Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Dor Zvi of Red Access takes us through a tech crash course, breaking down new, emerging, secure browsing technologies.
In just the past few years, the rise of remote and hybrid work has turned the working world completely on its head — and with it, the fundamental rules of cybersecurity. With distributed workforces now becoming the norm, organizations of all sizes and stripes have found themselves struggling to shore up their defenses despite operating in what is essentially a “perimeterless” architecture.
Unsurprisingly, the average organization is not faring well as a result of this upheaval. For most, each day brings a flood of web connections from countless regions of the world, initiated by both employees and third-party contractors, who are using a mixture of managed and unmanaged devices to connect to their network. Together, these trends have created a quagmire of complexity and risk that has CISOs the world over scrambling for solutions.
Why Secure Browsing Solutions are Needed Now More Than Ever
One of the most significant side-effects of this push to remote and hybrid work is what I like to call “browserization”: the shift that has seen web browsers take center stage as modern employees’ primary gateway to the working world. Today, web browsers function more like operating systems than just another application, forming the fundamental operating layer on which the modern employee’s core environment is built.
However, web browsers were never designed to play such a central role in the enterprise, and most certainly not from a security perspective. While leading browsers, like Chrome, Edge, and Firefox, do offer baked-in privacy and security features, they’re far from sufficient on their own.
As a result of this shift, we’ve seen the rate of browser-based attacks skyrocket in recent years. In fact, according to a study, nearly two-thirds of organizations have fallen victim to a browser-based attack within the past 12 months. At the same time, the number of browser-based zero-day vulnerabilities being exploited in the wild has increased dramatically, leaving little doubt as to threat actors’ newfound focus on this target.
Redefining the Web Browsing Attack Surface
It wasn’t long ago that web browsing took place only within the confines of a dedicated web browser (e.g. Chrome, Safari). Indeed, all web access happened inside this small category of purpose-built applications. However, that is no longer the case.
Although the terminology does us no favors, it’s important to remember that not all web browsing occurs inside a web browser anymore. Applications like Facebook, Instagram, and LinkedIn, for example, now feature what are commonly referred to as “in-app browsers”: small software components (e.g. WebView) that allow users to open URLs, view web pages, and otherwise navigate the web without ever leaving the application itself.
These in-app browsers have already been found to pose serious privacy and security risks to users. However, they are far from the only way in which modern application architectures extend the reach of browsing-based threats beyond the purview of the web browser itself. In reality, any application that allows users to access remote files, open hyperlinks, or relay messages or chats is effectively bringing the act of web browsing outside the realm of the web browser.
There is a long list of applications fitting this description in wide use in today’s enterprise environment. While many of these applications now have web app versions available, meaning they can be accessed through the browser, many users still opt for the native desktop versions instead and, in doing so, extend the web browsing attack surface beyond the browser.
A Look at The Secure Browsing Status Quo: VPNs, SWGs, and RBI
So, what can CISOs do to secure this rapidly expanding attack surface? Unfortunately, the lion’s share of modern security tools are not up to the task. For many years, the secure browsing status quo has been dominated by two core categories: secure web gateways (SWGs) and remote browser isolation (RBI). While each of these solutions offers some degree of browsing security, each comes with its own set of shortcomings and trade-offs.
SWGs, despite being easy to deploy and manage, are decidedly lacking in their security capabilities: they struggle mightily with encrypted content and often fail to detect threats that use dynamic content for obfuscation. RBI tools, meanwhile, provide more robust security than SWGs, but do so at the expense of the user experience and with high cloud resource costs. And as any admin will tell you, even the most sophisticated security tools won’t do you any good if employees routinely work around them.
In the age of hybrid work, SWGs and RBIs usually require the usage of VPNs or VDIs, routing remote employees’ web traffic back through the office or headquarters’ network in order to “recreate” the traditional enterprise security perimeter.
Next-Gen Solutions: Secure Enterprise Browsers and More
This brings us to the new breed of secure browsing solutions — a diverse group of tools that has emerged in just the past few years with the aim of resolving the challenges associated with remote work and “browserization”.
Perhaps the most widely-covered group of tools in this category so far is the secure enterprise browser (SEB). These solutions aim to secure the web browsing vector by replacing traditional web browsers (e.g. Chrome, Safari) with a purpose-built, security-first web browser. These tools often compile multiple capabilities into the browser itself, such as policy controls, URL whitelists, and various types of threat detection.
While these solutions promise simplicity and comprehensive coverage, in reality, they too come with considerable trade-offs. First and foremost is the challenge of convincing employees to give up their preferred web browsers — which they are already familiar with, and which often have saved preferences, passwords, plug-ins, and other bits of customization. We all know that forcing the adoption of new tools is an uphill battle, and this becomes doubly true when talking about a tool as foundational and central to the user’s day-to-day responsibilities.
Beyond the adoption problem, these types of solutions fall short in other significant ways, including being inherently limited in scope. As discussed earlier, the modern web browsing attack surface extends well beyond the web browser itself, meaning that, by definition, a secure web browser can’t secure all of today’s browsing attack surface.
What’s Next in Secure Browsing…
As we all know, there’s no such thing as a perfect security solution. At the end of the day, most organizations will need to implement some combination of solutions in order to effectively and completely secure the web browsing attack surface. However, there are new solutions emerging that take alternative approaches to those listed above.
Some of these take an agentless, browser- and device-agnostic approach that secures the entire web browsing attack surface. This newest breed of secure browsing solutions is still decidedly new, and time will tell how they fit into this bustling ecosystem. However, one thing is for certain: in the age of flexible work, the most successful security solutions will be those that are flexible themselves, securing all users (in-office, remote, and third-party contractors), all devices (managed, unmanaged, and Bring Your Own Device), and all browsing activities (across any browser and any web application), ideally without impeding the end-user experience.
- Tech Crash Course: Secure Browsing Technologies - March 17, 2023