How to Secure Unmanaged Devices, with Palo Alto Networks

Michael Krigsman: We're discussing enterprise browsers, an emerging category for securing unmanaged device access, with Anand Oswal from Palo Alto Networks. Tell us about Palo Alto Networks and about your role.

Anand Oswal: Palo Alto Networks is a leading cybersecurity company in the world. We want to make every day more secure than the day before. 

I run the network security business at Palo Alto Networks, ensuring that all users, all applications, and data are consistently secure across all our control points. 

Michael Krigsman: We're discussing enterprise browsers and unmanaged devices. When we talk about unmanaged devices, what do we mean?

Anand Oswal: Unmanaged devices are devices like my personal laptop or my phone that are accessing critical corporate applications and corporate data. Michael, over 50% of devices that access corporate applications and data are unmanaged devices.

Michael Krigsman: How big a problem is this?

Anand Oswal: About 90% of successful malware originates from unmanaged devices. Now 80% of data breaches that happen, happen from applications and email which are typically accessed via a browser.

I spoke to a customer. They had these site reliability engineers, DevOps engineers who were using a personal laptop. An attacker hacker got into the personal laptop and, using, exploiting, a vulnerability in their media software package, was able to install malware (keylogging software, in this case) and was able to steal credentials. 

This all happened from unmanaged devices. So, unmanaged devices are a huge, huge problem. That's why I think we need to be able to secure these devices so they can access the applications and data consistently and securely.

Michael Krigsman: Anand, Gartner has identified this as a very important emerging category. Why has this become such a big issue?

Anand Oswal: Gartner has said that, by 2030, enterprise browsers will become the platform by which unmanaged devices will access applications and by which this access will be secure. By 2026, they say that over 25% of organizations will be starting to adopt enterprise browsers.

Michael Krigsman: What is driving the growth of enterprise browsers? What's happening in the environment? 

Anand Oswal: In the past, users had to choose between security and agility and productivity and a better user experience. So, to get secure access, we deploy a VDI on desktop as a service which are costly but also have a poor user experience. Or you want to ensure that, for every single contractor, you ship a particular laptop and have a managed device. 

These are cost prohibitive, so enterprise browsers change the game where now you can secure your unmanaged devices consistently and also add a new layer of protection for your managed devices to protect from key things like advanced phishing attacks, keylogging, and so on and so forth.

Michael Krigsman: How significant are the risks associated with these unmanaged devices?

Anand Oswal: Think about it in three key important steps. First, as we talked earlier about SASE (Secure Access Service Edge), bringing networking and security together delivered as a massive, distributed cloud service, and ensuring that you can secure the users as they access the applications and data no matter where the user is, no matter where the applications are. 

That was what we call a zero-trust network access 2.0 where you're going to have continuous trust verification, continuous security inspection, and provide that consistently across all users and applications. From the enterprise browser perspective, you can have additional checks to ensure that the posture of the device is right, and we can do this every 90 seconds.

The second key part of the solution is ensuring that you're securing the browser workspace. 

• As you know, the majority of the work happens today in the browser, so how do we ensure your passwords, your bookmarks, your cookies, your keychains, and so on and so forth are moved from just consumer encryption to trusted encryption? That's the first thing.
• The second, how do you ensure that you're adding an additional layer of runtime partition in the browser from things like keylogging, screen scraping, device certificate manipulation? 
• Third, how do you ensure that you're protecting the browser extensions so that when you're accessing untrusted websites, you have full control of all components of the browser, you have full visibility into all the extensions that have been installed on the browser, and control over those?

The third step is around all the controls for data loss prevention from the browser. 

• So, how do you ensure that when you're seeing sensitive information and you're not authorized for it, I mask sensitive content? 
• How do you ensure that you are either allowed or not allowed to share on collaboration applications to ensure that you can only upload sensitive data and files to corporate accounts: a corporate G Drive, a Microsoft account, or a Box account? 
• How do you ensure that if I download a file, it's encrypted but can be only opened within the browser? 

All of these constructs for data loss prevention are part of the solution for having the acquisition of talent which provides unmanaged device access security but also an additional layer of security for managed devices. 

Michael Krigsman: Unmanaged devices (our phones, our laptops) are everywhere. What are the challenges that organizations face trying to secure these devices?

Anand Oswal: I think, first, they don't have consistent security over unmanaged devices today. So, I have consistent security across all my users in the office, whether they work from the office or work from the home, from managed devices. We don't have that for unmanaged devices.

Second is that we don't have visibility and control over all the activity happening from the unmanaged devices. I can only secure something if I see what's happening. 

