The Promise of Browser Isolation: A Panacea with a UX Problem?
“Some vendors are doing another copy of the Web site and de-fanging it, it just takes so much time…”
In 2018 Gartner released a report saying that trying to stop each cyber attack as they come will become impossible, amid the sheer volume and variety of attacks. Its analysts suggested that browser isolation could be the key to eradicating this problem completely.
Two years on and most businesses still seem to deal with each threat as it comes, using detection-based techniques. If browser isolation really is the ultimate answer, why isn’t it widespread?
What is Browser Isolation?
Essentially, remote browser isolation separates browser activity from local hardware, creating a healthy gap between a user’s machines/networks and where web code executes.
(This can be done numerous ways. There are two main ones: isolating a browser locally at either OS or application level or doing so remotely in the cloud, with browser workloads spun up as containerised instances).
Using browser isolation, for example, an end user could click a phishing link/malware-laced email and there would not be consequences. With the vast majority of attacks happening via browsers and staff infinitely hard to train out of bad habits/unable to detect phishing attacks, it seems like a no-brainer.
On paper this works perfectly. However, in practice there are three recurring problems, experts say.
Firstly, the price of browser isolation can be astronomical, especially for a larger company. Secondly, the speed at which browser isolation can work can be mind-numbing for anyone used to fast-paced browsing. Finally, scalability remains an issue: with hundreds of thousands of employees using ten or so tabs in each browsing session, this can escalate to close to a million tabs being spun up in VMs: an expensive, compute-hogging scenario.
Browser Isolation is too expensive for the bulk of the market
Rick Deacon, the CEO of browser defense platform creator Apozy, outlined to Computer Business Review the reasons why in his view browser isolation continues to remain a good idea — but not a practical one.
“I’ve heard price points that are $5 to $10 per user per month. Multiply this by one 100,000 people, if you’re a massive organisation, and it’s a lot of money.
“I don’t think some of our customers could afford browser isolation if they wanted to do it… The immediate price is often just a quick ‘no’ on the checkbox for companies of the size that we sell to. There’s no way they can afford it from a manpower perspective. They can’t afford it from a dollar perspective either”.
This is particularly true for SMEs. This is a major challenge for the future of browser isolation, as SMEs will be making up the bulk of the market, at least according to the CEO of browser isolation company WEBGAP, Guise Bule:
“The key to unlocking mass adoption is in lowering the cost. The real wealth in our space lies in small and medium sized enterprises, anything from five users to 1000 – 2000 users. However, the action in our space right now is in the enterprise space. Very large companies that know the absolute need to isolate”.
Yet much persuading needs to be done…
Browser isolated browsing can be drive-you-to-drink slow
Deacon from Apozy zeroed in on some of the reasons for this:
“[Browser isolation] is not going to ruin the experience to the point where people can’t work, but it’s more focused on a demographic of people who are used to not having lightning fast speed. If you go towards companies like Google, PayPal or Facebook, you have to have lighting fast MacBooks using the latest browsers.
“There’s lots of security controls but they’re focused around user experience with a combination of security settings”.
Rick Holland, CISO and VP of Strategy at cyber security company Digital Shadows was also passionate about this issue:
“Security should just happen in the background. I shouldn’t have a slow experience. I shouldn’t wait while something is checked in an offsite server someplace before it loads. Some vendors are doing another copy of the Web site and de-fanging it, it just takes so much time”.
Finally, Browser Isolation is Difficult to Scale Up
CTO at Menlo Security Kowsik Guruswamy added: “If you do the basic math, let’s say there’s a hundred thousand people that are using browser isolation, using a service like Menlo, each one of them has 10 tabs open. That’s a million tabs that are open out there in the cloud that somebody has to manage and orchestrate and make sense of”.
Native Browser Isolation
This is where the latest re-imagining of browser isolation comes in, a version that seems closer to a model that fits with what most users expect: Native browser isolation. Rick Deacon from Apozy explains further:
“The idea is that instead of isolating things in a virtualisation container, we isolate them using a built-in browser technology and we just focus on pages prior to download and the pages themselves. This means that native browser isolation stops phishing attacks. The other types of isolation can’t touch phishing attacks because they’re more focused on isolating bad downloads and sites that are running scripts.
“If there’s someone trying to steal your credentials, native browser isolation will isolate that threat from the user. We take a sandbox approach and create a sandbox in the browser that prevents people from typing in their password or downloading a file. These sandboxes that we create, these safety boxes, the safety nets that we put inside the browser are all built on technology that already exists in the browser, we just employ it in a different way and we enable it using a browser extension”.
Bule also spoke about the concept of the “true browser experience” which is the same thing:
“With true browser isolation you’re using your native browser and all of your traffic is isolated. That’s the model the space is swinging towards, to preserve the native user experience”.
The Future of Browser Isolation Lies in DOM
According to Bule, both native and true browser isolation are dependent on the concept of DOM (Document Object Model) reconstruction:
“[This involves] the way things in the browser are constructed.
“The browser uses DOM to build web pages just before displaying them. What we’re doing effectively is hooking up a mechanism to display the web pages on the user’s desktop, on the unused browser. But all that rendering is done in the cloud, meaning it’s isolated.
“What DOM is doing is extending the isolation model into the local browser and deeply and tightly integrated with a local browser. So you can use things like browser plug-ins and password managers, to give users a richer experience”.
This seems to be where the future is headed for browser isolation. Users won’t accept a sub-standard browsing experience. As Bule puts it: “Web browsing isn’t just about a window and an address bar, it’s about all the things that make up the browsing experience. And you have to be able to enable that.”
Industry interest in ironing out some of the kinks in the end-user experience remains high; with McAfee and Cloudflare both recently buying browser isolation startups: Cloudflare acquiring S2 Systems (which uses DOM technology) in January 2020, and McAfee agreeing a deal for Lightpoint Security the following month.
As endpoints get more powerful, networks faster, and cloud-based applications the norm, expect to hear more about browser isolation.