Using Reverse Proxies to Secure Endpoints in a Zero Trust Environment
By Dr. Edward Amoroso
CEO, TAG Cyber
This is the fourth of a series of five blog posts by analysts from TAG Cyber, a trusted cybersecurity research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 100 enterprises. This chapter explores how reverse proxy solutions are useful to secure endpoints in emerging Zero Trust environments.
One effective protection approach found in nearly every modern security architecture is the reverse proxy.
Different enterprise security architectures deployed across enterprise organizations will vary in their specifics. For example, some enterprise security teams will buy into the full solution suite from one commercial vendor, whereas others might be more comfortable dealing with a variety of tools from a range of vendors. This will have implications on how their solution architecture protects resources – be they local, in the cloud, or a combination of both.
There are, however, many aspects of modern cybersecurity architecture where high levels of commonality will be found, even across organizations of varying size and scope, as well as different business and government sectors. This is sometimes driven by common compliance requirements, but it is more often led by a shared view of effectiveness. Such agreement helps teams adopt best practices and benefit from shared learning.
One effective protection approach found in nearly every modern security architecture is the reverse proxy. This solution has been in place for many years, and unlike firewalls and passwords, reverse proxies are not being phased out. In fact, they are more relevant than ever.
This blog post shows their utility in securing endpoints and enabling Zero Trust. We reference the solution from PortSys in our discussion following to illustrate this case.
What Is a Reverse Proxy?
A reverse proxy is a piece of software that intercepts and forwards requests from browsers to back-end applications to improve security and performance. Client users view the interaction as being with the back-end application directly – hence, the term proxy. This is useful for security teams tasked with minimizing user friction. (Forward proxies, by the way, are used to securely obtain Internet resources on behalf of corporate users.)
Reverse proxies are especially useful when it comes to enforcing security policies, as well as other security functions such as HTTP header inspection and support for TLS. A reverse proxy also offers many non-security benefits for legacy and hosted web applications. For example, they can help balance network delivery, compress traffic, cache content, and reduce the load on servers supporting the application.
How do Reverse Proxies Support Endpoint Protection?
As one would expect, the use of reverse proxy solutions for legacy and web applications has a positive, holistic impact on the overall protection profile for both the secured application as well as any accessing clients. This implies that the deployment and use of reverse proxies across enterprise and Internet infrastructure actually reduces the burden of endpoint detection and response (EDR) solutions to protect PCs and other user devices.
This is evident in TAC, which deploys into the enterprise as a reverse proxy, enabling a range of endpoint protections. For instance, TAC is designed for Zero Trust Access from managed and personal devices coming from a range of different locations—both local and remote. Rather than implement endpoint security to enable access, TAC can be inserted to enable properties such as Zero Trust, as well as features such as single sign-on (SSO).
How do Reverse Proxies Support Zero Trust?
An additional useful feature of reverse proxy usage is that it enables application access from a more generalized set of locations. In other words, by protecting hosted resources, organizations can allow users to gain access from virtually any type of environment – including remote access, work-from-home, or other modern virtualized arrangements. This is typically a major requirement for enterprise work today.
In this sense, reverse proxy capability – such as that implemented by PortSys – helps drive the adoption and use of Zero Trust initiatives. The transition from perimeter-based security to Zero Trust-based architectures is a useful advance in enterprise security design, because it reduces dependence on the corporate firewall. As such, reverse proxies help streamline this design approach, ultimately reducing overall cyber risk.
Dr. Edward Amoroso