Adopting Zero Trust

AZT: The Market For Enterprise (Secure) Browsers

Season two, episode 18: Evgeniy Kharam, a founder, CISO, architect, and podcast producer discusses the rise of Enterprise (Secure) browsers.

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google. You can read the show notes here.

In the latest episode of AZT, Evgeniy Kharam, a founder, CISO, architect, and podcast producer, joins the discussion to talk about the rise of Enterprise (Secure) browsers. The conversation explores the importance of browser security and its relevance to the Zero Trust framework.


Key Takeaways

  1. The birth of the enterprise browser - Remote Browser Isolation: Evgeniy explains the concept of remote browser isolation, which creates a layer of separation between users and potentially harmful websites. By browsing through a remote browser, users can mitigate the risks associated with malware and other online threats.

  2. Customized Browser Profiles: The conversation delves into the idea of using customized browser profiles to enhance security and control access. By providing contractors or temporary workers with specific browser profiles, organizations can ensure that only authorized individuals can access certain applications or data.

  3. Managed Device and Compliance: The discussion highlights the trend of using managed devices and the impact on compliance requirements. With the ability to enforce the use of specific browsers through Mobile Device Management (MDM), organizations can strengthen security measures and simplify compliance audits.

Editor’s Note

Season 2 of Adopting Zero Trust is inching toward the finish line. We have just one more episode planned (we may squeeze one more in) before we do our traditional season wrap-up episode before the holidays. Next episode, you can expect a lively chat with a former hacktivist, the co-founder of LulzSec, who spent a bit of time behind bars. We’ll discuss his start, how he moved into red teaming (pen testing), and some more modern approaches as they relate to Zero Trust.

We will also launch a final giveaway for the year: A Flipper Zero. Be on the lookout for that one soon.

New podcast releases next week: Mastering the Art of Failing

Unrelated to the world of cybersecurity, I am also launching a new series next week (Nov 21) called Mastering the Art of Failing. This will focus on all different types of successful people (business, athletes, in life, etc.) and how they weaponized past failures to become who they are today. The pilot season will feature three amazing people ranging from an investor-turned university incubator coach, a CFO who found success in building a wild personal brand, and the creator of a media company with a successful exit. You’ll also hear just one of the many flops I went through, which explains why my co-host and I built the series.

Brand Building Course with Cybersecurity Marketing Society

Most of our audience consists of security practitioners, but if you are interested in brand building, I will soon announce how to access the first modules in a related course built for the Cybersecurity Marketing Society. You can subscribe to updates here.

The birth of the Enterprise Browser - Remote Browser Isolation

Before we get to the current state and the unicorn companies building in the enterprise browser category, it’s important to understand what has led us to this massive growth.

“It started all the way back in 2008 with remote browser isolation, but you can also think about Citrix and people connecting remotely to places. The idea was, if I'm browsing the Internet and I'm potentially going to a bad website, I want an isolation between me and the bad stuff. So if I have a remote browser somewhere, I'm going to browse to this browser and this browser will browse for me.

Think about this as you're a technician and you need to operate and open a bomb, for example, a potential bomb. You're going to operate a robot. So the robot will do the work for you. And if something happened, the robot will have a problem and not you. So you're creating a layer between you and the bad stuff. So the same idea here, if the malware is going to detonate on the browser, it will happen on the remote browser,” said Kharam.

However, there were issues with this approach. Companies were still (and may still be) using secure web gateways together with remote browser isolation, typically for unknown websites. This period is also when Google’s Chromium was born.

Chromium is an open-source project that forms the foundation of the Google Chrome web browser, with an initial goal of creating a fast, secure, and stable browsing experience, including isolation between tabs. This has led to changes in web standards, and while we may say there were some performance enhancements, you and everyone else with 20 tabs open need the new M3 chip just to run it properly. Regardless, Chromium has since become the basis for various other browsers, including Microsoft Edge and Brave.

“Several years ago, probably around four or five, a number of companies realized, okay, ‘What if I create an extension or take the Chromium browser, strip it even more, and build on top of it and create my own browser?’ And this browser will also have the traditional similar features like URL filtering, malware analysis, DLP, and many other things. I can also control which extensions you're going to be able to install.

Why? Because extensions may change permissions and may do different things. Now I can also figure out and say, ‘Hey, Evgeniy, for you to do the work in this particular application, let's call it Salesforce or AWS, you have to come from this browser.’ So now you need to authenticate to this browser, and this browser potentially will do a host check to understand from which device you are coming, do you have the latest patches, and, if you don’t come from a particular browser, these applications will not authorize the user to access them.”

The Future of Enterprise Browsers

As the way organizations operate and function changes, enterprise browsers offer more potential solutions to common use cases like remote or hybrid environments. Evgeniy emphasizes the potential of browser security in the context of Zero Trust, where access is granted based on continuous verification and validation.

He also touched on the challenges of inspecting encrypted traffic (SSL/TLS offloading is CPU-intensive and defeated by certificate pinning) and the advantages of shifting control and inspection to the browser level, where content can be inspected before it is encrypted. By leveraging browser-based security measures, organizations can enhance their protection against threats while ensuring a seamless user experience.

This also applies to situations such as having contractors, where it may not be cost-effective to send them company-owned and managed hardware. These scenarios, where contractors must use their own devices, should still have a layer of controls in place, and asking people to download something that could be perceived as spyware doesn’t sit well with many. An enterprise browser, where work and access to applications are contained, could be a more viable solution.

The Impact on Remote Work and Compliance

The rise of remote work has led to new considerations in terms of device management and compliance. The use of MDM solutions, coupled with customized browser profiles, offers a flexible and secure approach to enable remote workers without compromising security and compliance requirements.

