How can you cost effectively isolate your browsers?

Internet based malware threats are increasingly affecting small businesses as well as individual internet users, the most vulnerable kinds of internet users and a group less likely to have the resources to properly protect themselves.

The more technically aware amongst you will have known for a long time that your anti-virus and firewall do not really protect anybody in any way, they have failed to protect the majority from malware, viruses and ransomware attacks, where they encrypt your data and refuse to decrypt it without a, sometimes very large, bitcoin ransom payment.

Larger businesses, the federal government and those with more money to spend on cybersecurity are increasingly leveraging a new cybersecurity model called browser isolation, or remote browsing if you look at it from a user perspective. Browser isolation is the low hanging fruit when it comes to solving the problem of malware attacks, because the browser is where most malware and ransomware attacks originate, the browser is almost always the source of infection.

Using remote browsers to physically isolate your browser and browsing activity away from your local machine and networks is by far the most sensible way to protect yourself from browser based attacks, you simply isolate yourself from the internet when you engage with it, making sure that the internet can not touch you back.

Browser isolation is the sexiest new way of protecting your users from malware according to Gartner, but how do you isolate your users browser and more importantly deliver a remote browser solution in a cost effective way?

It can be as easy as running open source VirtualBox on your desktop and using a VM to browse the internet, a solution used by many that is an effective way of containing malware, even if it is crude and clumsy at scale.

There are a number of ways to accomplish browser isolation and a number of companies approaching the problem from different angles, all of them trying to achieve more or less the same goal. Some remote browser isolation solutions stream a remote browser to you over the internet, others let you connect to a remote browser hosted on a third party server and there are others which force you to install hypervisors onto your local machine, client wank solutions they are called.

We were the first to develop a commercial browser isolation model in collaboration with the National Nuclear Security Administration at Lawrence Livermore National Laboratory, except that we called it Safeweb and this was back in 2010 when the best technology we had to isolate remote browsers was desktop virtualization technology.

Back then virtualization was the most effective way to isolate the internet facing activity of an internet user and it was an absolute godsend at a time when cyberattacks were rapidly becoming the norm. Instead of letting your users browse the internet on their local machines through a local browser, we simply gave them a remote browser on a virtual desktop and it was a wonderfully effective way of protecting large amounts of users, if horrifically expensive at scale.

This browser isolation model has since evolved and spread, today thousands of federal government employees call this remote browsing model 'Safeweb' and use remote browsers to connect to the open internet. We realized early on that in order to be successful, the remote browser isolation model had to protect lots of users in a cost effective way and the problem with using virtualization for remote browser isolation is that it is hugely expensive and not fit for purpose.

Using virtualization to isolate remote browsing activity compute loads requires you to pay for a lot more server infrastructure than you really want to have to deal with for this risk load, it gets incredibly expensive at scale, especially if you have embraced some kind of appliance, or SAN centralized model. The way around this is not to install the hypervisor on the client as some tried, because this breaks the underlying security through physical isolation model.

If you really want to protect a huge amount of everyday internet users by providing them with remote browsers in a cost effective way, then containerization based architectures that leverage grid distributed infrastructures are the way forward and this is something we at WEBGAP do incredibly well. I am quite proud of the fact that nobody else does what we do, in quite the way we do it, or that few fail to grasp the nuance around our work until they deploy solutions at scale.

When it comes to isolating thousands of individual remote browsing compute workloads simultaneously, containerization is an infinitely more efficient way of dealing with these workloads than virtualization, but its only recently that we have turned towards containerization and most of our space is still stuck on virtualization.

Malware, ransomware, advanced persistent threats and other kinds of cyber attack are are problem for everyone, not just large businesses and the government, but the browser isolation model is still too expensive for the many, something my co-founders and I set out to change with our WEBGAP Engine platform. Browser isolation is quite clearly the future of cybersecurity, but this future will only happen if it becomes cost effective enough to protect the many.

EDITORIAL NOTE: What’s that? You like the things we write? Follow @WEB_GAP on Twitter for more!

Previous PostThe Browser Is Broken
Next PostRIP Virtualization Cybersecurity