In the pursuit of improved operational efficiency, rapid time to market, and tight adherence to customer expectations, digital transformation is driving the Fourth Industrial Revolution.
While organizations and their consumers reap the benefits, digital transformation has seen a fundamental shift within industries and workforces. Today’s increasingly hybrid workforce and large-scale cloud integration have pushed the browser into a position of primary importance – what was once merely a mechanism for displaying text on-screen is now the media-rich gateway between end-users and the depths of the world wide web.
From the early days of digital transformation, it swiftly became evident that a new form of cybersecurity was required since organizations were battling the sudden bursting of a traditional perimeter. This demise of the perimeter has paved the way for a new form of security. Instead of assuming the trustworthiness of entire networks, zero trust employs a blanket ethos of never trust – always verify. This approach is supposed to sit at every layer of end-user interaction, eliminating any form of implicit trust that cybercriminals can otherwise hijack.
However, despite widespread adoption of the zero trust model throughout digitally-driven enterprises, a key weakness has arisen in its implementation. The pervasive oversight of the browser’s crucial role in the modern workspace has led to a threat landscape that has far outpaced traditional browser security.
The browser is a wholly unique interaction point between on-premises environments, enterprise resources and completely unverified third-party servers. With inadequate browser protection, end-users are forced to assume third-party web servers are entirely safe. When this browser requests a web page, the hosting server is simply trusted to be benign – this single oversight has helped drive cybercrime profits far past that of the global drug trade.
Traditional browser protection places users in a lose-lose position. Rather than employ security as simple as the ‘zero trust’ philosophy, organizations are left relying on complex, twisting stacks of tools that impede user experience and slow down security teams.
A zero trust browser champions dynamic, contextual risk assessment – allowing users and security teams to reap the benefits of higher productivity with lower risk.
Principles of Zero Trust Security
Zero trust is in its heyday. IAM solution provider Okta’s most recent ‘State of Zero Trust Security’ report details how over half of market leaders are currently undergoing a major push toward zero trust. This represents a major jump from the mere 24% in the previous report only a year earlier, and significant progress from its very beginnings.
In 2004, the perimeter-based approach to security was already showing cracks; what was once the default security stance had already begun to creak under the weight of cloud technology. Almost two decades later, organizations are beginning to define their security by the concept initially dubbed ‘deperimeterization’. The initial idea was defined by its multiple levels of security controls, which included authentication and encryption. Today, this has evolved into 5 key zero trust security principles:
#1. Least Privilege
The first and most defining component of zero trust is the principle of least privilege. User access is limited to a just-enough-access model, where employees are given only as much access as they need in day-to-day operations. Following this is just-in-time access, which provisions access when needed and de-provisions it soon thereafter. Together, these minimize the exposure of users to sensitive parts of a network.
#2. Device Access Control
While least privilege defines user access, zero trust network security demands a tight degree of visibility over its connected devices. In a nutshell, device access control seeks to monitor the number of devices connected, the legitimacy thereof, and their state of authentication.
#3. Terminating Every Connection
Every individual connection represents another chance for attackers to slip in undetected. Zero trust solutions not only adhere to a lean approach toward outgoing connections, but further focus on the granular components of every outgoing and incoming link. Inline architecture allows for the inspection and verification of even encrypted traffic in real time – keeping end-users safe from hijacked internal accounts.
#4. Context-Based Policies
When assessing malicious intent in real life, a large part of the judicial process is combing through the fine details. Old-school policies worked off a ‘Most Wanted’ system, with established threats being identified via signatures – new cybercriminals were left unchecked. Reliably identifying and preventing an attack demands a thoroughly contextual view. Zero trust aims to establish this via adaptive policies: user identity, location and device are all measured against the content or application being requested.
#5. Reducing the Attack Surface
Following a zero trust approach, users connect directly to apps and resources, rather than larger networks. This direct architecture helps reduce the surface through which attackers could move laterally, while also preventing malware from gaining a foothold in other resources.
Taken together, all 5 principles result in a drastically streamlined attack surface.
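The sketch below is an added example, not code from the original article or from any vendor's product. It shows how principles #1 and #4 combine in a single access decision: a just-in-time grant limited to the user's role, followed by device and location checks. The role names, the 15-minute lifetime, the device fields and the "step-up" outcome are all assumptions made for illustration.

```javascript
// Added illustration: every name, role and threshold here is hypothetical.
const GRANT_TTL_MS = 15 * 60 * 1000; // just-in-time grants live for 15 minutes

// Just-enough-access: the only apps each role may ever be granted.
const ROLE_APPS = {
  finance: new Set(["payroll", "invoicing"]),
  engineer: new Set(["source-control", "ci"]),
};
const grants = new Map(); // "userId|app" -> expiry time in ms

// Provision a short-lived grant, but only inside the role's allowance.
function requestGrant(user, app, now) {
  const allowed = ROLE_APPS[user.role];
  if (!allowed || !allowed.has(app)) return false;
  grants.set(`${user.id}|${app}`, now + GRANT_TTL_MS);
  return true;
}

// Decide one request: grant first, then device, then location.
function evaluate(req, now) {
  const key = `${req.user.id}|${req.app}`;
  const expiry = grants.get(key);
  if (expiry === undefined) return { decision: "deny", reason: "no grant" };
  if (now >= expiry) {
    grants.delete(key); // de-provision the expired grant
    return { decision: "deny", reason: "grant expired" };
  }
  if (!req.device.managed || !req.device.patched) return { decision: "deny", reason: "device posture" };
  if (!req.user.usualCountries.includes(req.country)) return { decision: "step-up", reason: "unusual location" };
  return { decision: "allow", reason: "context ok" };
}

// Constructed sample data (not real users or telemetry).
const T0 = 1700000000000;
const alice = { id: "alice", role: "finance", usualCountries: ["DE"] };
const healthy = { managed: true, patched: true };

// Same user and app, four different contexts.
function demo() {
  grants.clear();
  requestGrant(alice, "payroll", T0);
  const req = (country, device) => ({ user: alice, app: "payroll", device, country });
  return [
    evaluate(req("DE", healthy), T0 + 1000).decision,
    evaluate(req("BR", healthy), T0 + 1000).decision,
    evaluate(req("DE", { managed: true, patched: false }), T0 + 1000).decision,
    evaluate(req("DE", healthy), T0 + GRANT_TTL_MS).reason,
  ];
}
```

The same identity and application produce four different outcomes depending on context, and the grant removes itself once its lifetime has passed.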
Why is Zero Trust Browsing Important?
Zero trust solutions have made huge strides in securing the architecture of apps, APIs and authentication processes. However, one of the most important cornerstones of today’s employee productivity is the web browser. Employees spend most of their working time researching and sharing ideas via web browsers, yet this often remains overlooked by wider zero-trust initiatives. The driving mechanism of web browsing is inherently risky, as the end-user communicates and shares information with an entirely unverified external server.
Internet browsing has become such a productivity staple primarily thanks to the recent large scale shifts in employee habits. With enterprises becoming increasingly global, teams have rapidly changed in number and geographical locations. While this allows for unprecedented innovation and the sharing of ideas with fewer boundaries, it has stretched the security perimeter to complete breaking point.
This became immediately apparent within cybercrime statistics, with phishing attacks skyrocketing. During the various lockdowns and Covid scares, a total of 61% of large organizations, and 42% of all smaller ones, experienced a noticeable increase in phishing attacks. The FBI Internet Crime Complaint Center (IC3) received double the number of reported phishing crimes compared with the year before, suddenly making social engineering attacks one of the most common – and profitable – forms of cybercrime. The web browser is a particularly useful tool for phishing attacks thanks to the myriad of opportunities to dupe an unsuspecting employee. For example, 2022 saw the rise of the Browser-in-the-Browser attack. Here, a web page is used to mimic the website and content of a legitimate login or payment screen. By merely simulating a genuine site, attackers can dupe even security-minded employees into sharing enterprise secrets.
In attempting to cobble together adequate work-from-home productivity tools, many companies overlooked some of the core pillars of zero trust. For instance, some remote access tools allow a compromised device unprecedented access to the corporate network, violating the principle of least privilege. This attack vector allowed for an incident that halted half of the Eastern US’ fuel supplies, where a single compromised VPN account let ransomware rip through operations. Traditional security tech stacks – already straining at the seams before the pandemic – were suddenly rendered largely unfit for purpose, as isolated employees no longer had the protection of the organization’s local network.
Safe Browser Solutions
Current attempts to declaw the risks of browsing the public internet can be broadly categorized into three different approaches.
Browser Security Extension
Unlike some browsing isolation techniques, browser extensions boast full compatibility with both the web and enterprise ecosystem. By utilizing the existing browser, users are also afforded a browsing experience with almost no negative impact on loading times. In the broader landscape of security solution complexity, managing dozens of plugins in order to establish uniform protection can be a headache. Not all extensions are made to the same standards, and a small percentage risk poor design that further bloats the attack surface.
It’s only recently that browser security extensions have begun to unlock their full potential. Cohesive security extensions recognize that, by placing authentication and access restrictions closer to the end-user’s device, it becomes possible for organizations to add another layer of security. By only allowing approved browsers and applications access to internal resources, compromised credentials become a far weaker threat. Furthermore, extension-based threat analysis can delve deeper into every site component, with browser-based analysis providing latency-free protection. Finally, a focus on rapid onboarding and offboarding allows for browser security that keeps up with your overall organization, supporting a security stance that never stumbles.
Browser Isolation
Browser isolation protects the end-user and their device by abstracting the browsing process away. For instance, remote browser isolation offers a secure third-party cloud server for the actual execution of webpage content. This is then beamed back to the user’s own device as a graphical interface. This physical isolation allows the user to still browse the internet as they usually would, while actively preventing malware and stealthy download processes from hitting the device itself.
Similar to a virtual browser, remote browsing isolation contains any threat within a third-party cloud infrastructure. A significant drawback of this process is the latency introduced throughout the browsing process. Slow loading times are a powerful deterrent, even leading to groups of end-users choosing to forgo protection altogether.
Enterprise Browser
Enterprise browsers are dedicated tools for browsing the web; instead of the free browsers offered by Google, Mozilla, and Microsoft, these browsers are controlled and managed entirely by the organization itself. These solutions offer near-perfect visibility into each employee’s device and browsing habits, offering vital real-time intel into actions taken pre- and post-breach. Authentication can be implemented closer to the browsing process, with tighter degrees of security available.
While enterprise browsers appear promising, they are often not as secure as commercial browsers, which benefit from automated update and patching processes. Enterprise browsers, on the other hand, suffer from a longer vulnerability patching process. Another concern faced by organizations is rampant vendor lock-in. This creates an enterprise-wide dependency on one vendor and makes it difficult to maintain the full scope of all requirements from a secure browser. As such, data loss and complexity can represent significant concerns when transitioning between vendors.
Protect Your Browsing with LayerX
The reason for the consistently inadequate scope of current solutions is the teetering tower of security approaches that browser security is balanced upon. Concepts of zero trust were introduced to the broader security landscape far before the browser became the dominant force of productivity and innovation. Sealing the importance of a truly seamless security solution is the reality of today’s perimeterless, hybrid workspaces. This has placed enterprise information and resources out of the direct control of any in-house IT and security team. As a result, enterprises today are left needing comprehensive and purpose-built browser protection.
In an industry first, LayerX has placed the user at the forefront of browser protection. Without damaging the user experience, LayerX’s multilayered approach to browser protection offers real-time, uber-granular visibility into user activities and risk. With the extension deployed on each instance of the browser, all non-corporate site destinations are granted complete transparency; it also allows for unmanaged devices to be granted fully secure access to corporate data. Sensors on the extension gather all browsing events, features, user behavior and webpage activity. At the same time, an enforcer function sits just below the sensor. This initiates and terminates browser actions, injecting code into an active web page in order to determine the risk therein. This has no discernable impact on either the end-user’s experience or legitimate browsing activity, while offering dynamic protection close to the end point.
While the browser extension sits closest to the end-user, the Plexus Engine drives the deep session analysis. Both in-browser and cloud-based, Plexus takes every contextual feature into account when determining the risk of phishing, malware insertion, and more. It monitors browser modifications, user actions, and page behavior, and all of this data is combined with the LayerX Threat Intel database. The full risk context of each browsing event is now made discoverable – and enforceable.
From there, all data is streamed to the management console. This user interface allows for the management and tracking of policies. It’s this granular-to-macro thoroughness that allows LayerX to protect even in the event of account breaches and cookie theft.