“Extending the Zero Trust Framework to Unmanaged Devices” was the topic of a recent webinar discussion between Chase Cunningham, VP and Principal Analyst with Forrester Research, and Ramesh Rajagopal, Co-Founder and President of Authentic8.
According to Chase Cunningham, the change brought about by the COVID-19 pandemic is obvious. “There's no arguing anymore about BYOD and unmanaged devices being the future of work.”
The challenge now, the presenter pointed out, would be “to figure out what these things are doing on our network and how they're bouncing around, and what avenues of compromise are introduced there.” The webinar is now available on demand.
How does the Zero Trust approach to cybersecurity address these threats? The Forrester analyst defined it “as strategically focused on addressing lateral threat movement within the network by leveraging micro-segmentation and granular enforcement based on user context, data access control, location application, and the device posture.”
Authentic8’s Ramesh Rajagopal stressed the role of web isolation as a core component of a Zero Trust architecture “whenever users are accessing data, but particularly when users are accessing data from unmanaged devices.”
Authentic8’s Silo Web Isolation Platform, he explained, “sits between the things that you care about and the things you cannot trust, and it allows a ‘perimeter’ to be inserted as a capability wherever users are accessing cloud services.”
In his part of the presentation, Authentic8’s Co-Founder and President laid out seven capabilities of workspace isolation with Silo that round out a Zero Trust security architecture. To get the details and find out how companies use Silo to augment their Zero Trust framework,
The questions and answers from the audience Q&A following the webinar were edited for clarity and readability:
Question: Where do you see web isolation, as outlined by Ramesh, fit within the Zero Trust maturity model, as outlined by Chase?
Chase Cunningham: I think that any time that you can get your users off the internet, and whenever you can silo valuable data so that they aren’t accessible by [random] applications, is a win. It makes sense to get into isolation sooner rather than later.
Question: When using Silo to access cloud apps, how can you still log and audit what users are doing?
Ramesh Rajagopal: That’s a great question. Silo, the isolated workspace, contains a rich logging framework as a component. So user actions, which would otherwise be opaque to IT - let’s say services that users are accessing directly from a personal device - are now made visible again, because access happens through the isolated workspace of Silo.
That means we’re able to log that data, store it securely on our side, and encrypt it with the customer’s key, so only they can retrieve it. Then they have that log information available to them to extract and put into whatever analytical tools they run on their side.
One could say there’s actually an increase in the visibility and governance around what users are doing via a centralized, isolated workspace like Silo, versus having users access cloud apps from any device, anywhere, any browser.
Question: How should one think about VPN for secure up access versus a web isolation solution?
Ramesh Rajagopal: First off, if remote users need access to an internal resource that’s not delivered via the browser, then they have to tunnel into the corporate network, and that’s where a VPN makes sense.
For securing access to cloud services, on the other hand, not only is routing traffic through a VPN costly and inefficient, but it also only addresses the job of providing an encrypted point-to-point connection.
With a solution like Silo, you get an encrypted direct-to-cloud connection, but incrementally you also get the full isolated workspace that’s enabled with policy controls. And that doesn’t come with a VPN. Accessing the cloud through a VPN is ensuring you have a secure pipe, but it’s still delivering your sensitive data to an unmanaged device where that data is subject to compromise or mishandling.
Question: The studies in the white papers that were mentioned describe a multi-year phase strategy for lead implementation. Can you describe some of the considerations and milestones for this phased rollout?
Chase Cunningham: If you are an organization that is more heavily regulated, heavily compliant, the focus has been on fighting the cyber fight for longer. You probably are further along that maturity curve than you would have thought, so you might be in that sort of three to five to seven-year phase cycle of getting into the Zero Trust space.
Whereas if you are kind of new to security, as many organizations are, you might be further towards the left side of that timeline. So the milestones are going to be based on your current maturity level and the compliance requirements you have to solve for.
When looking for a milestone, the main point is: Once you start solving a particular problem, finish it. That gets you towards that next step. Don’t take on five or six or seven problems and wind up with five or six or seven half-completed tasks.
Question: How could Silo fit in with these milestones?
Ramesh Rajagopal: I think Zero Trust architecture is a great vision for an organization, but maybe the size of that vision is daunting for people who start on that journey.
I’d say focus on your most valuable data and your most at-risk users first, and think about how you can rapidly enable incremental security and control around that workflow.
That focus area might be your employees, but it could also be consultants or contractors. It could be a business process outsourcer that you’ve outsourced a function to.
You can do some things in a pretty short-term way to put extra security and controls around those high-risk situations.
Question: Do I need to install any software on unmanaged devices?
Ramesh Rajagopal: The answer is no. The local browser on the user’s unmanaged device can be the container where users get secure access to the isolated workspace. Any user, any device, anywhere, can launch the isolated workspace and have full security and control applied to accessing those cloud services.
Question: Is there any benefit of a web isolation approach on a managed device?
Chase Cunningham: I think web isolation and keeping a buffer between the device and the internet, or the user and the internet, is very useful in any context. If it was my infrastructure, that would be something that I would have deployed, because it honestly makes more sense than legacy sort of anti-viral approaches.
Ramesh Rajagopal: Yeah, I’d say managed devices are vulnerable, they’re not immune to exploits just because they’re managed. Certainly, there’s the isolation benefit, but incrementally, there’s also the policy and control and the visibility you get around users’ access to a web service.
You’ll be able to control human risk and behaviors such as removing files from a cloud application, etcetera. And then, from an IT standpoint, understanding what users have done in that context, whether it be for security monitoring, insider threat mitigation, or just compliance, that’s also an incremental component.
For all those reasons, accessing cloud services through a managed device is just as compelling a use case as from an unmanaged device.