Moreover, the discussion highlights the potential compliance benefits of containing work within the browser. By proving that sensitive operations and data remain within the browser environment, organizations could streamline compliance audits and reduce the need for additional endpoint security measures, though Kharam is clear that the industry is not there yet.

Our resident threat intel expert, Neal Dennis, wraps things up with his perspective on the role these enterprise browsers will play into the future.

“I think this is fun because the browser itself, to your point earlier on, this is where everybody lives nine times out of 10, unless you're an engineer who doesn't understand what a tab looks like and you do command line all day long. Everybody, everybody has a browser somewhere and everybody's doing something with the browser.

And so why are we going to only focus on those network devices that are trying to secure the inbound outbound on those comms when we could take it down that echelon a little bit more and endpoint security management at the end of the day, really at a much more granular level and a much more effective level,” said Dennis.


Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot Volkman: Hello, and welcome back to another episode of Adopting Zero Trust or AZT. I am Elliot, your producer alongside Neal, your host. And today we have a guest that's going to be talking into a pretty hot topic as far as it comes down to things that people interact with on a frequent or regular basis. But and I already told him I was going to mess up his name.

Evgeniy, if you could kindly give us a little bit of background on yourself, you are currently, I don't know, a CISO, a founder. You have run an MSP or MSSP, which one was it?

Evgeniy Kharam: So a bit of a ball, everything. So thank you for inviting me here. I'm almost like all you can eat. Meal because I spent 15 years in MSSP in a bar in a company called hard to the group that now calls it. There is. And over there, I did installation of firewalls in the beginning, running a number of teams later on, did the pre sales for customers, working with vendors.

And when I left last year, I basically was the VP of architecture. So right now I'm doing several things myself. I have a consulting business where I mainly work with VARs, MSSPs and some vendors. I have a podcast with a friend, actually two podcasts right now, Security Architecture Podcast and Cyber Inspiration. We did a cybersecurity conference earlier this year called Keynes Snowboard Cybersecurity Conference with other folks. And we do another one next year as well with Tony. And what else I'm doing? I'm writing a book. Let's separate. I'm spending a lot of time on LinkedIn. And in general, I'm very involved in the vendor community and cybersecurity vendor community.

I speak with a lot of founders. I understand how stuff works because fundamentally, I'm an architect as well. So this is important. And when I talk to customers and talk to people, I always want to approach the idea of connected infrastructure, connected architecture.

Elliot Volkman: Love it. So I guess that trip, the conference that you did, it wasn't just a write-off to go skiing and snowboarding with a bunch of tech folks.

Evgeniy Kharam: No, this actually was testing an idea. So the idea was, if we bring people that have two or more, several passions, we just don't need to do anything. If any of you do scuba diving, there's a company called Morris. And it says just add water. So it's pretty much the same. Just add beer and food. So we are testing and theory testing, but we wanted to make sure it is if we bring cyber security people and we wanted people to communicate to have a networking event that like cyber like skiing or snowboarding.

So we don't need to do a lot. They will communicate that we don't need to think about how open the conversation, how to talk with this person, because it's very easy to say, Oh, are you skiing? Are you snowboarding? And you will see what is your favorite mountain? What do you do for cyber? Everybody wearing sport jackets.

There is no issue with, Oh, you have a Armani suit. You're probably a very important person. And as my buddy and my co founder for the skiing snowboard conference says it's a perfect elevator pitch. We have not very big mountains here in Toronto. So you have two minutes when you're going up and somebody can pitch you on the idea of what they do.

And if you don't like them, you just say, thank you very much. And you ski a different way. Or if you like them, you can continue skiing with them or snowboarding with them. And funny enough, we saw people standing on top of the mountain and talking cyber. They went up and just continue talking about cyber. The idea was to test networking. It was really great. People connected. People loved it. People enjoyed sport activity and also business.

Neal Dennis: I was just making it quick. Brings a whole new way to the term elevator pitch. Up the

Elliot Volkman: Yeah. So I was going to poke at Neal. So he helps out with the, is it Texas Cyber?

Neal Dennis: Texas Cyber Summit, yes sir.

Elliot Volkman: So maybe you can encourage them to add in an ultramarathon for us next year. And I will definitely go and show up for that.

Evgeniy Kharam: Ultramarathon is a bit hard because you're not going to do a lot of networking. You're going to be running for a long time. So maybe at sprints, then you can actually talk between them.

Neal Dennis: We do a lot of the walkings, not the runnings.

Evgeniy Kharam: So walk for cyber, basically walk and talk.

Neal Dennis: Yeah,

Elliot Volkman: Yeah, exactly.

Neal Dennis: No, it's fun stuff. No, it's good. That's cool. Conferences are hard, especially your own conference. So speaking from experience, but yeah, that's good stuff. I like it. I

Evgeniy Kharam: a lot of learning. And it was for me very interesting because I did spend a lot of time with vendors. But it was the first time when I actually spent a lot of time with the marketing people from the vendor side, because all the conversation, who's going to be there? Do I get the people? How do we understand if they like it?

They had a lot of communication about. Qualify leads for it, not qualify leads. And all this conversation went to brand new level on my other podcast. I spoke and some of my friends

Elliot Volkman: Very cool. Well, while we're actually talking about marketing, I want to derail us before we get to actually the meat of the conversation only because I just saw a pretty wild thing on LinkedIn. So I hope you don't mind us doing that. And I already threw it up in front of you. So probably not going to do the video since no one actually watches this, which we do have this on YouTube, by the way.

