In the new era of working from home, learning to protect your sensitive data from the dangers of the internet is a challenge the majority of IT teams face today. You don’t have to be a cybersecurity expert to know that you need to be careful when accessing the internet in order to reduce cybersecurity threats. The majority of cyber attacks originate from the internet, whether from a malicious website, link, or email attachment.
This is especially true in organizations where the stakes are high and the potential rewards to an attacker are extensive. Just imagine that a single click on a malicious link inside an email can compromise an entire organization, leading to stolen data, multi-million dollar ransomware recoveries, and a lot of bad PR for your organization.
With that said, there is not much we can do today to avoid the need to open up to the internet, so the least an organization can do is allow employees access in a controlled manner. Collaboration with customers and partners – combined with the reality of working remotely – results in organizations needing to open up and move a lot of their services to the cloud. Internet access is a must, but it must be done in a secure manner.
Of course, if there is a need, there is a way – dozens of technologies exist to control and isolate access to the internet. These include:
- Traditional internet proxies
- Secure web gateways
- Web isolation services
- Application isolation
- OS isolation technologies
This is the first blog in a two-part series that will provide a guided tour of the different technologies available to organizations, and outline the pros and cons of each technology.
The first part will discuss the traditional ways internet access is controlled and protected.
In the second installment, we will focus on newer technologies – mainly on isolating internet access into a separate environment.
Traditional Internet Proxies
Most organizations with a perimeter-based security model have internet proxies. These are the most common solutions used to securely access the internet.
They are most commonly physical or virtual appliances sitting in the DMZ, and they control all the traffic flowing to and from the internet. Any server or endpoint within the corporate perimeter (or connected to it via a VPN connection) passes through the proxy, which enforces any rules pertaining to internet access.
Proxies filter internet traffic flowing into the organization and control the accessible websites. The proxies prevent access to suspicious locations, monitor the way employees use the internet, and more.
As the oldest and most common service available to organizations with perimeter-based security, proxies have evolved over time. However, they were not created for the modern employee. Today, employees frequently work remotely and need to use more and more cloud applications, which makes the traditional web proxy less and less relevant for controlling the access of employees who never connect to the organization's network. Relying on proxies would force employees to always stay connected to a VPN server, which might not be feasible or cost-effective in modern companies.
Moreover, organizations are quickly transitioning from perimeter-based security to zero trust architectures where no perimeter exists, and access to the internet is much more complicated to control. Proxies usually control access via standard internet ports and protocols (HTTP and HTTPS) and may cause compatibility issues for other software.
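As an added illustration (not code from the original post or from any proxy product), the sketch below shows the allow/deny decision a forward proxy makes on each request line, and why traffic that is not HTTP or HTTPS on a permitted port falls outside it. The blocked-suffix list, permitted ports, and sample requests are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed policy; a real proxy loads site categories from a vendor feed.
BLOCKED_SUFFIXES = {"malware.example", "ads.example"}
ALLOWED_PORTS = {80, 443}

def parse_target(request_line):
    """Return (host, port) for a forward-proxy request line, or None if it is not one."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None                          # not HTTP at all, e.g. an SSH banner
    method, target, _ = parts
    if method == "CONNECT":                  # HTTPS tunnel: target is host:port
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            return None
        return host.lower().rstrip("."), int(port)
    try:                                     # plain HTTP: target is an absolute URI
        url = urlsplit(target)
        port = url.port or 80                # .port raises ValueError if out of range
    except ValueError:
        return None
    if url.scheme != "http" or not url.hostname:
        return None
    return url.hostname.lower().rstrip("."), port

def blocked(host):
    """Match on label boundaries so 'notmalware.example' does not hit 'malware.example'."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_SUFFIXES for i in range(len(labels)))

def decide(request_line):
    target = parse_target(request_line)
    if target is None:
        return "reject: not a proxied HTTP/HTTPS request"
    host, port = target
    if port not in ALLOWED_PORTS:
        return f"deny: port {port} not permitted"
    if blocked(host):
        return f"deny: {host} is in a blocked category"
    return f"allow: {host}:{port}"

SAMPLES = [                                  # constructed request lines
    "GET http://intranet-docs.example/index.html HTTP/1.1",
    "CONNECT cdn.malware.example:443 HTTP/1.1",
    "CONNECT notmalware.example:443 HTTP/1.1",
    "CONNECT git.partner.example:22 HTTP/1.1",
    "SSH-2.0-OpenSSH_9.6",
]
if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line} -> {decide(line)}")
```

The last two samples show the compatibility problem in practice: an SSH client either gets refused when it tunnels to port 22 or never speaks HTTP to the proxy in the first place.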
Secure Web Gateways
Secure web gateways are the modern replacement for the traditional, on-premises web proxy. Organizations force all corporate endpoints to communicate with the internet through a cloud-based web gateway. These gateways control, filter, and protect endpoints from malware. They utilize the power of the cloud to provide these services at scale, wherever users are, without forcing them to be connected from within the organization perimeter.
These gateways are easy to deploy and configure on endpoints at scale, and can provide immediate value.
However, having protected access to the internet might not be enough, no matter how good the gateway is. A compromise on a single device may be enough to compromise an entire organization, potentially causing immense damage.
It is a best practice to segregate internet access from corporate data and assets. Access to potentially malicious sites, email attachments, and links is better done from an isolated container, even if protected by a secure web gateway. When an attacker or malware utilizes a zero-day vulnerability, a gateway will usually not be enough to contain the threat, while access from an isolated location will keep the threat isolated.
In most cases, only a handful of the most popular protocols are covered by the gateway (HTTP, HTTPS, SSH, RDP, etc.). Software that the vendors did not specifically anticipate is not covered by the gateways.
To protect users, secure web gateways usually decrypt HTTPS traffic in order to be able to properly inspect it. This is a potential privacy issue, and even a data security issue, for many organizations and individuals.
With all their advantages, secure web gateways may not fit every kind of user. Advanced users, such as researchers and developers, may need to access locations not normally sanctioned by the organization to successfully perform their jobs, while the limitations on their OS might hurt their productivity.
Contractors and other BYOD (bring your own device) users might not be keen on limiting their internet access, or on letting the organization control it, by configuring a web proxy on their machine.
We have covered the basics of the technologies available to control internet traffic in organizations – from traditional web proxies to the modern cloud secure web gateway.
Stay tuned for the next part to learn about the newest cutting-edge technologies used by modern organizations to isolate themselves from the dangers of the internet, now that the corporate perimeter is less relevant.