Browser isolation is a cybersecurity model which aims to physically isolate an internet user's browsing activity (and the associated cyber risks) away from their local networks and infrastructure. Browser isolation technologies approach this model in different ways, but they all seek to achieve the same goal, effective isolation of the web browser and a user's browsing activity as a method of securing

web browser A web browser is application software for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's screen. Browsers are used on ...

s from browser-based

security exploit An exploit (from the English verb ''to exploit'', meaning "to use something to one’s own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanti ...

s, as well as web-borne threats such as

ransomware Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid off. While some simple ransomware may lock the system without damaging any files, ...

and other

malware Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, depri ...

. When a browser isolation technology is delivered to its customers as a

cloud In meteorology, a cloud is an aerosol consisting of a visible mass of miniature liquid droplets, frozen crystals, or other particles suspended in the atmosphere of a planetary body or similar space. Water or various other chemicals may co ...

hosted service, this is known as remote browser isolation (RBI), a model which enables organizations to deploy a browser isolation solution to their users without managing the associated server infrastructure. There are also client side approaches to browser isolation, based on client-side hypervisors, which do not depend on servers in order to isolate their users browsing activity and the associated risks, instead the activity is virtually isolated on the local host machine. Client-side solutions break the security through physical isolation model, but they do allow the user to avoid the server overhead costs associated with remote browser isolation solutions.

Mechanism

Browser isolation typically leverages

virtualization In computing, virtualization or virtualisation (sometimes abbreviated v12n, a numeronym) is the act of creating a virtual (rather than actual) version of something at the same abstraction level, including virtual computer hardware platforms, stor ...

or containerization technology to isolate the users web browsing activity away from the endpoint device - significantly reducing the

attack surface The attack surface of a software environment is the sum of the different points (for "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment. Keeping the attack surface as small as ...

for rogue links and files. Browser isolation is a way to isolate web browsing hosts and other high-risk behaviors away from mission-critical data and infrastructure. Browser isolation is a process to physically isolate a user's browsing activity away from local networks and infrastructure, isolating malware and browser based cyber-attacks in the process while still granting full access.

Market

In 2017, the American research group

Gartner Gartner, Inc is a technological research and consulting firm based in Stamford, Connecticut that conducts research on technology and shares this research both through private consulting as well as executive programs and conferences. Its clients ...

identified remote browser (browser isolation) as one of the top technologies for security. The same Gartner report also forecast that more than 50% of enterprises would actively begin to isolate their internet browsing to reduce the impact of cyber attacks over the coming three years. According to Market Research Media, the remote browser isolation (RBI) market is forecast to reach $10 Billion by 2024, growing at CAGR 30% in the period 2019–2024.

Comparison to other techniques

Unlike traditional web security approaches such as

antivirus software Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses, hence the nam ...

and secure web gateways, browser isolation is a zero trust approach which does not rely on

filtering Filter, filtering or filters may refer to: Science and technology Computing * Filter (higher-order function), in functional programming * Filter (software), a computer program to process a data stream * Filter (video), a software component tha ...

content based on known threat patterns or signatures. Traditional approaches can't handle 0-day attacks since the threat patterns are unknown. Rather, browser isolation approach treats all websites and other web content that has not been explicitly

whitelist A whitelist, allowlist, or passlist is a mechanism which explicitly allows some identified entities to access a particular privilege, service, mobility, or recognition i.e. it is a list of things allowed when everything is denied by default. It is ...

ed as untrusted, and isolates them from the local device in a

virtual environment A virtual environment is a networked application that allows a user to interact with both the computing environment and the work of other users. Email Electronic mail (email or e-mail) is a method of exchanging messages ("mail") betwee ...

such as a

container A container is any receptacle or enclosure for holding a product used in storage, packaging, and transportation, including shipping. Things kept inside of a container are protected on several sides by being inside of its structure. The term ...

virtual machine In computing, a virtual machine (VM) is the virtualization/emulation of a computer system. Virtual machines are based on computer architectures and provide functionality of a physical computer. Their implementations may involve specialized hardw ...

. Web-based files can be rendered remotely so that end users can access them within the browser, without downloading them. Alternatively, files can be sanitized within the virtual environment, using file cleansing technologies such as

Content Disarm & Reconstruction Content Disarm & Reconstruction (CDR) is a computer security technology for removing potentially malicious code from files. Unlike malware analysis, CDR technology does not determine or detect malware's functionality but removes all file component ...

(CDR), allowing for secure file downloads to the user device.

Effectiveness

Typically browser isolation solutions provide their users with 'disposable' (non-persistent) browser environments, once the browsing session is closed or times out, the entire browser environment is reset to a known good state or simply discarded. Any malicious code encountered during that session is thus prevented from reaching the endpoint or persisting within the network, regardless of whether any threat is detected. In this way, browser isolation proactively combats both known, unknown and zero-day threats, effectively complementing other security measures and contributing to a

defense-in-depth Defence in depth (also known as deep defence or elastic defence) is a military strategy that seeks to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space. Rather than defeating ...

, layered approach to web security.

History

Browser isolation began as an evolution of the 'security through physical isolation' cybersecurity model and is also known as the air-gap model by security professionals, who have been physically isolating critical networks, users and infrastructures for cybersecurity purposes for decades. Although techniques to breach 'air-gapped' IT systems exist, they typically require physical access or close proximity to the air-gapped system in order to be effective. The use of an air-gap makes infiltration into systems from the public internet extremely difficult, if not impossible without physical access to the system . The first commercial browser isolation platforms were leveraged by the

National Nuclear Security Administration The National Nuclear Security Administration (NNSA) is a United States federal agency responsible for safeguarding national security through the military application of nuclear science. NNSA maintains and enhances the safety, security, and e ...

Lawrence Livermore National Laboratory Lawrence Livermore National Laboratory (LLNL) is a federal research facility in Livermore, California, United States. The lab was originally established as the University of California Radiation Laboratory, Livermore Branch in 1952 in response ...

Los Alamos National Laboratory Los Alamos National Laboratory (often shortened as Los Alamos and LANL) is one of the sixteen research and development laboratories of the United States Department of Energy (DOE), located a short distance northwest of Santa Fe, New Mexico, ...

and

Sandia National Laboratories Sandia National Laboratories (SNL), also known as Sandia, is one of three research and development laboratories of the United States Department of Energy's National Nuclear Security Administration (NNSA). Headquartered in Kirtland Air Force Ba ...

in 2009, when browser isolation platforms based on virtualization were used to deliver non-persistent virtual desktops to thousands of federal government users. In June 2018, the Defense Information Systems Agency (DISA) announced a request for information for a "cloud-based internet isolation" solution as part of its endpoint security portfolio. As the RFI puts it, "the service would redirect the act of internet browsing from the end user’s desktop into a remote server, external to the Department of Defense Information Network." At the time, the RFI was the largest known project for browser isolation, seeking "a cloud based service leveraging concurrent (simultaneous) use licenses at ~60% of the total user base (3.1 Million users)."https://www.fbo.gov/index.php?s=opportunity&mode=form&id=00a1d0b4044cd5d87afa0069b11f53ab&tab=core&tabmode=list&=

References