Solving Encrypted Traffic Challenges with Prisma Access Browser

Apr 17, 2025

Encryption is a fundamental aspect of securing internet traffic and protecting data, so much so that today, 95% of all traffic is encrypted, according to Google. And yet, ironically, encrypted traffic is also a major source of risk for today’s enterprises. Recent research found that over 93% of malware is stealthily delivered through encrypted traffic.

To secure encrypted traffic, security teams must set up decryption policies and controls that comply with end-user privacy rules and application requirements, a heavy and complex task. Palo Alto Networks addresses this challenge through advanced decryption capabilities in our Next-Generation Firewall (NGFW) and SASE solutions, providing industry-leading visibility, threat detection, and DLP across decrypted channels. However, given that some types of traffic remain undecrypted, Prisma Access Browser complements these network capabilities, ensuring security, even for traffic that cannot be decrypted, while preserving performance and user experience.

Undecrypted traffic, or traffic from apps and protocols that don’t allow decryption, is very common with emerging protocols, such as the Google Quick UDP Internet Connections (QUIC) protocol or the Cloudflare Encrypted Client Hello (ECH) protocol. In fact, a recent survey showed that 64% of traffic remains encrypted, which exacerbates the security challenge further. Moreover, while it is possible to decrypt Microsoft 365, the service-level agreement (SLA) indicates that the decryption of Microsoft 365 will impact any SLA commitments to its customers.

The QUIC protocol is faster and more efficient than traditional TCP, and it is used by a growing list of websites to deliver better performance, including YouTube streaming. Complying with the Microsoft 365 SLA is mandatory, as Microsoft 365 is one of organizations' most used productivity apps.

This leaves security teams having to choose, as always, between security and app performance for a better and more productive user experience: either skip inspection of QUIC traffic and Microsoft 365 to maintain performance, or block QUIC traffic (and degrade to traditional protocols) and decrypt Microsoft 365 to analyze traffic for potential threats like malware or sensitive data leakage.

Adhering to regulatory and compliance requirements, including stringent data protection standards like GDPR and PCI DSS, adds yet another layer of complexity to the encrypted traffic security challenge for many organizations.

Securing All Traffic from SaaS and Web Apps Requires a Different Approach

The sheer volume of encrypted traffic means traditional methods often fail to provide the necessary visibility and control across all SaaS and web applications. Many organizations would confidently expand their SaaS landscapes further if they knew their security could scale to meet that demand. Prisma Access Browser, in conjunction with Palo Alto Networks’ SASE and NGFW solutions, closes these gaps by providing a seamless, integrated layer of browser-based security for all encrypted and undecryptable traffic. Together, they form a robust Zero Trust approach, securing sensitive data across the full range of application traffic while maintaining security compliance and optimizing performance.

According to a Palo Alto Networks analysis, large organizations use approximately 10,000 SaaS apps. Encrypted data from SaaS apps can overwhelm traditional monitoring tools like SSL/TLS decryption devices or proxy servers, which often aren’t equipped to handle the decryption and analysis required to inspect this traffic thoroughly. This creates bottlenecks and latency issues, slowing down network traffic and negatively impacting the user experience and overall network performance. Plus, keep in mind that traditional security solutions can’t secure and monitor undecryptable traffic.

Of course, it would be ideal if security teams did not need to focus their time and energy on decrypting anything. Organizations could securely access all the SaaS and web apps they need to be productive, using any device—including unmanaged ones. Visibility and control would be assured. Administrators could easily add whatever security controls they need, including unified policies. And there would be no worries about compliance.

That ideal solution isn’t a wish. It’s Prisma Access Browser from Palo Alto Networks.

More Visibility, Threat Protection, and a Seamless User Experience

Today’s browser is the primary hub of productivity, with workers spending almost all day in this virtual workspace. But browsers are vulnerable—in fact, 95% of organizations reported a security incident originating in the browser. So, adding an additional layer of security to the browser to protect sensitive data on critical applications on any device is a logical strategy.

Prisma Access Browser can see all web and SaaS app interactions, such as WhatsApp Web and Microsoft 365, without requiring decryption, so your security teams can easily log and control all events for data protection, threat protection, and hunting and forensics. For example, with Microsoft 365, it can maintain SLA commitments and deliver security policies, helping to ensure that enterprise data remains protected while maintaining optimal application performance.

Prisma Access Browser is the first Secure Access Service Edge (SASE)-native secure browser, and it can extend SASE to any device in minutes. Your users can enjoy consistent, frictionless zero trust access to SaaS and private apps on both managed and unmanaged devices, wherever they work.

With the browser’s unique capabilities, your enterprise gains multidirectional protection that helps you:

  • Protect against web threats by reducing the attack surface and defending against web threats and malicious extensions
  • Protect against compromised endpoints by isolating your environment against keyloggers, screen scrapers, and other threats
  • Collect web insights for threat hunting and forensics through activity auditing, session recording, and user timelines

Prisma Access Browser lets you extend context-based zero trust policies across all app user actions, including unauthorized logins, printing, screenshotting and sharing. You can apply last-mile data, identity and privileged access controls on all apps. Additionally, you can use multifactor authentication (MFA) and just-in-time (JIT) access on all controls.

Through its integration with Palo Alto Networks Enterprise DLP, Prisma Access Browser helps guard against sensitive data exposure, loss, and exfiltration. Our Enterprise DLP engines use LLMs to sort and classify documents (e.g., financial, healthcare) based on over 1,000 built-in data classifiers and 22 predefined regulations and compliance profiles, including HIPAA, GDPR, PCI, and more.

Get to Know the Secure Browser That’s Like No Other

Prisma Access Browser’s policy engine stands apart from other enterprise browsers on the market that tout similar capabilities. Our customers tell us that creating policies and scaling them across the organization is much faster with Prisma Access Browser compared with other solutions they’ve tried. Plus, all rules and policies are fully customizable and can be easily tailored to specific use cases and corporate needs.

Powered by Palo Alto Networks Precision AI®, Prisma Access Browser is natively integrated with Advanced WildFire®, one of the strongest file-scanning engines in the industry, which identifies 8.9M new and unique attacks every day. Our AI-powered URL Filtering blocks up to 347K malicious URLs per year.

Schedule a demo today to see for yourself how Prisma Access Browser can help your organization Browse Bravely by enabling your organization to overcome encrypted traffic security challenges, gain unmatched visibility into undecryptable traffic, achieve last-mile DLP, and enable safe generative AI usage.

 

