How to Secure Unmanaged Devices, with Palo Alto Networks

Explore the pivotal role of enterprise browsers in securing unmanaged devices with Anand Oswal from Palo Alto Networks on CXOTalk. Uncover strategies for enhancing cybersecurity in an era where personal device use in corporate environments poses significant risks.

18:59

Mar 01, 2024
32,513 Views

In this episode of CXOTalk, Michael Krigsman speaks with Anand Oswal from Palo Alto Networks to explore the critical issue of securing unmanaged devices by using enterprise browsers. 

Oswal highlights the alarming statistic that over 50% of devices accessing corporate data are unmanaged, contributing to 90% of successful malware attacks. He emphasizes the need for robust security measures that can consistently protect both managed and unmanaged devices without compromising user experience. The discussion examines the role of enterprise browsers as a solution, with Gartner predicting their significant adoption by 2030 for secure application access on unmanaged devices.

The conversation further examines the risks associated with unmanaged devices and the strategies organizations can employ to mitigate these threats. Oswal outlines a three-step approach involving Secure Access Service Edge (SASE), securing the browser workspace, and implementing data loss prevention controls. 

He also discusses Palo Alto Networks' acquisition of Talon, to enhance their security offerings with a secure enterprise browser. The integration of Talon's technology with Palo Alto's Prisma SASE architecture aims to provide a seamless and secure browsing experience, extending protection to the growing number of contractors and remote workers using personal devices for corporate tasks. 

The episode concludes with Oswal stressing the importance of education in understanding the risks of unmanaged devices and the necessity of a holistic security approach that encompasses all devices within an organization.

Episode Highlights

Overview of Palo Alto Networks and Unmanaged Devices

  • Palo Alto Networks' Role: Anand Oswal describes the company as a leader in cybersecurity, aiming to make each day more secure than the last.
  • Definition of Unmanaged Devices: Devices not directly managed by an organization's IT, such as personal laptops and phones, which are a significant security concern as they access corporate data.

The Threat Landscape

  • Malware and Data Breaches: A staggering 90% of successful malware attacks come from unmanaged devices, and 80% of data breaches occur through applications and email accessed via browsers.
  • Real-world Impact: An example is provided where an attacker exploited a vulnerability in media software on a personal laptop to install keylogging software and steal credentials.

Gartner's Perspective on Enterprise Browsers

  • Emerging Category: By 2030, enterprise browsers are expected to be the primary platform for securing access from unmanaged devices.
  • Adoption Forecast: Gartner predicts that by 2026, over 25% of organizations will start adopting enterprise browsers.

Drivers for Enterprise Browser Adoption

  • Security vs. User Experience: Traditional solutions like VDI are costly and offer poor user experience, whereas enterprise browsers provide a balance between security and usability.
  • Protection for Managed Devices: Enterprise browsers not only secure unmanaged devices but also add a layer of protection for managed devices against sophisticated cyber threats.

Securing Unmanaged Devices with Prisma SASE

  • Consistent Security: Prisma SASE by Palo Alto Networks aims to provide consistent security capabilities for any user, on any device, accessing any application or data.
  • Visibility and Control: The solution addresses the lack of visibility and control over activities on unmanaged devices, which is essential for securing them.

Talon Acquisition and Its Significance

  • Strategic Acquisition: Palo Alto Networks acquired Talon [now called Prisma Access Browser] to enhance security for unmanaged devices and provide additional protection for managed devices.
  • Talon's Enterprise Browser Technology: Talon's technology is based on Chromium and adds layers of security to protect against browser-based attacks and control data exfiltration.

Final Thoughts and Advice

  • Holistic Security Approach: Organizations are advised to secure all devices, managed and unmanaged, with a consistent layer of security capabilities.
  • Importance of Education: Educating organizations about the risks associated with unmanaged devices and the role of enterprise browsers is crucial for cybersecurity.