So you're just gonna get the audio version of us like explaining the situation. Maybe I'll put it in the link in the show notes too. Thank you. But a doctor who works over, well, a PhD doctor works over at a healthcare organization. You all know marketing as far as things that get sent to your inbox.

For the higher ups, you tend to get direct mail. Anyways, if you have been on the receiving end, this is a torn down piece of marketing material where basically it opens up like a greeting card and within it, it will blast some sort of video message at you. Anyways, he tore it down. And typically you wouldn't see anything much besides like a chip and a screen and a little bit, but this version, and I will not say what company it was, because it was a very large company and pretty generally well respected, but if you look in this, there's an LTE chip and also a SIM card in here.

So absolutely freaking wild. I will say I work in the marketing side of the house typically, but yeah, this it's a little bit weird. So for our vendors that listen, which I know isn't like the largest group out of our practitioners, maybe encourage not sending stuff like this.

Neal Dennis: How do I get on that mailing list?

Elliot Volkman: These are fun to tear apart, though, because I got them from like Salesforce and stuff like that. But yeah, that's interesting. So anyways, back to the actual episode, since we've got somewhat of an expert who can cover all sorts of things. One thing that we have not covered really from the Zero Trust perspective is something that people interface with on a regular basis across the entire day, which is the browser that connects you or the user to the Internet.

I got it wrong before. It is not just secure browsers. It is now enterprise browsers, but maybe we'll hand it back off to you. You kind of give us a little bit of a rundown. What is the background and, you know, how is that kind of shaping up? What is the importance? Relevance towards zero trust to, you

Evgeniy Kharam: because there's quite a lot of time to talk about it, but

Neal Dennis: it a long version.

Evgeniy Kharam: sounds good. Sounds good. It started all the way probably 2008 with remote browser isolation, but you can also think about Citrix and people connecting remotely to places. But this is connecting back with remote browser isolation.

The idea was if I'm browsing the Internet and I'm potentially going to a bad website, I want an isolation between me and the bad stuff. So if I have a remote browser somewhere, I'm going to browse to this browser and this browser will browse for me. Think about this as you're a technician and you need to operate and open a bomb, for example, a potential bomb.

You're going to operate a robot. So the robot will do the work for you. And if something happened, the robot will have a problem and not you. So you're creating a layer between you and the bad stuff. So the same idea here, if the malware going to detonate on the browser, it will happen on the remote browser.

There was a number of issues with this and some interesting applications, how you can use it. And still a lot of companies in a secure web gateway space are using the feature of remote browser isolation, especially on the unknown websites. So it's quite cool. This is the beginning. Google also has Chromium, if you're not familiar.

So Google Chrome runs on Chromium and Edge runs on Chromium as well, and many other browsers actually support isolation between tabs from 2008. So it allows you to do the separation and basically you cannot go from a tab to tab. Several years ago, probably around four or five years ago, a number of companies realized, okay, what if I create an extension or take the Chromium browser?

Strip it even more and build on top of it and create my own browser. And this browser will also have the traditional similar features like URL filtering, malware analysis, DLP, and many other things, to the point that it got many different features. I can also control which extensions you're going to be able to install.

Why? Because extensions may change permissions and may do different things. Now I can also figure out and say, Hey, Evgeniy, for you to do the work in this particular application, let's call it Salesforce or AWS, you have to come from this browser. So now you need to authenticate to this browser and this browser potentially will do a host check to understand from which device you are coming.

Do you have the latest patching AV, whatever it is. And then. Before you're going to the applications, you need to actually prove and we're not going to technical details yet. We can go maybe later on to say, Oh, if you're not coming through this browser, I'm not going to let you in. So I'm supporting the entire idea of the zero trust framework is that I'm not allowing access to anyone.

I only allow access to validated people from validated devices through the validated browser. So I'm adding another layer of security and this technology potentially could be very interesting right now, not just to the internal users, but I think the first very logical application is, if I need to have Elliot, when you do part time work for me, do I need to give them access, browser, laptop?

How do I actually do this in many big companies? They're not going to give you access to the environment. You know, you know, give you the SSL VPN. You can actually ship your laptop because as a laptop with standard images, all their tools quite expensive. In this case, I say, okay, here's a browser.

You can have to use this browser. And to kind of go deeper a bit. Let's say I would want to download some documents that he saw very cool when he was working for this customer so I can prevent Data leakage, DLP, to formally download the documents, or if you download the documents, they will be encrypted.

So there are several multiple kind of ideas and features that we can use here that support enterprise security, zero trust and general hygiene.

Neal Dennis: Yeah. I'm going to dive in. Oh, it's I think still computing, there's a lot of good little nuggets there for Elliot in my brain, but yeah I think it's fine. We talked historically. Someone take us back slightly. I remember the 1st, what did they call them back? You go back 2008, 2007. We had Firefox put out a sandbox browser or whatever, which was, I think, kind of the precursor to these, the way they ended up being in 2008 later.

And so I love the evolution of this because as a guy who did a lot of open source research things in less desirable locations, you know, being able to have these or have a virtualized environment or have a microcosm of what could be a virtualized browser environment just on my local box still and, you know, mitigate certain paths at risk is always good and then moving forward a little bit.

The 1 thing I like to talk about personally, when we think about, I love your scenario where instead of shipping someone a laptop or an ISO to install, whatever, they just tell them, download this browser profile, right? And then all of your basic fundamentals for security, for what they're going to access or load it up in there, some kind of fingerprint more or less, right?

Attached to whatever their architecture is. I love that. I've actually, I think I've only seen that maybe once or twice as an option. So it's kind of fun, I think, to talk about that as an option, because I don't think too many people. Have considered that when they do hire that contractor, they hire that third party entity for just two weeks.

