Last year saw a new wave of high-profile data breaches that reminded us that no industry is safe. The number and magnitude of incidents indicate that there is a disconnect between the nearly $90 billion that organizations spent on data security in 2017 and their ability to actually protect their data.
Realizing that firewalls and anti-virus solutions fail to adequately protect them from fileless malware, malicious browser-executable code and other web-borne threats, many companies are adopting a new method of cyber defense: browser isolation.
Browser isolation was named a top technology for 2017 by Gartner, which recognized that “most attacks start by targeting end-users with malware delivered via email, URLs or malicious websites.” This is a solution worth considering for any CISO or CIO who wants to minimize exposure to threats from the internet.
How Browser Isolation Works
Like the name implies, browser isolation technology isolates the browser from the end-user’s system and organizational networks. Actual web browsing takes place on a virtual browser in a container that’s located remotely on the network DMZ or in the cloud. Web content is rendered as a clean content stream and transmitted to the endpoint browser, where users interact with it in a totally natural manner. All malicious content remains in the isolated container, which is discarded at the end of the browsing session.
Let’s say an employee receives a phishing email with a malicious link or visits a website compromised in a watering-hole attack. With the website opening securely in an isolated environment, any malicious processes are executed — and remain — away from the endpoint. But on the front end, the data stream (including images and video) renders safely and seamlessly to the user’s device in real time.
Consequently, web threats never reach the employee’s device, yet his productivity and workflow are not negatively affected.
Browser Isolation vs. Other Technology
Browser isolation creates a safe airlock between the internet and users. This separation can also be achieved through endpoint isolation (running a virtual machine on the endpoint) and virtual desktop infrastructure (hosting a desktop on a virtual machine that runs on a centralised server). These alternative methods, however, have drawbacks.
Running a virtual machine on an endpoint is theoretically a good way to isolate it from web risks. In reality, this involves large overhead requirements, especially for large-scale deployments:
● A VM must be installed individually on every endpoint .
● Costly hardware is needed because VMs are CPU and memory-resource intensive.
Endpoint isolation often results in slower device performance, and user complaints about sluggish VMs are common. In addition, not all applications are supported by endpoint-isolation solutions.
Virtual desktop infrastructure
VDI also isolates the user’s machine from malicious processes, because any infections or threats only impact the virtual machine. However, there are a few disadvantages of a VDI, including:
● Cost: Besides the cost of running VDI infrastructure, you have the double costs of licenses for both physical and virtual desktops.
● User experience: The remote desktop must be accessed via a dedicated client, and latency is a common complaint.
● Policies: VDI by itself is not a security solution, so organisations still need to implement and manage policies such as web-app access.
Containers for cost-effective browser isolation
Browser isolation is a user-friendly way to prevent web threats from compromising your entire organization. Among the different products available from vendors, container-based solutions are the most cost-effective, as well as most secure. Rather than virtualizing entire browser workloads, this technology uses dedicated containers for each browsing session.
Top cost advantages of implementing container-based browser isolation include:
1.Low overhead and administrative costs
Choosing a browser isolation solution that is clientless means there’s nothing to install on individual endpoints. Not only does this solve the issue of OS compatibility that endpoint isolation creates, but there’s essentially no administration required by your IT staff.
2.Architecture suited to the workload
Container-based browser isolation is the most cost-effective way to isolate the browser because it requires less server infrastructure and is more scalable.
Not only is there no latency when browsing the web but users may actually see increased productivity — they don’t have to worry about any warnings that would result in contacting the helpdesk, nor encounter issues related to blacklisting.
When implementing browser isolation, your organization will still need to have website policies for employees. Look for a vendor that will allow you to inherit those policies while tailoring the technology to best suit your needs.
Ilan Paretsky is Chief Marketing Officer at Ericom Software and is responsible for the global marketing activities of the company. Prior to joining Ericom in 2005, Mr. Paretsky held various leadership positions in marketing, business development, project management, and software development in the global software and telecom industries.