Can zero trust browsing protect your organization from itself?
A ransomware attack in Baltimore recently shut down city departments and cost the city US$18 Million. Cybersecurity has become big business, and the market is growing increasingly crowded.
There are now hundreds of solutions from a variety of vendors for firms to choose from. But have we been looking in the wrong places for the most significant threats?
Traditionally, our approach to cybersecurity begins with the assumption that everything on an internal network is entirely safe and distrust anything coming in. For example, employees are typically inside the circle of trust. External workers that have the ability to remote access into the organization will need to be verified and authenticated before they are permitted to access to certain assets within the business.
In both of these cases, whether you are internal or external, you are allowed to enter onto the corporate network. This is a data security model often referred to as a castle and moat because it assumes everything inside doesn’t pose a threat. As attacks increase in sophistication, that’s no longer the case.
The cybersecurity industry is no stranger to buzzwords. Many leaders have been increasing their focus on identity and access management. But we are also seeing a relatively new model called zero trust security capturing the attention of security experts too.
Zero trust browsing & security
Zero trust does exactly what it says on the tin. It never trusts anything and will always verify. By not trusting any website, email, or web application it becomes much easier to isolate systems so that the malware cannot infect the user, the device and the network.
There is also an increasing awareness that the free web browser installed on every device could be the biggest threat to cyber defenses. The reality is that we’re still using the very same browser and accessing internet resources over the same protocols that were built in the 1980s. Most worryingly of all, the traditional web browser runs on blind trust.
We all live in the web browser. Whether we are sat at our computer or browsing the web from our smartphone, it’s the one application that we use for anything we’re trying to do. Whether it’s our work, paying bills, wasting time looking at YouTube videos or engaging on social media.
I recently spoke with Ericom Software’s, President and CEO, David Canellos. He told me why it has become impossible for businesses to know which websites are safe. “Every single day, thousands of URLs show up and shut down. Sometimes they last for mere hours and bypass traditional security systems that would have reputations on these particular websites.”
The other reality is that careless end-users are typically an organization’s biggest security threat. There will always be a handful of individuals that will unwittingly invite phishing and spear-phishing attacks onto the corporate network. All by simply clicking on something they shouldn’t have.
Isolating the user
Remote Browser Isolation (RBI) is enabling zero trust browsing, and the market is predicted to explode over the next five years. RBI is also allowing organizations to think differently about how its staff browse the web. By isolating the browser away from the endpoint, the user’s system is protected even if the browser becomes affected. All this happens in an environment that’s isolated outside of the organizational infrastructure.
New cloud-based browsers such as Silo by Authentic8 is providing businesses with a fresh approach to cybersecurity that consists of trusting nothing until proven otherwise. Everything must be verified, and there are no exceptions.
Businesses of all sizes are trying to find a way to reduce security risks from the myriad of interactions between users, data, applications, and systems on their networks. Will a zero trust model be that silver bullet? In theory, yes but in terms of implementation, many are still debating the challenges around costs and fitting it into their existing environments.
However, the arrival of 5G and IoT sensors will only exacerbate the concerns around users having access to a phenomenal amount of data from any location, device, and in any way that they can.
These challenges will undoubtedly pave the way for conversations around cybersecurity to evolve. The costs of doing nothing and blindly trusting the free web browser open to security vulnerabilities on every device within an organization could make it the most expensive software across your application estate.
Zero trust networking already enables businesses to bolster its cyber defenses without redesigning existing IT security infrastructure. The required changes ahead are much more about mindset and corporate culture. A “never trust, and always verify approach” regardless of where the request came from is looking like a step in the right direction.
It might even finally protect every company from its biggest threat, themselves.
3 April 2020