We want to make sure that we're able to secure all activity (activity happening on managed devices and activity happening on unmanaged devices) where all the visibility, control, the logging information, so we are quarantining these as needed.

Michael Krigsman: Anand, you've described the background. What can organizations do to address this very growing problem?

Anand Oswal: We want to ensure that we secure both your managed device and unmanaged device. But we also want to ensure that we do this consistently. 

When we think about Prisma SASE (which is protecting these users, those devices), we want to protect the user on any device: a managed device and unmanaged device. We want to provide the consistent set of security capabilities for any access to applications or data that sit anywhere.

We're really solving the "any" problem: any user on any device, managed or unmanaged, accessing any applications and any data or any network. We are securing that constantly with the best in class security services. We're able to provide a consistent view to the administrator, so they have visibility into managed and unmanaged devices. 

This all has to happen without compromising the end-user experience because, as end users, we want the most optimal experience on any device that we are on.

Michael Krigsman: Your goal then is to provide a very consistent experience and set of policies regardless of the device, whether it's a device that's issued by the organization or a personal device owned by an employee, a contractor, what have you.

Anand Oswal: Because you've got to have productivity when you are on the road. You're accessing very sensitive information from your personal laptop or your personal phone. It gets you speed, agility, and productivity.

But you don't want to compromise with security. You want to have all the benefits of those, but you also want to ensure that you weave in all the layers of security so you can get both of them done.

Michael Krigsman: Is there a layer of complexity that gets added in as well or is it seamless?

Anand Oswal: It's seamless. It's also the best user experience because as you add more users or unmanaged devices, it's a single way to download the enterprise browser. It's built on the same constructs of consumer browsers like Chromium, but then you add a layer of security.

You want to ensure that all your browser surface area controls are done so that there's no phishing, no malware that can do keylogging, screen scraping. And then providing those additional controls of data, especially for your sensitive data where you mask them, you can't print it, you can't copy it. You can download it, but it's only open in the browser. You can't upload it to your personal Gmail account. All those controls.

It's adding that additional layer of security even for managed devices for your sensitive applications.

Michael Krigsman: Regardless of the device, you have a consistent set of policies and a consistent approach to security across the enterprise.

Anand Oswal: The whole approach to security is on the principles of zero trust. Zero trust talks about least privilege access. It talks about checking the posture of this device on a continuous basis: continuous trust verification, continuous security verification.

Now we're extending those constructs to unmanaged devices. We're adding an additional layer of production, even on managed devices, for browser applications to provide additional protection for runtime browser attacks and also controls for data security.

Michael Krigsman: Anand, you acquired a company called Talon specifically to address these issues. Can you tell us about that?

Anand Oswal: We acquired Talon in December. Talon is headquartered in Israel. They are the leading enterprise browser company, bringing all the benefits I talked about of securing unmanaged devices, of providing these additional runtime protection on browser applications, providing the additional controls of data, visibility, and control for the applications, and bringing it together with SASE, which is a leading solution in the market that Palo Alto has which provides zero trust network access, firewall service, data security, secure Web gateway, working together through a common layer of autonomous digital experience management. 

We can extend all those constructs to managed and unmanaged devices now. Now the network security admin has a comprehensive view of all users on any device, both company-issued managed devices but also the unmanaged devices, accessing any applications and any data sitting in any location.

Michael Krigsman: Can you give us a little more detail about the Talon product specifically and why it's so important at this time?

Anand Oswal: Talon brings an enterprise browser technology. It's based on Chromium, but it's adapted for enterprise, so adding the additional layers of security.

What Talon really did well was ensuring that all of the things that are happening in the browser are secure. If you think of data controls from things like masking of data that are very sensitive information when viewing them, to data exfiltration (they aren't allowed to upload it to different public websites or personal accounts), to all the things around data control. 

• Can you print a given document? 
• Can you share a given document even on a collaboration application?
• If something is displayed, do you want to watermark the application? 
• If you download an application, I want to only ensure that I'm opening it within my secure browser. 

Providing additional layers of control to that.

Think about your browser components, your cookies, your passwords, your access cards, your tokens, your auto-fills. Moving away from consumer encryption to trusted encryption. 

Then when you access untrusted websites, how do you ensure that you have full control on disabling different components? Having full visibility into what extensions are in the browser and full control over them, those are critical aspects that Talon brought together in the acquisition. 

We've taken all these best-in-class components that we had with Talon, all the amazing capability that we had in the leading solution for SASE with Prisma SASE, and brought these together to ensure that now we're able to secure all devices across all the user base, applications and data, consistently manage them, and have all the layers of visibility and control.

