The security industry has been talking about the need for new security architectures for years. Are organizations finally listening?

 

The security industry has been writing about the death of the traditional perimeter and the need for organizations to consider new security architectures for a number of years. The story has become a familiar one:

Users and devices are increasingly untethered from the corporate network, and apps and data are living in cloud services. Traditional network-based remote access tools like VPNs have become outmoded in this new cloud-first world — especially when users are not only employees but consultants, contractors, franchisees and other more loosely affiliated workers using devices that IT cannot touch or manage.

There is no doubt that we are going through a fundamental transformation in IT architecture. While the COVID-19 crisis has rapidly forced businesses into a telework mode, this shift has been years in the making. According to Global Workplace Analytics, regular work-at-home has grown 173% since 2005, and will continue to increase as business becomes more global, flexible and decentralized.

“Never trust, always verify”

A new crop of direct-to-cloud secure access solutions is rising to meet this transformation. Termed Zero Trust or SASE (Secure Access Service Edge) architectures, they rethink the traditional distinction between internal and external users and shift the focus from protecting network segments to protecting resources, under a “never trust, always verify” access model.

The ZT/SASE model is based on a few core principles: identifying and authenticating the user and device, looking up application authorization policies, granting least-privilege access rights, delivering data over an encrypted channel and shielding applications from direct internet exposure.

More complete solutions add in-line user behavior analytics and activity logging. Google’s BeyondCorp and Netflix’s LISA are two showcase examples of these concepts in action.

Zero trust, the Silo way

Our approach to ZT/SASE addresses several of these core principles but we designed the Silo Web Isolation platform with one major difference.

When granting access we maintain a zero-trust posture towards the user’s device and browser, which is particularly germane given the increase in unmanaged devices being used to access business applications.

If the sanctity of data is the ultimate objective, clearing the standard ZT/SASE hurdles to authenticate, authorize and access corporate data is necessary but insufficient to fully secure the environment. The risk boundary needs to include data exposure at all tiers: server, network and client.

Critically, IT is exposed and blind as users work from unmanaged devices where the machine’s integrity cannot be verified using endpoint management tools, and network traffic cannot be governed using a VPN.

In a complete ZT/SASE architecture, security and control should be maintained regardless of the accessing device. We designed Silo assuming a user is accessing sensitive data from a compromised device. With this as our center of gravity, our ZT/SASE approach casts a broader net over the end-to-end risks that organizations are facing.

To make this more specific, let’s take a look at how accessing applications through Silo meets and then extends the standard definition of the ZT/SASE architecture.

Using Silo to implement a device and location-independent security architecture

(Diagram: zero trust boundary with Silo web isolation)

Reading the diagram from left to right, let’s consider a user accessing web-based applications (either SaaS or homegrown) from an untrusted location/network and an unmanaged device using the Silo Web Isolation Platform. The following capabilities are applied to achieve secure access:

Device identification and user authentication:
Users must authenticate, either directly to Silo or via federation with the customer’s identity provider (IdP), and multi-factor methods can be required by policy. Silo performs device identification to differentiate trusted from unmanaged machines and adjusts policy accordingly.

Isolated workspace:
When accessing a cloud service through Silo, all content is executed within an isolated environment in the cloud, air-gapped from untrusted devices, browsers and third-party web content that could compromise sensitive data.

Role-based provisioning:
Silo’s configuration flexibility allows narrow aperture access to only administrator-provisioned cloud services within the isolated workspace. Services and authentication credentials are provisioned directly, or via federation with the customer’s IdP.

Segmented access:
Silo eliminates the need for full access to the internal environment and network to deliver corporate applications externally. Unlike a VPN, Silo operates at the app layer and reduces the possibility of accessing internal systems over other ports and protocols.

Application shielding:
First-party services sitting on-premises or within IaaS environments are not directly discoverable or accessible over the public internet. Access is restricted to the Silo platform, which eliminates direct attacks on the server as well as client-based attacks from untrusted browsers.

Policy enforcement:
Silo sits in-line with the data path and can enforce policies to control user actions, including file transfer, clipboard actions, printing and more. These policies can be tied to device identity to flex based on a trusted versus an unmanaged machine.

End-to-end encryption:
Silo delivers all content over an encrypted channel that can be configured to resist man-in-the-middle attempts when users access from hostile networks. What’s more, the traffic between the user and the isolated workspace is flattened to a simple non-web display protocol, so the device never receives the web content itself. Silo’s log data gives IT full visibility without the need to perform TLS break-and-inspect across different traffic types.

Visibility and audit:
Silo captures and logs user actions against sensitive data to provide full audit records for security and compliance. Logs can be encrypted with customer-supplied keys and are retrievable via API to ensure full chain of custody.

As traditional perimeters dissolve and VPNs go the way of the dinosaur, organizations are increasingly considering ZT/SASE architectures to secure direct-to-cloud work. As you make this transition, incorporate workspace isolation into your decision criteria to ensure your security boundary spans the risk of compromised devices accessing your data. Omitting this component undermines your data security goals.

Silo can be deployed in a standalone manner, or it can be integrated with existing IT tools such as directory systems, IdPs, content inspection gateways and SIEM platforms. In my next post, I’ll look at how Silo can be paired with your IdP investment to deliver security through isolation in high-risk access scenarios.

 

About the Author

Ramesh Rajagopal

Ramesh is Co-Founder and President of Authentic8. Before, he was VP Corporate Development at Postini, heading up strategic planning and business development until its acquisition by Google in 2007.

Related Resources

Video

Extending the zero trust framework to unmanaged devices

Forrester Analyst Chase Cunningham and Authentic8's Ramesh Rajagopal offer advice for building a Zero Trust framework in the context of unmanaged devices

Data Sheet

Secure web access

Take control of the web access. Securely enable browsing and email link access through an isolated, cloud-delivered web browsing environment that gives IT centralized visibility and fine-tuned policy control.

blog

Identity gateways ❤️ web isolation: The perfect marriage for Zero Trust access

In my previous post, I discussed the adoption of Zero Trust/SASE architectures to address the new risks associated with a decentralized world where direct-to-cloud access renders perimeter gateways and VPN tools obsolete. Specifically, I discussed the critical need to bolster a ZT access strategy with web isolation capabilities when users, devices, browsers and networks are beyond the reach of IT control. Since then, we published a webinar with Chase Cunningham at Forrester, where we expanded on these topics and highlighted a key customer (US Navy) who has standardized on Silo to enable work-from-home access in rapid response to COVID-19. You can hear the full webinar and Q&A here.

In this post, I’ll be moving on from the “why” to consider “how” web isolation can be combined with an identity & access management gateway or identity provider (IdP) to create a flexible and secure data delivery channel.

Implementing a secure data delivery channel requires an understanding of the security context when applications are accessed, coupled with a method for conditionally invoking isolation based on that context. The context refers to the specifics of the access scenario: who is the user? Where are they located? What device/platform are they using? Is that platform compliant? What app/data is being accessed? More sophisticated context definitions could include the time of day or observed behavioral patterns.

Based on this context, the goal of zero trust/SASE solutions is to apply access control policies conditionally. This is where the combination of an identity provider (IdP) and Silo can significantly expand the range of access controls and data security options that organizations can enforce. IdPs are a logical control point: they are always in-line regardless of device or location, and most modern solutions support context-based access controls.
IdP access controls: reach and limitations

Many identity and access management providers offer a variety of contextual hooks on which to tie access controls. For example:

Location:
IP rules allow the IdP to differentiate between access attempts originating from different places: the corporate network vs. specific regions vs. unknown locations (e.g. the user’s home network).

Device identity:
Certificate and device fingerprinting rules allow the IdP to differentiate between access attempts originating from IT-managed devices and unmanaged (personal) computers.

Device posture:
Either directly or through integration with endpoint agents, IdPs can determine whether devices meet a threshold in terms of software version, security patches and other characteristics.

An example of a composite policy resulting from these controls might say:

Grant access from IT-managed devices that satisfy device posture and are within the corporate network.
Require multi-factor auth if these same devices are accessing from off-network.
Block access from unmanaged devices and non-compliant devices regardless of location.

We can even apply these rules to specific users, groups and applications to add further granularity. But as powerful as these rules are, they remain limited in scope when overlaid on specific real-world access scenarios. Consider organizations with some portion of loosely connected users for whom device identity, posture and location are not applicable control hooks: franchisee networks, contractor-heavy businesses, companies that leverage BPOs, or industries with highly remote/mobile workforces. In these situations, blocking access breaks business workflows, while allowing access can add unacceptable data risks. What’s needed is a finer-edged instrument to carve out these higher-risk access scenarios and enforce a higher-security access method.
Interlace web isolation to achieve greater access flexibility

As discussed in the last post, Silo’s web isolation platform brings holistic security to zero-trust access scenarios through full data isolation, policy control and audit/visibility. Leveraging existing IdP control points, we can quickly stitch together both solutions to come up with a much more flexible access model. Let’s reconsider the composite policy example from above, summarized in this table:

(Table: composite access policy by device identity, posture and location. Source: Authentic8)

Blocking access from unmanaged devices can start to look too restrictive when considering more arm’s-length relationships with partners, suppliers, loosely coupled workforces and even employees working from home. Similarly, for controlled users on managed devices, the device posture restriction might rub up against remote users who aren’t always on VPN to receive real-time distributions of software updates and patches. All of these situations may require granting access for business reasons, but in a way that elevates security and control.

This is where web isolation through Silo can thread the needle. Configuring the identity gateway to include the Silo cloud in its list of trusted networks creates a secure access point regardless of other context details. Once this is in place, the organization is free to block direct access in different situations as needed (for example, from unknown networks, or from unmanaged or out-of-compliance devices) and route those users through Silo instead. This blended configuration seamlessly combines direct access in high-trust scenarios with isolated/controlled access in low-trust scenarios. In these low-trust scenarios, Silo ensures that data is entirely air-gapped from local device and browser vulnerabilities, is governed by policies to prevent data leak and misuse, and is wrapped with logging analytics to oversee and audit user actions against the data.

(Diagram: blended direct and isolated access configuration. Source: Authentic8)

Wrapping Up

Security-aware organizations are embracing ZT/SASE models for a reason.
Diversity in users, devices, locations, apps and data types is no longer exotic, and the traditional access controls in the market are too blunt to meet this reality. Extending your identity gateway with secure delivery through web isolation allows companies to implement a much more dynamic service edge that flexes to fit real-world scenarios.
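The composite IdP policy and the blended, isolation-aware configuration described in the two sections above, written out as a small policy evaluator so the two decision tables can be compared side by side. This is an added example, not Authentic8’s code and not any IdP’s real policy syntax. The network ranges (documentation prefixes), the user names, the hr-portal application and the decision names are constructed for illustration; the rule that requests arriving from the isolation platform’s egress range skip device and posture checks is this example’s model of the “trusted network” configuration in the text. Every decision presupposes that the IdP has already authenticated the user; the evaluator only decides which additional gates apply.

```python
"""Context-based access policy, with and without web isolation in the loop.

Added example, not Authentic8's code. It models the composite IdP policy
from the post and the 'blended' variant in which the isolation platform's
egress range is added to the gateway's trusted networks. All addresses,
users and thresholds are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class Decision(Enum):
    ALLOW = "allow"                      # direct access
    ALLOW_WITH_MFA = "allow_with_mfa"    # direct access after step-up auth
    REDIRECT_TO_ISOLATION = "isolate"    # send the user into the isolated workspace
    BLOCK = "block"


@dataclass(frozen=True)
class AccessContext:
    """The access scenario the IdP sees on a single request."""
    user: str
    source_ip: str
    managed_device: bool      # device certificate / fingerprint matched an IT-managed machine
    posture_compliant: bool   # patch level, OS version etc. meet the threshold
    app: str


@dataclass(frozen=True)
class GatewayConfig:
    """Identity-gateway settings that the policy consults."""
    trusted_nets: Tuple[ipaddress.IPv4Network, ...]
    isolation_nets: Tuple[ipaddress.IPv4Network, ...]  # egress of the isolation platform; empty if not deployed
    low_trust_action: Decision                          # fate of unmanaged / non-compliant devices


# Constructed ranges (RFC 5737 documentation prefixes, not real infrastructure).
CORPORATE_NETS = (ipaddress.ip_network("10.0.0.0/8"),)
ISOLATION_NETS = (ipaddress.ip_network("203.0.113.0/24"),)

# Policy 1: the composite IdP-only policy described in the post.
IDP_ONLY = GatewayConfig(
    trusted_nets=CORPORATE_NETS,
    isolation_nets=(),
    low_trust_action=Decision.BLOCK,
)

# Policy 2: isolation egress added to the trusted networks; low-trust
# requests are redirected into the isolated workspace instead of blocked.
BLENDED = GatewayConfig(
    trusted_nets=CORPORATE_NETS + ISOLATION_NETS,
    isolation_nets=ISOLATION_NETS,
    low_trust_action=Decision.REDIRECT_TO_ISOLATION,
)


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def evaluate(ctx: AccessContext, cfg: GatewayConfig) -> Decision:
    """Return the gateway's decision for one request under one configuration."""
    try:
        src = ipaddress.ip_address(ctx.source_ip)
    except ValueError:
        return Decision.BLOCK  # unparseable source address: fail closed

    if _in_any(src, cfg.isolation_nets):
        # Request comes from the isolated workspace. The user authenticated into
        # the isolation platform (federated to this IdP) and the real endpoint
        # never touches the app, so device and posture rules do not apply here.
        return Decision.ALLOW

    if not (ctx.managed_device and ctx.posture_compliant):
        return cfg.low_trust_action

    if _in_any(src, cfg.trusted_nets):
        return Decision.ALLOW
    return Decision.ALLOW_WITH_MFA  # managed and compliant, but off-network


# Constructed scenarios from the post: employees on and off network, a
# contractor on a personal laptop, and that contractor after redirection into
# isolation (the IdP now sees the isolation platform's egress address).
SAMPLE_REQUESTS = {
    "employee_on_corp_net": AccessContext("alice", "10.20.30.40", True, True, "hr-portal"),
    "employee_at_home": AccessContext("alice", "198.51.100.7", True, True, "hr-portal"),
    "employee_unpatched_at_home": AccessContext("alice", "198.51.100.7", True, False, "hr-portal"),
    "contractor_personal_laptop": AccessContext("bob", "198.51.100.9", False, False, "hr-portal"),
    "contractor_via_isolation": AccessContext("bob", "203.0.113.40", False, False, "hr-portal"),
    "garbage_source_header": AccessContext("mallory", "not-an-ip", True, True, "hr-portal"),
}


def compare(requests=SAMPLE_REQUESTS):
    """Decision under both configurations, keyed by scenario name."""
    return {name: (evaluate(ctx, IDP_ONLY), evaluate(ctx, BLENDED))
            for name, ctx in requests.items()}


if __name__ == "__main__":
    print(f"{'scenario':<30}{'idp_only':<18}blended")
    for name, (a, b) in compare().items():
        print(f"{name:<30}{a.value:<18}{b.value}")
```

Running the module prints one row per scenario; the contractor rows show the difference that matters: under the IdP-only policy the contractor is blocked both on the personal laptop and from inside the isolated workspace (the isolated browser presents no managed-device certificate), while the blended policy redirects the laptop into isolation and then admits the request arriving from the isolation egress range. Two caveats a practitioner would add: the source address must be taken from the connection the gateway actually terminates, never from a client-supplied header (the last scenario exercises the fail-closed path for an unparseable value), and adding an egress range to the trusted-network list makes the isolation platform’s own authentication and tenant separation part of your trust boundary, so that range should be treated as “authenticated and isolated”, not as equivalent to the corporate LAN.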
