Ensuring zero-trust application access for BYOD users with web isolation

Many companies now face greater cybersecurity risks with a remote workforce accessing web and cloud-based business apps on untrusted devices and networks. Here we look at the pitfalls of inflexible SSE solutions, and how cutting-edge web isolation is solving zero trust challenges.

The “new normal” of a remote workforce has introduced new cybersecurity challenges for many companies. Now, more employees, contractors and outsourcing partners may be using a “bring your own device” (BYOD) approach to access work-related online applications. This BYOD access can amplify risk if the organization has little or no control over the devices, networks, and online activity.

Supplying managed devices to all enterprise users is still the preferred standard, but it can be costly, time-consuming and logistically difficult across a widely distributed workforce; also, managed devices may be overkill for teams (like help desks) that only require access to one or two apps. 

To overcome the burden of supplying managed devices to all employees, many companies may allow BYOD access to business applications — which may make life easier for end users, but it can be a nightmare for IT security teams.

BYOD app access can increase the risk of exposure to cyberattacks like malware, ransomware, phishing and threat actors that can compromise users, devices, networks and the enterprise.

Despite an organization’s best efforts, why is there so much BYOD use? And why are many of the common security approaches losing effectiveness? Here we’ll unpack it, and look at how the next generation of web isolation is a game-changer for zero trust application access.

More BYOD, more risk

Today’s remote workers may be accessing corporate web and cloud-based applications and data from anywhere, and any device. It’s already a huge challenge for companies to ensure zero trust security, and control which apps, which data and which tasks are allowed for each user. And it’s gotten tougher with so much BYOD use.

BYOD usage happens for a variety of reasons, both planned and unplanned, and in a variety of use cases:

• Users don’t have managed devices: Enterprises may prefer to avoid the cost and hassle of shipping devices to remote employees and contractors. So even fully vetted workers may be using their own computers — devices that may be unsecured, shared with others and used for non-work online activity.
• Users have managed devices they cannot use: Employees on business travel or vacation may not be allowed to use their corporate device off premise. Or maybe their laptop is broken or being serviced. In these cases, if work-related needs come up, people often turn to the most immediate solution: using their personal laptop.
• Users have managed devices but are using untrusted networks: While not a BYOD situation, it creates similar risks. Remote workers might be using their company laptop to access business applications from their home network, at client companies or over public Wi-Fi at a local coffeeshop or airport.
• Users float between managed and BYOD devices: Often which device people use depends on their context. For instance, they might be on vacation and only have their personal laptop and smartphone with them. If they unexpectedly need to handle work-related tasks, they’ll use those personal devices.

Whatever the reason, the potential for BYOD use means organizations are rarely certain that every remote worker has the right security controls in place for safe access to business applications and data. All too often, companies have little or no visibility and management over the context of where, when and how users are accessing online corporate resources.

Security risks can rapidly get out of hand — particularly if unmanaged devices are tapping into sensitive corporate data. Business applications and critical data may be exposed to potentially “last mile” compromised BYOD devices (from malware or man-in-the-middle eavesdropping, to unsafe browsing by other family members using the device, and so on). 

Common solutions to secure cloud application access — and the pitfalls

To tackle the challenge of enterprise access coming from unmanaged devices and untrusted networks, companies have typically been limited to rigid SSE strategies to control endpoints (though more flexible options are now available). Security policies have often relied on a “block or allow” approach, and technologies to isolate online activity have been cumbersome for users, plus create more work for IT.

Restrictive actions are not the answer. They often hinder productivity and create frustration for users, whether they’re on managed or unmanaged devices. And many BYOD users, especially third parties like contractors and vendors, are skeptical about having an endpoint agent on their personal device.

But companies need to control endpoints somehow, so they use a variety of tactics, most of which have drawbacks. Consider some common examples:

• Block device usage: Users are not allowed to travel with their managed device. That leaves a coverage gap if workers need to access corporate apps and data away from the office.
• All or nothing access for unmanaged devices: IT often has to choose between blocking all app login access for unmanaged devices on untrusted networks (which stalls out users) or allowing all access and taking on the risks, with little or no control and visibility over those devices. 
• Block access from unsecured Wi-Fi hotspots: For example, BYOD users cannot access business applications while using free Wi-Fi in public places or a local Wi-Fi hotspot from another device.
• Force use of virtual desktop: To avoid blocking access, some companies insist that workers use a remote display system to access enterprise data and applications from wherever they are. While it’s less restrictive, it has many downsides. Users need to install and access special software on their device, and IT needs to ensure all of their standard security controls are in place. And as a workspace, a virtual desktop environment can be clunky and disrupt workflow. It requires isolating the whole desktop, which may restrict a range of work-related activities, as well as blocking any personal online use.
• Force use of corporate VPN: Perhaps the most common approach these days is to require remote workers to log into a VPN before they can access enterprise cloud apps using their own device or an untrusted network. VPN protects a user’s internet traffic on unsecured networks like public Wi-Fi. Malware or threat actors trying to invade a user’s application and data access would need to break through a layer of encryption. Like virtual desktop, however, working over a VPN can be a hassle. It requires special software and login, often has latency problems that can slow down work, and sometimes keeps auto-connecting, making it hard for users to exit back to their local network environment.

From an SSE perspective, a key concern with VPN is that users may have too much access, as opposed to just the resources they need for their work. Over VPN, users can potentially browse anywhere and access anything, and the organization has no control over it — and that still invites risk.

The net effect is that existing solutions simply do not meet the new demands of many cloud-centric organizations. With increasing pressure to ensure zero trust application access, enterprises are seeking out the latest innovations in web isolation.

Why cloud-based web isolation is the zero trust solution

Next-generation, cloud-based web isolation is changing the game in app access. Now, companies can seize granular control over who and what gets isolated — and when — while empowering end users to seamlessly continue working as usual. It’s the ideal combination of iron-clad security and flexibility.

With a web isolation solution, like Zero Trust Application, companies can lock down access to critical web and cloud-based applications — without restricting workflows. Using any managed or unmanaged device, any browser, and any network (trusted or not), workers can access the important applications and data they need, just as if they were in the office. In the background, isolation technology segregates their activity in the cloud, so devices, networks and the enterprise cannot be identified or touched by any outside threats. On the flipside, if any devices or connections were already compromised without the user knowing, conducting their work in web isolation shields cloud apps and data from exposure to “last mile” cyberattacks.

Perhaps best of all is the simplicity built into a complex technology. Cloud-based web isolation can be deployed quickly, controlled precisely and deliver a seamless and transparent experience to an enterprise workforce. Users don’t need to change a thing about their normal workflow. There’s no need to download and install client software or endpoint agents on their device; launch a separate secure solution (like VPN or virtual desktop); or worry about inadvertently clicking a phishing link. Full, secure and anonymous protection for their online activity is invoked automatically via a web isolation API.
 
Companies can take it a step further, with precise controls for context-specific access. For example, an organization can control who and how sensitive data can be accessed and used, with security policies for isolation that apply to the user regardless of their device, network or location. And data loss prevention policies can vary between corporate applications, user groups and device posture.

Ensuring secure application access for BYOD users with Silo

With Zero Trust Application Access, enterprises can maintain reliable, zero trust control while enabling any corporate user, on any device, from any location frictionless access to the web/cloud applications and data they need for their work. 

Silo’s cloud-isolated environment for web browsing and application access helps eliminate the guesswork and risk of dealing with unmanaged devices and untrusted networks. Learn how the Silo Web Isolation Platform delivers zero trust security with speed, simplicity and scalability. 

See Silo in action: Request a demo