Browser isolation protects the user (and by extension, your organization) by keeping their web browsing session isolated from the rest of the endpoint, ensuring malicious content is isolated and contained. We’ll explain the two types of browser isolation technologies, and why we recommend adding remote browser isolation (RBI) to your layered security approach.
While email is still the most popular attack vector for cyber attackers, the web browser can be just as dangerous. Malicious links can easily redirect unsuspecting users to unknown websites and download malware without a user’s knowledge.
Browser isolation, sometimes referred to as web isolation, is a technology that can protect the user from these types of attacks by keeping the web browsing session isolated from the rest of the endpoint. While browser isolation can be deployed with different methods, ultimately the end goal is to protect the local endpoint from malicious content, such as malware, ransomware, zero-day threats, drive-by downloads, and credential theft. Should something malicious happen to execute on the browser, browser isolation ensures that the threat is contained in the isolated environment and not passed to the endpoint.
In general, browser isolation falls into two categories: client-side isolation and server-side isolation, the latter also called remote browser isolation (RBI).
Client-side browser isolation works directly on the user’s machine, usually with a type of virtual machine or container technology. For instance, Microsoft has a client-side solution called Application Guard, which uses the native Hyper-V hypervisor. This platform runs the Microsoft Edge browser in a virtualized container, which helps prevent web-based exploits from reaching the actual endpoint. Once the browser is closed, everything in the container is destroyed.
Remote browser isolation (RBI) solutions are server-based and can be delivered to the user as either a SaaS or an on-premises solution. The isolated browser session runs on the remote platform in an isolated container and the session is streamed and rendered back to the client.
The two primary technologies used in RBI solutions are pixel pushing and DOM reconstruction:
Pixel pushing: the page is rendered on the remote server and streamed to the user's browser as pixels, commonly over an HTML5 canvas.
DOM reconstruction: the page's HTML, CSS and scripts are inspected, cleaned and repacked on the server before being forwarded to the endpoint.
No single solution is 100% effective in securing endpoints, so a multi-layered approach is necessary, and RBI helps in this aspect. For example, most next-generation firewalls (NGFW) assign each website URL or IP address a reputation rating or category; anything that has not been rated lands in the "unrated" category. Legitimate websites sometimes fall into this category too, which may lead to numerous requests to unblock or recategorize those websites. This can be a nuisance to administrators, who might allow the entire unrated category in their NGFW or secure web gateway (SWG) in frustration. However, this can be dangerous, as malicious sites can also fall into the unrated category. RBI is a wonderful solution to this problem, since administrators can flexibly isolate sessions that fall into the unrated category while still protecting users from anything malicious.
Most browser isolation solutions are easy to deploy with a little planning. Depending on the type of solution you choose, you can integrate these solutions with your existing NGFW, SWG, in-browser via a plug-in, or via other zero-trust network access (ZTNA) type solutions.
If your organization is considering adding RBI to your security arsenal, here are some features we recommend you look for:
Browsers are essential, but because they were designed before security, privacy and regulatory compliance were critical factors, they are an easy target for cybercriminals looking to breach network defenses.
How remote browser isolation works
Remote browser isolation differs from local browser isolation, which uses sandboxing at either the app or OS level to separate the browser from a device. Local browser isolation is both resource- and administration-intensive, and it requires specific hardware and software components.
Remote browser isolation, by contrast, is primarily delivered as a service by a third-party provider, although some enterprises run it on a separate server attached to the corporate network. When users request a webpage — whether via desktop or mobile browser — the service creates an isolated browser session in a disposable containerized instance. The page is presented on users’ browsers as a rendering, commonly as pixels over an HTML5 canvas.
Keyboard and mouse inputs are transmitted to the isolation service via an encrypted channel, and any resulting updates to the remote browser webpage are sent back to the endpoint device in the same way. Because no active content is downloaded, any hidden malware or viruses in the page are unable to reach the endpoint.
This approach completely isolates users’ browsing activities from enterprise endpoints and networks, thereby providing protection from both known and unknown threats. Any threat risk is moved to the remote server sessions, which can be reset to a known-good state on every new browsing session, tab or page request. Remote browser isolation benefits the user’s overall experience. It enables users to access websites without worrying about downloading malicious webpages even if their browsers are outdated, vulnerable or have insecure plugins installed.
The main disadvantage of remote browser isolation is cost. Pixel pushing is resource-intensive and therefore expensive, and many services are built on centralized foundations that don't scale as well as distributed architectures. Remote browser isolation also requires large amounts of bandwidth to avoid latency issues. Document Object Model (DOM) reconstruction is an alternative to pixel pushing. With DOM reconstruction, a page's HTML, CSS and scripts are inspected, cleaned and repacked before being forwarded. However, malicious code can still reach the endpoint if the threat is not detected, and a page's layout or functionality can be broken by the cleaning.
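To make the DOM reconstruction stage concrete, here is an added example (not code from the original article or from any vendor's product) of the server-side rebuild: it re-emits only an allowlist of tags and attributes, drops scripts, inline event handlers and non-http(s) URLs, and rewrites surviving links to go through a placeholder isolation gateway (`isolation.example`, an assumption). The `dropped` list is the audit trail a defender would log, and the unknown `<blink>` tag in the constructed sample shows the layout-breaking side effect the text warns about.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urljoin, urlparse

GATEWAY = "https://isolation.example/fetch?u="   # placeholder isolation gateway (assumption)
ALLOWED_TAGS = {"html", "head", "body", "title", "p", "div", "span", "a", "img", "h1", "strong", "em", "br"}
ALLOWED_ATTRS = {"id", "class", "alt", "title", "href", "src"}
DROP_SUBTREE = {"script", "style", "iframe", "object", "embed", "noscript", "form"}

class DomRebuilder(HTMLParser):   # re-emits allowlisted markup only; active content stays server-side
    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url, self.out, self.dropped, self._skip = page_url, [], [], None
    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS:    # event handlers, unknown attrs
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in ("href", "src"):
                absolute = urljoin(self.page_url, value or "")
                if urlparse(absolute).scheme not in ("http", "https"):  # javascript:, data:, ...
                    self.dropped.append(f"{tag}@{name}={value}")
                    continue
                value = GATEWAY + quote(absolute, safe="")   # endpoint never contacts the origin
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        return "".join(kept)
    def handle_starttag(self, tag, attrs):
        if not self._skip and tag in DROP_SUBTREE:       # skip everything up to its end tag
            self.dropped.append(tag)
            self._skip = tag
        elif not self._skip and tag in ALLOWED_TAGS:     # unknown tags vanish, text stays: layout may break
            self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")
    def handle_endtag(self, tag):
        if tag == self._skip:
            self._skip = None
        elif not self._skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))

def rebuild(html, page_url="https://vendor.example/inv"):
    p = DomRebuilder(page_url)
    p.feed(html)
    return "".join(p.out), p.dropped              # (cleaned page, audit list of what was stripped)
SAMPLE = (  # constructed sample page, not a real site: benign markup mixed with active content
    '<html><head><title>Invoice</title><script>fetch("/steal")</script></head><body onload="run()">'
    '<h1 class="t">Hello</h1><p>Total: <strong>$10</strong></p><a href="javascript:alert(1)">click</a><a href="/pay">pay</a>'
    '<img src="data:text/html,x"><iframe src="https://evil.example/x"><p>hidden</p></iframe><blink>old</blink></body></html>')
```

Running `rebuild(SAMPLE)` returns the cleaned page plus the audit list; note that a threat hidden in markup the allowlist accepts would still pass through, which is the detection gap the text describes.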
Adopting remote browser isolation can benefit an organization's overall enterprise cybersecurity strategy, as it lets users access the internet while mitigating some of the inherent risks. As a zero-trust technology, it is an obvious choice in some situations. It takes less time to manage than traditional allowlists and blocklists, especially for those products that don't require agents to be installed on users' devices. Costs, meanwhile, can be addressed by, for example, deploying remote browser isolation only to high-risk users and C-level employees.
Before deciding on a service, companies should thoroughly research potential remote isolation vendors and determine how their services are implemented, what their scalability is, and whether they support specific plugins and remote viewers for certain file types.
Sources: techtarget.com, silversky.com