Bring your own device (BYOD) refers to the personal endpoints that employees use to perform their work duties. While enabling personal device access to corporate resources may have seemed unthinkable in the past, the adoption of BYOD initiatives has been steadily growing across organizations in recent years. This is because BYOD enhances enterprise productivity, flexibility, and cost savings. Additionally, ever since COVID-19 forced countless companies to shift to a remote style of work, employees have been using their personal devices to do their jobs more than ever before. As an illustration, in the event that a remote user experiences an issue with her or his managed laptop, IT is no longer nearby to provide a quick fix or replacement; quickly pivoting to a personal laptop is a readily available method of remaining productive.
In addition to BYOD, there are other unmanaged devices that do not belong to the enterprise but are often used to access corporate resources and data. These endpoints are owned and managed by third-party organizations like channel partners, suppliers, technology partners, and even customers. Whether unmanaged devices belong to these third parties or are employees’ personal endpoints, organizations have to be able to maintain proper visibility and control wherever data goes. Compounding the difficulty of this challenge is the ever-increasing adoption of cloud applications. Like BYOD, SaaS app usage has been rising in recent years because of its numerous benefits, but has accelerated rapidly in response to the global pandemic.
So, why are security teams concerned about BYOD and other unmanaged devices in the modern workplace, particularly when it comes to cloud applications?
The risks of BYOD
The average enterprise today has off-premises users leveraging unmanaged, potentially risky devices to access the public internet as a means of interacting with corporate data in cloud applications that the organization does not own. This leaves plenty of opportunity for something to go wrong. Sensitive information can easily be downloaded from a SaaS app to an employee’s personal device, where the organization lacks visibility and the data can quickly be exposed and exfiltrated further. Additionally, unmanaged endpoints containing malware can unknowingly or maliciously be used to upload infected files to a cloud application, where threats can surreptitiously spread to connected apps as well as other devices on download. These kinds of issues (and others) can also have adverse effects on regulatory compliance.
Unfortunately, the legacy security stack is no match for today’s dynamic, distributed organization. A castle-and-moat, perimeter-focused approach to security loses its efficacy when users leave the office, leverage unmanaged devices without security software, and access resources which are also off-premises. Unfortunately SaaS applications usually lack native data and threat protection to address these problems--and the few that do have such functionality still typically fail to provide the needed levels of granularity and sophistication.
CASBs and reverse proxies
In light of the above, cloud access security brokers (CASBs) have quickly become go-to technologies for securing the use of cloud applications. They provide data loss prevention (DLP), advanced threat protection (ATP), and other key functionality for these off-premises resources--without requiring on-premises appliances. However, most CASBs today operate primarily in forward-proxy mode, which entails the installation of traffic-forwarding software on every user device--something that is infeasible with unmanaged endpoints that don’t belong to an enterprise. As such, in pursuit of agentless security for BYOD, some CASBs also offer reverse proxies.
This deployment mode forgoes the use of agents on endpoints but requires URL rewrites that allow user traffic destined for sanctioned cloud apps to be redirected to the proxy, inspected, and secured. However, because reverse proxies are hardcoded to specific versions of applications, they frequently suffer from breakages when even minor updates occur for SaaS apps. This downtime is inevitably incredibly costly for any organization; when a proxy experiences a breakage, it does more than just impede proper security--it also grinds business operations to a halt.
So, how can an organization secure BYOD and other unmanaged devices with leading CASB technology without experiencing the headaches that come with reverse proxies?
Zscaler’s Cloud Browser Isolation
Zscaler’s innovative Cloud Browser Isolation (CBI) allows organizations to embrace the productivity of BYOD without compromising security. This unique capability delivers agentless security for any unmanaged device anywhere, while completely circumventing the need for a volatile reverse proxy.
With Zscaler’s agentless Cloud Browser Isolation, admins simply configure a sanctioned cloud resource’s SSO setting to redirect to Zscaler. After that, when users attempt to access said cloud resource from a personal or third-party endpoint, their traffic is sent to Zscaler automatically and without any software installations. For each of these users, Zscaler applies CBI and runs a virtualized session in the Zero Trust Exchange. Only pixels are sent down to user devices, which prevents downloading, copying, pasting, and printing. In this way, users can perform their work duties from unmanaged endpoints, but data leakage is prevented, malware uploads are blocked, and compliance requirements are respected.
As the leading inline vendor with a proven, highly scalable architecture, Zscaler is positioned uniquely to deliver this inline CASB capability. With 150 global data centers processing 200 billion transactions each day, Zscaler boasts a capacity unrivaled by its competitors and delivers security services as close to the end user as possible. This powers Zscaler CASB to solve key cloud security challenges elegantly and effectively.
Want to learn about other important use cases that Zscaler CASB can solve for your organization? Download our ebook.
