How to Secure Browsers Across Your Enterprise

The extreme makeover of the browser into a managed security service has taken a long and tortured route to the present day. Last year I wrote that the technology was “having a moment,” and there is still new life in it with this week’s announcement by Google of a Chrome Enterprise Premium version that adds some security features.

These browsers can provide a variety of protective features, according to a 2022 blog post from Forrester, such as preventing phishing attacks or malware distribution and data leaks. And that is a good thing, given how easy it is to deploy these exploits.

This is the main reason why Gartner predicts a growth spurt for secure enterprise browsing. It claimed last spring that the technology will be found in a quarter of companies by 2026, more than double its present population. “The technology is still in the early stages of adoption,” the authors wrote in the post, which lays out a multi-phase evolution of the secure browser marketplace that may or may not come to pass. Some of these tools have been available for the past decade, and new vendors regularly appear to try to capture some market share.

But the browser’s complete makeover from a jack-of-all-trades application to a mainstay security tool isn’t going to be easy or effortless. The new version of Chrome from Google will be especially tricky to set up. It comes with a multi-step installation guide that can try even an expert’s patience. This is because its security choices are numerous, and there are many dozens of things to think about and set.

It is available now for all Google Workspace customers and will cost $6 per user per month, with a free 30-day trial period that includes 50 user licenses.

Google’s announcement follows a series of security improvements that Microsoft made earlier to its Edge browser. Most of these enhanced security features are site-based, meaning you set up specific block lists. The Microsoft browser comes with two settings to make it easier to set up.

However, while Google’s approach is too fine-grained, Microsoft’s is too simplistic. What is needed is a way for corporate security managers to deploy a better browser, without having to rebuild the equivalent of a firewall policy rule set from scratch.

Deployment issues with secure browsers

There are several issues with this class of tools. First, secure browsers can have up to four different and non-exclusive operating modes, in various combinations:

  • Ones that use remote browser isolation methods, where the browser sessions run in a cloud service,
  • Ones that install the browser software on a local endpoint but isolate their operation through the use of various add-ons such as browser extensions,
  • Ones that work in conjunction with an on-premises appliance, and
  • Ones that are essentially managed services, typically run from the cloud.

For example, the Chrome Enterprise browser mostly relies on the fourth method, while TalonWork (now part of Palo Alto Networks) combines the second and fourth methods. Other products, such as Authentic8’s Silo and Island.io’s browsers, combine all of the methods. “Our platform is 100% cloud based so all code is rendered in a remote container,” says Authentic8’s founder Scott Petry. “All credentials, application access controls and data policies are also managed centrally regardless of device, and IT gets comprehensive audit logging of all user activity.”

Why are these different deployment modes necessary? It is because the browser is so versatile and can operate in a variety of circumstances, ranging from controlling some SaaS-based application to viewing dynamic content from a database to managing a collection of remote servers. Having the different modes is a way to extend its utility and still provide a secure envelope in all these situations.

Gartner’s blog post stated, “The extension ecosystem created by the enterprise browser provides an opportunity for third-party security solutions to be integrated with the browser to strengthen the organization’s overall security posture.” That is true, but it brings up a second point: if a vendor chooses to use a local isolated browser using security extensions, that means they must support code running on all five operating systems (Windows, macOS, Android, Linux and iOS). This method is falling out of favor because of the heavy development lift to maintain all five versions, and because research from last year has found ways to get around any extensions to distribute malware.

Isolation is not simple to accomplish, either. Each tool is set up to isolate by application, by destination URL, by user access rights, or a subtle combination of all of these. That makes for an inconsistent level of security applied to each browsing session. And isolation should go both ways: the user’s session and web traffic are isolated from the website, and the website traffic is isolated from the user.

The setup for Google’s secure browser through its cloud-based management is brutal: there are numerous steps to add encryption, and specialized OS-specific installations, such as the one using mobile management software, take more than a dozen steps. The other products make this a bit easier, but there is still a lot of trial and error to ensure that the security isn’t blocking legitimate browsing uses, sites, or corporate applications.

Next, having a secure browser requires integration with other security services, such as Data Leak Protection, Single Sign-On, and URL listing services, among others. These integrations are typically performed through cloud-based APIs that provide the provenance of a particular URL or IP address.

The authentication integration is particularly fraught with problems. This is because for the browser to be secure, users need to identify themselves and present login credentials. That is an initial usability stumbling block for many users who aren’t accustomed to that step for their web browsing. The better secure browsers also turn on multi-factor authentication by default (Google’s doesn’t).

This means that enterprises need to invest “in user adoption testing and training,” according to Forrester’s blog post. “Shadow IT happens when users or teams choose to work around the existing systems being deployed because they don’t meet their needs. If users don’t understand the need for these controls and aren’t consulted on your chosen solutions, they will find ways to work around them.”

Next, there are the details about how each browser renders its web content. While almost all the browsers start with Chrome code and make various modifications, that doesn’t mean that each one renders every web page consistently. There are subtle differences in the HTML5 implementations that could prevent access to a particular site or page.

Finally, there is some cost involved. For decades browsers have been free or bundled with the endpoint operating system. Secure browsers will cost something, and even a few dollars a month per user can add up over time and across an entire enterprise population. Gartner said in its blog post, “Free browsers are ubiquitous, to the point that organizations must have specific use cases to justify the purchase of a separate browser.” It remains to be seen if security is that compelling use case.
