Browser Isolation Trade-offs: Server-side versus Client-side

Choices, Choices...

As remote, mobile workforces slowly erode the sanctity of network perimeters, web browsers continue to increase in importance to facilitate day-to-day business operations and employee productivity. For IT Administrators trying to protect company information, the lack of control outside of their network is only compounded by the rise of contractors and other users who use their own personal devices for work. As if these challenges were not enough, ransomware attacks and other headline-grabbing malware reveal that current firewalls and antivirus solutions sometimes fail to adequately protect users from attack. Seeking a safety net to protect their users, many companies are adopting browser isolation.

Browser isolation was named a top technology for 2017 by Gartner, which recognized that “most attacks start by targeting end-users with malware delivered via email, URLs or malicious websites.” According to Gartner, more than 50% of enterprises will actively begin to isolate their internet browsing to reduce the impact of cyber attacks over the next three years, and organizations that isolate internet browsing will experience a 70% reduction in attacks compromising end-user systems.

Browser Isolation Technologies: Secure, but not Equal

Different browser isolation technologies follow different strategies and offer different advantages, so how does one choose? The most well-established products in browser isolation tend to be server-side applications built around a safe, cloud-based intermediary. Conversely, client-side applications shield the endpoint device itself. Each technology’s emphasis and strategy leads to specific trade-offs and benefits for the organization, many of which go beyond the basic cybersecurity benefits. In many cases, both client-side and server-side technology might be deployed as layers of protection, but most companies cannot afford more than one solution. Ultimately, CISOs and CIOs need to collaborate to determine which technology best suits the needs of their organization, taking into account who controls the company’s data.

Let’s start with the server-side, cloud-based solutions. The typical browser isolation product hosted in the cloud relies on containerization or virtualization. In other words, it creates a disposable mini-computer in the cloud in which the user launches a browser to view the web. There are definite advantages to this approach:

  • Minimal install (some require no application on the endpoint)
  • No out-of-date version installed on the local machine
  • New versions can be deployed quickly

Client-side endpoint solutions implement the same isolation principle as a sandbox on the endpoint. These applications sometimes deploy as a browser plugin, but may also completely replace the browser with an application of their own. As you might expect, the strengths of the cloud-based solutions are mirrored by weaknesses in the local installations:

  • Susceptible to out-of-date versions
  • Install requirements may be significant (at least one vendor even requires their software to be the first software installed onto the device, so deployment means reinstalling all other software on the computer!)
  • More work for IT to deploy, so less scalable

So why would someone consider an endpoint deployment? Very simply, control.

Endpoint and Data Security – Plus Control

For many organizations, data security is a top priority. With a cloud deployment, the data generally resides on a cloud server outside of the organization’s control. The organization depends entirely upon the vendor to guarantee that the data will not remain on those cloud servers after a session ends and that the vendor’s “analysis” of the files will not make the data available to others. In 2017, The Hacker News revealed that various antivirus programs with incorrect settings accidentally leaked terabytes of data to VirusTotal. It’s one thing if the CIO/CISO’s own team makes the mistake, because at least they can take ownership. With a third party, there is always an act of faith required… Additionally, if an organization wants employees to be able to view, edit or share corporate data, it must upload that data to the cloud so that the data is accessible through the secure browser. This may mean more work for the users and more risk for the organization.

Beyond the basic functionality, there is also the issue of control on the endpoint. For a cloud application, how does the vendor prevent other applications on the endpoint from cross-talking with its application? With the Cambridge Analytica leak, many people were shocked to learn how much data Facebook was harvesting from other applications on the phone. But Facebook is definitely not the only application to attempt to harvest data, and let’s not forget that the applications on the endpoint are not the only possible source of data leaks. In a study cited by Entrepreneur.com in 2016, 85% of employees admitted to taking company data when leaving the company. Furthermore, according to SecurityIntelligence.com, the Ponemon Institute determined that the mean cost of an insider threat has now reached $8.7 million! Browser isolation technology that does not isolate company information on the endpoint leaves the data vulnerable to data harvesting or intentional data theft.

Soliton’s SecureShield technology resides in an encrypted application held in the device’s encrypted memory. This encrypted application is read-only and self-deleting, so that no data may be leaked to the endpoint. This isolation prevents printing, copy-paste and saving files outside of the container, and prevents other applications from reading data from within the encrypted application. Our technology also goes several steps further than other browser isolation technologies:

  • Internal file access: the corporate file server within the company’s network can be configured so that internal corporate files are available to SecureShield’s app.
  • Persistence: optionally, files can be downloaded into the container, allowing the user to edit the files – even without an internet connection. The application remains isolated from the endpoint so that, even downloaded, the data cannot be sniffed or stolen.
  • Application wrapping: for downloaded files, an application wrapping option uses local resources such as Microsoft Office to provide full functionality in editing (PC only).

When it comes to malware protection, many forms of browser isolation will work, but why limit the safety net to malware? No single technology can detect and protect against all security threats, so security leaders must consider browser isolation from the perspective of accomplishing other corporate goals and determine whether their most valuable data requires additional layers and levels of security.

In the meantime, here are five qualities to look for in choosing a browser isolation solution:

  1. Isolation: enables the user to browse any website while protecting the endpoint from potential threats on that site. Each browser session takes place segregated from the endpoint. When the session ends, the entire container is destroyed, along with the browser and any malicious code encountered in the session.
  2. Browser policy enforcement: enables and facilitates the enforcement of organizational browsing policies.
  3. Browsing performance: delivers performance that is on par with popular desktop-based browsers in compatibility and capability.
  4. Device agnostic and seamless user experience: from the user’s perspective, browsing should be transparent, regardless of what device they use.
  5. Corporate data access and control: organizations should be able to maintain control of their most sensitive data and store the data where they feel most comfortable.

For information about Soliton SecureShield, download the data sheet or check out the SecureShield video. Continue the conversation with us at BlackHat USA in Las Vegas! Stop by and visit us at Booth 2005.

References

Forni, A. A., Gartner, Gartner Identifies the Top Technologies for Security in 2017.

MacDonald, N., Gartner, It’s Time to Isolate Your Users From the Internet Cesspool With Remote Browsing [ID: G00315285].

Khandelwal, S., The Hacker News, How Top Companies Accidentally Leaking Terabytes of Sensitive Data Online.

Romano, A., Vox, Facebook warns “most users” have had their data harvested by third-party apps.

Gasca, P., Entrepreneur, With Data Theft By Employees on the Rise, Don’t Look at Cybersecurity as a Mission Impossible.

Schick, S., SecurityIntelligence, The Average Cost of an Insider Threat Hits $8.7 Million.