Before the widespread adoption of remote work and the ubiquity of SaaS applications, nobody thought much about how web browsers could enhance enterprise security. However, as browsers became a common way for employees and contractors to access an organization’s internal resources, hackers took note.
Cyber attackers have various means at their disposal to exploit browsers and find their way inside corporate walls. They can use browsers as entry points to redirect users to fake websites where they can acquire their credentials, install malware, and steal sensitive data. Hackers might create malicious browser extensions or plugins containing malware and trick users into installing them. Additionally, they can gain access to users’ devices through web browsers to steal valuable information.
These developments have given rise to an emerging field – web browser security. At its core, web browser security includes all procedures and policies needed to protect users who access online corporate resources from a web browser application.
“Traditionally, we didn’t even know the web browser was a thing we could touch or change, so we didn’t look to it for security,” said Bob Schuetter, CISO for Ashland, a specialty ingredient company. Ashland has about 4,000 employees and an additional 2,000 contractors spread throughout about 40 countries.
As Ashland increasingly adopted SaaS applications across various functions, such as CRM, HR, and manufacturing, it became evident that the company needed a better way to detect and block web-based threats and risks. The traditional method – requiring users to install a client or application, connect to virtual desktop instances, and access sessions and applications either on-premises or in a private cloud – proved unwieldy. It not only led to a subpar user experience but also presented architectural challenges in maintaining high levels of security. It was at this point that Ashland began seriously considering a browser-native security approach.
The Benefits of Web Browser Security
Ashland and similar companies have a lot to think about when addressing web browser security. However, while there are different types of web browser security products (more on this later), they are all made of three core components, according to Rik Turner, senior principal analyst for cybersecurity at Omdia:
- Sensor: A sensor monitors all web session events and user activities.
- Risk Engine: A risk engine analyzes each event to identify potential risks it introduces.
- Policy Enforcement Mechanism: This component serves to block malicious activity and ensure that any risks to the device, data, or applications are mitigated.
Schuetter emphasized that one crucial requirement in any web browser security product is the ability to detect risks at a granular level. “It’s not just [to tell us] that this person went to a bad website we knew about,” Schuetter explained. “It tells us much more: the system the user went to, the credentials they used, and the type of data they accessed. So, we don’t have to contact the user and try to figure out what they did. We can see all of that through an alert we get, and that alert has the context of what happened in the browser within that session.”
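To make the three-component model concrete, here is an added illustration (not code from any vendor named in this article) of a toy sensor, risk engine and policy enforcement pipeline run over constructed browser session events. The host lists, rule weights, thresholds and event fields are all assumptions; the point is that each decision carries the session context Schuetter describes (user, system, credential use, data type) rather than just a verdict.

```javascript
// Added example, not code from any product in the article. A minimal
// sensor -> risk engine -> policy enforcement pipeline over constructed events.
// Every host name, weight and threshold below is an assumption for illustration.

// Constructed stand-ins for a real risk engine's feeds.
const SANCTIONED_SAAS = new Set(["hr.example", "crm.example"]);
const BLOCKLISTED_HOSTS = new Set(["hr-login-verify.example"]);

// Assumed policy thresholds: score >= BLOCK blocks, score >= ALERT alerts.
const POLICY = { BLOCK: 60, ALERT: 30 };

// Risk engine: score one event and record which rule fired and why.
function assessEvent(ev) {
  const host = new URL(ev.url).hostname;
  const reasons = [];
  let score = 0;

  if (BLOCKLISTED_HOSTS.has(host)) {
    score += 80;
    reasons.push("blocklisted host");
  }
  if (ev.type === "credential_submit" && !SANCTIONED_SAAS.has(host)) {
    score += 50;
    reasons.push("corporate credentials submitted to unsanctioned host");
  }
  if (ev.type === "download" && /\.(exe|msi|js|vbs)$/i.test(ev.filename || "")) {
    score += 40;
    reasons.push("executable download");
  }
  if (SANCTIONED_SAAS.has(host) && ev.browser !== "managed") {
    score += 60;
    reasons.push("sanctioned SaaS reached from an unmanaged browser");
  }
  return { host, score, reasons };
}

// Policy enforcement: map the score to allow/alert/block and keep the
// session context an analyst needs (who, which system, what data).
function enforce(ev) {
  const { host, score, reasons } = assessEvent(ev);
  const action = score >= POLICY.BLOCK ? "block" : score >= POLICY.ALERT ? "alert" : "allow";
  return {
    action,
    score,
    reasons,
    context: {
      user: ev.user,
      session: ev.session,
      host,
      type: ev.type,
      dataClass: ev.dataClass ?? "none",
    },
  };
}

// Sensor output: constructed sample events from two sessions.
const SAMPLE_EVENTS = [
  { session: "s1", user: "alice", browser: "managed", type: "navigation", url: "https://hr.example/home" },
  { session: "s1", user: "alice", browser: "managed", type: "credential_submit", url: "https://hr-login-verify.example/sso", dataClass: "credentials" },
  { session: "s1", user: "alice", browser: "managed", type: "download", url: "https://files.example/report.exe", filename: "report.exe" },
  { session: "s2", user: "bob", browser: "unmanaged", type: "navigation", url: "https://crm.example/accounts", dataClass: "customer-pii" },
];

// Run every event through the engine and enforcement step.
function processSession(events) {
  return events.map(enforce);
}

// Count decisions by action, the kind of figure a dashboard would show.
function summarize(results) {
  const counts = { allow: 0, alert: 0, block: 0 };
  for (const r of results) counts[r.action] += 1;
  return counts;
}

const results = processSession(SAMPLE_EVENTS);
console.log(summarize(results));
for (const r of results) console.log(r.action, r.score, r.context, r.reasons);
```

The credential submission to the look-alike host fires two rules at once and is blocked with the user, session and host attached; the executable download only reaches the alert threshold, so an analyst sees it without the user being interrupted. A real product would replace the static sets with threat feeds and identity data, but the shape of the pipeline is the same.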
In addition, web browser security can improve resilience, implement principles of secure access management, enforce security protocols for supply chain partners, and provide detailed visibility. Also, since web browser security products enforce security right at the “door to the internet,” they are device-agnostic, making technologies like mobile device management (MDM) less crucial.
On top of these benefits, the implementation of web browser security can significantly improve user experience, resulting in increased productivity. That’s because all security checks are done right at the initial access point.
Three Paths to Web Browser Security
There currently exist three primary categories of web browser security products: local browser isolation platforms, browser-agnostic platforms that rely on extensions, and enterprise browsers.
Local browser isolation
Local browser isolation platforms work by segregating users’ browsing activities within virtual environments or managing a browser’s performance in real time. Although this method is effective at preventing browser exploits, it frequently leads to a poor user experience, making it the least favored option for many organizations.
“I would personally avoid local browser isolation because the experience tends to be slow and you get higher latency with it, which can frustrate users,” said Jonathan Jaffe, CISO of insurance company Lemonade.
Jaffe recalled a recent conversation with a CISO who had opted for the local browser isolation approach because he wasn’t aware of enterprise browsers. He initially believed local browser isolation would provide strong security but soon discovered the drawbacks in terms of productivity and user experience.
The next level up is a browser-agnostic platform. This approach adds extensions to existing web browsers to secure browsing activities and provides features like SaaS visibility and authentication. A browser-agnostic platform offers a smooth transition for users, who don’t need to switch browsers, and it’s fairly quick for the IT department to deploy, Turner said. However, it has limitations in terms of device visibility and the ability to process files on devices.
Despite these limitations, the browser-agnostic approach has gained popularity. For example, the Seraphic browser claims to protect all browsers, even hidden ones, by enforcing corporate policies for cloud-based applications that users access through their browsers.
And then there are enterprise browsers – specialized browsers that are fully controlled and managed by the organization. Employees are required to use enterprise browsers for all work-related browsing tasks.
In many respects, enterprise browsers share similarities with browser-agnostic platforms, offering comparable threat prevention, SaaS visibility, authentication, and application mapping features. Proponents of this approach appreciate its comprehensiveness and the thorough visibility it provides into the host device. On the flip side, users can face a learning curve, resulting in a longer onboarding process.
Still, many believe enterprise browsers are the ideal solution. For example, Jaffe said that while he initially began with the extension approach, his ultimate goal was always to transition to the enterprise browser approach. It’s one of the reasons why he selected Talon, as it offers both an extension version and an enterprise browser version.
“We’re not applying tight security policies initially, so people don’t even know it’s there,” Jaffe noted. “We’re not hiding it from them, but we don’t want them to run into any blockades, because users have only so much appetite for change.” However, Lemonade will eventually switch fully to Talon’s enterprise web browser because it has more security features and allows for deeper policies, he added.
Schuetter also prefers the enterprise browser approach. Ashland has adopted Island.io’s product, which now powers the company’s web browser and serves as the gateway to access SaaS applications that run the business. For instance, if an HR employee needs to access Workday, Island.io directs them to do so through the enterprise browser, which contains specific controls. Additionally, it will restrict the employee from accessing Workday through other browsers like Chrome. The same is true for third-party contractors working for Ashland or companies that Ashland acquires.
At the same time, the product is flexible enough to allow employees, for example during their lunch break, to freely browse the web or use social media without any intervention or supervision from Ashland.
The Future of Web Browser Security
With companies increasingly adopting secure web browsers, Jaffe hopes that the underlying device becomes less relevant in the overall security equation.
“Within the next few years, I think your license with an anti-malware or MDM provider might look different,” Jaffe said. “It might be reduced in cost or scope because the browser has rendered the OS almost irrelevant.”
While the future remains somewhat uncertain, many agree with Jaffe that enterprise browsers will become the norm within a few years.
“It’s efficacious because you can apply controls at one door and pat people down as they come into your club, and, as they leave, you can check to make sure they haven’t stolen bottles of whiskey,” Jaffe said.
About the author: Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek and Government Executive.