Key Takeaways

Unmanaged Devices Pose a Critical Security Risk: Unmanaged devices significantly increase your organization's vulnerability to attacks. Prioritize strategies to secure these devices, as attackers are increasingly targeting them for malware and data breaches.

Enterprise Browsers Offer a Balanced Solution: Enterprise browsers provide a way to secure unmanaged devices without sacrificing user productivity or significantly increasing costs. Consider them as a crucial part of your cybersecurity strategy to enable secure access without hindering agility.

Zero Trust is Essential for Browser Security: Implement a zero-trust approach to browser security on both managed and unmanaged devices. This means continuous verification, least privilege access, and layered protection against browser-specific attacks.

Consider a Unified SASE Solution: A unified SASE solution, like Palo Alto Networks Prisma SASE, can streamline the management and security of both managed and unmanaged devices. This provides a consistent security framework with visibility and control across your entire enterprise.
 

Episode Participants

Anand Oswal serves as Senior Vice President and General Manager at cyber security leader Palo Alto Networks where he leads the company’s Firewall as a Platform efforts. Prior to this he was Senior Vice President of Engineering for Cisco’s Intent-Based Networking Group where he was responsible for building the entire set of platforms, from switching, wireless and routing to IoT and cloud services, that make up Cisco’s extensive enterprise networking portfolio. Anand joined Cisco in 2009 via the acquisition of Starent Networks, a leader in mobile packet core gateways.  He holds more than 60 U.S. patents and earned a bachelor’s degree in telecommunications from the College of Engineering, Pune, India and a master’s degree in computer networking from the University of Southern California, Los Angeles.

Michael Krigsman is an industry analyst and publisher of CXOTalk. For three decades, he has advised enterprise technology companies on market messaging and positioning strategy. He has written over 1,000 blogs on leadership and digital transformation and created almost 1,000 video interviews with the world’s top business leaders on these topics. His work has been referenced in the media over 1,000 times and in over 50 books. He has presented and moderated panels at numerous industry events around the world.

Transcript

Michael Krigsman: We're discussing enterprise browsers, an emerging category for securing unmanaged device access, with Anand Oswal from Palo Alto Networks. Tell us about Palo Alto Networks and about your role.

Anand Oswal: Palo Alto Networks is a leading cybersecurity company in the world. We want to make every day more secure than the day before. 

I run the network security business at Palo Alto Networks, ensuring that all users, all applications, and data are consistently secure across all our control points. 

Michael Krigsman: We're discussing enterprise browsers and unmanaged devices. When we talk about unmanaged devices, what do we mean?

Anand Oswal: Unmanaged devices are devices like my personal laptop or my phone that are accessing critical corporate applications and corporate data. Michael, over 50% of devices that access corporate applications and data are unmanaged devices.

Michael Krigsman: How big a problem is this?

Anand Oswal: About 90% of successful malware originates from unmanaged devices. Now 80% of data breaches that happen, happen from applications and email which are typically accessed via a browser.

I spoke to a customer. They had these site reliability engineers, DevOps engineers who were using a personal laptop. An attacker hacker got into the personal laptop and, using, exploiting, a vulnerability in their media software package, was able to install malware (keylogging software, in this case) and was able to steal credentials. 

This all happened from unmanaged devices. So, unmanaged devices are a huge, huge problem. That's why I think we need to be able to secure these devices so they can access the applications and data consistently and securely.

Michael Krigsman: Anand, Gartner has identified this as a very important emerging category. Why has this become such a big issue?

Anand Oswal: Gartner has said that, by 2030, enterprise browsers will become the platform by which unmanaged devices will access applications and by which this access will be secure. By 2026, they say that over 25% of organizations will be starting to adopt enterprise browsers.

Michael Krigsman: What is driving the growth of enterprise browsers? What's happening in the environment? 

Anand Oswal: In the past, users had to choose between security and agility and productivity and a better user experience. So, to get secure access, we deploy a VDI on desktop as a service which are costly but also have a poor user experience. Or you want to ensure that, for every single contractor, you ship a particular laptop and have a managed device. 

