Protect your apps and data from third Party and unmanaged device access risks. Cloud-based ZTEdge Web Application Isolation (WAI) secures access from unmanaged devices, without the need to install special software or browsers.
What was once touted as “Bring Your Own Device” (BYOD) now goes without saying
Both third-party contractors and employees are increasingly using personal devices to access corporate networks, data and applications, as well as cloud and web apps.
This trend, which was dramatically accelerated by pandemic-triggered remote work, is one that many IT organisations are working to support since it brings convenience and productivity benefits to their business unit partners as well as the growing number of third-party consultants and contractors they work.
BYOD and providing SaaS software brings security risks
Access to private corporate applications via unmanaged devices, however, poses a number of very real risks for organisations. The same risks apply to companies whose business model is providing Software as a Service (SaaS).
Devices may be compromised by malware, which could be uploaded to applications and spread across the corporate networks, leading to downtime or worse yet, stolen or corrupted data. In addition, sensitive data and files that are downloaded or copy-pasted onto unmanaged user devices for legitimate use, or cached in a device’s web browser, may be at risk of exposure, either intentionally or inadvertently.
While many organisations rely on reverse proxies to authenticate users on unmanaged devices for network access, this solution provides little – if any — control once these users have successfully logged in. Unfortunately, third party users are able to move laterally throughout the network, and view, download and upload data which they have no need to see. Some newer solutions require users to install software or dedicated browsers on their unmanaged devices. Gig workers as well as employees may be reluctant to load up personal devices with organisation-specific software, and equally annoyed to be restricted to an unfamiliar browser.
Organisations face similar concerns regarding public SaaS cloud and web apps. For instance, a third party user with Office 365 credentials may be able to log in from any device, exposing the organisation to possible uploads of infected files or breaches, in the case of credential theft or misuse
ZTEdge Web Application Isolation (WAI) provides a Secure Solution
ZTEdge Web Application Isolation enables organisations to provide simple, secure access, via unmanaged devices, to the private and public cloud or web-based corporate applications and data users need for their work, regardless of whether they are third party contractors or employees. The cloud-based solution does not require any software or clients to be installed on the unmanaged device, and users are free to browse via their usual browser.
How you can set and enforce granular app access and data use policies
ZTEdge Web Application Isolation (WAI) renders your public or private web and cloud apps in an isolated, secure cloud environment when contractors on unmanaged devices or employees on BYODs attempt to access them, giving you the ability to set and enforce granular app access and data use policies.
You don’t need to install applications
There’s no need for installation not to make any configuration changes on contractors’ devices. They simply use their standard web browser and log in as normal. They get the access they need to stay productive while your IT team ensures your organisation’s apps and data stay protected.
- Block file uploads/downloads
- Sanitise uploads to prevent the injection of malware
- Scan downloads with DLP to prevent data exfiltration
- Limit/disable cut and paste functions (clip-boarding) to protect data
- Present apps in “read-only” mode (no free-form text updates)
- Prevent apps data from entering an unmanaged device browser’s cache
- Enforce IP-based access control (only permit access through WAI)
- Turn web applications “dark” to attackers and unauthorised users
A simple, yet clever innovation
ZTEdge WAI is a simple, innovative way to protect BYOD employees and onboard third party contractors in minutes while ensuring the correct data and access security controls are in place for them regardless of which SaaS or Web Apps they need to access.
ZTEdge Web Application Isolation can be used to secure exposed surfaces of web apps, protecting them from compromised devices and bad actors, while ensuring your legitimate users have full access. Hackers or infected machines that attempt to probe web apps, seeking vulnerabilities to exploit, have no visibility to page source code, developer tools or APIs. Instead, they will only see a few lines of ZTEdge Remote Browser Isolation HTML.
ZTEdge Web Application Isolation allows you to enforce important data sharing controls on unmanaged devices that access your applications. You can limit data sharing (upload/download, screen printing, clip-boarding, etc.) within your apps by users, groups, device types, locations, and more. Data loss prevention built into the solution protects enterprise assets from leaking to untrusted devices. These controls can be enforced on private corporate web apps, or on access to public SaaS applications like Salesforce, ServiceNow, Box, or Office 365.
Additionally, ZTEdge Web Application Isolation can be used to secure exposed surfaces of web apps, protecting them from compromised devices and bad actors, while ensuring your legitimate users have full access. Hackers or infected machines that attempt to probe web apps, seeking vulnerabilities to exploit, have no visibility to page source code, developer tools or APIs. Instead, they will only see a few lines of ZTEdge Web Application Isolation HTML.
Using remote browser isolation (RBI) and easy-to-set granular, user-level policies, ZTEdge Web Application Isolation controls which applications the user can access, how they can access each one, and which actions each individual is permitted for each resource. For instance, an employee may be allowed to edit a file in place in Office 365, but not to download it onto their unmanaged device, while a contractor may be limited solely to viewing the data.
Policies also control what content – if any — can be uploaded to organisation networks or web or cloud apps, and by whom. Content disarm and reconstruct (CDR) is applied prior to upload to ensure that all content and files from unmanaged devices are free of malware and threats. Data loss protection (DLP) can be applied to downloads to safeguard against exposure of confidential material and PII. To protect against credential misuse or theft, SaaS and web application access may be restricted to logins originating from the Web Application Isolation tenant dedicated IP address. Built-in Identity and Access Management enables quick on-boarding of employees and contractors — and makes it equally simple to cancel access privileges when contracts end or employees leave.
Web Application Isolation Security Controls and Functionality
Cloud-based security controls enforce least-privilege access from unmanaged devices and restrict permitted activities to prevent threats, breaches, and exposure of resources to attack.
ZTEdge Web Application Isolation controls and functionality include:
- User identification and authentication (IAM/MFA)
- Blocking or restricting file uploads and downloads
- Sanitising documents OK’d for upload of malware and/or scanning with DLP to prevent data exfiltration
- Sanitising documents OK’d for download of malware and/or scanning with DLP to prevent data exfiltration
- Disabling cut & paste (clip-boarding) or restricting based on
- Quantity of info
- Paste destinations (i.e., specific apps)
- DLP inspection
- Time in clipboard
- “Read-only” mode for app access (no text updating)
- No application data is cached in unmanaged device browsers
App access from unmanaged devices is permitted only from IP address of organisation’s Web Application Isolation tenant
