Regulating web use for employees via a compliance handbook and URL filters for blacklisted (bad) and whitelisted (good) online resources has failed to improve compliance. Authentic8’s John Klassen discusses how firms can ensure compliance without sacrificing productivity or risking an internal backlash.
Pressure from the SEC and state authorities has increased over the past two years to remediate areas of cybersecurity weakness. Yet regulators and compliance professionals agree that alarming gaps remain in how regulated financial services firms use the web.[1] Many firms still struggle to effectively control, secure and monitor employee web activities.
So what’s the holdup?
Industry insiders point to the ubiquitous use of a tool that was conceived almost 30 years ago: the locally installed browser. Many firms still use a traditional “free” browser for all their web activities, its inherent architectural flaws and vulnerabilities notwithstanding. At the same time, CCOs and IT are also increasingly aware of the risks associated with local browser use:
- Traditional browsers indiscriminately execute web code, no matter if benign or malicious, on the local computer or mobile device. This exposes the firm’s IT to web-borne exploits, such as ransomware or spyware.
- Regular browsers leak data to visited websites and other third parties, such as plug-in developers. This can cause unintentional disclosure of sensitive information about the firm, individual users within the firm and what they are working on. Such browsers also don’t allow for control of the “clipboard” functionality. Malicious insiders can – and do – use the copy-and-paste command to exfiltrate proprietary information from their firm’s cloud to a different account opened in another tab.
- Local browsers are notoriously difficult to monitor and audit. This creates a critical blind spot for compliance managers and IT administrators whenever employees upload files to (third-party) cloud storage services, access their webmail from the office or remotely or post comments on social media.
“Free” Browsers Blow Up IT Security Budgets
For financial firms, this dependency on architecturally flawed technology has significantly increased the risk of web-borne exploits, data loss and noncompliant online behavior. In addition, they risk productivity losses each time the CCO and IT try to compensate – with restrictive web use enforced through third-party point solutions – for the firm’s lack of actual control and oversight when someone on the team fires up a locally installed browser.
The underlying problem here is that local browsers weren’t designed to perform in a highly regulated environment with tight security and compliance demands. Never mind that mainstream browsers are marketed as “secure.” The dirty little secret of the IT industry is that “free” and “secure” browsers are neither free nor secure.[2]
Even without factoring in damages resulting from data breaches or regulatory enforcement actions, relying on this tool comes at a steep price, especially for the financial sector and other regulated industries. Firms incur ever-increasing costs for point solutions mostly aimed at remediating the local browser’s cybersecurity and compliance vulnerabilities.
One prime example is what I call the “Blacklist/Whitelist Fallacy”: the ill-fated attempt to mitigate browser risks by policing web use via blacklists (“blocked”) or whitelists (“approved”) of web resources. Why did it fail?
Growing Risks in the Web’s “Gray Zone”
One significant reason is the ineffectiveness and insecurity of URL filtering tools. Like other patchwork solutions aimed at mitigating the inherent flaws of the local browser, they have proved ineffective as a reliable backstop to prevent data breaches and compliance violations.
IT security experts agree: URL filters cover only a narrow sliver of today’s web.[3] Yesteryear’s “black and white” approach is missing the “gray” areas where most of the risk lives – such as (firm-approved) cloud apps and storage services, social media or industry news outlets. Blacklists and whitelists are no match for the risks associated with local browser use in the gray zone, primarily for three reasons:
- The web changes too fast. As of January 2018, there were more than 1.9 billion websites, with nearly 400 new websites added every minute.[4] Even sites once categorized as “safe” may have fallen into the wrong hands since, or are vulnerable to exploits because they run Flash, Java, Visual Basic or other web-based scripts.
- Approved URLs harbor risk, too. Today, 1 in 13 web requests leads to malware (up from 1 in 20 in 2016).[5] Millions of visitors to the New York Times and the BBC, for example, were exposed[6] to ransomware exploit kits distributed via compromised online ad networks. Online comment sections on firm-approved websites also increase the compliance[7] risks for firms that have no visibility into the actual web activities of employees on those sites.
- Web filters often get it wrong. URL categorization relies on automated, heuristic processes. Frequently, such systems mistakenly block access to work-relevant web resources. Defining exceptions for individual employees or “whitelisting” resources for the firm at a third-party URL filtering service slows down important processes and puts an extra burden on IT.
In short, while website functionalities evolve, as do the firm’s needs and regulatory demands, URL filters remain static.
Back in Control with a Secure Cloud Browser
As the web grows, so does the challenge for compliance and IT managers. With web filtering and other point solutions, firms risk unintentionally blocking the “wrong” websites, slowing down critical workflows or alienating employees with web use policies perceived as too restrictive.
How can firms maximize security and compliance when employees access the internet, without sacrificing speed and convenience? “Ten years ago, our compliance manual used to be three to four pages thin,” says the Chief Compliance Officer (as a matter of policy, he doesn’t want to be named) of a midsize investment firm with headquarters on the east coast. “Now it’s a whole book.”
For his firm, like for many others, deploying secure cloud browser technology (aka “remote browser isolation”) has been key to taking back control over its own web activities. With a cloud browser, all web code is processed in the cloud on a remote host configured for regulatory compliance and data security.
The firm, which has several satellite offices and roughly a dozen team members working from home, prides itself on its tight-knit team and flexible work culture. Most employees spend a significant amount of time online. They use the cloud browser mostly for conducting research, but also take care of personal tasks from the office, according to the CCO.
One main area of concern for the firm was online data loss prevention, he explains, and “IT was concerned, because compliance had become too taxing and too rigid for our users. As a firm, we definitely didn’t want to be perceived as ‘Big Brother’ by our employees.”
Using remote browser isolation instead allowed employees to maintain their work-life balance without putting proprietary data or compliance at risk. With the cloud browser, which is centrally managed and monitored by IT and the compliance team, the firm and its clients remain protected no matter what websites employees visit, because no code from the web can reach the local device. Some cloud browser customers even report elimination of their prior break-inspect and web filtering gateway infrastructure.
Throughout the financial services industry, firms are now deploying cloud browsers to maintain oversight and governance when employees go online. No more blind spots or erroneous “site not approved” roadblocks – with a cloud browser, firms no longer need to accept a risky trade-off between governance and control versus risk and productivity.
Win-Win-Win for Compliance, Productivity and IT
Because compliance-ready cloud browsers build each web session with embedded policies that are pre-defined by IT or the compliance team, oversight, governance and data protection are ensured each time employees use the web:
- Research analysts, investment managers and administrative staff get a secure and personalized browser that enables them to leverage the powers of the internet without putting the firm at risk.
- CCOs and IT administrators get a compliance-ready browser that is centrally managed and gives them control and oversight over all employee activities on the web.
Device access, websites, content types, credentials and data operations are centrally managed, which prevents IT bottlenecks and minimizes risk when onboarding/offboarding team members. All user actions are logged and encrypted, which makes it easy for regulated entities to “promptly produce”[8] data requested by the SEC and conduct compliance reviews.
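To make the per-session policy model described above concrete, here is an added example in Python. It is not Authentic8’s code and does not reproduce the product discussed in the article; the policy fields, event shape, sample hosts and sample events are all assumptions constructed for illustration. A session policy combines a host allowlist (with “.suffix” entries covering subdomains), a set of blocked content types and switches for the data operations the article singles out (clipboard copy, file upload). Every decision is appended to a hash-chained audit log, so a compliance reviewer can detect an edited, deleted or reordered record; encryption of the stored log, which the article mentions, is left out here. The second sample event also shows the point made under “Growing Risks in the Web’s Gray Zone”: the page host is approved, but an ad subresource is served from a host outside the list and is evaluated on its own.

```python
"""Per-session web-use policy with a hash-chained audit log (added example,
not Authentic8 product code; policy fields and sample events are assumed)."""
from dataclasses import dataclass
import hashlib
import json

@dataclass(frozen=True)
class SessionPolicy:
    """Policy embedded in one session; defined centrally by IT or compliance."""
    allowed_hosts: frozenset          # exact host, or ".suffix" to cover subdomains
    blocked_content_types: frozenset  # MIME types never delivered to the session
    allow_clipboard_copy: bool        # may data leave the session via the clipboard?
    allow_upload: bool                # may files be uploaded to web services?

@dataclass(frozen=True)
class Event:
    """One user action inside the session (constructed input)."""
    user: str
    action: str          # "navigate", "load" (subresource), "copy", "upload"
    host: str
    content_type: str = ""

def host_allowed(host: str, allowed_hosts: frozenset) -> bool:
    """Match a hostname against exact entries and ".suffix" wildcard entries."""
    host = host.lower().rstrip(".")
    for rule in allowed_hosts:
        if rule.startswith("."):
            if host == rule[1:] or host.endswith(rule):
                return True
        elif host == rule:
            return True
    return False

def evaluate(policy: SessionPolicy, ev: Event) -> tuple:
    """Return ("allow" | "deny", reason). Data operations are checked before the
    destination host, so a disabled copy/upload is denied even to an allowed site."""
    if ev.action == "copy" and not policy.allow_clipboard_copy:
        return "deny", "clipboard copy disabled by session policy"
    if ev.action == "upload" and not policy.allow_upload:
        return "deny", "file upload disabled by session policy"
    if not host_allowed(ev.host, policy.allowed_hosts):
        return "deny", f"host {ev.host} not in session allowlist"
    if ev.content_type in policy.blocked_content_types:
        return "deny", f"content type {ev.content_type} blocked by policy"
    return "allow", "policy satisfied"

class AuditLog:
    """Append-only log; each record stores the SHA-256 of the previous record,
    so an edited, removed or reordered record breaks the chain on review."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries, self.prev_hash = [], self.GENESIS

    @staticmethod
    def _digest(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, ev: Event, decision: str, reason: str) -> dict:
        record = {"user": ev.user, "action": ev.action, "host": ev.host,
                  "content_type": ev.content_type, "decision": decision,
                  "reason": reason, "prev": self.prev_hash}
        record["hash"] = self._digest(record)
        self.entries.append(record)
        self.prev_hash = record["hash"]
        return record

    def verify(self) -> bool:
        prev = self.GENESIS
        for rec in self.entries:
            if rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

def run_session(policy: SessionPolicy, events: list) -> AuditLog:
    """Evaluate every event under the policy and record each decision."""
    log = AuditLog()
    for ev in events:
        log.append(ev, *evaluate(policy, ev))
    return log

# Constructed sample policy and session events (not real firm data).
SAMPLE_POLICY = SessionPolicy(
    allowed_hosts=frozenset({"intranet.example", ".news.example", "crm.example"}),
    blocked_content_types=frozenset({"application/x-shockwave-flash",
                                     "application/java-archive"}),
    allow_clipboard_copy=False, allow_upload=False)

SAMPLE_EVENTS = [
    Event("analyst1", "navigate", "research.news.example", "text/html"),
    Event("analyst1", "load", "ads.thirdparty.example", "application/x-shockwave-flash"),
    Event("analyst1", "load", "research.news.example", "application/java-archive"),
    Event("analyst1", "copy", "crm.example"),
    Event("analyst1", "upload", "storage.example"),
    Event("analyst1", "navigate", "intranet.example", "text/html"),
]

def decisions(policy=SAMPLE_POLICY, events=SAMPLE_EVENTS) -> list:
    """Decision per event, in order: allow, deny, deny, deny, deny, allow."""
    return [r["decision"] for r in run_session(policy, events).entries]
```

Calling `decisions()` on the constructed session yields allow/deny/deny/deny/deny/allow: the research page is allowed, the ad plug-in from an unlisted host is denied on its host alone, a Java archive from an approved host is denied on content type, and the copy and upload attempts are denied before the destination is even consulted. `run_session(...).verify()` returns True on the untouched log and False once any record is altered, which is the property a “promptly produce” request relies on.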
Many firms have learned the hard way that categorizing URLs and depending on blacklists and whitelists to compensate for the weak security posture of regular browsers is a losing proposition. Cloud browsers provide a win-win-win solution instead – for users, compliance managers and IT admin alike.
[1] SEC Office of Compliance Inspections and Examinations: Announces 2018 Examination Priorities (Press release 2/2018) and Authentic8: What Regulators Want to See (White paper 10/2018)
[2] Osterman Research: Why You Should Seriously Consider Web Isolation Technology (White paper 12/2018)
[3] Gerd Meissner: When URL Filtering Fails, This Secure Browser Has Your Back (Authentic8 blog 4/11/2017)
[4] Real Time Statistics Project: Internet Live Stats
[5] Symantec: 2018 Internet Security Threat Report
[6] Gerd Meissner: Reliable Resources – for Ransomware Infections (Authentic8 blog 3/17/2016)
[7] SEC Division of Investment Management: Guidance on the Testimonial Rule and Social Media
[8] Authentic8: Inefficiencies Put Compliance at Risk (White paper 7/2018)