By Guermellou Mohammed
Cloud Security Architect, Skyhigh Security

Today we access many legitimate personal cloud communication services, such as WhatsApp, for both work and personal purposes. However, sometimes those legitimate cloud services can be misused and lead to risk exposure of the corporate data. Throughout this blog, we will be discussing the challenges with personal web applications that bypass proxy technology to exfiltrate data and inject malware and how Skyhigh's Security Service Edge (SSE) portfolio, with Remote Browser Isolation (RBI), can reduce the attack surface and limit data exposure.

These days, communication platforms are essential. These platforms are used to stay connected with families and colleagues and to make new friends. Their usage was accelerated by COVID-19 and the new modern workplace, where we often work outside of office spaces, where we can socialize with teammates and friends. Working exclusively from home or from other remote locations, we reduce the time we see each other, and as a result communications technologies like WhatsApp, Signal and Telegram are being used for both personal and work purposes.

New Risks Introduced in the Modern Workplace

WhatsApp is a widely used mobile applications for communication. The application by itself doesn't bring a security risk for organizations, as the user uses his personal device to access the service. But what about when we bridge corporate-managed and personal devices, like using the web version of WhatsApp from a managed device? This usage would be considered a risk on the corporate device. Let's take a closer look at how the WhatsApp service works and where the risk lies.

When a user accesses, they are asked to pair their mobile device with the web portal, resulting in the web service bringing the conversations through the local browser. Technically, the browser on the local machine establishes a secure communication with the WhatsApp web service. This communication is a bi-directional message called a web socket. The proxy technology’s role is to secure web traffic by inspecting HTTP communications, but it can't inspect the content of web socket communications, as shown in Figure 1.

Figure 1. Diagram describing a WebSocket session

Once the WhatsApp web application is installed on a corporate device, a user can then upload and exfiltrate sensitive corporate data. This makes enforcement of the cloud proxy DLP policy impossible because the data is encrypted and will not be inspected. As you can see in Figure 2, the data bypasses the cloud proxy control.

Figure 2. Bidirectional messages bypass the forward proxy inspections

In the Data Exfiltrated Through WhatsApp demo video, a user tries to share a confidential document containing credit card information using his personal email, but based on the Cloud Proxy DLP policy, the information contained in the file is too sensitive to be uploaded to a personal mailbox, and therefore is blocked. Then, to bypass this restriction, the user then tries to copy and paste the content of the file directly on the browser. Like before, the cloud proxy DLP Policy is triggered, and the attempted copy is again blocked. In a last attempt, the user uses WhatsApp Web and pairs their device. This time they’re able to upload the file without the cloud web proxy DLP inspecting the content.

Overcoming the Challenges

Understanding this risk creates a dilemma for admins. They need to decide whether to allow users access to these communication services while working from home or to block WhatsApp to secure against this risk while hampering the user’s ability to work. The ideal solution will be to allow the user to use this service (or others) while keeping the corporate data secure. Therefore, isolation technologies will bring to the admin the level of security they need at all times, while also allowing the users fewer restrictions in accessing web services.

Isolation technologies remove website content from being executed on the local browser of the user’s machine by moving it to a secure remote location. Then, only an image of the target website’s content is displayed on the browser of the local machine. None of the potentially compromised content of the website will be executed in the local machine - automatically reducing the browser vulnerability exposure and the risk of cookie hijacking. According to Gartner’s Innovation Insight for Remote Browser Isolation research (subscription required), organizations using isolation technologies can reduce the attack surface by 70 percent. The diagram in Figure 3 demonstrates Skyhigh Security Remote Browser Isolation (RBI) technology and how it sits between the local browser and WhatsApp service.

Figure 3. Isolate WhatsApp and inspect before getting into WebSocket communication

Our WhatsApp Secured with RBI demo video provides an example of a user trying to access the WhatsApp web service. WhatsApp web will be open inside an isolation cloud environment on Skyhigh Security Cloud and only the image of the conversations will be sent to the local browser. A web socket is established between the isolation cloud environment with the WhatsApp service secured with RBI allowing the admin to control all the activities performed from the isolation session.

Key Takeaways

Isolation technology brings web proxies more freedom to apply actions rather than just allow and block them. It's like in the automotive industry, where the invention of brakes allowed for a safe increase in car speed. As brakes can reign in a car from going too fast and losing control, engineers have developed more powerful engines that can go at higher speeds, more confident that these speeds can be controlled more safely.

Similarly, isolation technology opens the door to web proxy controls, by removing all the execution from the local machine to a secure isolated browser. Doing so reduces the admins’ need to maintain huge exceptions lists and gives more freedom to the user while working from home. This approach also supports Zero Trust Security Architecture principles, as we don’t trust the destination site or the content within it, but continuously assess and remove the execution of any potential risk from the corporate machine to a secure and remote browser.

Useful Links