Zscalerのブログ
Zscalerの最新ブログ情報を受信
Extending Zero Trust to the Browser: A New Frontier for Enterprise Security
Every major shift in enterprise technology has forced security to evolve. Mainframes centralized control. Client-server architectures pushed security toward the endpoint. Cloud and SaaS transformed the network into a policy enforcement point, while the rise of hybrid work made identity foundational to modern security.
Today, another shift is underway. The browser has become the central hub of productivity and a critical new frontier for enterprise security.
Employees use browsers to authenticate, collaborate, access business-critical applications, interact with generative AI (GenAI), and handle an organization's most sensitive information. What was once simply a window to the internet has quickly and quietly become one of the primary places where work happens.
That does not make the network, the endpoint, identity, or application security any less important. It makes the security architecture around modern work more important.
The browser does not operate in a silo. Every interaction depends on the infrastructure around it: the connection that delivers the application, the identity and posture of the user and device, the content that reaches the browser, the code that executes within it, and the data moving through each session. Each creates a different security challenge, and no single control can address them all.
As the browser becomes more central to how work gets done, Zero Trust must extend deeper into it while strengthening the layers around it.
A Growing Attack Surface
Attackers have always followed wherever work goes. As applications moved to the cloud, attackers shifted their focus from data centers to SaaS. As work expanded beyond corporate offices, they adapted to distributed users and unmanaged devices. Today, as more work happens through the browser, attackers are evolving again.
The rise of GenAI is accelerating this shift. Employees are not simply consuming information in the browser anymore. They are creating it, transforming it, and sharing it through browser-based AI applications. Every prompt, upload, and response creates new considerations for security and data protection.
At the same time, the browser itself presents a uniquely challenging environment to secure. Modern browsers are among the most complex software platforms ever built, often compared in complexity to operating systems. They execute code from constantly changing and often untrusted sources, manage identities and authenticated sessions, support extensive ecosystems of extensions, render dynamic applications, and increasingly mediate interactions with AI.
Attackers are taking advantage of that complexity. Adversary-in-the-middle attacks can hijack authenticated sessions. Browser-in-the-browser techniques can manipulate users with convincing fake interfaces. Malicious extensions and client-side attacks can operate inside the browser, where traditional network and endpoint controls may have limited visibility.
This does not mean existing security controls have become obsolete. Quite the opposite. It means modern enterprises need defense in depth more than ever.
The goal is not to move security from the network into the browser. It is to extend security all the way into the browser.
Modern Browser Security Requires Defense in Depth
The industry's growing focus on browser security is encouraging. Enterprise browsers are emerging. Browser extensions have evolved into meaningful security controls. Browser isolation continues to mature, and browser-native protections for AI and web-based threats are advancing rapidly.
But these technologies should not be viewed as competing answers to the same question. They solve different parts of a much larger problem.
Modern browser security begins before content ever reaches the browser. Known threats, malicious destinations, and clearly suspicious activity should be stopped upstream through cloud-delivered security and advanced threat protection. Content that cannot be fully trusted should be isolated so active web content cannot directly reach the endpoint. And because sophisticated attacks can still emerge inside the browser itself, organizations need browser-native visibility and protection to detect what may evade upstream controls.
These layers are complementary, not optional alternatives.
At Zscaler, this defense-in-depth approach starts with Zscaler Internet Access (ZIA) and advanced threat protection to stop known threats and suspicious activity before they reach the user. Our Cloud Browser Isolation capabilities provides another layer of defense for questionable destinations, high-risk content, and sensitive applications by separating active web content from the endpoint. And our industry-first Browser Detection and Response (BDR) extends detection, investigation, and response into the browser itself, helping identify browser-native attacks that traditional network and endpoint tools were never designed to see.
Each layer addresses a different point in the attack path. Together, they provide protection before content reaches the browser, while it is being rendered, and as the user interacts with it.
That is what defense in depth should look like for the modern web.
Securing the Browser and Securing Access Through It
There is another important distinction that is often lost in the browser security conversation.
Securing the browser itself and securing access to enterprise applications through the browser are related challenges, but they are not the same problem.
The first is about protecting the browser as an execution environment. Organizations need to protect users from malicious content and browser-native attacks, detect suspicious extensions and client-side activity, and control how sensitive data is handled. This is where cloud-delivered threat prevention, isolation, browser-native protection, and in-browser data controls work together.
The second challenge is about connectivity and access.
When a user opens a private enterprise application in a browser, the browser is ultimately the rendering engine. The more fundamental security question is whether that user and device should be connected to the application in the first place.
This is where Zero Trust Network Access (ZTNA) becomes critical.
With Zscaler Private Access (ZPA), users connect directly to authorized applications based on identity, device posture, policy, and context without being placed on the network or exposing the application to the internet. Privileged Remote Access extends this model to sensitive administrative and third-party access, helping organizations provide secure access without the complexity and risk of traditional network-based approaches.
