Why No SASE/SSE Architecture is Complete Without Isolation

By 2009, the US Federal government had grown sufficiently concerned about nefarious actors breaching the desktops of researchers working on nuclear projects, via their browsers, to take action. To distance vulnerable browsers from classified data, they shifted browsing to a different server, then used virtualization to stream images of websites to users’ desktops — creating a first, primitive version of Remote Browser Isolation (RBI).

Fast forward a decade and a half, and today RBI is a technologically advanced, cloud-based solution that is a core capability of modern Secure Access Service Edge (SASE) platforms.

Gartner estimates that 80% of enterprises will have adopted cloud-based SASE/SSE (Security Services Edge) by 2025. For those organizations, the cloud-based isolation technology that powers RBI can do much more than eliminate web-delivered threats by preventing browser attack surfaces from being exposed to the web. In this blog post, we break down the components that make up SASE/SSE and describe why, in addition to RBI being an essential capability, isolation is a valuable addition to capabilities across the full SASE security framework.

Why SSE?

The legacy approach to cybersecurity evolved in the early days of the internet. Back in the “olden days” employees worked from an office and they mostly worked on apps and data that were hosted on the company’s own servers. Employees who needed remote access were the exception, not the rule, and it was relatively rare for employees to need to access data elsewhere. The focus naturally evolved to having a strong perimeter defense that would keep external threats locked out, while allowing employees within the perimeter to have free access to whatever they needed.

The biggest problem with the perimeter approach is that if an attacker does breach those defenses, they have access to everything. There are many additional problems, however. Today’s IT environment is very different, with many more employees working remotely, and with corporations increasingly turning to cloud computing. Perimeters have been rendered obsolete.

SSE is a new way to approach cybersecurity. No SSE solution relies on a perimeter for protection. SSE must secure users who are accessing IT resources that are internal and in the cloud, whether they are onsite or remote. And in this perimeter-less approach, no SSE solution is complete without isolation.

How Isolation Powers Zero Trust Access

The SASE/SSE concept replaces perimeter-based access with cloud-native security and access services that operate on Zero Trust principles of “least privilege access,” “never trust, always verify” and “assume breach.”

For secure browsing, RBI operationalizes these principles by assuming that since no website content can be verified as safe, it cannot be trusted and should therefore be kept away from vulnerable endpoints. Browsing is therefore isolated in cloud-based containers and only safe rendering data is streamed to device browsers. Users interact with websites as usual, via their regular browsers. The user experience is indistinguishable from standard browsing.

Within the cloud-based container, granular policies can be applied to limit which sites users may visit as well as what browser-enabled actions they can take for each site. For instance, suspicious sites are opened in read-only mode to safeguard users from credential theft and browser clip-boarding and printing functions may be disabled for certain sites.

The web isolation technology that underlies RBI, however, offers functionality that extends well beyond secure browsing. Web isolation can be used to protect corporate web apps, SaaS applications and private apps from unauthorized access, as well as protecting the sensitive data these apps contain. Routing access via isolation cloaks application surfaces from threat actors seeking vulnerabilities to attack and protects apps from malware that may be present on unmanaged devices used by authorized users. Web isolation also enables policy-based access and usage controls to prevent data exposure and lateral movement, and reduce compliance risk.

How Isolation Enhances SSE and SASE

Let’s dig in a bit to explore at how web isolation strengthens the secure services that are essential elements of SSE:

• SWG (Secure Web Gateway) – SWGs enforce access policies and include malware prevention tools, but are powerless against zero-day malware and phishing sites that are newly spun up. By keeping all web content off endpoints, RBI strengthens SWG function.
• CASB (Cloud Access Security Broker) – Web application isolation enhances CASB performance by providing highly granular control of user activity, even for virtual meeting solutions like Zoom and collaboration platforms such as O365. Cloud-based isolation of web applications eliminates the need for brittle reverse proxies, enabling clientless secure access from unmanaged devices and protecting sensitive data from loss, without the myriad false positives associated with WAFs.
• ZTNA (Zero Trust Network Access) – ZTNA enables remote users to securely access corporate networks, while limiting each user’s access to only the resources they need for their work. Web Application Isolation simplifies and secures that access, even from unmanaged devices, enabling granular policy-based control of interactions with internal resources.
• CDR (Content Disarm and Reconstruct) – Applying CDR within isolated cloud-based containers protects endpoints and networks from new types of malware. RBI enables CDR to identify malicious content within end-to-end encrypted traffic, such as document sent via instant messengers such as WhatsApp, as well as enabling DLP to ensure that no PII or other confidential data is exposed.

Isolation that’s Built In, Not Tacked On

As Gartner noted, use of remote browser isolation has become so widespread that it is now considered to be a core SASE capability. But as they also note, the RBI provided by most SASE platforms are recently integrated, non-native solutions which in many cases, are less than optimal.

More importantly, the isolation capabilities most solutions provide are limited to secure browsing and further restricted by their inability to secure online meetings and detect malware in encrypted messaging apps such as WhatsApp Web. They do not leverage isolation, as ZTEdge does, to protect web and cloud applications from malware on unmanaged devices, or prevent over-privileged access from unmanaged 3rd party devices or users’ BYOD.

To learn more about how tight integration of isolation across SSE platforms can reduce the security burden on users while simple, secure access, download “Not Just for Safe Browsing: How Isolation Strengthens All SSE Functions” today.

---

Share this on:

---

About Tova Osofsky

Tova Osofsky, Ericom Director of Content Marketing, has extensive experience in marketing strategy, content marketing and product marketing for technology companies in areas including cybersecurity, cloud computing, fintech, compliance solutions and telecom, as well as for consumer product companies. She previously held marketing positions at Clicktale, GreenRoad and Kraft Foods, and served as an independent consultant to tens of technology startups.