How the Prisma Access Browser Trivializes Decryption
Dial-up days
Security was not a consideration when the internet started on dial-up modems. People used their home phones to order pizza, expecting it to be delivered in 30 minutes or less, and Amazon didn't exist yet. Remember those days? When credit cards started being used online, browsers highlighted that a site was secured with the gold lock icon. Even with the rollout of high-speed internet, most internet browsing was not secured with encryption, except for shopping, banking and a few other types of sites. Five years ago, fewer than 20 percent of websites had valid SSL certificates; today, that number is over 90 percent!
The rise of SSL has been both beneficial and worrisome. No one will argue that protecting financial transactions from people who would love nothing more than to get your private information and steal from you is essential. However, bad actors also leverage SSL protection to deliver their malware, protect their phishing sites and control ransomware. The current method that provides the best protection for users and enterprises is decryption of the outbound internet traffic using a proxy or firewall to intercept the traffic and apply a policy to the decrypted content. This method has been in place for years and works. However, tuning is always a time-consuming effort.
Decryption is hard
I've spent hours with clients planning and implementing their SSL decryption strategies. There are always several required steps to get decryption working on a proxy or firewall, and the effort often results in abandoned or never-started projects. People are too afraid of something going wrong and are content with the giant gaping hole left by not decrypting traffic. This is where the Prisma Access Browser shines.
As mentioned earlier, other solutions require the interception and termination of the session using a certificate trusted by the users so that the traffic can be inspected and policy enforced. With the Prisma Access Browser, the game has changed. There is no need to intercept the traffic when the browser is the SSL session's source.
The Prisma Access Browser difference
The Prisma Access Browser trivializes the decryption process because it works with web servers and has access to the entire browsing session, negating the need for the traditional man-in-the-middle approach. The Prisma Access Browser can be a target in this position, so Palo Alto Networks has taken additional steps to protect it with another level of encryption inaccessible to users or even administrators. This secures the browser from tampering and allows for a host of features that would otherwise not be possible or require several additional security tools. Let's look at some of these features.
Advanced URL filtering
One of the key features any solution needs is the ability to analyze and categorize websites for policy action, and the Prisma Access Browser excels at this by leveraging Advanced URL Filtering, one of Palo Alto's cloud-delivered security services. The engine for this service uses a combination of static categorization for known sites and an advanced AI-assisted dynamic categorization engine for unknown websites. By combining Advanced URL Filtering and Palo Alto's App-ID engine for defining SaaS providers, it is now possible to give very granular access to websites and SaaS solutions, a key component in a zero trust (ZTNA) strategy.
DLP
Much can be written about the DLP features in the Prisma Access Browser, so I'll only cover some of the highlights. Again, because of the position of the browser and the ability to see all the content without decryption, the browser can offer user-based or group-based policies for granular control. Examples of some of those controls include the ability to mask data types, leverage Microsoft Purview tags and control the ability to copy and paste. The control for copy and paste can be user- and application-specific, allowing its use in approved applications but denying it in others, including pasting content outside the browser.
Advanced WildFire
Other browsers are forced to use third-party feeds or sandboxes for application analysis, and this is another area where the Prisma Access Browser excels because of the integration with the Advanced WildFire solution from Palo Alto. The Prisma Access Browser natively integrates the Advanced WildFire solution, allowing inspection of the downloaded file in a seamless manner while still providing protection against malware, including zero-day threats.
Final thought
In an age of continuing threats against companies, both from internal and external sources, the Prisma Access Browser is giving both users and security teams a highly valuable and useful tool. This tool can be used on its own with traditional security architectures, or it can be used in conjunction with Prisma Access to seamlessly extend the secure platform all the way to the endpoint. It also forms a key piece of the ZTNA strategy for its ability to identify each user and customize the experience and access based on the policies assigned to their role. And since it is based on the open-source Chromium project, implementing this browser is usually very seamless for users.
There is a whole lot more about the Prisma Access Browser than what I can write about here. To learn more or to see how it could be tailored to your network, please reach out to your local WWT account team, and we will be happy to answer any questions you may have.