These are cost prohibitive, so enterprise browsers change the game where now you can secure your unmanaged devices consistently and also add a new layer of protection for your managed devices to protect from key things like advanced phishing attacks, keylogging, and so on and so forth.

Michael Krigsman: How significant are the risks associated with these unmanaged devices?

Anand Oswal: Think about it in three key important steps. First, as we talked earlier about SASE (Secure Access Service Edge), bringing networking and security together delivered as a massive, distributed cloud service, and ensuring that you can secure the users as they access the applications and data no matter where the user is, no matter where the applications are. 

That was what we call a zero-trust network access 2.0 where you're going to have continuous trust verification, continuous security inspection, and provide that consistently across all users and applications. From the enterprise browser perspective, you can have additional checks to ensure that the posture of the device is right, and we can do this every 90 seconds.

The second key part of the solution is ensuring that you're securing the browser workspace. 

  • As you know, the majority of the work happens today in the browser, so how do we ensure your passwords, your bookmarks, your cookies, your keychains, and so on and so forth are moved from just consumer encryption to trusted encryption? That's the first thing.
  • The second, how do you ensure that you're adding an additional layer of runtime partition in the browser from things like keylogging, screen scraping, device certificate manipulation? 
  • Third, how do you ensure that you're protecting the browser extensions so that when you're accessing untrusted websites, you have full control of all components of the browser, you have full visibility into all the extensions that have been installed on the browser, and control over those?

The third step is around all the controls for data loss prevention from the browser. 

  • So, how do you ensure that when you're seeing sensitive information and you're not authorized for it, I mask sensitive content? 
  • How do you ensure that you are either allowed or not allowed to share on collaboration applications to ensure that you can only upload sensitive data and files to corporate accounts: a corporate G Drive, a Microsoft account, or a Box account? 
  • How do you ensure that if I download a file, it's encrypted but can be only opened within the browser? 

All of these constructs for data loss prevention are part of the solution for having the acquisition of talent which provides unmanaged device access security but also an additional layer of security for managed devices. 

Michael Krigsman: Unmanaged devices (our phones, our laptops) are everywhere. What are the challenges that organizations face trying to secure these devices?

Anand Oswal: I think, first, they don't have consistent security over unmanaged devices today. So, I have consistent security across all my users in the office, whether they work from the office or work from the home, from managed devices. We don't have that for unmanaged devices.

Second is that we don't have visibility and control over all the activity happening from the unmanaged devices. I can only secure something if I see what's happening. 

We want to make sure that we're able to secure all activity (activity happening on managed devices and activity happening on unmanaged devices) where all the visibility, control, the logging information, so we are quarantining these as needed.

Michael Krigsman: Anand, you've described the background. What can organizations do to address this very growing problem?

Anand Oswal: We want to ensure that we secure both your managed device and unmanaged device. But we also want to ensure that we do this consistently. 

When we think about Prisma SASE (which is protecting these users, those devices), we want to protect the user on any device: a managed device and unmanaged device. We want to provide the consistent set of security capabilities for any access to applications or data that sit anywhere.

We're really solving the "any" problem: any user on any device, managed or unmanaged, accessing any applications and any data or any network. We are securing that constantly with the best in class security services. We're able to provide a consistent view to the administrator, so they have visibility into managed and unmanaged devices. 

This all has to happen without compromising the end-user experience because, as end users, we want the most optimal experience on any device that we are on.

Michael Krigsman: Your goal then is to provide a very consistent experience and set of policies regardless of the device, whether it's a device that's issued by the organization or a personal device owned by an employee, a contractor, what have you.

Anand Oswal: Because you've got to have productivity when you are on the road. You're accessing very sensitive information from your personal laptop or your personal phone. It gets you speed, agility, and productivity.

But you don't want to compromise with security. You want to have all the benefits of those, but you also want to ensure that you weave in all the layers of security so you can get both of them done.