Most of them are like, you either come to the office or here's the VPN and here's a giant software suite you have to download. But being able to tie that into a browser fingerprint and they control media based off of that browser fingerprint from a zero trust perspective. I think that's fun and I don't know if Elliot wants to, but I'd love to expand on that.

Evgeniy Kharam: There is also another, I think two catalysts that are important here. One with digital transformation and COVID. We move more stuff to cloud, more cloud, more stuff to SaaS. It means even more stuff we now are accessing via the browser right now over HTTPS, and the majority of our traffic right now is HTTPS. So it's encrypted.

Guess what? For us to inspect the traffic with traditional secure web gateway and firewalls, we need to do the SSL offloading, inspecting of the SSL. We're not going to go to this part right now, but it's not always possible. It's hard. It's CPU consuming and we have this problem of what we call certificate pinning that not, I'm not always able to open the certificate.

But when pushing the control and the inspection to the browser, I can actually do it before you encrypt. So there is a lot of interesting parts here as well. And how it's actually going to grow.

I think MDM is very important here because I can use the MDM to roll out the browser. So let's think about the problem. I say, okay. Hey, Neal, here's my fancy new browser. Use it. Like, I don't want to use this. Like, leave me alone. Like, no. Here's my MDM. Here's you're going to use it.

So you actually can force people or you can create a condition and say, if you don't have this MDM installed on your laptop, and MDM only going to be installed on corporate devices, then you cannot use the browser. And because you cannot use the browser, you cannot log into XYZ and you cannot do this work.

So we can bring these conditional scenarios that even if the bad guys gonna get your credentials, get your MFA, they're still going to be missing this part of the conditions.

Neal Dennis: Yeah, I think the managed device aspect of things, I've seen a trend recently. So to give Elliot a little fluff for what he's, he was going to ask, I've seen a trend recently where both some startups, smaller startups, you know, 20, 30, 40 people startups, and then some companies hiring consultants back to the whole point of no equipment.

They've told them, take your own laptop, install our MDM solution, and then install, you know, our browser or other tools right through that solution. And one, I'll say this, I think that's, for me personally, I'm averse to that model. If you want me to install more than just a browser, you're going to need to give me something else other than my own equipment if it's not something I'm already working in.

But like it or not, I think that's kind of to where we're going at the moment. That's kind of where the trend of things is with the bring your own device policies that a lot of companies set up, especially startups that they're expecting us to install this service. And then they're expecting us to install the additional tools and collateral.

But if someone told me to install just a browser from a particular build, I'd be okay with that because I'm only ever going to do work stuff from that browser. And at the end of the day, it's not some third party, you know, managing my overall box as a whole, right?

Evgeniy Kharam: There is interesting compliance aspect here. It's not still there because we're going to get there. Elliot, you're working with the companies that are doing actually compliance stuff, okay,

Elliot Volkman: More or less.

Evgeniy Kharam: more or less. And it's interesting because we have compliances and then we need to prove stuff. So part of the stuff we need to prove, oh, do you have an EDR on your laptop?

For example, SOC 2 compliance, other compliances. Now, if I can actually say that I don't need EDR. Why? Because everything I do is contained in the browser. Then, Neal, this is going to support your part, I can bring my own device to do this particular work for this company. And I don't need to prove I have an EDR because I have a way to prove to you everything is contained inside the browser.

So let's say your device is potentially having issues, but it's supposed to be contained. Again, we're not there, we're not even close to be there and it will take time to prove it's actually right. But this could be one of the things that you can do. No,

Neal Dennis: I like the idea. I think it's clever and especially, once again, remote work. I think this is a big thing. There, there's obviously a place for enterprise. I think we can ping that in a few minutes, but being that I think all of us work remote. I know Elliot does. So when we think about the lifestyle of what that is, how do we want to mitigate risk?

How do we want to mitigate cost exposure at the business level? And once again, back to what we mentioned earlier, it's far less expensive to design some kind of contained browser solution that adopts ZT in some methodology, as opposed to shipping someone a laptop or shipping someone additional software or requesting them to install.

A robust amount of security software. So on that note, when we think about this, so you say it's not necessarily quite there per se. Where do you think today, where do you think it is from maybe a security implementation? Is it good for them to do from a remote work perspective and say, hey, you're good?

Or is it, should we kind of fixate more on the

Evgeniy Kharam: No. I'm saying we're a long way to say I don't need an endpoint security because I only use the browser. You know, I can only have this claim that I only do my work in the browser. This way I don't need to install my EDR or EPP, because this is the only thing I'm doing and it's contained.

But from there, if I use endpoint security or MDM, whatever it is to protect my laptop, the browser itself has quite a lot of capabilities and features from a variety of companies. Now, I am talking about browsers, but there is also other type of vendors that say, wait a second. Why do I need to install the entire browser? I like my Firefox. I like my Opera. Why do you force me to use? If you have any browser tomorrow, there is another sliver of vendor to say don't worry. Here's an extension that you can install in the browser you like, Chrome, Firefox, Safari, whatever, Edge, and we'll do almost everything the entire browser can do. There are some nuances here. So for example, one of the cool features that we spoke with several vendors is, Oh, I'm looking at an important document. And I did mention if I want to download the document, it's going to be encrypted. Okay. But what if I want to just take out my phone and take a picture of this document? Then these browsers can actually do watermarking. So when you take a picture, it will have Evgeniy Kharam, this is today, October, blah, blah, blah. So if you take a picture and send it to someone, there's going to be a watermark of the document saying how it came. So you can protect the information like this as well.

