The extreme makeover of a browser as a managed security service has taken a long and tortured route to the present day. And after writing that the technology is “having a moment” last year, there is still new life in it with this week’s announcement by Google of a Chrome Enterprise Premium version that adds some security features.

These browsers can provide a variety of protective features, according to a 2022 blog post from Forrester, such as preventing phishing attacks or malware distribution and data leaks. And that is a good thing, given how easy it is to deploy these exploits.

This is the main reason why secure enterprise browsing is predicted to have a growth spurt by Gartner. They claimed last spring it will be found in a quarter of companies by 2026, more than double its present population. “The technology is still in the early stages of adoption,” the authors wrote in the post, which lays out a multi-phase evolution of the secure browser marketplace that may or may not come to pass. Some of these tools have been available for the past decade, and new vendors regularly appear to try to capture some market share.

But the browser’s complete makeover from a jack-of-all-trades application to a mainstay security tool isn’t going to be easy or effortless. The new version of Chrome from Google will be especially tricky to setup. It comes with a multi-step installation guide that can try even an expert’s patience. This is because its security choices are numerous, and there are many dozens of things to think about and set.

It is available now for all Google Workspace customers and will cost $6 per user per month, with a free 30-day trial period that includes 50 user licenses.

Google’s announcement follows a series of security improvements that Microsoft has made earlier to its Edge browser. Most of these enhanced security features are site-based, meaning you set up specific block lists. The Microsoft browser comes with two settings to make it easier to setup.

However, while Google’s approach is too fine-grained, Microsoft’s is too simplistic. What is needed is a way for corporate security managers to deploy a better browser, without having to rebuild what is the equivalent of a firewall policy rules set from scratch.

Deployment issues with secure browsers

There are several issues with this class of tools. First, secure browsers can have up to four different and non-exclusive operating modes, in various combinations:

• Ones that use remote browser isolation methods, where the browser sessions run in a cloud service,
• Ones that install the browser software on a local endpoint but isolate their operation through the use of various add-ons such as browser extensions,
• Ones that work in conjunction with an on-premises appliance, and
• Ones that are essentially managed services, typically run from the cloud.

For example, the Chrome Enterprise browser mostly relies on the fourth method, while TalonWork (now part of Palo Alto Networks) combines the second and fourth methods. Other products, such as Authentic8’s Silo and Island.io’s browsers, combine all of the methods. “Our platform is 100% cloud based so all code is rendered in a remote container, says Authentic8’s founder Scott Petry. “All credentials, application access controls and data policies are also managed centrally regardless of device, and IT gets comprehensive audit logging of all user activity.”

Why are these different deployment modes necessary? It is because the browser is so versatile and can operate in a variety of circumstances, ranging from controlling some SaaS-based application to viewing dynamic content from a database to managing a collection of remote servers. Having the different modes is a way to extend its utility and still providing a secure envelope in all these situations.

Gartner’s blog post wrote, “The extension ecosystem created by the enterprise browser provides an opportunity for third-party security solutions to be integrated with the browser to strengthen the organization’s overall security posture.” That is true, but it brings up a second point: if a vendor chooses to use a local isolated browser using security extensions, that means they must support code running on all five operating systems (Windows, MacOS, Android, Linux and iOS). This method is falling out of favor because of the heavy development lift to maintain all five versions, and because research from last year has found ways to get around any extensions to distribute malware.

The nature of isolation is not something simple to accomplish, either. Each tool is setup to isolate by application, by destination URL, by user access rights, or a subtle combination of all items. That makes for an inconsistent level of security applied to each browsing session.  And isolation should go both ways: the user’s session and web traffic is isolated from the website, and the website traffic is isolated from the user.

The setup for Google’s secure browser is brutal with using its cloud-based management, such as numerous steps to add encryption, and using specialized OS-specific installation such as mobile management software with more than a dozen steps. The other products make this a bit easier, but there is still a lot of trial and error to ensure that the security isn’t blocking legitimate browsing uses, sites, or corporate applications.

Next, having a secure browser requires integration with other security services, such as Data Leak Protection, Single Sign-On, and URL listing services, among others. These integrations are typically performed through cloud-based APIs that provide the provenance of a particular URL or IP address.

The authentication integration is particularly fraught with problems. This is because for the browser to be secure, users need to identify themselves and present login credentials. That is an initial usability stumbling block for many users who aren’t accustomed to that step for their web browsing. The better secure browsers also turn on multi-factor authentication by default (Google’s doesn’t).

This means that enterprises need to invest “in user adoption testing and training,” according to Forrester’s blog post. “Shadow IT happens when users or teams choose to work around the existing systems being deployed because they don’t meet their needs. If users don’t understand the need for these controls and aren’t consulted on your chosen solutions, they will find ways to work around them.”

Next, there are the details about how each browser images its web content. While almost all the browsers start with Chrome code and make various modifications, that doesn’t mean that each one images every web page consistently. There are subtle differences in the HTML v5 implementations that could prevent access to a particular site or page.

Finally, there is some cost involved. For decades browsers have been free or bundled with the endpoint operating system. Secure browsers will cost something, and even a few dollars a month per user can add up over time and across an entire enterprise population. Gartner said in its blog post, “Free browsers are ubiquitous, to the point that organizations must have specific use cases to justify the purchase of a separate browser.” It remains to be seen if security is that compelling use case.

A new study by Women in Cybersecurity paints yet another dismal picture of the gender gap. This time it dives into its potential causes. The study is based on surveying both men and women across 20 different organizations. Women encounter problems at twice the rate of men, especially when it comes to their direct managers and peer workers. The glass ceiling is still very much in evidence. It is a sad description of where and who we are, including disrespectful and sexually inappropriate behaviors, underappreciated skills and experience, and requests to do menial tasks (she’ll take the meeting notes).

“Organizations have a clear opportunity to significantly boost their financial results and employee satisfaction by addressing these disparities,” said one of the report’s authors. The revenue impact could be significant due to this differential treatment of women and people of color. You would think that would be obvious by now.

I am ashamed about our industry that continues to make this news, year after year. Back in 2013, I attended one of the Strangeloop conferences, which always were notable in how many women presenters they had. I wrote a follow-up piece in Biznology a few years ago, tracking down some of the women that I initially wrote about. I ended that piece with the suggestion that we should follow some people on Twitter who don’t look like you and widen your focus and perspective.

Well, Twitter turned out well, didn’t it? Perhaps follow folks on LinkedIn now. You might want to take a listen to the “bit of fun” Mark Cuban is having at Elon’s expense on diversity, when he was interviewed by Lex Fridman (here is a 35 min. excerpt). He makes some great points on why it works.

Speaking of conferences, it wasn’t all that long ago when attending RSA, you wouldn’t find many women speakers. Last year’s event even had an all-women panel of female all-stars talking about threat response. I guess that is progress.

And in 2016 I wrote about how female engineers were scarce. Back then, I said: “It is time that all companies adapt to a more diverse workforce if they want to succeed. And we need to be on the leading edge in tech.” It is still time.