The browser is the gateway to all content on the web, but unlike application security, people often don’t think about protecting it. There have been protections built around it, such as network DLP, web gateways, next-generation firewalls or packet brokers, all technologies that “oscillate around the browser to try to give an organization some control over what it can and can’t do, but we’ve never thought about actually just trying to control the browser until recently,” said Brian Kenyon, chief strategy officer for enterprise browser firm Island.
Kenyon spoke at RSA with Matt Alderman, vice president of product at Living Security and host of Business Security Weekly.
The problem with today’s browsers is inherent trust, Kenyon said. For example, once you’ve authenticated to get to your data, your rights and roles say you can see the data. But the data renders to the browser screen “and … you’ve now lost all control of that data,” because someone could take a screen capture or cut and paste it, he said.
“All of your wonderful network solutions do nothing when that end user is on the end PC with the data.”
This is where enterprise browsers come in. They are designed to let organizations gain control and secure their browsers as a vector, as well as help prevent the data from escaping from all the channels that have been left unprotected over the years, according to Kenyon.
How to start building a browser from scratch
Building a new browser with privacy and security controls baked in starts with Chromium, an open-source package that powers browsers such as Google Chrome, Microsoft Edge, and Opera Software’s Opera, Kenyon said.
Chromium has become the standard because of how it renders and the user experience it provides. “That’s become the enterprise browser, if you will, by default,” he maintained, adding that this is what Island started with.
It has pre- and post-encryption. Island sees everything the user is trying to do and everything the web server is returning. By policy, an admin can determine what is and isn’t acceptable, he said.
When thinking about what’s missing from cloud, network, and gateway technologies, it’s everything that happens with a user at their keyboard and monitor—and their ability to cut and paste data or take a screenshot of it, Kenyon said. The first security control Island put into its browser is what he called “last-mile controls,” which are controls at the actual action. This creates boundaries over where you can cut and paste from and copy to, he noted.
It’s almost like building a DLP into the browser to control actions, Alderman said.
Kenyon agreed, saying, “At the browser, I can get far more granular than DLP can traditionally get.”
An enterprise browser also gives organizations complete control over what gets displayed, he said.
Granular control is great but sometimes comes at the cost of administration, Alderman noted.
Because Island authenticates by identity, it is easy to manage, but does require some customization when you want to modify an application, Kenyon said.
Benefits of a secure browser
An enterprise browser comes with benefits such as full visibility and control over every action taken. It also helps rein in unmanaged BYOD devices, something organizations continue to grapple with, Kenyon said.