So not everything is available with the extensions depending on the company, because you have much more control with the browser versus just the extension. But in a big company, it's probably much easier to roll out the extension, kind of get your feet wet a bit and understand how it's working before you roll out the entire browser.

Neal Dennis: So let's kind of poke at it some more then. So from a technology perspective if we think about. You know, we've got the front end, the end user, all they're going to see is I've got a browser and it lets me do things, but from a actual implementation perspective, what kind of stack are we looking at?

I mean, are we looking at. I guess, how big of a tie in to our identity access management side of the house? Is this something that we can use SAML with as well, along with the other, you know, zero trust type tooling? Or is it something that, you know, is more reliant on, I guess, slightly more traditional things like VPN, but maybe not VPN, right?

Stuff like that, side channel comms, things of that nature.

Evgeniy Kharam: So this is a good segue as well. So majority of these browsers or extensions actually do local inspection and logging and blocking. What does it mean? That you're not going to route your traffic to some kind of proxy in the internet for the inspection. Do you still have a management somewhere in the internet to push policy and tell you what needs to be done?

This is one part. And by the way, some of them can give you a remote access as well, because they can integrate SSL VPN or ZTNA, what we call inside the browser to basically give you not just access to SaaS applications, but on prem as well. Of course, to do this, you will need to deploy something on prem to give the connections, but I think you use already know how it's working.

So we don't need to dive in to ZTNA architecture, only if you guys want to. So this is one part. Second part. All of them definitely support IAM and Single Sign-On. Because you need to log in to the browser or to the extension to prove who you are, because you want the policy to be applied for you, and the policy could be you cannot go to hacking sites, but you can go to news sites, and this is the application that you can log in to, and this is the extension you can install, and stuff like that.

So all of them support local users. Maybe only will work for very small company, and all of them going to support Okta, Azure, MFA, Google, and many others, which is the interesting part, that they can support the Azure MFA conditional access, Google aware and Okta, where you can actually create the layers of conditions, what you can do before you log in.

But this part is related to the IAM part, not just the browsers. I do tie to IAM because if I'm logging in to AWS, and AWS authenticates me with Google, then the Google needs to have the part of Google aware and the conditional access that it will check from which browser you're coming. So there is some parts where there's no magic, you know, you need some mechanisms that will actually do this interrogation to understand from where you're coming, what you're using.

Neal Dennis: Yeah, that makes sense. In essence, you know, the enterprise browser is... from a tooling perspective, it's a great extension to help one either facilitate access controls at a, I wouldn't say granular, but at a level, back to the contractor pieces, where they're the exceptions to the things for what's coming from a device management perspective, on the same flip side.

If we tie this all back in, like on my corporate laptops, I think the last time I had a browser that was managed was obviously on the government side, and I haven't done that stuff for eight, nine years. I've worked at a couple of big companies. I've worked at a couple of small companies. The browser is just the browser.

It goes wherever it wants to go. There are very few limitations, which is scary sometimes. So pushing that towards an enterprise perspective, you know, thinking what this means from zero trust, and just another step in securing the environment. Right. So we build our profiles. We build out, you know, the finance team should obviously only really be looking at finance stuff and spreadsheets probably, and not necessarily Splunk-type things or whatever, stuff like that.

So I think it's a really cool extension of the zero trust mentality to help put the right brackets around what the corporate environment should look like for those personas. How do you see this ever ballooning out of proportion from a profile perspective?

Or do you see, like you mentioned with Okta, it should just kind of become an innate process, right? Does that seem fair if you do the right setup?

Evgeniy Kharam: Yes, a couple of things. First of all, what's cool about the browser is that it's something we know how to use. You know, it's a Chromium-based browser. We're going to have a different logo, but we don't need to learn and understand what's new. We just know this. And they also support the extensions we like and we use.

If you use an extension for your passwords or for your Zoom, you can still use them. There was a limitation in some of the previous technologies as well. Second of all, if you think about the contractors, you know, we used to say, okay, I'm not going to ship you a laptop, but you need this VPN, that VPN.

So if you're doing a part-time job, you may end up with like five, six, eight VPNs, and each has issues with this one. In this case, you may end up with eight different browsers, depending on the company you're working with. So it's probably going to be much easier for you, but growing and accelerating, because I'm pushing this control to the end user.

That's almost become an endpoint security product, if you think about this. So I'm speculating right now. I don't know if, but if I put my analyst hat on, I think the EDR/EPP companies will want this to be part of their portfolios. One part. Second part: the SASE and SSE vendors that provide secure web gateways may also want to add this to their portfolio, even though there is a bit of a conflict of interest here, because they're doing similar things in this case.

But we just saw that Palo Alto didn't buy, but wants to buy, one of the vendors, called Talon. It didn't close yet. I'm not sure when it's going to close, or maybe by this time it's going to be really closed, and it's going to be very interesting to learn if they're going to put it under their endpoint portfolio or as a network portfolio.

Neal Dennis: Yeah, I think that's a fun, fun comparison there of growth and where they could be. I agree. For me personally, I think it's more endpoint security because of the limitations you can apply to that persona. And obviously it's the endpoint; it's deployed down to the user, like you mentioned.

So...

Evgeniy Kharam: Now, I was thinking about it. I'm going to cut you off here, if I may. I was just thinking about this. We have Chromium devices. Think about this. We have laptops and basically just the Chrome browser.

Neal Dennis: Yeah.

Evgeniy Kharam: So what's, yeah, this is this phone. So what's stopping us? And there were actually companies like Blue Coat in the past.

If anybody remembers companies like this, they were creating special packages for Chromium devices, and many other companies as well. So what's stopping us from having, yeah, a special device that basically runs the enterprise browser version of it and gives you all the URL filtering I think you need. So we don't want to give a Chromium device.