Once access is granted, browser controls can add another layer of protection around the interaction itself. Sensitive data can be protected, risky actions can be controlled, and browser-native threats can be prevented.
The distinction matters. ZTNA secures access to the application, while browser security protects the user’s interaction with the application and helps prevent the application itself from being exploited.
Modern Zero Trust requires both.
One Architecture, Multiple Ways to Secure the Browser
No two enterprises have exactly the same users, devices, applications, or access requirements. Even within a single organization, the right browser experience can vary significantly by user and use case.
That is why we did not begin with the assumption that every customer should adopt the same browser. We began with the principle that every customer should be able to extend Zero Trust into the browser in the way that best fits the business.
That philosophy is reflected in Zscaler’s Zero Trust Browser, which can be deployed in three ways, depending on what best fits the customers needs: Cloud Browser Isolation, Browser Extension, and Enterprise Browser.
The Zero Trust Cloud Browser Isolation provides a powerful layer of protection for high-risk web content, sensitive cloud applications, unmanaged devices, and other scenarios where active content should be separated from the endpoint.
For organizations that want to extend protection into the browsers employees already use, the Zero Trust Browser Extension brings browser-native security directly into the existing user experience. With industry-first Browser Detection and Response (BDR), organizations gain another line of defense inside the browser to detect and respond to threats that may evade upstream network and endpoint controls.
And for organizations or user populations that require a fully managed browsing environment, the Zero Trust Enterprise Browser provides a purpose-built Chromium browser with Zero Trust security integrated into the experience. It gives customers another powerful option for securing modern work without requiring them to build a separate security architecture around the browser.
These form factors are not about forcing an enterprise to choose a single approach for every user. An organization may use isolation for one workflow, browser extensions for its broader workforce, and a purpose-built enterprise browser for specific users or use cases.
The form factor can change. The security architecture should work together.
The Power of Zscaler's Zero Trust Architecture
This is where we believe the browser security conversation needs to go next.
The future will not be defined by one security control replacing another. Network security does not become less important because the browser has become more important. ZTNA does not become less important because organizations deploy browser-native controls. An enterprise browser does not eliminate the need to stop threats before they reach the user.
Each layer has a distinct job to do.
Zscaler Internet Access and advanced threat protection stop known threats and suspicious activity before they reach the browser. Cloud Browser Isolation contains content that should not be trusted. Browser Detection and Response, delivered through our Browser Extension and Enterprise Browser, provides visibility and protection inside the browser against threats that can evade upstream controls. Zscaler Private Access provides Zero Trust connectivity to private applications without exposing them to the network. Data protection helps safeguard sensitive information as it moves across applications and through user interactions. And the Enterprise Browser provides a purpose-built, fully managed experience for the users and use cases that need it.
The value is not simply in having each of these capabilities.
The value is in how they work together.
Modern enterprises are a mix of cloud and legacy applications, managed and unmanaged devices, employees and third parties, internet and private application access, and increasingly, human and AI interactions. Security architectures must be able to protect that complexity without forcing every user, application, or workflow into the same model.
Security should adapt to the enterprise, not force the enterprise to adapt to security.
The Next Chapter of Zero Trust
We are excited about the availability of the Zero Trust Enterprise Browser because it represents an important expansion of how customers can extend Zero Trust to modern work.
But the larger story is not about adding another browser to the market.
The browser is a critical new frontier for enterprise security, and securing it requires defense in depth. Threats must be stopped before they reach the user. Questionable content must be isolated. Attacks that emerge inside the browser must be detected and stopped. Private applications must be protected with Zero Trust connectivity. Sensitive data must remain protected throughout the interaction.
No single control can do all of this alone.
The next chapter of Zero Trust is not about replacing the security architecture that came before the browser. It is about extending that architecture further, from the network and the application all the way to the browser interaction itself.
That is the future we are building toward.
Every layer doing the job it does best.
Every layer working together.
And Zero Trust extending wherever work happens.
To learn more about Zscaler’s Zero Trust Browser, visit our website or contact your sales representative.
このブログは役に立ちましたか?
免責事項:このブログは、Zscalerが情報提供のみを目的として作成したものであり、「現状のまま」提供されています。記載された内容の正確性、完全性、信頼性については一切保証されません。Zscalerは、ブログ内の情報の誤りや欠如、またはその情報に基づいて行われるいかなる行為に関して一切の責任を負いません。また、ブログ内でリンクされているサードパーティーのWebサイトおよびリソースは、利便性のみを目的として提供されており、その内容や運用についても一切の責任を負いません。すべての内容は予告なく変更される場合があります。このブログにアクセスすることで、これらの条件に同意し、情報の確認および使用は自己責任で行うことを理解したものとみなされます。



