MPA Best Practice Guidelines Name RBI as Implementation Guidance Infrastructure for Web Filtering and Usage Control

This blog was originally published by Ericom Software here.

Written by Peter Fell, Group CTO, EME, Ericom Software.

What Every TPN Vendor Should Know About Remote Browser Isolation

In a recent important addition to the Motion Picture Association (MPA) Content Security Program, MPA Best Practices Guidelines were updated in Version 4.09 to recommend Remote Browser Isolation (RBI) as an implementation guidance option for Data Security Best Practices including DS-2.0, DS-2.1, DS-2.2 and DS-5.0.

To protect pre-release content and prevent web-enabled attacks on the networks of both content production and content delivery company networks, previous versions of the Implementation Guidance stipulated complex, time-consuming and highly restrictive internet use policies and processes for vendor organizations supporting MPA Member Companies.

While protecting pre-release content during production, post-production, marketing and distribution is, of course, of paramount importance, the processes required to date introduced considerable inconvenience, frustration and productivity loss into the collaborative model on which so much of the entertainment industry depends today.

Adding Remote Browser Isolation to MPA Best Practices in the Implementation Guidance for data security is a game-changer for users. When done correctly, it will go a long way to streamlining internet-enabled collaboration while maintaining the airtight content protection that both content producers and content delivery companies require.

Remote Browser Isolation was first introduced almost a decade ago and is today a fully mature technology. According to Dr. Chase Cunningham, a leading Zero Trust security advocate at Forrester Research who recently joined Ericom Software, the time has arrived for broad adoption of RBI as a security control.

Security That Works For Users, Not Against Them

For Trusted Partner Network (TPN) vendors and Consultant Assessors—and especially for users–RBI is the rare security solution that reduces risk while boosting productivity and improving the user experience for entertainment industry employees, when designed and implemented properly. Now that the MPA has joined the finance industry and government sector in recommending RBI to secure internet use, TPN vendors can enable rigorous, granular internet usage control and content protection, while simultaneously streamlining access, in full compliance with MPA Best Practices.

According to the most recent Verizon DBIR, almost 40% of breaches involved phishing, 25% involved credential theft, and malware was a factor in over 20%. 58% of CISOs identify human error as their organizations’ greatest cyber vulnerability. These threat actions, which directly impact pre-release content security, are precisely the ones that RBI effectively blocks.

Remote Browser Isolation: What It Is and How It Works

RBI blocks all website content from user devices and networks by isolating the content in a remote location yet enables users to fully use and interact with the sites in compliance with granular policy-based controls. Here’s how it’s done:

When a user opens a website, the RBI solution…

• Generates a virtual browser in an isolated container in the cloud or on a remote server
• Executes the website in the virtual browser
• Sends only safe rendering information to the user’s device
• Enables users to interact with the websites as usual, using their device browsers

Critically, when the user stops browsing, the isolated container is destroyed, along with the virtual browser and all website content within—including any malware or ransomware that may have been on the site.

Because websites do not execute on the endpoint, no content is left in the browser cache. So, if a device is stolen, lost or breached, content that has been uploaded to or downloaded from the web can’t be retrieved from the device browser cache.

Additional Web Usage Controls and Reporting to Consider

For TPN vendors and Consultant Assessors, the extent to which users can upload content to websites and apps is of as great concern as malware that may be downloaded. Following are some of the additional key capabilities and features that are particularly relevant and valuable when applying MPA Best Practice Guidelines for Digital Security Infrastructure Implementation Guidance for DS-2.0, DS-2.1, DS-2.2 and DS 5.0.

• A wide range of policy controls. Look for RBI that enables granular, policy-based controls that simplify strict compliance with DS-2.0 and DS-2.2 Implementation Guidance. For instance, access can be fully blocked to prohibited sites such as web-based email sites, peer-to-peer, digital lockers, and known malicious sites to prevent content exfiltration and theft.
• Reporting and auditing. Find a solution that provides full audit trail and reporting capabilities, including historical web access data, upload and download activities, user activity reports, risk analysis, security events, and more. Security admins should be able to drill down into report data to reveal patterns and define custom reports to get maximum insight from historical organizational data. Data can also be automatically exported to an external SIEM for archiving and further analysis.
• End user experience. Look for an RBI solution that works with standard browsers on users’ regular device or desktop and fully protects users, on any browser they choose, at any time. This provides an excellent end user browsing experience–even HD video plays smoothly and on-page navigation is extremely precise.
• Integrates easily with current (and planned) security stacks. Many leading security solution providers partner with RBI providers which makes integration seamless. In addition to integrating simply with a wide range of the firewalls and secure web gateways in use today, some solutions are compatible with new generation SASE platforms and security solutions. So even clients who are considering updates to their security stacks can adopt RBI now, without locking themselves in to any specific security vendor.
• Protection from phishing emails and sites, and infected attachments. Ask RBI solution providers how they protect against phishing. You want to be sure that they are opening URLs in emails in isolated containers in the cloud, away from endpoints. Moreover, as required by DS-2.1 but by no means standard in most browser isolation solutions, you want to open new, uncategorized sites in read-only mode to protect users who might be lured into entering credentials on phishing sites. Some RBI solutions also integrate content disarm and reconstruction (CDR) capabilities which examine attachments and remove any malware embedded within before downloading to endpoints. And you want to be able to establish policies that may be set to restrict downloads based on user, site or type of attachment – or block all attachments.
• Virtual Meeting Isolation. Like all other websites, web portals of virtual meeting solutions are vulnerable to infection with malware, which can then be passed to meeting participants via their browsers. In addition, malware has been identified which can take control of user cameras and expose private chats via virtual meeting solutions.

In addition, browser capabilities such as printing, downloading and copy/pasting content from websites that may be exploited by malicious (or simply careless) insiders may also be restricted via policy-based controls, in keeping with DS-2.0 Implementation Guidance to block “local drives, USB mass storage, mapping of printers, copy and paste functions, and download/upload to the Internet gateway system from the production network.”

Security That Eases MPA Implementation Guidance Compliance for Users

For content creators and distributors, security is of paramount importance. After all, content is your product. MPA Best Practice Guideline compliance is likewise essential—but not always easy.

The new Implementation Guidance that recommends RBI for DS-2.0, and the fact that RBI capabilities enable the controls recommended in DS-2.1, DS-2.2 and DS-5.0, allows TPN Vendors to lighten the security burden on their clients’ employees while ensuring that valuable content is fully air-gapped and protected from the dangers of the web.

To learn more about how Remote Browser Isolation works and why web browser applications like Chrome and Safari have become an increasingly common target for advanced threats, read “Browsers are the Target: Protect Them with Zero Trust Browser Isolation” today.