Michael Krigsman: From a management perspective, integrating Talon with Palo Alto I'm sure provides a variety of benefits, both from a security standpoint and from a user experience perspective. 

Anand Oswal: It provides a lot of benefits from security, of course, because you're extending all the best-in-class security capabilities and additional layers of protection for both managed and unmanaged devices. It provides incredible operational simplicity for the enterprise because now they have full visibility of all users on managed devices and unmanaged devices, and they're able to quarantine them. If they're accessing sensitive applications and data, you have full visibility and control on that. 

Michael Krigsman: The simplicity and ease of use is a crucial component.

Anand Oswal: Simplicity, ease of use but, most important, consistent, best-in-class security.

Michael Krigsman: Anand, what's the best way for organizations to embark on this journey with enterprise browsers and securing unmanaged devices?

Anand Oswal: If we think about the enterprise browser, we have two big capabilities. The first is how you secure these unmanaged devices just like you secure your managed devices. And how do you allow them to have an additional layer of protection on the browser: advanced phishing attacks, advanced malware, et cetera? How do you do that consistently across the entire organization without having yet another point product, yet another security tool? 

The journey for most of our customers is that many of them are already secure. Their users access from managed devices, accessing applications and data. 

It's very easy to extend the unmanaged devices on the same consistent Prisma SASE architecture with the best in class security and then have the common layer of manageability in terms of how you configure, how you monitor, and how you get insights.

Now there's a certain set of customers who are now just starting this journey. They have not yet got into Prisma SASE but they want to secure these unmanaged devices. 

Forty percent of the workforce today identifies themselves as contractors or independent workers. Many of these contractors or independent workers access corporate resources through their own personal devices. How do we extend solutions of Prisma SASE for the contractor workforce or workforce that is having unmanaged devices?

The goal is to ensure that all users (whether they are contractors, independent workers, employees) having managed or unmanaged devices are accessing any application, any data, through a common layer of best-in-class security, and having additional layers of protection against this browser runtime attacks, but also having all the controls the organization needs on what's happening in the browser, what kind of controls you can have.

Michael Krigsman: With the huge proliferation of personal devices, it sounds like enterprise browsers fill a crucial gap in the security arsenal, we could say.

Anand Oswal: Not only is it helping us secure the unmanaged devices which are accessing critical applications and data which are not secure today. Then for your managed devices, adding an additional layer of security to protect you from attacks that are happening on browser runtime and having good control about the entire browser attack surface.

Michael Krigsman: Education plays a very important role in many aspects of security. How does education figure into this?

Anand Oswal: If all organizations understand that 90% of successful malware originates from unmanaged devices that their employees have. Part of it is understanding all of that's going on. Forty percent of the workforce today is an independent workforce or contractor workforce, and many, many of these workforce are accessing critical applications and data from unmanaged devices. 

Of course, education plays a very key role to ensure that organizations understand the risks associated with unmanaged devices and what's going on, and also to know that the majority of the data breaches are happening through applications and email that are accessed via the browser. As the browser becomes the workspace of the future, how do you ensure that you're securing that consistently across your managed devices, your unmanaged devices, and how do you add additional layers of protection as needed?

Michael Krigsman: Education is crucial because these unmanaged devices are a very significant source of potential attacks. 

Anand Oswal: Yes, absolutely.

Michael Krigsman: Anand, any concluding advice on securing unmanaged devices for technology and security professionals?

Anand Oswal: Securing all devices is very, very important. Securing your managed devices and securing your unmanaged devices.

In the past, if you wanted to really secure your unmanaged devices, it was costly and the user experience was not good because you used desktop as a service or VDI applications, which impacted the user experience. With a secure enterprise browser, you have a very easy and more secure way of securing your unmanaged devices. You can add an additional layer of protection even for managed devices.

All of these can be delivered consistently across the workforce, so the consistent layer of security capabilities from advanced threat prevention to advanced malware to URL filtering are applied consistently across your managed and unmanaged devices for any applications and data they access.

Then you have full management capabilities that are consistent. The administrator is allowed to set policies, look at visibility, and look at login information, monitoring capabilities. It's consistent now across both these managed and unmanaged devices with best-in-class security capabilities.

Michael Krigsman: Thinking holistically across the full range of devices, unmanaged devices and managed devices.

Anand Oswal: Yes, unmanaged devices, managed devices, having the best in class security capabilities and ensuring that you're able to now have full visibility into the activities, the insights so that you can drive the actions consistently.

Michael Krigsman: Anand Oswal, thank you so much for taking time to speak with us.

Anand Oswal: Michael, always a pleasure to talk to you. Thank you.