Application Isolation is a network security approach that adds Zero Trust Network Access (ZTNA) controls to Virtual Private Networks (VPNs) and Next Generation Firewalls (NGFWs). This prevents hackers and malicious insiders from gaining unauthorized access to applications and data.

Remote Browser Isolation, Explained

In the ZTNA approach, Zero Trust least-privilege user authentication takes place at the application level, rather than at the network access point – in essence, adding granular controls that boost VPN and NGFW security. In short, it takes microsegmentation – a security technique which creates granular access zones in a network – to the next level, building networks for each individual user on the fly, comprised of the single-application microsegments that that user is authorized to use.

“Isolation” and “Zero Trust” are familiar terms that are commonly associated with Browser Isolation solutions, such as Ericom Remote Browser Isolation. All isolation solutions are built on the premise that isolating access can prevent network breaches, through using a “never trust, always verify” policy. This contrasts with traditional, detection-based security solutions, such as antivirus software and the like, that often rely on a list of known threats to identify existing security risks.

In the case of Remote Browser Isolation (RBI), the zero-trust concept is applied to user interactions with the web. Remote browsing capability keeps all web-based malware outside of the corporate environment. When a user browses to a site or clicks a URL, the website content is presented in a virtual browser, while any active code remains in a virtual container outside of the network. Only safe rendering information from the website in question is sent to the browser on the endpoint. This allows for a fully interactive user experience, while keeping the network safe from a variety of cyber threats.

Application Isolation uses the same zero-trust concept. However, instead of user interactions with the web, the concept is applied to user movement within the organizational network, focused on application access. This is achieved by adding Zero Trust Network Access (ZTNA) controls to the entire network, and controlling access to individual resources at the user-level.

During the 2020 COVID-19 pandemic, organizations were forced to make rapid changes in order to meet the urgent needs of a newly remote workforce. Part of these changes involved increased use of VPNs and NGFWs for remote work. These technologies were often already present in a company’s existing network architecture, and thus were readily adapted for widespread use.

However, at least partially due to these changes, the security vulnerabilities of VPNs and firewalls have become increasingly apparent and significant. Cybercrime levels rose significantly during the pandemic vis a vis previous levels, as hackers began to exploit the numerous opportunities presented by increased remote access.

Here's why: Once a virtual private network or firewall grants access to a network user, whether authorized or not, flat network structures expose every application and resource, allowing easy lateral movement throughout the network. Therefore, a hacker only needs to breach the network perimeter in order to launch a widespread attack. In addition, flat network structures enable insider attacks, as all authorized users can easily view all the resources on the network. This creates a huge security risk for any organization. Application Isolation is a tool designed to minimize this security risk.

To prevent lateral movements attacks, Application Isolation controls user access to individual resources on networks accessed via a VPN or NGFW. After the user has gained access to the organizational network, access to the available resources is limited through ZTNA controls. Even if a hacker manages to penetrate a network, these ZTNA controls ensure that all applications and resources remain invisible to them. ZTNA controls also limit access for authenticated users, granting access to only the specific applications needed by a particular user. This process reduces the risk of insider attacks.

ZTNA controls rely on ‘least-privilege access’ - by default, no resources are visible to any user. Ideally, organizations should create detailed user-level policies that determine which applications are available to each individual user. Creating such policies, however, can be highly challenging for large companies with thousands of network users.

As a result, companies generally settle for group-level policies which by definition cannot meet the requirements for ‘least-privilege access’, as there must be some level of generalization. In addition, as user functions change within an organization, they increasingly request permission exceptions, further weakening access controls.

Industry-wide, Software-Defined Perimeter (SDP) is the networking solution most associated with ZTNA. Developed by the Cloud Security Alliance (CSA), SDP brokers between users and internal resources. Broad access is prevented through granular network segmentation, which requires authentication before lateral movement to additional resources is permitted. This limits the severity of any attack, since even if a hacker manages to get in to the network, their movement is highly restricted.

As an integral element of the secure access service edge (SASE), SDP solutions are on the roadmaps of most large organizations. However, many are seeking near-term solutions that enable secure remote access without the large-scale, costly projects required for SDP implementation.

Application Isolation represents an alternative for ZTNA for that utilizes existing network VPN and NGFW infrastructure. It is ideal for companies that are not ready or able to replace their infrastructure, or are looking for a lower cost solution. When using such an approach, users are able to access the network through the existing firewall or VPN, following the regular VPN/firewall authentication process. Once a remote user is authenticated through the VPN/firewall authentication process, and network access has been granted, Application Isolation provides an extra, invisible layer of security through detailed ZTNA controls. Application Isolation also works for those users who are connecting to the network directly, while working onsite.

The following steps are an example of the Application Isolation process for remote and internal workers who are using an existing firewall or VPN equipped with an Application Isolation solution:

1. Remote workers use the existing VPN client to connect to the organizational network and authenticate as usual. Internal workers can connect to the network directly.
   
   
2. The Application Isolation solution then checks the individual access privileges for each remote or local user, as they connect to the network.
   
   
3. For each user, only the applications that they are authorized to use are made visible and available for connection, and only after authentication, reducing the possibility of insider attacks.
   
   
4. The DNS information and IP ports of all unauthorized resources remain “cloaked”. These resources are completely invisible to users who are not authorized to access them. This ensures that any hacker who manages to gain access to the network would not be able to see any available resources, and so cannot perform a cyber-attack.

The benefits of using an Application Isolation solution with Zero Trust Network Access controls can be summarized as follows:

Zero-Trust Security for Existing VPNs/NGFWs

Application isolation cloaks network applications and resources in the existing VPN/NGFW by using a zero-trust “never trust, always verify’ security concept, allowing companies to leverage existing security for a newly remote workforce, without compromising their network security.

Remote Least-Privilege Access Controls

Remote users see only the applications they are permitted to access. If a remote hacker manages to gain access to the organizational network, they do not have the ability to see the details of any resources, so they cannot move laterally in order to launch a cyber-attack.

Local Least-Privilege Access Controls

Authorized local users will only see the specific applications they are permitted to use, reducing the risk of insider attacks.

No Change in the User Access Experience

Users log in and connect via a VPN client or local network as usual, with automatic authentication. No additional security procedures are required, and no software needs to be installed on the user’s endpoint, allowing for secure remote or local access.

As remote work becomes rapidly integrated into corporate cultures around the world, securing organizational VPNs and NGFWs has become an urgent need for organizations worldwide. Application Isolation, using ZTNA controls, is a critical tool to enhance network security when relying on VPNs and NGFWs.

For organizations looking to implement a Zero Trust model, NGFWs provide many of the necessary features. Instead of recognizing threats based on signatures, NGFWs use a Zero Trust approach, analyzing the contents of every packet. Increased network visibility ensures that every aspect of the network can be monitored and analyzed. The firewall provides many application controls needed in order to implement a Zero Trust framework. However, because NGFWs rely on recognizable signatures, behavior patterns and activity, they cannot be relied upon to always stop the newest and most stealthy types of attacks.

There are a few different ways that NGFWs can be integrated.

A cloud delivered firewall is known as an FWaaS - Firewall as a Service. Cloud-based FWaaS have a number of benefits:

For more information about NGFW, see these blog posts:

Eliminate Conflicts with a Zero Trust Approach to Web Browsing

Google Report Highlights Malware Targeting Browser Vulnerabilities

Hackney Attack Confirms Public Sector Need for Zero Trust Security