Last updated:
Future proofing cybersecurity: zero trust and secure workspaces
Hybrid work broke the castle model of security: one firewall, one guard at the gate no longer works when 77% of your workforce is remote-ish and every SaaS app runs in the browser, the biggest attack surface there is. This demo talk explains zero trust with a museum analogy and shows it applied to three real use cases.
Talk by Anil Kumar Krishnashetty at CyberSec Europe, Brussels, May 2024.
Key takeaways
- The castle model (perimeter firewall, one identity check at the gate) fit office work. Hybrid work needs the museum model: every precious asset gets its own security layer, an ID badge alone is not enough, and everything is recorded and auditable.
- In a Parallels customer survey, 77% reported a hybrid workforce and 64% ran hybrid cloud (on-premise plus cloud). The browser became the primary work surface, and with it the primary threat surface.
- Zero trust sharing is temporary, scoped, and revocable: share a medical record with an external expert via an expiring, password-protectable link with preview-only permissions, then revoke it, with a full audit trail.
- Session sharing beats credential sharing: an external IT consultant can watch or co-drive a sensitive virtual desktop in the browser, with the owner granting or refusing the request and terminating the session the moment work is done.
- Remote browser isolation moves rendering into a cloud container and streams only safe pixels to the device, like streaming a movie. Malware detonates in the container, never on the endpoint, while admins get per-user app access, domain allowlists, watermarking, and audit logs.
Transcript
Transcript lightly edited for clarity.
The context: hybrid work, hybrid cloud, and the browser problem
Welcome everyone. This session is about zero trust, and we’re going to see it in action through three real use cases, mostly as demos.
We all used to work in offices. Now there’s a clear shift to hybrid. When I ask a room, usually at least 70% of hands go up for hybrid. At Parallels we surveyed our customers: 77% work in a hybrid model. We also asked about infrastructure: 64% use hybrid cloud, meaning on-premise systems plus some cloud.
Here’s the deal: to use cloud SaaS solutions, you use a browser, and browsers are a main target for cyber attacks. And connecting your on-premise systems to your cloud solution invites misconfiguration, which also leads to attacks.
Zero trust, explained with a museum
To understand zero trust, first look at security without it. The best analogy is a castle: many rooms, one security guard checking your ticket at the entrance. That is roughly the model that worked for office-based work: one firewall controlling security at the perimeter.
Hybrid work needs a different model: a museum. A museum has many precious monuments to preserve and protect. Sensitive pieces get an extra layer of security. Even a museum employee who wants to access those pieces faces that extra layer. Showing an ID card (“I work here”) is not sufficient. And zero trust requires one more thing: recording. Who accessed what, when. Auditing.
Apply the analogy to your digital assets: your day-to-day workspace and resources need an extra layer of control over who accesses what, whether it’s a desktop, a virtual desktop, or files, especially when on-premise assets are involved.
Use case 1: sharing medical records with an external expert
Imagine a hospital wants an outside expert to analyze a patient’s x-ray or medical report. How do you share it in a zero trust way?
In the demo I use Parallels Secure Workspace, a browser-based workspace: nothing to install, for you or the external user. The expert might be near an operation theater without a laptop; a phone or tablet browser is enough.
I open my files, select a medical report, and share it with the external user via a link. I can add context for the recipient, set an expiration date and time, restrict it to preview-only or allow download, and protect it with a password. It can be public, user-specific, or domain-specific. I can see every link I’ve shared and disable any of them at any moment. Access is temporary, scoped, revocable, and audited: that’s the extra layer.
Use case 2: sharing a sensitive virtual desktop session
Files are one thing. What about virtual desktops? Imagine an electricity infrastructure company that needs an external IT consultant to debug a system, but that desktop controls power distribution for a city. You cannot hand out access.
In the demo I open my virtual desktop in the browser and enable session sharing. I share a link (password-protectable) with the consultant. When they join, I get a request I can grant or refuse. Once granted, they see exactly my screen, a mirror, live in their browser, and can assist with the diagnosis. When the issue is resolved, I terminate the session and they lose access instantly. No credentials ever change hands.
Use case 3: secure SaaS access for external freelancers
SaaS adoption grows every year, and hybrid companies increasingly work with external contractors and freelancers who touch sensitive data. How do you give the right user the right access to a SaaS app?
The demo uses Parallels Browser Isolation, built on remote browser isolation (RBI). Instead of your browser rendering the public internet directly, requests go to an isolated cloud container where the rendering happens. Your device just streams the result, like streaming a movie. If there’s a cyber attack or malware, it detonates in the container and never reaches the end user device.
As IT admin I add a new application, Atlassian Jira: name, description, icon, start URL, and which users may access it. The user only sees the apps published to them. On first launch the page gets blocked, because Atlassian redirects to its identity provider on a different domain, blocked by default. I allowlist the auth domain, and login works.
Two more admin controls matter for client-sensitive data. First, watermarking: the SaaS session is watermarked, so even a screenshot of sensitive data carries the watermark. Second, auditing: I see who accessed what and when, so suspicious activity is visible and actionable. Policies offer many more categories and customizations, and external users can be managed as groups.
That’s zero trust in practice: the Jira application secured, published to exactly one user, isolated from the endpoint, watermarked, and audited. Thank you very much for attending.
FAQ
What is zero trust, in one sentence?
Never trust, always verify: every access to every resource is authenticated, authorized with least privilege, and logged, regardless of whether the request comes from inside or outside the network perimeter.
How is zero trust different from a firewall-based perimeter?
A perimeter (the castle) checks identity once at the gate and trusts everything inside. Zero trust (the museum) puts a check in front of each sensitive asset, refuses to treat employment or network location as sufficient proof, and records every access for auditing.
What is remote browser isolation (RBI)?
A technique where web pages render inside an isolated cloud container and only a safe visual stream reaches the user’s device. Malware executes in the disposable container, not on the endpoint. Admins can layer per-user app publishing, domain allowlists, watermarking, and audit logs on top.
Where can I watch the full talk?
The full recording is on YouTube, from CyberSec Europe, May 2024. Related writing: 5 key strategies for Zero Trust integration in cloud architecture.