True Isolated Browsing: The Key to Protecting Your Network
Many solutions have been used for isolated browsing, such as ad blocking, compartmentalization, and proprietary browsers. But these have not been good enough to achieve true isolated browsing. Here is why remote browser isolation is the answer.
Ever since the first pop-up ads began appearing on tripod.com in the late 1990s, users have had to reckon with an unsettling fact: What they see on the internet can touch their computers.
At first, this was a nuisance. You visit a website one day, and suddenly the content you’re trying to read is obscured by a window you didn’t open advertising a product you aren’t interested in. Annoying, but not a cause for alarm.
By 2008, these pop-ups had evolved into a threat. Malvertising, often delivered via pop-ups, began to appear on the internet for the first time in this era. In addition to displaying ads on your browser, malvertising would co-opt its mechanisms in order to download adware and spyware onto your computer. Since then, malvertising and other browser-based attacks have become a massive economic threat.
Around this time, people began thinking seriously about isolated browsing. How do you run a browser in a way such that malicious files don’t cross over from the internet to the user’s hard drive? Many ideas have been proposed, but none of them have provided complete protection with the convenience that users need -- until now.
What’s already been tried in terms of isolated browsing?
You’d be surprised at the number of ideas that have already been tried for disconnecting your browser from your operating system at large. For example, ad-blocking – yes, the free extension that you’re probably running right now – is a form of browser isolation. Ad-blocking and other forms of browser isolation are all effective to a certain degree, but typically the more effective they are, the less convenient they become.
Although there are many ad providers out there, most have been cataloged. Ad blockers put these providers on a blacklist. When a script on a website attempts to load content from a host belonging to an advertising company, the adblocker blocks it.
This technique is relatively effective at getting rid of ads, and any technique that gets rid of ads will also block malvertising. Ads aren’t the only browser-based danger out there, however. In addition, both ad providers and hackers are persistent. Companies like Facebook are constantly changing their platforms to make ads indistinguishable from regular content, fooling ad blockers. Other ad companies split up their ads via multiple anonymized CDNs to make their ads harder to block. These techniques can inspire hackers as well. A malvertising campaign known as RoughTed recently infected thousands of users by using diverse traffic types to get around ad-blocker blacklists.
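The host-blacklist check described above, as an added example that is not code from any real ad blocker: it matches requested hosts against a list on DNS label boundaries and shows that a creative served from an unlisted CDN host is allowed through. All hostnames, the `BLOCKLIST` contents and the function names are constructed for illustration.

```javascript
// Constructed blocklist; the .example hosts are placeholders, not real providers.
const BLOCKLIST = new Set(["ads.example", "tracker.example"]);

// True when hostname is a listed domain or a subdomain of one.
// Matching is done on whole DNS labels so "notads.example" does not
// match "ads.example", which a plain endsWith() check would get wrong.
function isBlockedHost(hostname, blocklist = BLOCKLIST) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (blocklist.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Split the resources a page requests into blocked and allowed lists.
// Relative URLs resolve against the page; unparseable ones are blocked.
function filterRequests(pageUrl, resourceUrls, blocklist = BLOCKLIST) {
  const result = { blocked: [], allowed: [] };
  for (const raw of resourceUrls) {
    let host;
    try {
      host = new URL(raw, pageUrl).hostname;
    } catch {
      result.blocked.push(raw);
      continue;
    }
    (isBlockedHost(host, blocklist) ? result.blocked : result.allowed).push(raw);
  }
  return result;
}

// Constructed requests made by one page load.
const SAMPLE_REQUESTS = [
  "https://ads.example/banner.js",           // listed host
  "https://static.ads.example/creative.js",  // subdomain of a listed host
  "https://notads.example/lib.js",           // unrelated host, similar name
  "https://d1234.cdn.example/creative.js",   // same creative, unlisted CDN host
  "/assets/app.js",                          // first-party, relative URL
];

console.log(filterRequests("https://news.example/article", SAMPLE_REQUESTS));
```

The fourth request is the gap the paragraph describes: the list only knows hosts, so content moved to a host that has not been cataloged is treated like any other third-party resource.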
Local tab isolation – sometimes known as site isolation – is a feature that has been built into every version of the Chrome browser since 2018. This process runs each tab of your browser in a separate browser process. This means that malicious sites can’t infect your browser and then use its session data to snoop on the contents of your other tabs. In other words, an attacker can’t infiltrate your favorite sports newsletter in order to catch you the next time you log into your bank account.
This method is more effective than ad-blocking, but it has some drawbacks. For example, running a new process for every single tab in your browser adds up to 15% in additional memory usage – in other words, this can slow down your browser and your computer.
Tab isolation isn’t foolproof. It was built to stop earth-shattering exploits like Meltdown and Spectre, and as such this security feature overlooks attacks such as malvertising and drive-by downloads. What’s more, even though tabs are isolated, your browser still lives on your computer. There’s no barrier between your computer and the browser itself, which means that malicious software can still leak into your operating system.
Compartmentalization involves running the browser within a container, virtual machine, or separate hard drive partition. Even if a virus gets into the browser, the theory goes, it will find itself inside of what is essentially a Potemkin computer – an operating system fragment that has no direct access to files on the machine.
There are two problems with this approach, unfortunately. The first is that this is incrementally harder to set up than either downloading an ad-blocker or running a browser extension. Setting it up requires IT. While this isn’t bad in and of itself, the effort that IT puts in should guarantee that the browser remains secure. That’s not entirely the case, however – due to underlying vulnerabilities in VM and container software, viruses can and often do break out and infect the underlying host.
Vendors will occasionally spin up their own proprietary browsers that are supposedly more secure than the run-of-the-mill ones. We’re not going to spend much time addressing these – we’ll only note that even when the touted security features of these browsers work, they uniformly contain UI and UX errors that cause frontline users to rebel. This is especially true in cases where the user is bringing their own device to the office – you’re essentially asking them not to use their preferred browser on a machine that they’ve purchased themselves.
Why Remote Browser Isolation is the Answer
Protecting your computer from your browser may seem like a no-win scenario – but not everything has been tried. Remote Browser Isolation (RBI) takes the concept of browser isolation and brings it to its most effective extreme.
With RBI, you open your browser to surf the internet like normal. Behind the scenes, your browser contacts a remote application – which happens to be another browser, located in the cloud. Your browser displays everything that the remote browser renders, with full interactivity, but nothing from the remote browser gets downloaded onto your computer.
This is a great system for secure browsing. Although the remote browser still has a chance to download malware, that malware ends up in a container that’s not even on your network. Even if the malware escapes from its container or VM and infects the host, you still don’t have a problem – the host still isn’t on your network and doesn’t contain any of your data. Under the shared responsibility model for SaaS applications, securing the host isn’t even your problem to worry about.
RBI gives you all the advantages of isolated browsing without any of the risks – and it also removes the effort and expense of installing and maintaining an isolated browsing implementation on-premises. Users can keep using the browsers they want, they don’t have to install any hardware or software on their devices, and they can remain protected regardless of the websites they visit. In short, isolated browsing makes sense when it comes to protecting everyday users from a chaotic internet.