Michael Krigsman: Is there a layer of complexity that gets added in as well or is it seamless?

Anand Oswal: It's seamless. It's also the best user experience because as you add more users or unmanaged devices, it's a single way to download the enterprise browser. It's built on the same constructs of consumer browsers like Chromium, but then you add a layer of security.

You want to ensure that all your browser surface area controls are done so that there's no phishing, no malware that can do keylogging, screen scraping. And then providing those additional controls of data, especially for your sensitive data where you mask them, you can't print it, you can't copy it. You can download it, but it's only open in the browser. You can't upload it to your personal Gmail account. All those controls.

It's adding that additional layer of security even for managed devices for your sensitive applications.

Michael Krigsman: Regardless of the device, you have a consistent set of policies and a consistent approach to security across the enterprise.

Anand Oswal: The whole approach to security is on the principles of zero trust. Zero trust talks about least privilege access. It talks about checking the posture of this device on a continuous basis: continuous trust verification, continuous security verification.

Now we're extending those constructs to unmanaged devices. We're adding an additional layer of production, even on managed devices, for browser applications to provide additional protection for runtime browser attacks and also controls for data security.

Michael Krigsman: Anand, you acquired a company called Talon specifically to address these issues. Can you tell us about that?

Anand Oswal: We acquired Talon in December. Talon is headquartered in Israel. They are the leading enterprise browser company, bringing all the benefits I talked about of securing unmanaged devices, of providing these additional runtime protection on browser applications, providing the additional controls of data, visibility, and control for the applications, and bringing it together with SASE, which is a leading solution in the market that Palo Alto has which provides zero trust network access, firewall service, data security, secure Web gateway, working together through a common layer of autonomous digital experience management. 

We can extend all those constructs to managed and unmanaged devices now. Now the network security admin has a comprehensive view of all users on any device, both company-issued managed devices but also the unmanaged devices, accessing any applications and any data sitting in any location.

Michael Krigsman: Can you give us a little more detail about the Talon product specifically and why it's so important at this time?

Anand Oswal: Talon brings an enterprise browser technology. It's based on Chromium, but it's adapted for enterprise, so adding the additional layers of security.

What Talon really did well was ensuring that all of the things that are happening in the browser are secure. If you think of data controls from things like masking of data that are very sensitive information when viewing them, to data exfiltration (they aren't allowed to upload it to different public websites or personal accounts), to all the things around data control. 

  • Can you print a given document? 
  • Can you share a given document even on a collaboration application?
  • If something is displayed, do you want to watermark the application? 
  • If you download an application, I want to only ensure that I'm opening it within my secure browser. 

Providing additional layers of control to that.

Think about your browser components, your cookies, your passwords, your access cards, your tokens, your auto-fills. Moving away from consumer encryption to trusted encryption. 

Then when you access untrusted websites, how do you ensure that you have full control on disabling different components? Having full visibility into what extensions are in the browser and full control over them, those are critical aspects that Talon brought together in the acquisition. 

We've taken all these best-in-class components that we had with Talon, all the amazing capability that we had in the leading solution for SASE with Prisma SASE, and brought these together to ensure that now we're able to secure all devices across all the user base, applications and data, consistently manage them, and have all the layers of visibility and control.

Michael Krigsman: From a management perspective, integrating Talon with Palo Alto I'm sure provides a variety of benefits, both from a security standpoint and from a user experience perspective. 

Anand Oswal: It provides a lot of benefits from security, of course, because you're extending all the best-in-class security capabilities and additional layers of protection for both managed and unmanaged devices. It provides incredible operational simplicity for the enterprise because now they have full visibility of all users on managed devices and unmanaged devices, and they're able to quarantine them. If they're accessing sensitive applications and data, you have full visibility and control on that. 

Michael Krigsman: The simplicity and ease of use is a crucial component.

Anand Oswal: Simplicity, ease of use but, most important, consistent, best-in-class security.

Michael Krigsman: Anand, what's the best way for organizations to embark on this journey with enterprise browsers and securing unmanaged devices?

