by Nick Kael
Posted on August 9, 2022
The move to cloud infrastructure and the growing use of SaaS applications have accelerated business agility and product scalability. During Covid-19 closures, the cloud was one of the most important enablers of remote work, a function that has continued with the ongoing trend toward working from home. The “from-anywhere” accessibility of cloud infrastructure and SaaS applications, however, also exposes organizations to security risks, if proper controls are not put in place. Given the public-facing nature of the cloud, threat actors now have a much larger attack surface to exploit.
In regulated industries, like healthcare and financial services, the stakes are even higher. The need to protect highly sensitive data, along with additional regulatory requirements, might impede digital transformation initiatives in these organizations. However, these industries also need to incorporate agility into their standard practices to meet the evolving needs of their customers and users.
This is where advanced security technologies, built with the protections required for regulatory compliance, come in.
WAI (Web Application Isolation) is a cutting-edge clientless cloud application security broker (CASB) and Zero Trust Network Access (ZTNA) solution for distributed organizations that leverages reverse remote browser isolation to restrict access to SaaS, web-based and on-premises applications – in effect, a way more effective, next-generation web application firewall (WAF).
Within the ZTEdge global cloud infrastructure, WAI applies policy-based controls to secure apps from malware as well as preventing illicit and over-privileged access, and protecting sensitive data from exposure. For authorized users, WAI provides an excellent, very low latency clientless user experience.
How do these capabilities and protections play out in the organization’s day-to-day? In this blog post we discuss three common security use cases that impact compliance and how WAI addresses each one:
SaaS applications are designed to be accessible from anywhere, at any time. This is a huge business advantage, enabling remote work, business flexibility and cross-geography collaboration.
However, it also means that an attacker who has obtained a user’s credentials could access the SaaS app and gain access to customer data, internal business processes and mission-critical workloads. This could easily result in a data breach, ransomware attack or even a full-out operational outage – as well as costly regulatory violations and loss of customer trust.
WAI allows organizations to enable access to SaaS apps and web applications only for users logging in from a specific IP address. Normally, that would mean that users could only use the app from the enterprise network – that is, when they are on site, working from the office. WAI, however, provides each organization with unique, permanent IP addresses on the ZTEdge Global Cloud.
Restricting users to accessing SaaS via WAI accomplishes a number of goals. First, it protects sensitive corporate data by preventing cybercriminals from logging in using stolen credentials, even in cases where a hacker bypasses MFA (as accomplished, for instance, by the adversary-in-the-middle phishing campaigns described in a recent Microsoft report).
In addition, if an employee or third-party contractor (one who has been granted app access) is using an unmanaged device, WAI cloud-based protections isolate the app, so malware that might be present on the user’s device cannot get in and encrypt, corrupt, delete or exfiltrate data. To learn more about how WAI supports regulatory compliance for organizations whose third-party and internal users work on unmanaged devices, see our article on “Data Security Compliance in the Age of Work from Anywhere, on Any Device.”
WAI also prevents data, reports and other app content from being cached in the device browser. Even if the device is lost, stolen or hacked, no data from a recently accessed application can be exposed.
“Least privilege access” is a key Zero Trust security concept. Put into practice, it affords each authorized user or app only the minimal level of access to the resources, systems and applications required to enable them to accomplish the tasks required for their jobs. This reduces the blast radius of a breach via stolen or brute-forced credentials as well as limiting insider attacks or accidental disclosure.
But least privilege access means more than just limiting which applications a user can access. It also means restricting the actions an authorized user can take within each application. This includes determining which permissions are necessary, setting and enforcing policies, and monitoring and auditing the actual actions a user takes.
For example, in one major data breach, an attacker executed a server-side request forgery (SSRF) attack on a misconfigured element of a financial services organization’s security stack. This afforded them over-privileged access to a cloud server, which they exploited by downloading sensitive data, in violation of regulatory restrictions. Strict limitations on user privileges, proper configuration and close monitoring of user activity could have all vastly reduced the scope and impact of this attack.
WAI makes it easy to specify and enforce granular per-user or role-based policies to control in-app activity according to regulatory restrictions. For instance, a user may be permitted to view, but not edit or print, Salesforce data or be permitted to upload files only to one specific Office365 library.
To safeguard against excessive user privilege, WAI combines CASB controls with remote browser isolation (RBI), enabling policy-based control of browser functions such as printing, copy and paste, downloading data, and more. An automated policy builder simplifies policy creation and updating. Monitoring and reporting capabilities enable internal and compliance audit reporting.
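The two controls described above (allowing SaaS logins only from the organization's fixed egress IP addresses, and per-role limits on in-app actions such as view, print or upload to one library) can be modelled as a small two-gate policy check. The following is an added illustration, not WAI's or ZTEdge's code; the IP ranges, roles, app names and policy entries are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the fixed egress ranges that the organization's cloud
# access layer presents to SaaS providers (hypothetical values).
ORG_EGRESS_RANGES = [ipaddress.ip_network("203.0.113.0/28"),
                     ipaddress.ip_network("198.51.100.16/29")]

# Constructed per-role, per-app action policy (hypothetical).
# "upload:<library>" restricts uploads to one named library; "upload:*" allows any.
ROLE_POLICY = {
    "analyst": {"salesforce": {"view"},
                "office365": {"view", "upload:Finance-Reports"}},
    "admin":   {"salesforce": {"view", "edit", "print", "download"},
                "office365": {"view", "upload:*"}},
}

@dataclass
class AccessRequest:
    user: str
    role: str
    app: str
    action: str       # e.g. "view", "print", "upload:<library>"
    source_ip: str

def from_org_egress(ip: str) -> bool:
    """True when the login source address is one of the org's fixed egress IPs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ORG_EGRESS_RANGES)

def action_permitted(role: str, app: str, action: str) -> bool:
    """Least privilege: the role must be explicitly granted this in-app action."""
    allowed = ROLE_POLICY.get(role, {}).get(app, set())
    if action in allowed:
        return True
    return action.startswith("upload:") and "upload:*" in allowed

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Gate 1: source IP; gate 2: per-role action policy. Deny by default."""
    if not from_org_egress(req.source_ip):
        # Covers the stolen-credential case: valid login, wrong network.
        return False, "source IP not in organization egress ranges"
    if not action_permitted(req.role, req.app, req.action):
        return False, f"role {req.role!r} may not {req.action!r} in {req.app}"
    return True, "allowed"

if __name__ == "__main__":
    for r in [AccessRequest("alice", "analyst", "salesforce", "view", "203.0.113.5"),
              AccessRequest("alice", "analyst", "salesforce", "print", "203.0.113.5"),
              AccessRequest("alice", "analyst", "salesforce", "view", "192.0.2.44")]:
        print(r.user, r.app, r.action, r.source_ip, "->", evaluate(r))
```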
Despite best efforts, misconfigurations and other vulnerabilities inevitably creep into application development and updating processes. Organizations count on WAFs to protect their apps from threats, but in recent studies, WAFs stopped less than 50% of application layer attacks, while issuing overwhelming numbers of false positive alerts. As a result, many organizations set their WAFs to alert-only mode, leaving apps exposed to vulnerability scanning, unauthorized access and attacks.
WAI leverages reverse remote browser isolation to render web apps in isolated containers in the ZTEdge Global Cloud. Only safe rendering data is sent to the user device, using minimal, standard ZTEdge-generated HTML code. All original app code, including information about internal servers, open ports, web app URLs, APIs and app services, is resolved by a virtual browser located in the cloud-based container. Website details that are generally visible with scanning and reconnaissance tools are hidden from view of threat actors seeking to locate vulnerabilities to exploit or ports through which they can gain illicit, non-compliant access to corporate systems.
WAI’s isolation-based approach of air-gapping applications from the risks of malicious actors, unmanaged devices and other internet-related threats is indisputably superior to the traditional “hopefully detect then try to defend” WAF approach. For more information about how WAI can secure your applications, from the threats deemed most prevalent – and dangerous – by OWASP, the globally recognized framework for web application security, see WAI and the OWASP Top 10.
WAI empowers organizations to safeguard, control and govern their applications, systems and data, per common regulatory standards, without burdening users with onerous access restrictions. Routing access via the ZTEdge Global Cloud enables even users on unmanaged devices to work from anywhere, without exposing corporate applications or data to threats, and without exposing the organization to compliance risk.
To learn more about WAI and see it in action, request a demo.