
Eliminating Blind Spots: How Browser-Based ZTNA Closes Security Gaps

Forbes

24-07-2025


Etay Maor is Chief Security Strategist for Cato Networks, a leader of advanced cloud-native cybersecurity technologies.

Zero trust promised a fundamental shift: security where access depends not just on identity, but on full context: rigorous authentication, device posture, location and real-time risk assessment. Zero trust network access (ZTNA) became the engine driving this vision, replacing porous network perimeters with granular, policy-driven control.

Yet a critical blind spot persists in many implementations: the unmanaged device. Contractors, partners and BYOD users work from unmanaged endpoints daily. These devices are essential to modern business, yet they sit outside IT's direct visibility and control: they carry no agent and no consistent configuration. For security leaders, this gap is not an inconvenience; it is a direct threat to zero trust integrity. Unmanaged devices are a glaring vulnerability that undermines the model's core principle that every access request is verified under the same rules.

The Shortcomings Of Traditional ZTNA: Where The Perimeter Fades

ZTNA dethroned legacy VPNs, offering stronger authentication, micro-segmentation (app-specific access rather than network access) and superior visibility. However, its Achilles' heel is clear: It primarily serves managed devices running dedicated agents under IT's control. Unmanaged devices are left exposed, and the common workarounds are flawed:

• Agent Deployment Hurdles: Installing clients on third-party or personal devices is often unscalable, invasive and blocked by the device owner's permissions or policies.

• The VDI Burden: Virtual desktops (VDI) create a secure "bubble" but sacrifice performance and user experience, and they add significant infrastructure complexity and cost.

• Fragmented Tool Chains: Bolting on separate solutions (browser gateways, secure web gateways, reverse proxies, etc.) creates parallel access paths, inconsistent policy enforcement and siloed visibility, reintroducing the complexity zero trust aimed to remove.

These approaches fail to deliver true zero trust for unmanaged devices and introduce new risks: policy gaps, visibility holes, operational overhead and user friction. What is needed is a unified approach that can secure every user and device without multiplying complexity.

The Imperative Of Consistency: No Exceptions Allowed

Security effectiveness hinges on consistency. If managed users face stringent zero trust controls while unmanaged users operate through weaker exceptions, the entire model unravels, because uniform enforcement becomes impossible. This inconsistency has tangible consequences, especially for compliance (PCI DSS, HIPAA, GDPR, SOC 2, etc.). These frameworks demand demonstrable, uniform security controls across all access points that handle sensitive data. Gaps for unmanaged devices are not just vulnerabilities; they are potential compliance findings with severe penalties.

To address this, some organizations are turning to browser-based ZTNA. Unlike agent-based ZTNA models that require deep device integration, browser-based ZTNA delivers secure access directly through the user's standard web browser. This simple difference can be transformative. Contractors on home PCs, partners on their own laptops and BYOD users can fall under the exact same granular access policies, continuous risk assessment and inspection framework as managed users. Crucially, it achieves this without requiring device-level control, persistent software installs or intrusive endpoint changes. The browser becomes the universal conduit: every access request undergoes the same verification, monitoring and filtering, extending zero trust to the entire workforce ecosystem. One caveat a practitioner should keep in mind: the policy engine sees the browser session, not the endpoint behind it, so posture signals from an unmanaged device are inherently weaker than from an agent, and the per-application policy should compensate with tighter in-session controls (for example, restrictions on downloads and clipboard use) rather than with a looser rule set.

Reducing Complexity, Not Just Risk

Security leaders know the trade-off: more control often means more complexity. Accommodating unmanaged access has historically meant buying new tools and managing parallel policy engines, draining resources and creating gaps. Browser-based ZTNA offers consolidation. It can eliminate the need for separate point products for external users. All traffic flows through a single, unified policy engine with common enforcement points. This ensures uniform access control, threat prevention, data protection and monitoring, and reduces the overhead of managing siloed systems. In my experience, it streamlines multiple checkpoints into one efficient lane.

Just as importantly, browser-based ZTNA respects the user experience. By supporting standard browsers (Chrome, Edge, Firefox, etc.), users access resources as they always have: no disruptive workflow changes, no specialized software installs or configuration changes. Adoption, I've found, is often frictionless.

Use Case: Secure Access For Unmanaged Devices

The most compelling application of this model is securing access from unmanaged devices, delivering the core zero trust benefits universally. By focusing on these devices, you can:

• Enforce identity- and risk-based access policies.

• Limit users to specific, authorized applications or data sets.

• Prevent lateral movement, because the session is brokered to a single application rather than placed on the network.

• Log and audit every access decision for compliance reporting and forensics.

• Inspect web traffic for threats and data loss with no endpoint agent.

In contrast to traditional VPNs or VDI setups, I've found that this model is lighter, faster, more scalable and simpler to manage.

Getting Started

Organizations beginning their zero trust journey should first address the critical vulnerability of unmanaged devices. Traditional ZTNA models often fail here, leaving contractors, partners and BYOD users outside consistent security controls. Agent deployment is impractical, VDI introduces performance penalties and complexity, and fragmented solutions recreate the visibility gaps zero trust aims to eliminate. Prioritize implementing browser-based ZTNA for unmanaged access.
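The use case and the steps above describe what a single policy engine has to decide for every request, whether it arrives from an agent or from a bare browser. The following is an added example written for this page, not code from the article or from Cato Networks' product: a minimal policy decision point in Python that applies one per-application policy to both access paths, treats a missing posture signal as a failed check rather than a silent exception, attaches tighter in-session restrictions to browser-only sessions, and emits one audit line per decision. The application names, group names, risk scores and sample requests are all constructed for illustration.

```python
"""Added example: one ZTNA policy decision point for managed and unmanaged access.

Illustrative code written for this article, not a real product's policy engine.
Applications, groups, risk scores and sample requests below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional, Tuple
import json


@dataclass(frozen=True)
class AccessContext:
    """Everything the policy engine knows about one access request."""
    user: str
    groups: FrozenSet[str]
    app: str                     # the application requested, never "the network"
    country: str
    managed: bool                # True when an endpoint agent reports for the device
    posture_ok: Optional[bool]   # None = no posture signal (browser-only session)
    risk_score: int              # 0 clean .. 100 compromised, from the risk engine
    mfa_verified: bool


# Per-application policy (hypothetical apps and groups). One table serves every
# access path; an unmanaged device gets no separate, weaker rule set.
APP_POLICY = {
    "payroll":   {"groups": {"finance"}, "countries": {"US"},
                  "require_posture": True, "max_risk": 20, "require_mfa": True},
    "ticketing": {"groups": {"support", "contractors"}, "countries": {"US", "DE", "IN"},
                  "require_posture": False, "max_risk": 50, "require_mfa": True},
    "wiki":      {"groups": {"staff", "contractors"}, "countries": None,
                  "require_posture": False, "max_risk": 70, "require_mfa": False},
}

# In-session controls applied when the endpoint itself is not under IT control.
BROWSER_ONLY_RESTRICTIONS = ("no-download", "no-clipboard", "watermark")


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    restrictions: Tuple[str, ...] = ()


def decide(ctx: AccessContext) -> Decision:
    """Evaluate one request against the per-app policy; the default is deny."""
    policy = APP_POLICY.get(ctx.app)
    if policy is None:
        return Decision(False, "unknown application: default deny")
    if not policy["groups"] & ctx.groups:
        return Decision(False, "user not in an authorised group for this app")
    if policy["countries"] is not None and ctx.country not in policy["countries"]:
        return Decision(False, f"access from {ctx.country} not permitted")
    if policy["require_mfa"] and not ctx.mfa_verified:
        return Decision(False, "step-up authentication required")
    if ctx.risk_score > policy["max_risk"]:
        return Decision(False, f"risk score {ctx.risk_score} exceeds limit {policy['max_risk']}")
    # A missing posture signal counts as a failed check, not as "unknown":
    # "where feasible" must not become a silent exception for unmanaged devices.
    if policy["require_posture"] and ctx.posture_ok is not True:
        return Decision(False, "device posture required but not verified")
    restrictions = () if ctx.managed else BROWSER_ONLY_RESTRICTIONS
    return Decision(True, "policy satisfied", restrictions)


def audit_record(ctx: AccessContext, decision: Decision,
                 now: Optional[datetime] = None) -> str:
    """One JSON line per decision, allow or deny, for compliance reporting."""
    now = now or datetime.now(timezone.utc)
    return json.dumps({
        "ts": now.isoformat(), "user": ctx.user, "app": ctx.app,
        "country": ctx.country,
        "access_path": "agent" if ctx.managed else "browser",
        "risk": ctx.risk_score, "allow": decision.allow,
        "reason": decision.reason, "restrictions": list(decision.restrictions),
    }, sort_keys=True)


# Constructed sample requests (not real users or telemetry).
MANAGED_FINANCE = AccessContext("alice", frozenset({"staff", "finance"}), "payroll", "US",
                                managed=True, posture_ok=True, risk_score=5, mfa_verified=True)
BROWSER_FINANCE = AccessContext("alice", frozenset({"staff", "finance"}), "payroll", "US",
                                managed=False, posture_ok=None, risk_score=5, mfa_verified=True)
CONTRACTOR_TICKETS = AccessContext("bob", frozenset({"contractors"}), "ticketing", "DE",
                                   managed=False, posture_ok=None, risk_score=30, mfa_verified=True)
CONTRACTOR_PAYROLL = AccessContext("bob", frozenset({"contractors"}), "payroll", "DE",
                                   managed=False, posture_ok=None, risk_score=30, mfa_verified=True)
CONTRACTOR_RISKY = AccessContext("bob", frozenset({"contractors"}), "ticketing", "DE",
                                 managed=False, posture_ok=None, risk_score=80, mfa_verified=True)

if __name__ == "__main__":
    for ctx in (MANAGED_FINANCE, BROWSER_FINANCE, CONTRACTOR_TICKETS,
                CONTRACTOR_PAYROLL, CONTRACTOR_RISKY):
        print(audit_record(ctx, decide(ctx)))
```

The point of the example is the single `decide` function: the same finance user is allowed to payroll from a managed device with a clean posture report and denied from a browser-only session where no posture signal exists, and the contractor reaches only the ticketing application, with download and clipboard restrictions, because the policy names applications rather than network segments. Every outcome, including denials, produces an audit line.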
This approach directly tackles the core weakness: It applies rigorous zero trust policies (strong authentication, granular access control, continuous inspection) to every user without agents or disruptive changes. The standard web browser becomes the secure conduit, delivering immediate risk reduction at the perimeter's weakest point.

Ensure consistent policy enforcement across all users and access paths; security and compliance allow no exceptions. Base access decisions on rich context: identity, device posture (where feasible), location and real-time risk. Because a browser-only session exposes far less posture information than an agent, "where feasible" should be an explicit policy decision, for instance treating a missing posture signal as a failed check for sensitive applications, rather than a silent exception. Critically, reduce complexity by choosing solutions that unify access paths and policy management, avoiding fragmented tools that undermine zero trust. Start by securing high-value applications via this browser approach to demonstrate value and build momentum.

Why This Matters Now

Hybrid work and third-party collaboration are not temporary; they are the permanent operational fabric of day-to-day business. Unmanaged devices are integral to this landscape, and half-measures are obsolete. A consistent, identity-centric, browser-based ZTNA approach can eliminate fragmented solutions and ensure comprehensive policy coverage: the same stringent rules apply to the CEO on a corporate laptop and the contractor on a personal device. It also simplifies operations for security teams. For CISOs, this means fewer dangerous security exceptions, fewer exploitable gaps and more confidence in protecting data and meeting regulatory obligations, regardless of where work happens or which device is used. Browser-based ZTNA does not just close the blind spot; it provides the consistent control that boundary-less work demands.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
