Zero Trust is becoming a standard approach to securing access to enterprise applications (both cloud and on-prem). With Zero Trust, access is granted based primarily on user authentication and risk level, and not on the user’s presence in the corporate network. Based on the user’s credentials, the enterprise can grant access to a subset of enterprise resources and employees can work from any network without relying on a VPN connection. The architecture is called “Zero Trust” because the enterprise shouldn’t automatically trust endpoints within the corporate perimeter. Instead, it should verify all users and endpoints.


Why do “Zero Trust” approaches blindly trust endpoints?

While a great step in the right direction, common Zero Trust approaches have a fundamental design flaw that is the result of a wrong assumption. The wrong underlying assumption is that the Zero Trust broker can check the health of user endpoints and then trust them with access to enterprise resources. This might be true for some extremely locked-down endpoints. However, most enterprise user endpoints run operating systems like Windows and have a very large and potentially vulnerable code base, a wide variety of legacy applications/middleware, and access to risky or malicious networks and internet resources. These endpoints can easily be compromised by determined attackers. Once a device is compromised, the operating system can no longer be trusted: malware resides in the same operating system kernel and can tamper with the operating system's own health checks.

This means that many enterprises that adopt Zero Trust may still mistakenly trust user endpoints. This is a critical flaw, as it allows attackers to breach a user’s device and then ride the user’s authenticated session to do harm. Gartner recommends granting access only after getting strong attestation of device identity. Gartner also suggests leveraging third-party products that ensure deeper device security and can isolate access on both the endpoint side and the network side.

Without this missing link of strong device identity, Zero Trust creates a false sense of security as it encourages enterprises to allow access to corporate resources from personal/unmanaged/BYOD endpoints, relying on basic (and easily forgeable) health checks to prevent malware from getting in. This makes things worse, as personal/unmanaged endpoints have a higher probability of getting infected.
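To make the distinction concrete, here is an added Python example (not Perception Point's code) contrasting a broker that trusts a self-reported health flag with one that requires a fresh, key-bound claim from an enrolled device. It assumes a per-device HMAC key enrolled with the broker as a stand-in for a hardware-held attestation key; the report format, names and device id are invented for illustration.

```python
"""Zero Trust access decision: self-reported vs. device-attested health (constructed example).
The HMAC device key stands in for a hardware-held attestation key (TPM-backed in practice);
report format, function names and the device id are assumptions, not any vendor's API."""
import hashlib
import hmac
import json
import secrets

# Broker-side enrollment store: device id -> per-device key (constructed value).
ENROLLED_DEVICE_KEYS = {"laptop-42": hashlib.sha256(b"constructed-enrollment-secret").digest()}
OUTSTANDING_NONCES = set()   # challenges the broker has issued and not yet consumed

def naive_decision(report: dict) -> bool:
    """Trusts whatever the endpoint says about itself; any code on the endpoint,
    including kernel-resident malware, can set this field."""
    return report.get("healthy") is True

def issue_nonce() -> str:
    """Broker issues a fresh single-use challenge so a captured report cannot be replayed."""
    nonce = secrets.token_hex(16)
    OUTSTANDING_NONCES.add(nonce)
    return nonce

def _canonical(claims: dict) -> bytes:
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()

def sign_report(device_id: str, device_key: bytes, nonce: str, healthy: bool) -> dict:
    """Endpoint side: bind the health claim to the device key and the broker's challenge."""
    claims = {"device_id": device_id, "nonce": nonce, "healthy": healthy}
    return {"claims": claims, "mac": hmac.new(device_key, _canonical(claims), hashlib.sha256).hexdigest()}

def attested_decision(report: dict) -> bool:
    """Broker side: grant only on a fresh, key-bound health claim from an enrolled device."""
    claims = report.get("claims", {})
    key = ENROLLED_DEVICE_KEYS.get(claims.get("device_id"))
    if key is None:
        return False                                   # unknown or unenrolled device
    expected = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(report.get("mac", ""))):
        return False                                   # claim not produced with the device key
    if claims.get("nonce") not in OUTSTANDING_NONCES:
        return False                                   # replayed or never-issued challenge
    OUTSTANDING_NONCES.discard(claims["nonce"])        # single use
    return claims.get("healthy") is True

if __name__ == "__main__":
    forged = {"device_id": "laptop-42", "healthy": True}          # no key, no challenge
    print(naive_decision(forged), attested_decision(forged))       # True False
    genuine = sign_report("laptop-42", ENROLLED_DEVICE_KEYS["laptop-42"], issue_nonce(), True)
    print(attested_decision(genuine), attested_decision(genuine))  # True False (replay)
```

The binding only helps if the device key is held outside the operating system being attested (for example in a TPM); a key that lives in software on the endpoint is available to the same compromised OS.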

Some enterprises try to close this gap by deploying a slew of endpoint detection/protection agents on the user’s device, but this ends up being a cat-and-mouse game with endpoint malware. Furthermore, such agents and restrictions often limit what users can do and can lead to issues with user privacy.

With COVID-19 and the remote-first era we live in, things get worse as more and more employees work remotely and mix both legacy corporate apps and brand new collaboration tools on the same endpoint, opening it up to new types of threats (not to mention the increasing personal usage of endpoints in unmanaged home network environments).

To make Zero Trust a true end-to-end security solution, organizations must design their endpoints to be trusted. However, IT cannot simply lock down endpoints to the extreme to achieve that level of trust – IT must make sure end-users get a great user experience and can get their jobs done in an efficient, easy way. Solutions that limit which apps users can use or remove local admin rights will not fly for today’s knowledge workers. Users need a way to use the latest tools and apps without having IT whitelist every app, website, and service.


Zero Trust with Perception Point

The good news is that you can have your cake and eat it too. With Perception Point’s Advanced Browser Security, you can have endpoints that make end-to-end “Zero Trust” a reality, while allowing users to productively use their endpoints.

Here are a few examples of how:

  • Zero Trust, IAM, PAM – by adding a reliable indication of OS health via OS isolation, Perception Point lets identity, privilege, and access management systems make better decisions and enforce access to enterprise assets exclusively through a trusted OS. This can also apply to legacy VPN gateways that run host health checks to verify endpoints.
  • Secure Web Gateways – switch from blocking risky traffic to securely allowing it, enabling full user productivity. The gateway redirects untrusted content (website / document) into the risky OS. Perception Point seamlessly integrates with existing gateways to do this redirection, without needing any additional data center/cloud infrastructure.
  • VDI – Perception Point can offload some of the heavy web apps that are currently hosted on VDI. For example, browsers that require lots of IOPS/CPU/GPU resources can now run locally in the isolated browser instead of hogging the VDI infrastructure. Web apps that require a lot of cloud traffic no longer need to go through the corporate network and can go directly from the endpoint to the cloud, via the secure browser.
  • MDM/UEM – instead of asking users to enroll their personal laptops and desktops into your MDM/UEM solution, you can manage a separate disposable VM on their endpoints, without violating their privacy or requiring them to install multiple intrusive agents.

Perception Point Boosts the Entire Enterprise Security Stack

Perception Point complements many of the existing enterprise security investments, not just Zero Trust. 

Perception Point Advanced Browser Security adds enterprise-grade security to native Chrome and Edge browsers. The managed solution fuses patented web isolation technology with multi-layer advanced threat detection engines, delivering the unprecedented ability to isolate, detect and remediate all malicious threats from the web, including phishing, ransomware, malware, APTs, and more.

Untrusted, risky websites and applications are automatically opened and used in the secured browser, which is isolated from corporate data and applications. Access to sensitive corporate apps is secured via an isolated, trusted Chrome or Edge browser. This provides data loss prevention (DLP) for both managed and unmanaged endpoints.

The behavior of the secured browser is managed in the cloud, while all of the computing resources run locally on user endpoints. This eliminates the need to invest in a large and costly infrastructure, and provides a better local user experience in terms of speed, along with offline availability.

We add advanced security to native Chrome and Edge browsers to protect your organization against all malicious threats from the web and protect access to sensitive corporate apps.

  • Reduce the time and money spent on whitelisting applications.
  • Your team can access untrusted websites and SaaS apps without security concerns and without added latency.
  • Untrusted web content is deeply scanned and opened in the secured Chrome or Edge browser, reducing the risks from viruses and other downloadable threats.
  • Reduce risks from USBs and printer applications by automatically redirecting usage to Advanced Browser Security.
  • A seamless user experience, as users keep working in their native Chrome or Edge browser, which is now secured.
  • Security without slowing down the user.
  • Secure access to IT, DevOps, and other privileged web apps in their everyday environment.
  • Access to enterprise web apps from third-party/unmanaged devices.

Contact us for a demo or download the free version of our Advanced Browser Security here.