You're not really installing endpoint security on there, because the entire device is just a browser. So we assume it should be secure. So you may have similar ideas, and kind of coming back to terminal days. You know, here's a terminal and...

Neal Dennis: I think that's kind of fun too, though, because that's a cost perspective. I mean, I can go out and get a hundred dollar, 120 dollar Chromebook right now and do not a lot of heavy things, but I can do the basics. If you need me to log into a couple of websites, poke and prod some things, I can do it. But if you need me to do heavy lifting, like most enterprise companies, as an engineer, they'll give you like a MacBook Pro or some kind of Linux build, right?

A big heavy box. But I think, cost perspective, I think it's a great thing to take into account. If we do this in a Chromebook environment, we plus up that Chromebook a little bit. Like you mentioned, the whole thing's basically virtualized at that point and comparatively more secure out of the box than just a basic default Mac or Windows.

Well, you know, at that point, I mean, I think that's some good fun potential impact for growth for a company, and cost...

Elliot Volkman: If you don't mind me jumping in with my annoying marketing hat, I think probably one of the best use cases I could see out of a scenario like this is reducing risk in the supply chain. I work with a ton of contractors and freelancers, but for my onboarding process, they have to go through background checks, security reviews and all that.

It doesn't make sense to necessarily send them a piece of hardware. But if we want them to be able to access basically anything, that is the barrier to entry. So potentially, instead of, we're not going to just do a VPN either, you know; remote-based ordering, that only goes so far.

So I don't know, maybe even potentially a use case for an enterprise browser in this scenario would be something very specifically set up where they can access things, still having to go through an IdP or something to that extent, be able to access things, but you know, that in theory would be able to reduce...

Evgeniy Kharam: Think about this right now, even with all the security checks they're doing. Can you actually truly tell us that they don't download any documents when they're done working with you? And don't...

Elliot Volkman: Oh, most certainly...

Evgeniy Kharam: No, you cannot. And I spent enough of my time with DLP programs in my past life. It's a program.

It's not a vendor. It's not a specific... it's hard. It's not easy. It's possible, but it's not easy to do. But if I contain this to only one channel, if I contain this to only one part, which is a browser, and that's the only point of entry, then it becomes much easier and more manageable actually to do from a technology perspective.

Neal Dennis: I'm a huge fan of the zero trust doc setups and the people that are tackling that program. Once again, government side of the house. You know, we've had that construct of some kind of ORCON, originator control stuff, and tying that back to the metadata within the files for a very long time. Enterprise, you know, with zero trust and the whole construct, it's neat to see that.

So then, to your point, download a doc. The key pair is actually tied back to the browser and those auths are there. So when the laptop's not connected, or when the browser's not connected rather, the doc's not connected and it's just a dead doc, right? I think that's very important. And especially in this world with PII and everything getting stolen, there's a reason why China has a jet fighter that looks like every one of ours.

It's because they got access to someone's laptop that happened to have copies of crap on it that were not encrypted. So simple things, simple stories to solve, but doing something like this, browser-based with the key pairs already there, tied all together. And then I can't do anything with those docs and I'm done.

It's just good policy management.

Evgeniy Kharam: Yeah.

Neal Dennis: And then Elliot gets his supply chain risk mitigation strategy out of the way.

Elliot Volkman: There you go. That would be, again, if you also look at how long it took just to onboard a single contractor, anything where you can reduce that would be absolutely amazing. By the time they get approved, I'm like, ah man, I found someone better. Sorry.

Evgeniy Kharam: You're saying everybody's listening right now. If you want to sell something to Elliot, or to more people faster, this is your chance. You know, I...

Elliot Volkman: I'm on parental leave right now.

Evgeniy Kharam: Don't know.

Elliot Volkman: Even more helpful. I had a vendor call me earlier. I was like, sorry, coming back in like 2 months, but although...

Evgeniy Kharam: This is the perfect time. You know, vendors always give you like free WS cards, whiskey ones. Guys, I need diapers. I need cream. I need that. You're like, I'm happy to have a call with you. Please make sure we have a nanny for me when I'm talking to you.

Elliot Volkman: Right. Yeah, pay for a nanny and I will talk to anyone right now. I'm totally on board for that.

Evgeniy Kharam: Oh my...

Neal Dennis: I'll...

Evgeniy Kharam: Right now. You know, we're going to give ideas to vendors.

Elliot Volkman: Bring it on Salesforce.

Neal Dennis: Well, so, being the guy who normally doesn't put us back on track, but putting us back on track, because I'm very curious about the question that I'm in the process of trying to remember, because the nanny thing got me sideways.

Elliot Volkman: You're welcome.

Neal Dennis: That's where I was going: supply chain. So we think about this as an idea. So Elliot kind of touched on this. And I think, Evgeniy, I think this is a good thought flow too. When we think right now, most of the big corps are, relatively speaking compared to their supply chain, relatively hardened, comparatively.

There's always a way in obviously, but we see... We had wonderful examples with SolarWinds and some other things for supply chain risk and needing to monitor. But if we take that down a scale and we look at someone like a Fortune 500 company, or even a Fortune 2500 company, chances are they have five, six, 700 plus different supply chain things going on, or more even, you know, thousands in some cases, whether it's physical, digital or whatever, right?

But if you have these dedicated third parties that are having to come into your solution, or if you have these partnership arrangements where it's just as simple as communicating spreadsheets, you know, I think you as a large company owe it to yourself and the company you're working with to provide them some kind of secure methodology beyond just the basic emails and the basic logins, right?

