
- Policy design: Move from network rules to a “who, what, where, when, why” logic model. Policies should be readable statements: GRANT access IF (user_group == ‘Finance’) AND (app == ‘SAP’) AND (device_status == ‘Compliant’) AND (auth_method == ‘FIDO2’). Start from a default “deny” and add explicit “allow” rules, building a policy matrix that maps user personas to data and applications.
- Dynamic access: Token claims must be context-bound and short-lived. A token issued for a read-only wiki should not be valid for accessing a finance application. True phishing resistance requires eliminating all phishable recovery methods. This means deprecating SMS, email links and security questions in favor of passkey-based recovery or in-person identity verification.
- Risk automation: Session adaptation (step-up, revocation) must be triggered by automated analytics. Integrate the IdP and ZTNA solution with your SIEM/SOAR platform. An EDR alert (e.g., “high-severity malware”) or a UBA alert (e.g., “impossible travel”) should automatically trigger a SOAR playbook that calls the IdP’s API to revoke the user’s session tokens.
- Governance-as-code: Policies must not be managed via manual “click-ops” in a GUI. All ZTNA access rules, IdP Conditional Access policies and RBI configurations should be defined as code (e.g., using Terraform, HCL or JSON). This enables version control, peer review (via pull requests) and automated CI/CD pipelines, aligning with CISA’s cross-cutting controls for governance and automation.
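As an added illustration of the four points above (this is not code from the original article, nor any vendor's API), the following Python sketch evaluates default-deny allow rules over a who/what/where/when/why request context, checks that a token is bound to a single application and short-lived, and shows the one step a SOAR playbook would take on a high-severity EDR or UBA alert: revoke every active session of the affected user. The rule names, attribute keys, and the in-memory session registry that stands in for an IdP's session-revocation API are all assumptions.

```python
"""Policy-as-code evaluator for session-level access decisions.

Added illustration: default deny with explicit allow rules, audience-bound
short-lived tokens, and alert-driven session revocation. Rule names,
attribute keys and the in-memory registries are assumptions, not any
vendor's schema.
"""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Explicit allow rules as readable attribute predicates. A set value means
# "any of these". Anything no rule matches is denied (default deny).
ALLOW_RULES: List[dict] = [
    {"name": "finance-sap-compliant-fido2",
     "user_group": "Finance", "app": "SAP",
     "device_status": "Compliant", "auth_method": "FIDO2"},
    {"name": "staff-wiki-readonly",
     "app": "wiki", "device_status": "Compliant",
     "auth_method": {"FIDO2", "TOTP"}},
]

# Stand-ins for the IdP's session store and revocation API (assumption).
ACTIVE_SESSIONS: Dict[str, Set[str]] = {}   # subject -> session ids
REVOKED_SESSIONS: Set[str] = set()


@dataclass
class Token:
    subject: str
    session_id: str
    audience: str           # the single app this token is valid for
    issued_at: float
    ttl_seconds: int = 600  # short-lived by default

    def is_valid_for(self, app: str, now: float) -> bool:
        """Context-bound: right audience, unexpired, and not revoked."""
        if self.audience != app:
            return False
        if now > self.issued_at + self.ttl_seconds:
            return False
        return self.session_id not in REVOKED_SESSIONS


def issue_token(subject: str, audience: str, now: float, ttl: int = 600) -> Token:
    """Mint a token bound to one audience and register its session."""
    session_id = f"{subject}:{audience}:{int(now)}"
    ACTIVE_SESSIONS.setdefault(subject, set()).add(session_id)
    return Token(subject, session_id, audience, now, ttl)


def _matches(rule: dict, ctx: dict) -> bool:
    """Every non-name key in the rule must match the request context."""
    for key, wanted in rule.items():
        if key == "name":
            continue
        got = ctx.get(key)
        if isinstance(wanted, set):
            if got not in wanted:
                return False
        elif got != wanted:
            return False
    return True


def evaluate(ctx: dict, token: Token, now: Optional[float] = None) -> tuple:
    """Return ("ALLOW", rule_name) or ("DENY", reason). Token checks run
    first, so a wiki token never reaches the SAP rules at all."""
    now = time.time() if now is None else now
    if not token.is_valid_for(ctx["app"], now):
        return "DENY", "token not valid for this app (audience, expiry or revoked)"
    for rule in ALLOW_RULES:
        if _matches(rule, ctx):
            return "ALLOW", rule["name"]
    return "DENY", "no explicit allow rule matched (default deny)"


def handle_alert(alert: dict) -> List[str]:
    """SOAR playbook step: on a high-severity EDR or UBA alert, revoke every
    active session of the named user. Returns the revoked session ids."""
    if alert.get("severity") != "high":
        return []
    sessions = sorted(ACTIVE_SESSIONS.pop(alert["user"], set()))
    REVOKED_SESSIONS.update(sessions)
    return sessions


if __name__ == "__main__":
    now = time.time()
    tok = issue_token("alice", "SAP", now)
    ctx = {"user_group": "Finance", "app": "SAP",
           "device_status": "Compliant", "auth_method": "FIDO2"}
    print(evaluate(ctx, tok, now))
    print(handle_alert({"source": "UBA", "severity": "high",
                        "user": "alice", "rule": "impossible travel"}))
    print(evaluate(ctx, tok, now))
```

Because the rules are plain data, they can live in a versioned file and go through pull-request review exactly as the governance-as-code point describes; the evaluator itself never changes when a rule does.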
Configuration patterns (Latest, 2025)
- Chrome Enterprise: Use Chrome Browser Cloud Management to enforce a secure baseline on all corporate browsers. Enforce policies like BrowserSignin (to force login to a managed profile), PasswordManagerEnabled (set to false to mandate use of an enterprise password manager), SafeBrowsingProtectionLevel (set to Enhanced) and BuiltInDnsClientEnabled (to enforce secure DNS). Google’s Chrome Enterprise policies provide the full list of controls to manage extensions, data leakage and security settings.
- Intune/conditional access: Create a non-negotiable “baseline” policy: Require compliant device and Require phishing-resistant MFA for all users accessing all cloud apps. Then, create more granular policies. For example, block access entirely from high-risk countries or require a “Compliant + Hybrid Joined” device for access to legacy on-prem apps.
- FIDO2/WebAuthn passkeys: Deploy passkeys (platform-based like Windows Hello and hardware-bound like YubiKeys) as the primary authenticator. Start with privileged users (admins) and high-value targets (executives, finance) first, then roll out to the general population.
- Cloudflare RBI/ZTNA: Configure clientless ZTNA to secure third-party and BYOD access without requiring an agent. Use Service Auth policies (based on mTLS certificates or service tokens) to secure non-human (RPA bot) access to web applications. Configure a “default-isolate” policy that automatically sends all traffic to unclassified or high-risk domains through the RBI service.
- SCIM automation: Connect your IdP (Okta, Entra ID) to your source of truth (e.g., Workday) via a pre-built SCIM connector. Map HR attributes (e.g., Department, Role, EmploymentStatus) to IdP attributes. Use these attributes to drive dynamic group membership, which in turn drives all application access and ZTNA policies.
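To make the SCIM automation point concrete, here is an added Python example (not code from the article, Okta, Entra ID or Workday) that maps constructed HR records to IdP attributes, computes dynamic group membership from those attributes, derives application and ZTNA entitlements from the groups, and then diffs the desired state against a snapshot of what the IdP currently holds, the way a sync job would. The HR records are constructed, and the field names, group rules and entitlement table are assumptions rather than any vendor's schema.

```python
"""HR-driven provisioning: map HR attributes to IdP attributes, derive
dynamic groups from them, derive app/ZTNA entitlements from groups, and
reconcile the IdP's current group state against what HR says it should be.

Added illustration; the HR records are constructed and the field names,
group rules and entitlements are assumptions, not any vendor's schema.
"""
from typing import Callable, Dict, Set

# Constructed HR records, as a SCIM-style connector would deliver them.
HR_FEED = [
    {"employeeId": "1001", "department": "Finance", "jobTitle": "Analyst",
     "status": "Active", "country": "DE"},
    {"employeeId": "1002", "department": "Engineering", "jobTitle": "SRE",
     "status": "Active", "country": "US"},
    {"employeeId": "1003", "department": "Finance", "jobTitle": "Controller",
     "status": "Terminated", "country": "DE"},
]

# SCIM attribute mapping: HR field -> IdP attribute.
ATTRIBUTE_MAP = {"employeeId": "externalId", "department": "Department",
                 "jobTitle": "Role", "status": "EmploymentStatus",
                 "country": "Country"}

# Dynamic group rules: membership is computed, never hand-assigned.
GROUP_RULES: Dict[str, Callable[[dict], bool]] = {
    "Finance": lambda a: a["Department"] == "Finance",
    "Engineering": lambda a: a["Department"] == "Engineering",
    "Privileged": lambda a: a["Role"] in {"SRE", "Controller"},
}

# Group -> applications and ZTNA policies it unlocks.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "Finance": {"SAP"},
    "Engineering": {"GitLab", "ztna:prod-bastion"},
    "Privileged": {"admin-console"},
}


def to_idp_attributes(hr_record: dict) -> dict:
    """Translate one HR record into IdP attributes via ATTRIBUTE_MAP."""
    return {ATTRIBUTE_MAP[k]: v for k, v in hr_record.items() if k in ATTRIBUTE_MAP}


def dynamic_groups(attrs: dict) -> Set[str]:
    """Groups an identity belongs to. Anyone not Active belongs to none,
    so a termination in HR removes every entitlement on the next sync."""
    if attrs.get("EmploymentStatus") != "Active":
        return set()
    return {g for g, rule in GROUP_RULES.items() if rule(attrs)}


def entitlements(groups: Set[str]) -> Set[str]:
    """Union of everything the groups unlock."""
    apps: Set[str] = set()
    for g in groups:
        apps |= ENTITLEMENTS.get(g, set())
    return apps


def desired_state(hr_feed) -> Dict[str, Set[str]]:
    """externalId -> groups, as HR says it should be."""
    return {r["employeeId"]: dynamic_groups(to_idp_attributes(r)) for r in hr_feed}


def reconcile(desired: Dict[str, Set[str]], current: Dict[str, Set[str]]):
    """Diff desired vs current group membership into add/remove actions,
    the way a SCIM sync job would push changes to the IdP."""
    adds: Dict[str, Set[str]] = {}
    removes: Dict[str, Set[str]] = {}
    for ext_id in set(desired) | set(current):
        want = desired.get(ext_id, set())
        have = current.get(ext_id, set())
        if want - have:
            adds[ext_id] = want - have
        if have - want:
            removes[ext_id] = have - want
    return adds, removes


if __name__ == "__main__":
    # Constructed snapshot of what the IdP currently holds.
    current = {"1001": {"Finance"}, "1002": {"Engineering"},
               "1003": {"Finance", "Privileged"}}
    adds, removes = reconcile(desired_state(HR_FEED), current)
    print("add:", adds)
    print("remove:", removes)
    for ext_id, groups in desired_state(HR_FEED).items():
        print(ext_id, sorted(groups), sorted(entitlements(groups)))
```

The point of the reconcile step is that nobody edits group membership by hand: the terminated controller loses Finance and Privileged on the next sync purely because the HR status changed, and the SRE gains Privileged purely because the role rule says so.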
The browser is now both sword and shield
Browser security is the linchpin for zero trust and organizational resilience. By converging validated identity, rigorous device posture, adaptive access policies, automated provisioning and session isolation, we not only defend against the sophisticated threats of 2025 but also set a foundation for scalable, measurable governance.
In moving from static perimeters to live, session-level policy enforcement, every click and credential is scrutinized, every privilege is time-boxed, and every access is revocable by context and behavior, not by convenience or legacy. Teams must treat the browser not as an exposed window, but as the policy stronghold of the modern enterprise.
Building toward this architecture is a journey: Begin with SSO and robust MFA, enforce device compliance, automate provisioning and integrate RBI where risk justifies isolation. Codify policy, automate telemetry and develop governance as code. Refuse the ‘trusted network’ myth. Zero trust is here, and the browser is now both sword and shield.
