EN
    • Top
    • Employee Work Strategies
    • IT Support Department Members Explain the "Cloud-Based Web Isolation System" Security Solution that Prevented 20,000 Attempts to Access Potentially Risky Content in One Month

    IT Support Department Members Explain the "Cloud-Based Web Isolation System" Security Solution that Prevented 20,000 Attempts to Access Potentially Risky Content in One Month

    IT Support Department Members Explain the

    [Notice] Effective October 1, 2023, LINE Fukuoka has changed its company name to LY Communications. Articles published on or before September 30, 2023 were written with our former company name.

    This is the IT Support Department's Infrastructure Team.

    LINE Fukuoka's IT Support Department handles all in-house IT work, and is made up of five teams: the Help Desk Team, the Help Management Team, the Technical Support Team, the Infrastructure Team, and the Information Security Team. The Infrastructure Team is responsible for office infrastructure operations and network security, and takes on a variety of projects to bolster the company's cyber-security.

    In this post, we will explain the details of how the "Cloud-based Web Isolation Service" (a security solution that has prevented over 20,000 major security risks in just one month) came to be adopted, the results it achieved, and some issues surrounding it.

    If you're in IT and are searching for a security solution that is effective for in-office as well as work-from-home (WFH) setups, this article is for you!

    Making access to websites safer

    安全にアクセスしたい
    ▲ This is an example of what happens when you access a suspicious site.

    Have you ever unintentionally clicked on a link to a suspicious site when you were just trying to look something up for work? If you connect to a website that targets a weakness in your network or may infect your device with malware, you have to stop working, disconnect from the company network, have your device scanned for viruses, and wait for a cause to be found and dealt with until everything is determined to be safe. These investigations and adjustments also place a burden on internal IT.

    Just because you accessed a suspicious site doesn't mean that your PC will be impacted, but obviously, you want to reduce security risks as much as possible, especially on devices like PCs that you use for work.

    LINE Fukuoka is responsible for checking if there are any issues with URLs posted on LINE services or in the services handled by companies that have applied for a review of their LINE services (such as their LINE official account). The company was considering a solution that would allow employees to safely access any website, and posed no risk to servers or devices connected to the company's network.

    Primary methods of utilizing "web isolation" as a security measure

    In simple terms, web isolation is the process of separating web content on a standard internet connection from an internal network. The phrase "internet isolation" is sometimes used in a broader sense, but in this post, you can think of it as one example of a basic security solution. The four primary methods of web isolation are explained below, but after considering costs, usability, and management, LINE Fukuoka chose option 4, "cloud-based web isolation."


    上As seen in the image above, there are four methods of web isolation, and each of them has their pros and cons. Also, when considering these solutions, one of the major issues the company faced was remote work (WFH).

    Which system is the best fit for remote work? On-premise? Cloud-based?

    Most companies put various security measures (such as a firewall) in place when their devices connect to the internet from the office in order to prevent employees from accessing dangerous sites. Of course, even when working from home, if you're connected to a virtual private network (VPN), you can access the network safely in the same way by going through the internal security measures.

    But what if you aren't connected to a VPN?  If an employee bypasses internal security measures when accessing a site, they could directly access the internet from their home connection, and if they open a malicious website, their device may be infected with malware.

    VPN未接続時のスプリットトンネル英語

    Additionally, if you're using a split tunnel VPN (where internal systems are accessed through a VPN but internet access uses your home connection), you can still directly access the internet even if you're connected to the VPN. Accessing the internet directly from a work device is a major security risk.

    There are two types of security systems: on-premise and cloud-based. On-premise systems can't perform web isolation for remote work environments if the device doesn't go through a VPN, but cloud-based security systems can isolate in a WFH setup even without a VPN.

    Our initial requirements were that the solution should be an effective security measure even in WFH setups, in addition to being able to access websites safely and posing no risk of infecting servers or devices that access the company network. After considering these requirements, we decided that the solution also needed to be cloud-based.

    <On-premise solutions>
    オンプレミス型英語

    ■ Advantages
    Unrestricted access to websites that cannot be connected to from the cloud

    ■ Drawbacks
    - Web isolation can't be done without a full tunnel VPN, so directly connecting to the internet from outside of the VPN or via a split tunnel VPN presents risks
    - Separate server management costs are incurred


    <Cloud solutions>
    クラウド型 英語

    ■ Advantages
    - Cloud foundation eliminates the maintenance costs of servers, etc.
    - Whether working in the office or from home, the same services can be used (web isolation is ensured)

    ■ Drawbacks
    The IP used to connect to websites is the cloud itself, so sites that restrict access from the cloud cannot be reached



    Here is a list of the requirements we had when selecting our solution:

    ☑️Must be cloud-based (because it can be used both in and outside of the company, regardless of the connection environment)

    ☑️Capable of a "small start"

    ☑️Free Proof of Concept (trial introduction to verify operation)

    ☑️Must support full-width characters (E.g. Japanese)

    ☑️Poses no issues to usability (such as communication lag)

    When we were considering integrating a solution, Company A was the only company that met all of these requirements, so we chose that company.