So yes, it may mean that these vendors have 18, you know, 100 fricking browsers, because maybe they're working with that many. But a lot of times you've got that lower echelon, that key of 600, where maybe out of that, maybe 10 percent are only working with you and maybe two other people.

Right? So if you give them this secure browser modality and say, hey, use this to download our purchase orders or whatever they are, use this to interact and submit stuff to our doc repo this way. I think from a supply chain risk management perspective, yeah, it costs you, you know, if you're using Okta and the browser and everything, what, you know, maybe a hundred bucks a month for a user, for a device, give or take.

This is just me guesstimating based off of Okta experiences. A hundred bucks a month for one net new browser that's relatively more secure, the comms line is relatively more secure, versus, you know, a 15 million breach because they got popped with your documents that then got exposed and then used against you.

Right.

Evgeniy Kharam: And don't...

Neal Dennis: Thoughts on that.

Evgeniy Kharam: Yeah. So I agree with you. Also, I have controlled documents, what's going everywhere. And if I ship you a laptop, I need to collect the laptop when you're done. If I ship you a laptop, I need to make sure it has all the tools. So I need to pay for the EDRs, MDMs, VPN, also on this laptop.

If I don't want to ship you a laptop, but I need to give you the VPN, I still need to pay for the VPN a month, whatever it is you're using. Or maybe an MDM as well, as you mentioned. So I still need to pay a cost for a contractor to do work for me, even though they may be doing two hours a month or five hours a month, or whatever it is a month.

And as I mentioned, you don't really know how they work and how they control, and what do they do. And to support the idea of zero trust and ZTNA, I only want them to access specific locations, and not only locations, sorry, specific applications in my company, to make sure. Yes, you can say, but if I open an RDP and I jump from here and here, so this is a different story, but I'm supporting by definition.

I'm giving you only what you need. We're giving you a lot and then trying to narrow you down to understand what's happening.

Neal Dennis: Yeah. And then it becomes a corporate-based policy, not a business unit type idea. So whenever you have these solicitations for third-party supply, whatever it is to come into your environment, you've hopefully already built out the basics and you can run it through the normal IT processes at a corporate level.

I see, I say all this because I see a lot of business units that hire third parties, especially in control systems, right? Whether it's HVAC, fire, power, whatever. And back to some companies that have had their fish tanks hacked in prior lives. But they have these third-party vendors with control systems, right?

They want that independent connectivity to be able to service it remotely. But the problem is they're doing it from their own already compromised solution, most likely. And that's how we ended up getting these weird backdoor HVAC fish tank compromises at these companies. So...

Evgeniy Kharam: Interesting twist here. If I ask, hey, tell me how many people are working with you part time, you're like, oh, let me go to HR. I need to check about this part. So it's a bit... it becomes complicated. And now I'm not pinning it on Elliot; you know, I'm just talking about in general in the company.

Elliot Volkman: Yeah, of course not. Hey, I have a raw number off the top of my head. I already know it.

Evgeniy Kharam: So you're one of the few that actually knows how many people are working, but many companies may not know. Because we need to go back to HR, or back to other places, or make it understood that these particular laptops are classified differently in Active Directory or with the EDR, MDM, whatever you call it.

In this case, if I have a particular browser and extension, then I just go to this management of this vendor. Oh, okay. That's all the people that work for me. So my asset management, my vendor contracts, my list of people that are doing work for me, in a way, become easier for me as well. I...

Neal Dennis: And it's eight for Elliot, plus me.

Elliot Volkman: How? That is exactly the number. That's a little weird that you know how many folks that I've got under me.

Neal Dennis: You should also see what else I have on your laptop.

Evgeniy Kharam: Every time...

Elliot Volkman: Dogs, no cats.

Evgeniy Kharam: Everybody, sometimes somebody reaches out to me and says that based on my profile and anything, I need X, Y, and Z because I'm growing faster. Like, it's just me, a microphone and a cat. Like, what do you think?

Neal Dennis: No, I like these. So I think this, like we started off with, this is one of the things that we haven't had a chance to really talk about. We've talked about endpoint security. We, a little bit, we've talked about server-type security models a little bit. And obviously, in most cases, we always just come back to identity access management.

What does that mean? Pick someone who does it and does it well. But I think this is fun because the browser itself, to your point earlier on, this is where everybody lives nine times out of 10. Unless you're an engineer who doesn't understand what a tab looks like and you do command line all day long, everybody, everybody has a browser somewhere, and everybody's doing something with the browser.

And so why are we going to only focus on those network devices that are trying to secure the inbound/outbound on those comms, when we could take it down that echelon a little bit more, and do endpoint security management at the end of the day, really at a much more granular level and a much more effective level, I think.

I don't know, Elliot, if you've got more to throw in there; that's kind of where my brain's at the moment. I'm also running on two hours of sleep. So...

Elliot Volkman: Oh, yeah. I mean, that sounds right. So I actually want to chime in; we'll pull something maybe out of the background. So I fortunately also got to chat with our guest here yesterday and invite him to chat with a bunch of other kind of, I don't know, brand cyber marketing folks to chat through things.

But one of the main things that I got out of that conversation was that you focused on the money aspect. So I was hoping maybe we can look into that. It's not something that we typically chat about on here, as far as bringing in tools, because we keep things a little more neutral in nature. So not from the vendor side, not saying that you necessarily work on an enterprise browser as a vendor, but I'm curious, in your CISO hat and as an... Do you feel like that as a paid offering provides value?

