Menlo Security | May 05, 2020
In our last two posts, we talked about the unexpected acceleration of remote work resulting from the COVID-19 global pandemic and how VPNs are incapable of providing reliable, secure Internet access to all of these new remote employees. It’s clear that a new network architecture is needed, but it is too much to expect organizations to completely rip out and replace their network architecture all at once. A measured, step-by-step approach is more practical.
The first step is to segregate data center traffic from Internet traffic through split tunneling. This can reduce VPN traffic by 70 percent—a much more manageable load. The second step is to secure Internet traffic through a global cloud proxy. Once this is done, organizations may want to consider getting rid of their VPN service completely and routing everything through the global cloud proxy for efficiency and consistency. But again, this should be a measured approach, and there should be no rush to completely replace your legacy VPN.
But how should your global cloud proxy be set up? What features are necessary?
We’re glad you asked, because Gartner recently published an excellent report on best practices for migrating to a secure web gateway (SWG). Not surprisingly, the guide serves as a roadmap for implementing the Menlo Security Global Cloud Proxy platform with an Isolation Core™.
According to Gartner, organizations should look for an SWG that is based in the cloud, connects users and remote sites with IPsec or GRE tunneling, authenticates users by type, deploys your TLS certificate to the cloud, uses advanced threat detection technologies, and can be rolled out to subsets of users in a step-by-step deployment.
Metered Policy Rollout: Make sure you keep the lines of communication to users open during the implementation process to alleviate any concerns and resolve issues quickly. Once you have your base policy set defined, implement it and deploy the solution to a subset of users. For example, you can start by creating a policy that sends uncategorized sites to the cloud and roll it out initially to remote users. This gives you a chance to identify, troubleshoot, and resolve bottlenecks before you scale it out to the entire organization.
Connect Sites and Remote Users to the SWG: It’s important to set up either an IPsec or GRE tunnel to connect remote sites, and the choice depends on your plan for traffic redirection and network vendor support. You should also work with endpoint management teams to deploy agents or configure proxy autoconfiguration (PAC) files for browsers.
Authenticate Users by Type: Ensure that your users can authenticate to the cloud SWG service and that your policies are blocking content based on the organization’s security policies. User attribute mapping can assist in creating granular policies allowing specific content to be passed to the intended users. If you are in a multidomain Active Directory environment and depend on it for user and group mappings, this may add complexity.
Deploy TLS Certificate to the Cloud: Deploy your organization’s TLS certificate to the cloud SWG platform and ensure that it is inspecting the categories you want. You should also set appropriate privacy policies for categories that may contain sensitive personal information. This is especially critical in healthcare, banking, and other industries that deal with personally identifiable information (PII). If you can’t deploy your own certificate, you’ll need to distribute the vendor’s certificate to endpoints to avoid certificate errors and warnings. It’s important to have a proper exception process in place to provide a TLS inspection bypass for sites that do not support TLS inspection because of certificate pinning.
Set Up Advanced Threat Detection: It’s essential to scan files and content before they enter the organization. The largest attack vector for ransomware and malware is through attachments downloaded by users through web-based email or malicious websites. Advanced threat detection technologies include remote browser isolation (RBI) sandboxing.
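As an illustration of the split between data center and Internet traffic and of the PAC option mentioned under "Connect Sites and Remote Users to the SWG", here is a minimal PAC file. It is an added example, not a Menlo Security or Gartner configuration; the internal suffixes and the proxy host and port are placeholders to replace with your own values.

```javascript
// Added example. Every hostname, suffix and the proxy endpoint below is a placeholder.
var INTERNAL_SUFFIXES = [".corp.example.com", ".dc.example.net"]; // data center zones (assumed)
var CLOUD_PROXY = "PROXY swg.proxy.example:3129";                 // cloud SWG listener (assumed)

// True for the zone apex and its subdomains only. Anchoring on the leading dot
// keeps look-alikes such as "evilcorp.example.com" out of the DIRECT path.
function hostMatchesSuffix(host, suffix) {
  if (host === suffix.substring(1)) return true;
  var idx = host.length - suffix.length;
  return idx >= 0 && host.indexOf(suffix, idx) === idx;
}

// Loopback and RFC 1918 IPv4 literals; anything else is treated as Internet.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host.charAt(host.length - 1) === ".") host = host.substring(0, host.length - 1);

  // Unqualified intranet names (no dot, and not an IPv6 literal) and private
  // addresses skip the proxy; the split-tunnel routes carry them over the VPN.
  var singleLabel = host.indexOf(".") === -1 && host.indexOf(":") === -1;
  if (singleLabel || isPrivateIPv4(host)) return "DIRECT";

  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (hostMatchesSuffix(host, INTERNAL_SUFFIXES[i])) return "DIRECT";
  }

  // Everything else goes to the cloud proxy. There is deliberately no
  // "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of reaching the Internet uninspected.
  return CLOUD_PROXY;
}
```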
The Menlo Security Global Cloud Proxy platform with an Isolation Core™ meets Gartner’s recommendations by delivering security through the cloud and enabling split tunneling. These capabilities allow Menlo to create a new cybersecurity architecture for remote workers in which traffic to the data center is secured by a VPN and all Internet traffic is secured in the cloud by Menlo Security—a crucial first step when moving all security controls to the cloud.
Menlo Security excels in delivering security with its Isolation Core™. The Isolation Core™ takes a block-or-isolate approach rather than the block-or-allow approach that is standard for most SWG solutions. Isolating all traffic in the cloud, far from the endpoint, is the only way to 100 percent protect users from web-based threats. In addition, isolation is the foundation of the Menlo Security Global Cloud Proxy platform. It provides users with 100 percent secure email and web browsing without impacting the native user experience. It also provides IT with the most granular visibility and control of users, data, and applications.
It’s clear that organizations need a new network architecture for securing today’s remote users. Delivering all security services through the cloud is a great end goal, but organizations need a measured, step-by-step adoption roadmap that is least disruptive.
Eventually, security will be delivered 100 percent in the cloud. It’s clear that’s the way we are heading. But until then, Menlo Security provides a low-risk adoption roadmap that starts with remote workers and is in lockstep with Gartner’s SWG best practices. For more information, download our Remote Workers Guide to learn how to provide your organization’s remote employees with reliable, safe Internet access.