    Note: The information below is from August 2020, when introduction was being considered.

    Results of introducing a "Web Isolation System"

    The graph below shows the number of attempts people using web isolation made to access sites that pose security threats (in the most recent one-month period). We also found history of connecting to malicious content such as malware, and if we weren't using web isolation, those devices may have been infected.

    マルウェア

    By introducing isolation, we were able to prevent over 20,000 major risks in just one month.

    Additionally, there were five confirmed connections to websites that contained malicious content classified as malware. If web isolation were not in place, we would have had to stop working and use man-hours to do investigations, so being able to connect safely allows us to reduce those man-hours.

    Perceived issues in introducing a "cloud-based web isolation system"

    Cloud-based web isolation systems are extremely effective as a security measure, but in the process of integrating a solution, we also saw some issues.

    Issue 1: If the connection is controlled by the website, a proper connection may not be established
    A website can detect that access is occurring from the cloud because connections to the site take place through an isolated web environment. Cloud access may be blocked depending on the website, so in some cases, sites that were previously accessible can no longer be accessed.

    If the website you can no longer access is actually a cloud service being used as part of an in-house system, you can utilize transmission routes such as a PAC to avoid using web isolation. However, adjusting transmission routes so that they don't go through web isolation for normal public websites increases security risks, which is not ideal.

    It's also difficult to contact website administrators and request cloud access to their site.

    Webサイト側が接続元制御をしている場合に正しく接続できない場合がある英語

    Issue 2: Web isolation can't be applied at the OS level

    Originally, we would have preferred to apply web isolation at the OS level and protect all communication from work devices.

    If you want to apply web isolation to an HTTPS-encoded website, you need to import a specific certificate authority (CA) for decrypting the secure socket layer (SSL) and transport layer security (TLS) on the cloud to your OS and verify ("trust") it.

    However, trusted CAs may be managed independently by applications, so the CA you've imported to your OS may not be trusted. If this happens, SSL/TLS will not function properly because the application can't verify the certificate chain, and your devices will not be able to communicate.

    This is why we've currently applied web isolation only for communication from browsers.

    Issue 3: The connecting country may not always match the global IP address
    Even if your transmission originates from within Japan, it is connected to the region with the lowest latency, so you may not be using a web isolated environment in Japan. If you're connected to a region outside of Japan, you'll no longer be able to use Japan's global IP address, which means that you won't be able to access websites that reject access from other countries.

    Also, even if access from outside of Japan is allowed, the page may be displayed in another language.

    Issue 4: Websites may not appear properly, but end-users won't be able to notice
    Websites that have had malicious content neutralized may not appear correctly, but users won't be able to tell if that's how the site normally looks or if it's due to the effects of neutralization.

    For example, information that is displayed incorrectly can have a negative impact on review work, which involves checking the advertisements or videos posted on a site.

    Issue 5: It may take a time to connect to a website
    With web isolation, websites are displayed after they have been neutralized. This neutralization process starts loading when you connect to a site, and it may take a few seconds for the site to be displayed. On sites with a lot of content, it may take even longer.

    For work that requires connecting to several hundred websites, these few seconds can accumulate and cause time to be wasted. Because web isolation isn't the best fit for work that requires accessing a large number of websites quickly, we only integrated the web isolation system into departments that require it.

    We'll continue giving our best to ensure that we can solve issues like the ones above. If you read this post and think you may have the information to solve issues like these, you want to introduce a similar system, or you want to hear more details, please feel free to send us a message or leave a comment! The IT Support Department looks forward to exchanging ideas with you.

    ▼ Inquiry Form
    https://linecorp.com/inquiry/linefukuoka/form.html

    We plan to continue sharing interesting and useful IT information (such as the IT Support Department's security measures, know-how, and case studies) through this blog. We hope that you'll bookmark the page!

    If you have any messages or comments for us, you can also send them to Mr. Takashi Kaida's (the Enterprise IT Center Vice-Center Head/IT Support Department Head) Twitter account! On Twitter, Mr. Kaida shares Digital Transformation (DX) and information about internal IT information as well as IT recruitment events✨

    スクリーンショット 2021-10-07 9.55.43

    For the IT Support Department's recruiting page, please see here. (Sorry, only available in Japanese)
     

    LY Communications Official social media accounts

    Get blog update announcements and the latest
    information about LY Communications!