Browser isolation beta taps global infrastructure for online app security

Whether it’s email, collaborative tools like Slack or Teams, or project management software, many of the most commonly used workplace applications today are accessed through a web browser.

While that’s made it easier for many employees to seamlessly access their work tools, it’s also expanded the surface area for a number of web-based cyber threats, such as cross-site scripting or monster-in-the-middle attacks.

In response, a growing number of companies are developing browser isolation technologies designed to separate web browsing from the rest of an organization’s IT network.

This week, Cloudflare became the latest entity to enter this space, rolling out a new beta version of its isolated web browser that leverages its existing global infrastructure to deal with some of the latency issues that have historically plagued the technology.

In a blog announcing the beta, Tim Obezuk, the company's principal solutions engineer, cited the growing popularity of web-based applications and the lack of control organizations have over many of the ways they interact with users and the internet as the primary impetus for the move.

“Businesses struggle to control how users interact with web browsers. It’s all too easy for a user to inadvertently download an infected file, install a malicious extension, upload sensitive company data or click a malicious zero-day link in an email or on a webpage,” Obezuk wrote.

There are a number of ways that browser isolation technologies work to protect the end user. Some make a copy image of a website in their secure environment and beam it back to the user, while others use cloud-based platforms to disassemble the page, inspect it for malware, then put it back together and send it to the user if nothing malicious is detected.

Cloudflare’s approach involves setting up sandboxed virtual machine testing environments in their data centers across 200 cities across the globe that sends “the final output of a browser’s web page rendering” to the user instead of a recording.

“The approach means that the only thing ever sent to the device is a package of draw commands to render the webpage, which also makes [it] compatible with any HTML5 compliant browser,” wrote Obezuk.

Geographically dispersing their servers across the globe also cuts down on the lag time as data packets travel back and forth between Cloudflare’s virtual machines and the end user, something the company said should make for a faster browsing experience compared to other isolation approaches.

Curtis Dukes, executive vice president and general manager for best practices at the Center for Internet Security, told SC Media that despite only coming onto the scene around 2016, web browsing isolation is becoming more popular within the public sector and large enterprises as security philosophies like Zero Trust have gained more traction in the security space.

Web browsers in general have greatly improved their patching practices around common or popular software applications in recent years, something that has done much to shrink the attack surface for smaller organizations that primarily rely on commercial-off-the-shelf products. But for larger enterprises with more custom applications, isolation can be a useful tool.

"Frankly, even though we think [large enterprises] are typically well-funded, their track record hasn’t been great with patching and figuring and so this [approach] kind of removes a pain point for them,” said Dukes.

The onset of the coronavirus pandemic and surge in remote work has pushed organizations down the path of philosophies like Zero Trust, where employees and contractors are subject to the same security access protocols as outsiders and malicious actors. Dukes said the fallout from the virus “validated where the technology was going anyway which was to a boundary-less security perimeter.” That’s made tools like browser isolation more relevant.

You’ve got a workforce that’s getting access to data that before this was behind a perimeter and they’re not having to get access to it remotely,” Dukes said. “For that reason I believe the pandemic has just put this kind of technology to the forefront.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.