Anand Oswal: If we think about the enterprise browser, we have two big capabilities. The first is how you secure these unmanaged devices just like you secure your managed devices. And how do you allow them to have an additional layer of protection on the browser: advanced phishing attacks, advanced malware, et cetera? How do you do that consistently across the entire organization without having yet another point product, yet another security tool? 

The journey for most of our customers is that many of them are already secure. Their users access from managed devices, accessing applications and data. 

It's very easy to extend the unmanaged devices on the same consistent Prisma SASE architecture with the best in class security and then have the common layer of manageability in terms of how you configure, how you monitor, and how you get insights.

Now there's a certain set of customers who are now just starting this journey. They have not yet got into Prisma SASE but they want to secure these unmanaged devices. 

Forty percent of the workforce today identifies themselves as contractors or independent workers. Many of these contractors or independent workers access corporate resources through their own personal devices. How do we extend solutions of Prisma SASE for the contractor workforce or workforce that is having unmanaged devices?

The goal is to ensure that all users (whether they are contractors, independent workers, employees) having managed or unmanaged devices are accessing any application, any data, through a common layer of best-in-class security, and having additional layers of protection against this browser runtime attacks, but also having all the controls the organization needs on what's happening in the browser, what kind of controls you can have.

Michael Krigsman: With the huge proliferation of personal devices, it sounds like enterprise browsers fill a crucial gap in the security arsenal, we could say.

Anand Oswal: Not only is it helping us secure the unmanaged devices which are accessing critical applications and data which are not secure today. Then for your managed devices, adding an additional layer of security to protect you from attacks that are happening on browser runtime and having good control about the entire browser attack surface.

Michael Krigsman: Education plays a very important role in many aspects of security. How does education figure into this?

Anand Oswal: If all organizations understand that 90% of successful malware originates from unmanaged devices that their employees have. Part of it is understanding all of that's going on. Forty percent of the workforce today is an independent workforce or contractor workforce, and many, many of these workforce are accessing critical applications and data from unmanaged devices. 

Of course, education plays a very key role to ensure that organizations understand the risks associated with unmanaged devices and what's going on, and also to know that the majority of the data breaches are happening through applications and email that are accessed via the browser. As the browser becomes the workspace of the future, how do you ensure that you're securing that consistently across your managed devices, your unmanaged devices, and how do you add additional layers of protection as needed?

Michael Krigsman: Education is crucial because these unmanaged devices are a very significant source of potential attacks. 

Anand Oswal: Yes, absolutely.

Michael Krigsman: Anand, any concluding advice on securing unmanaged devices for technology and security professionals?

Anand Oswal: Securing all devices is very, very important. Securing your managed devices and securing your unmanaged devices.

In the past, if you wanted to really secure your unmanaged devices, it was costly and the user experience was not good because you used desktop as a service or VDI applications, which impacted the user experience. With a secure enterprise browser, you have a very easy and more secure way of securing your unmanaged devices. You can add an additional layer of protection even for managed devices.

All of these can be delivered consistently across the workforce, so the consistent layer of security capabilities from advanced threat prevention to advanced malware to URL filtering are applied consistently across your managed and unmanaged devices for any applications and data they access.

Then you have full management capabilities that are consistent. The administrator is allowed to set policies, look at visibility, and look at login information, monitoring capabilities. It's consistent now across both these managed and unmanaged devices with best-in-class security capabilities.

Michael Krigsman: Thinking holistically across the full range of devices, unmanaged devices and managed devices.

Anand Oswal: Yes, unmanaged devices, managed devices, having the best in class security capabilities and ensuring that you're able to now have full visibility into the activities, the insights so that you can drive the actions consistently.

Michael Krigsman: Anand Oswal, thank you so much for taking time to speak with us.

Anand Oswal: Michael, always a pleasure to talk to you. Thank you.

Published Date: Mar 01, 2024

Author: Michael Krigsman

Episode ID: 827