Extending zero trust to unmanaged devices was the subject of a recent webinar featuring Chase Cunningham, Vice President and Chief Analyst at Forrester Research, and Ramesh Rajagopal, co-founder and president of Authentic8.
According to Chase Cunningham, the changes brought about by the COVID-19 pandemic are clear: there is no longer any debate that BYOD and unmanaged devices are the future of work.
The challenge now, he said, is to find out what these devices are doing on our networks, where they move to and what gets compromised. The webinar is now available here on demand.
How does the zero-trust approach to cyber security tackle these threats? Forrester analysts define it as strategically focused on stopping the lateral movement of threats within the network through microsegmentation and granular enforcement based on user context, data access control, application and device location.
Ramesh Rajagopal of Authentic8 emphasized the role of web isolation as an essential element of a zero-trust architecture whenever users access data, and especially when they access it from unmanaged devices.
Authentic8’s Silo web isolation platform, he explained, sits between the things you care about and the things you can’t trust, and lets you add a perimeter as a feature wherever users access cloud services.
In his part of the presentation, the co-founder and president of Authentic8 described seven ways an isolated workspace such as Silo complements a Zero Trust security architecture. For more information, and to learn how companies use Silo alongside their Zero Trust structure, please visit the Zero Trust website.
Watch the complete webinar here.
QUESTION AND ANSWER: Unmanaged devices and web isolation
The audience questions and answers that followed the webinar have been edited for clarity and readability:
Question: Where do you think the web isolation described by Ramesh fits into the Zero Trust maturity model described by Chase?
Chase Cunningham: I think that when you can get your users off the internet, and when you can post valuable data in a way that is not available in [random] applications, it’s a win-win situation. Sooner or later it makes sense to isolate yourself.
Question: If you use Silo to access cloud applications, how can you still log and control what users do?
Ramesh Rajagopal: That’s an excellent question. Silo, an isolated workspace, contains a rich logging element. User activities that would otherwise be opaque to IT – for example, services that users access directly from a personal device – are now visible again because they are accessed through Silo’s isolated workspace.
This means that we can register this data, store it securely on our site and encrypt it with the customer’s key so that only the customer can obtain it. They then have access to this log information, which they can extract and paste into all the analysis tools they use on their site.
You could say that with a centralized and isolated workspace like Silo, there is actually more visibility and control over what users do, rather than accessing cloud applications from any device, any location and any browser.
Question: How does a VPN for secure access compare to a web isolation solution?
Ramesh Rajagopal: One: when users need remote access to an internal resource that is not delivered through a browser, they need to tunnel into the corporate network, and a VPN makes sense there.
Protecting access to cloud services, on the other hand, requires not only expensive and inefficient routing of traffic over the VPN, but also efforts to provide an encrypted point-to-point connection.
With a solution like Silo you get an encrypted connection directly to the cloud, but gradually you also get a fully isolated workspace, made possible by policy management. And that doesn’t come from a VPN. Access to the cloud via a virtual private network (VPN) gives you a secure channel, but still lets your sensitive data flow to an unmanaged device, where it can be compromised or misused.
Question: The research in these white papers sets out a multi-year strategy for the gradual implementation of ongoing activities. Could you describe some of the considerations and steps in this phased implementation?
Chase Cunningham: If you are a more regulated and compliant organization, the focus will be on fighting in cyberspace for a long time to come. You’re probably further along this maturity curve than you thought, so you’re probably in a similar phased cycle of three to five to seven years of entering a zero trust space.
If, like many other organizations, you are new to the security industry, you can stay on this timeline. The steps are therefore based on your current maturity level and the compliance requirements you set.
If you’re looking for a milestone, the big question is: as soon as you start solving a certain problem, you finish it. That takes you to the next step. Don’t take on five, six or seven problems, or you end up with five, six or seven half-finished tasks.
Question: How does Silo fit into these steps?
Ramesh Rajagopal: I think the architecture of Zero Trust is a great vision for an organization, but maybe the breadth of that vision scares people starting this journey.
I would say that you should first focus on the most valuable data and the most risky users and think about how to quickly activate the progressive security and control of this workflow.
These can be your employees, but also consultants and contractors. This can be the outsourcing of business processes to which you have transferred the function.
It doesn’t have to be a large, monolithic, centralized global computing infrastructure if you look at it from the perspective of the data that is most valuable to me and where I take the greatest risk from the perspective of the users and devices that have access to that data.
You can take certain short-term measures to provide extra safety and control in these high-risk situations.
Question: Do I need to install software on unmanaged devices?
Ramesh Rajagopal: The answer is no. The local browser on the user’s unmanaged device can be a container in which users safely access the isolated workspace. Any user, on any device, anywhere, can use an isolated workspace and get complete security and access control for these cloud services.
Question: Are there advantages to web isolation for managed devices?
Chase Cunningham: I think the isolation and buffering between the device and the internet, or the user and the internet, is very useful in any context. If it was my infrastructure, I would use it, because frankly, it makes more sense than an old antivirus approach.
Ramesh Rajagopal: Yeah, I’d say managed devices are vulnerable, they’re not protected from exploitation just because they’re managed. Of course there is the advantage of isolation, but gradually there are policies and control and visibility that bypass user access to the web service.
You will be able to control risks and human behavior, for example by deleting files from a cloud application, etc. And then, from an IT perspective, an additional element is understanding what users are doing, whether it’s monitoring security, managing internal threats, or simply complying with regulations.
For all these reasons, accessing cloud services from a managed device is as convincing an argument as from an unmanaged device.
*** This is a syndicated blog post from the Authentic8 blog, written by the A8 team. The original post can be found at the following address: https://blog.authentic8.com/zero-trust-unmanaged-devices-webinar-q-a/.