they broaden access to more endpoints, they often have less control over the related online activity.
- Impact on productivity: Previous isolation solutions forced users into a cumbersome virtual environment, which required software installs or explicit user actions. If users did not comply, it introduced risks. And if they did, having to learn and adapt to alternative workspaces often slowed down workflows.
No single SSE solution has solved all the challenges — until now. Cloud-native web isolation is the new answer to zero trust access. It covers a broad scope of use cases from web browsing and accessing web/cloud-based applications and data, to safeguarding all email from phishing.
Cloud-first web isolation also removes critical pain points for IT and end users. An enterprise can easily deploy a secure layer over any managed or unmanaged devices, anywhere they are (with no software download required). And users can continue to work in the same familiar browser and app environments, with no need to change behaviors or take special security actions.
Organizations no longer need to restrict online access or behaviors, because there’s no longer risk if a user or device inadvertently attracts malware or zero-day exploits.
How web isolation use cases are evolving
The latest innovations in cloud-based web isolation are empowering organizations with greater flexibility and precise control. For example, an enterprise can…
- Cover more scenarios: They can isolate virtual desktop activity, email, web browsing (business and personal), and cloud app access, as well as remote workers and vendors on unmanaged devices (eliminating risk and cost of shipping devices to third parties, or requesting they download software).
- Eliminate phishing risk: IT no longer needs to assess whether email links are known or unknown, or strip out all links as a precaution. With cloud isolation, they can consider any link risky and isolate it, without blocking access. Or they can use isolation to augment block/allow lists. Beyond what is known to be bad and known to be safe, any other links can be isolated to eliminate the uncertainty and risk.
Email links can be isolated across all email clients (desktop Outlook, Office365, Gmail, etc.). And the best part is that for users, it still looks like their normal environment with no need to change behaviors. But what they’re seeing is actually a rendering that’s happening in a cloud-isolated sandbox.
- Isolate based on user context: Organizations can enforce security policies with more granular control, such as triggering the isolated environment based on the context of the user requesting access, their device and network. They can also implement data leak protection policies for certain interactions (e.g., upload/download, copy/paste, print) to extend zero-trust capabilities to data at rest.
- Protect against unusual activity from trusted users: Suppose the system detects atypical behavior or unusual contexts like an employee login at 3am. It can isolate that activity without blocking access, to avoid disrupting the user experience in case the activity is legitimate.
- Isolate parts of a SaaS experience: Cloud-first isolation can be baked into web/cloud-based applications that are delivered to B2B and B2C users. As an example, financial institutions can isolate login activity for online banking. Submitting username and password on the surface of the application is a risky scenario, so banks can isolate that part of the app. That access point is then rendered in the cloud, not on the user’s local machine.
Ensuring zero-trust security with Silo
With the Silo Web Isolation Platform, enterprises can maintain reliable zero-trust control while enabling any user, on any device, anywhere in the world access to the sites, apps and data they need for their work. Silo’s cloud-based, 100-percent isolated environment for web browsing and application access shields organizations from the unmanaged, untrusted and unknown.