Like, what kind of organization do you think would actually have something that this would appeal to? Cause obviously they're probably using VPNs for the most part. Maybe they're using SASE or ZTNA to an extent, MDM, all of these other different pieces. It does offer some consolidation, but you know, where do you feel like this would fit? Like, is this a future state, we'll see maybe more of it as it gets refined? Or do you feel like organizations are probably like, you know what? This is a big enough issue, it solves enough of our issues, maybe it consolidates. Like, what's your perspective there on the financial aspect?

Evgeniy Kharam: A couple of things, and I think, first of all, if I put my thesis ahead, not many companies still have a calculation on how much they spend a month on a user for security tools. So if I want to hire 5 people, how much more money do I need to spend per Evgeniy or Neal to actually run the EDR, email security, MDM, vulnerability management, you know, probably stuff I'm forgetting right now for sure.

Secure web gateway. Okay. So this is added to this pile. Many medium companies don't even have a secure web gateway, for example, or a reliable VPN, or a way to do conditional access. So this is probably going to be a much easier way to go for the smaller companies, medium companies. For bigger companies, it's going to be a bit harder, because you need to replace it, or potentially replace the browser, or potentially understand how it's going to work with your traditional secure gateway or the traditional remote access.

Oh, okay. There's also this part: when I'm using something like Palo, Zscaler, Check Point, Netskope, iBoss, and many companies in this space, Fortinet, I'm not just doing remote access and secure browsing. I'm also doing CASB, cloud access security broker. I'm also connecting over API to my Dropboxes, OneDrives, and SharePoints.

So I'm not replacing this part right now. So this is the part where I need to calculate which part I can remove and not remove. Right now, I feel the perfect use case is the part-time contractor people, basically, and the people that don't have anything mature or still have something on-prem, because this follows you.

And after that, then understand and build a model on the price. Do I replace, or do I recommend, or do I potentially take people that are not higher risk? So you mentioned programmers. They're very important people because they have access to a lot of stuff they can break or doesn't get broken. So maybe when people need to do DevOps or other things, they're going to have such browsers or such extensions, because I want to create more conditions for you to access, more options to control where you go, what you do.

And again, back to the conversation of if your identity got stolen somehow, and now the bad guys are going and manipulating Azure Active Directory, guess what? They may not be able to do it, because they're missing this conditional part, as a browser with the extension. Yeah.

Neal Dennis: Yeah, it makes sense. Yeah. So I think overall, in the cost perspectives, you know, it's a good business risk discussion, right? I think you hit kind of a fun point at the end there when you were talking about people who are more on-prem versus currently cloud, and cloud versus on-prem. I've been fortunate in the last couple of years to work with a lot of companies that are in the process of adopting a more cloud-based environment, right, which I think browser-type constructs that we're talking about here would fit the bill a lot for how they should go about securing that engagement and mitigating those risks, because some of those are moving people like engineers or like internal finance-type people from being on their intranet, and only their intranet, to now having to go out and do this legitimate browser-type, you know, public-facing internet-type stuff.

So I think that's kind of a fun key now. So, that being said, though, iterating on the cloud versus on-prem, you know, if you were to start and focus on this a little bit more, if you were to go down this rabbit hole, would you think that these more secured browser solutions should be for those who are transitioning from cloud, or on-prem to cloud, or do you think someone who's already kind of committed to the cloud should be kind of your first taker for this stuff?

Evgeniy Kharam: I think both, the one that's moving and the one already in the cloud, because the moment you are traveling and you're outside, then you have to be protected any time. This is why the companies like SASE, the Zscalers, the Netskopes, are pushing as well. If you're just on-prem, I don't think a lot of people are just on-prem, you can probably have your traditional...

Also, we still have the idea of you're leaving the company and then you bring your laptop and VPN back, and you're basically using the traditional stack. But I'm a bit hesitant to say that many enterprise companies are going to stop moving everyone to such a model yet. You know, we are talking, I think there are use cases, but as you mentioned, if I'm already paying for my secure web gateway, what do I get here?

And where do I get here? This one, thinking sub of people in company, and right now... And then we'll see how the industry will shape to understand if I need both, or is it going to basically meet and become a part of something bigger?

Neal Dennis: I think it'll be a fun transition to see what happens with the companies and mergers who buy this stuff out, especially Talon, what they label it. I think that'd be a good indication of where we should poke and prod next steps. Right. Back over to you, Mr. Elliot, giving up on time.

Elliot Volkman: All right. I think we're at the top of the hour, but so to wrap this up, I think just looking at pure numbers-wise, there's a heavy investment into enterprise browsers. So I'm curious to see how that does unfold. But I mean, at the end of the day, a lot of people use Chrome because it's what they're used to.

And they do have enterprise versions. So I think they somewhat align. Obviously, there are specialty versions, which are getting heavy investments and hitting unicorn status, which is over a billion dollars worth of value. So yeah, it'll just be interesting, but I'm with Neal. I think there, as per usual, will be a lot of consolidation, as typically happens.

So yeah, it'll be interesting to see how the market turns out, but that takes us to the end of today's episode. I will say one other thing: if our listeners use enterprise or secure browsers, definitely reach out, let us know what your perspective is. I'd love to get a little bit more insight there too.

That said, yeah. Thank you so much for joining us. Always appreciate bugging you on LinkedIn and the rest of the spots. Can you give a shout out to where people can listen to your two different podcasts as well?

Evgeniy Kharam: So Security Architecture Podcast is the place to find both of the podcasts; Cyber Inspiration rolls under Security Architecture. And if you look for me on LinkedIn, Evgeniy Kharam, thank God there are not too many Evgeniys on LinkedIn. So you'll be able to find me quite easily: E V G E N I Y K H A R A M.

Thank you very much. It was a lot of fun.

Elliot Volkman: Thank you so much again. We really appreciate it.
