Adopting an identity-based approach to browser security

Business use of consumer web browsers can lead to security and privacy breaches. Combining enterprise browsers with an identity-based security approach is an effective riposte.

Johannesburg, 28 Mar 2024
Archit Lohokare, GM: Workforce Solutions, CyberArk.

The explosion of new identities and proliferation of their entitlements, the continual evolution of the enterprise cloud and hybrid environment, and the advent of new attack vectors – accelerated by AI – have made the cyber security threat landscape today more complex than it has ever been. It is clear that the compromise of identities is a large – and lucrative – focus for innovative, well-funded cyber attackers seeking an effective vector to access critical data and assets. However, even as security teams look to harden identity security to help bolster enterprise resilience to these threats, there is a significant point of ingress that has hitherto gone relatively under the radar.

This hole in an enterprise’s security can be found in what is possibly the single most-used application within any business: the web browser.

According to CyberArk’s GM for Workforce Solutions, Archit Lohokare, the modern, cloud-first world of 21st century business requires the web browser to act as the gateway to the environment. The browser has cemented its place as the first mile of user access to applications, infrastructure and other such resources in the cloud, and the last mile of information consumption from the cloud. And the cloud today houses a company’s most critical assets and highly sensitive information – such as user credentials and cookie data – which is a prime target for attackers.

“Ironically, given the enterprise footprint browsers have, browser security rarely ranks on the priority list of security teams, leaving many businesses susceptible to attacks. This failure of security is caused by the simple fact that the vast majority of organisations continue to use consumer-focused browsers for their enterprise requirements,” Lohokare explains.

“In a digital world, everyone – from employees to third-party vendors – uses a browser to access the confidential corporate resources required to do their jobs. This level of access creates risk, which is only exacerbated by the fact that employees often use the same work browser to access their personal data in cloud consoles. This can invite more opportunities for bad actors to create chaos within an organisation.

“The above opens up a Pandora’s box of browser-based vulnerabilities, both pre- and post-authentication, including cookie hijacking, malware attacks on unmanaged endpoints and unauthorised user access that can lead to data exfiltration.”

Some of the more common browser capabilities that, in an enterprise environment, can pose a serious security threat include: allowing users to install unverified extensions that can secretly upload data to attacker-controlled servers; giving workers built-in tools with which to circumvent the preventative controls put in place by the organisation; and letting users store passwords for all their applications, work-related and personal alike, in built-in password managers that are prone to breaches.
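As an added illustration (not part of the article and not CyberArk's product configuration), the three capabilities just listed are exactly the ones an administrator can close with a managed browser policy. The policy names below are the ones documented for Chromium-based browsers; the file path is the Linux managed-policy location (Windows and macOS use the registry or a configuration profile instead), and the allowlisted extension ID is a placeholder rather than a real extension.

```json
{
  "_comment": "Constructed example: /etc/opt/chrome/policies/managed/enterprise.json (placeholder extension ID)",
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": ["abcdefghijklmnopabcdefghijklmnop"],
  "PasswordManagerEnabled": false,
  "DeveloperToolsAvailability": 2,
  "SyncDisabled": true
}
```

The `"_comment"` key is ignored by the browser and only labels the file. `ExtensionInstallBlocklist` set to `"*"` blocks every extension, and `ExtensionInstallAllowlist` then re-admits only the vetted ones, which addresses the unverified-extension risk. `PasswordManagerEnabled: false` stops credentials from accumulating in the built-in password store, so they stay in the enterprise vault instead. `DeveloperToolsAvailability: 2` disallows the developer tools that can be used to sidestep page-level controls, and `SyncDisabled: true` keeps browsing data from being copied to a personal account. The allowlist is where the balance the article describes is struck: the more generous it is, the better the user experience and the wider the exposure, so the list should be reviewed as part of the identity and access programme rather than set once.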

Lohokare notes that as these browsers have been created primarily for the consumer market, they prioritise convenience over protection, and thus lack the control and visibility needed by security teams in order to mitigate potential security incidents. Meanwhile, although enterprise browsers that focus specifically on security do exist, their restrictive controls negatively impact user experiences.

“Therefore, to deal with challenges such as workforce identities and their actions within browser environments remaining hidden from security teams, the enterprise needs to be able to integrate a foundational identity security strategy into the browser environment, which strikes an effective balance between enterprise security and workforce productivity.

“Clearly, modern businesses require a comprehensive identity security strategy. This should be based on intelligent privilege controls that go beyond endpoints into browsers, enabling companies to secure every workforce identity with access to the heart of their enterprises,” he adds.

“The best way to do this is by extending the identity-based approach used for everything else into the browser environment as well. This will enable the security team to ensure that all workforce identities – employees, vendors and remote workers – adhere to risk-tolerant practices, guided by the principles of least privilege and just-in-time access.”

Remember that enterprise browsers are able to prevent cookie hijacking by storing cookies on secure servers, keeping sensitive data beyond the reach of attackers. However, they should also come with built-in controls that extend access to privileged targets through native integration, enabling the security team to monitor end-user activity within high-risk browser sessions, enforce policy-based browsing and prevent the misuse of confidential corporate data.

“Ideally, the enterprise browser should combine with other defence-in-depth solutions, such as multifactor authentication (MFA), single sign-on (SSO) and session monitoring. This will allow them to secure identities, endpoints, passwords and credentials from pre- and post-authentication attacks; enable users to access their resources and applications securely; and unify identity security controls, while ensuring privacy for every identity on every endpoint.

“This is critical, as – while consumer browsers are not built with today’s identity-focused threat landscape in mind – enterprise browsers, given their restrictive controls, can disrupt user experiences. Thus, ensuring that your enterprise browser and your existing security measures work together is key to delivering both optimal web security and a seamless workforce experience. This ultimately provides the foundation to an identity-based security posture that is tailored to preventing cyber breaches,” concludes Lohokare.