1. SAST Online
  2. Application Security News and Articles
  3. The Last Mile of Zero Trust: Securing Where Work Really Happens — The Browser
Authenticate your profile to see activity

The Last Mile of Zero Trust: Securing Where Work Really Happens — The Browser

The Last Mile of Zero Trust: Securing Where Work Really Happens — The Browser

At RSAC this year, Andy Ellis, former CSO at Akamai and now Partner at YL Ventures, challenged us to rethink what Zero Trust really means. Not the buzzword. Not just ZTNA. But the principle of “trust” and what it means to have “Zero Trust” as a cybersecurity strategy.

He starts his presentation by laying a compelling foundation for the concept of trust as being embedded in IT and, ultimately, how IT enables the business and how business has evolved. Businesses were operated by employees who used to go to a physical office location, and those employees worked with pencils and paper to do their jobs. But over time, software and endpoints have replaced pencils and paper, and the network has replaced the physical office location. (This was, in my opinion, a fantastic opening. Props to Andy, and disclaimer that I’m a huge fan of him.)

Why does any of that matter?

Because Zero Trust has been reduced to endpoints talking to software across a network or in the cloud. People have been effaced from this entire equation. Later on in the presentation, Andy talks about how “least privilege” as a concept and how it implies that employees “should have less ability to do stuff” — to get their jobs done.

And Zero Trust cannot work if it is stopping employees from getting their jobs done.

Zero Trust: The Vision vs. The Reality

Ellis makes a critical point in his opening: Zero Trust was never just about the network. It was supposed to focus on people and systems — not just the paths between them.

But somewhere along the way, implementation got narrowed. ZTNA became the shorthand, and many organizations focused on the transport layer — identity, access, device posture.

And yet, most security incidents don’t happen in the transport layer. They happen:

  • When a user clicks a malicious link
  • When data is copied to personal cloud storage
  • When unmanaged extensions exfiltrate sensitive info
  • When credentials are reused or leaked

Today, these all happen inside the browser.

The Browser Is Where Work — and Risk — Now Lives

Ask any employee about their most used application, and many likely forget that it’s the browser. That’s because most of us treat browsers like thin shells. But in reality, they’ve become the new operating system for work. SaaS apps, file shares, collaboration tools — they all live in the browser tab.

For CISOs and security architects, this shift introduces a new challenge:

  • Traditional endpoint agents don’t provide fine-grained control within the browser.
  • Network-based protections like inline decryption introduce latency and can only attempt to reconstruct application layer attacks with limited network traffic data
  • BYOD and third-party access limit what you can deploy at the endpoint.

Which means there’s often no security enforcement where it matters most: the user interface.

The Zero Trust Challenge: Protect People, Not Just Packets

In his presentation, Ellis urges security leaders to move beyond checkbox architectures and focus on the real-world environments users operate in. That has to include the browser.

Browser-native security helps bridge this last mile of Zero Trust by offering:

  • Context-aware access controls: Who the user is, what device they’re on, what app they’re accessing — all enforced at the browser level.
  • In-browser data loss prevention: Preventing uploads, pasting, downloads or screen captures from sensitive apps based on policy.
  • Visibility without heavy infrastructure: Real-time telemetry and policy enforcement without relying on deep packet inspection or agents.

Many CISOs are understandably hesitant to add another security layer. It’s not about layering more tools — it’s about “shifting up” and bringing security closer to the user’s workflow, as Ellis advocated.

Browser-native controls can:

  • Reduce reliance on endpoint agents
  • Allow more scalable controls across managed and unmanaged devices
  • Extend Zero Trust approaches into the browser

Ultimately, by enabling browser security with a lightweight extension, IT and security teams have a compute-friendly security solution that protects users online. In the spirit of Ellis’s talk, browser-native security solutions bring security back to its intent: not to manage packets and boxes and tunnels, but to protect people and how they work.

Final Thought: Are We Helping Employees Do Their Jobs Securely?

Andy Ellis reminded us at RSAC: Zero Trust was supposed to secure users, not just their pathways.

In 2025, that means securing where users actually engage with their work and your data — the browser.

Whether you’re deep into Zero Trust implementation or just refreshing your endpoint strategy, it’s worth asking:

“Have we extended our controls to where the work — and risk — actually happens?”

Curious what browser-native security would look like in your environment?

Let’s walk you through it. Request a demo to see how SquareX delivers context-rich security controls in the browser — without agent sprawl or latency.

The Last Mile of Zero Trust: Securing Where Work Really Happens — The Browser was originally published in SquareX Labs on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post The Last Mile of Zero Trust: Securing Where Work Really Happens — The Browser appeared first on Security Boulevard.

20 May 2025


>>More