Your firewall, antivirus, and log management tools are no longer enough to keep you safe. As of 2018, 85% of all companies allowed users to bring in their own devices for work. That means that they’re potentially doing work on devices with security solutions that you haven’t personally verified. In addition, seven out of ten employees work remotely at least once a week. In other words, they’re working in places that aren’t protected by your firewall – or any firewall at all, for that matter.
When your employees work remotely using devices that they choose themselves, they may be more productive – but they’re certainly more vulnerable to attackers. Without firewalls or enterprise-grade antivirus, the simple act of browsing the internet is akin to Russian Roulette. Phishing attempts — which commonly lead users to fake URLs in order to drop malware into their browser — have risen 250% in 2019. Whether your employees click on a phishing email or fall victim to a drive-by download, the result is the same, with infected SMBs risking a 60% chance of bankruptcy in the six months following a breach.
In this kind of environment, it’s obvious that users need better protection for their browsers. This protection needs to be seamless and universal – the kind of thing that users won’t notice, while still providing complete protection for the endpoint.
Many systems like this have been tried, but which one is the best?
The Pros and Cons of Virtual Browsers
A virtual browser is a browser that runs in a virtual machine. Most virtual browser solutions host the virtual machine locally, on users’ devices. Theoretically, nothing that users download into the virtual machine should be able to escape and infect their endpoint as a whole.
In practice, however, virtual machines are far from foolproof. These machines often have vulnerabilities that malware can exploit. In May 2019, security researchers unveiled a whole new category of vulnerabilities known as Microarchitectural Data Sampling that could allow for virtual machine escape.
Although each of these vulnerabilities comes with a patch, adopting a virtual browser takes a great deal of effort. For example, you must apply every patch that comes out and adopt a computationally expensive infrastructure. Plus, there's the budget expense of purchasing extra software licenses. Most importantly, there's no end to potential vulnerabilities. For each one that is patched, there are many more vulnerabilities just waiting to be found and exploited by malicious actors.
Beyond vulnerabilities, virtual machines are overhead hogs. Because each runs its own operating system, they use lots of RAM and CPU cycles and are likely to slow down endpoint devices, making the experience anything but seamless.
How is Isolated Browsing Different from a Virtual Machine?
Isolated browsing takes the virtual browser concept an important step further. Instead of placing the browser in a VM, isolated browsing places the browser inside a container. While a container isn't necessarily more secure than a VM (and in fact, might be a bit less), containers are much easier to spin up, manage, and destroy. As a result, it's possible to create a new container and browser every time users begin a session and destroy the container, along with the data inside it, every time the session ends. And because containers are less resource-intensive than virtual machines, they generally have less of an impact on the user experience.
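The per-session lifecycle described above, sketched for a local Docker host as an added example (not from the original article or any vendor's product). The image name, the `/home/browser` profile path and streaming port 8443 are assumptions; the flags are standard `docker run` options.

```shell
#!/bin/sh
# Added example: one disposable, locked-down browser container per session.
# IMAGE is a placeholder; use an image you build and trust, and which can
# run its browser as an unprivileged user.
IMAGE="${IMAGE:-example.invalid/isolated-browser:latest}"

# Fresh 16-hex-character session id from the kernel CSPRNG.
new_session_id() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# Print the docker arguments for one session, one argument per line.
session_args() {
    sid="$1"
    cat <<EOF
run
--rm
--name=browser-$sid
--read-only
--tmpfs=/tmp:rw,noexec,nosuid,size=256m
--tmpfs=/home/browser:rw,nosuid,size=512m
--cap-drop=ALL
--security-opt=no-new-privileges
--pids-limit=256
--memory=1g
--user=1000:1000
--publish=127.0.0.1::8443
$IMAGE
EOF
}
# --rm        : container and its writable layer are deleted when the session ends
# --read-only : root filesystem is immutable; downloads and the profile live
#               only in tmpfs (RAM) and vanish with the container
# --cap-drop / no-new-privileges / limits : shrink what escaped code could do
# --publish   : assumed streaming port, bound to loopback on a random host port

start_session() {
    sid="$(new_session_id)"
    # Arguments contain no spaces or glob characters, so splitting is safe.
    # shellcheck disable=SC2046
    set -- $(session_args "$sid")
    docker "$@"
}

# Only launch a container when asked to: ./session.sh start
if [ "${1:-}" = "start" ]; then start_session; fi
```

The container still shares the host kernel, so run locally this narrows exposure without removing it.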
Is All Isolated Browsing the Same?
The market for browser isolation solutions is burgeoning. Gartner labeled it as one of the top 10 security technologies of 2017 and continues to project rapid growth, a prediction confirmed by the dozens of entrants now crowding into the browser isolation space. Each one uses a slightly different model. Some models are confined to customer endpoints, on-premises servers, or private clouds. Others are public cloud-only. Many, perhaps most, require users to use a proprietary secure browser.
This requirement isn’t intrinsic to the concept of isolated browsing, but it is certainly annoying. People don’t want to use a proprietary browser to access the internet. They want to use Chrome, Firefox, Opera, or Internet Explorer – the icons on the screen that they’re used to. Faced with a choice between using a dedicated isolated browser and a browser that they’re familiar with, users will revolt.
In addition, let’s revisit an earlier point — it’s possible for malware to escape containers in the same way that it can escape VMs. In fact, perhaps even more easily. If the isolated browsing model places the container inside your network or on an endpoint, it’s still not totally secure.
Remote Browser Isolation
Remote browser isolation (RBI) is different from both local isolated browsing and virtual browsers. By isolating browsing in a remote location in the cloud, it protects endpoints from the dangers of leakage and potential malware escape.
While it’s possible to host virtual machines in the cloud or the DMZ, there’s a big drawback: It requires RDS/VDI infrastructure, which is expensive to license and difficult to use.
Instead of using VMs, remote isolated browsing uses lightweight containers. Each time users open their browser, a container is provisioned in the cloud with a virtual browser within it. With the best of these solutions, content is rendered within the container and streamed to users in near-real-time as they browse, with no impact on the user experience. Users can interact naturally with their browser of choice, but no code ever makes it from the browser to the endpoint. Once users finish their session, the container is destroyed along with all malware (and any additional unwanted code) inside it.
The best of these solutions include sanitization for file downloads, which runs attachments through an intensive security stack that disassembles the file, inspects it, and refactors it to neutralize any malware contained inside it. They also enable administrators to define role-based rules and policies.
For SaaS RBI solutions, all patching and updating are handled by the company that owns the platform. From the perspective of both users and administrators, RBI “just works.” Users may not even realize that it is there.
Isolated browsing has clear advantages over virtual browsers, but not every isolated browsing product is created equal. Administrators should shop around carefully to find a solution that combines low overhead and ease of use. This combination will help users enjoy security that’s so seamless that they won’t even notice that they’re exceptionally safe.
Ilan Paretsky is Chief Marketing Officer at Ericom Software