Remote browser isolation (RBI) myths debunked
Have you heard that implementing isolation technology — while still enhancing your security stance — would impact your end users? A small minority of cybersecurity experts, analysts, and even some vendors have been saying that remote browser isolation (RBI) solutions are not a critical component of the enterprise security stack and erroneously claim that isolation — while effective — has too large of an impact on user productivity to be a must-have security measure.
These claims are based mostly around antiquated solutions that haven’t been invested in and therefore cannot manage to keep pace with the rapid shift in work practices and technology. Yet the myth that RBI solutions are too cumbersome to be effective is projected on the market as widespread truth.
Today, as we know, work is done on the Internet — from web-based development platforms to collaboration tools in the cloud to CRM and ERP solution providers. The distribution of users, devices, applications, and services has only increased over the course of the global pandemic, expanding enterprises’ threat surfaces to anywhere a company does business.
So, yes — RBI solutions that were designed before the shift in the way we work are ill equipped to protect enterprises from malware, ransomware, Zero Day attacks, phishing, and other threats without impacting the way people work.
But why would you use any technology built for a world that doesn’t exist anymore? Modern cloud-based RBI solutions are ideally suited for today’s distributed enterprise precisely because they provide complete protection for distributed assets without impacting the end-user experience.
Delivered through the Secure Web Gateway (SWG) as a cloud service, RBI can act as the front door of your protection strategy by preventing threats from gaining the ever-critical initial access to the endpoint. Rather than rely on a detect-and-respond approach, isolation stops the initial breach before threat actors have a chance to spread laterally throughout the network. At the same time, security administrators get all the granular controls and policy enforcement they need while minimizing power draw and keeping the user experience intact.
Here are four myths about RBI and why they are misleading and false:
1. RBI changes fundamental browser features, encouraging security risk.
Some legacy RBI solutions require a separate address bar, limit the number of open tabs, and change the fundamental features of popular browsers like Chrome and Firefox. Some even require users to use proprietary browsers, which annoys and distracts users who are just trying to get their work done. If you change users’ browsing experience, you run the risk of users finding workarounds that neuter security controls and protections. However, modern RBI solutions don’t have this problem because they work invisibly in the background with no changes to the way browsers function.
2. RBI makes websites look weird, limiting what users can do and impacting user productivity.
On a related note, some legacy RBI solutions use isolation techniques that radically change the content delivered to the end device. This is done by pixel or video rendering of the web page or by converting active content to read only. This, as you can imagine, is completely disruptive to productivity. Users are unable to intuitively interact with websites or take advantage of all the content they have to offer. Modern RBI solutions, however, give users the same web page that everyone else gets, just with any malicious content taken out. Users should still be able to copy, paste, print, safely click, and securely fill out web forms and enjoy all the interactive content the authors intended.
3. RBI saps bandwidth and increases latency, slowing performance for users.
Again, this criticism is leveled against legacy RBI solutions that require all Internet traffic to be routed back to secured data centers. This requires a massive amount of bandwidth and increases latency, as traffic is forced to travel from the source to the data center and then back out to a distributed user. As a result, many RBI vendors limit bandwidth as a cost-saving measure — building major performance inhibitors directly into their architecture. Modern cloud-based RBI solutions, on the other hand, provide complete protection against malicious threats without rerouting traffic to a central control point. A ubiquitous Global Elastic Cloud enables rapid provisioning of users while ensuring that security controls created and managed by the security team follow users wherever business takes them — whether it’s home, the office, or the road — without slowing performance.
4. RBI limits collaboration by making it hard to share and download files.
Sharing files and documents is a big part of a collaborative workspace, as users from different locations are asked to seamlessly work together. For reasons outlined above, legacy RBI tools put strict size limits on downloaded files, forcing users to create workarounds that increase security risk. But modern RBI solutions are built for today’s Internet, putting no restrictions on file size and allowing users to share and access any document pertinent to their job without limits.
5. RBI increases the attack surface.
RBI solutions can look quite different under the hood. Some use Document Object Mirroring (DOM) to run content in the browser, which essentially recreates the web page on the endpoint while isolating the components of the page, while others send screenshots from the remote server to the endpoint in what’s known as image rendering. While it may be technically true that solutions that leverage DOM use a greater subset of HTML5 code to display content than those that use image rendering, this doesn’t increase the attack surface when all active content is blocked from being executed on the endpoint. Without active content on the endpoint, it’s virtually impossible for an attacker to pull off a breach. While security differences between image rendering-based solutions and DOM-based solutions are negligible, DOM-based solutions have a clear advantage when it comes to user experience and latency improvements.
Modern workforces require modern solutions
The balance between providing protection against malicious threats and not impacting productivity is a battle that security teams have been dealing with for decades. And, yes, legacy RBI tools designed for a pre-digital transformation world can change how users interact with the Internet. Even the makers of these solutions admit as much. This causes users to find dangerous workarounds that increase security risks. Modern RBI solutions, however, can provide complete protection without impacting the way people work. As more business is conducted online through web apps and Software as a Service (SaaS) platforms, this balance is becoming more essential every day. In order to compete, keep up with competitors, and enable business agility while maximizing security, organizations are finding that it’s absolutely critical to implement an RBI solution built for today’s modern enterprise.
The post Remote browser isolation (RBI) myths debunked appeared first on Menlo Security.
*** This is a Security Bloggers Network syndicated blog from Menlo Security authored by Mark Guntrip. Read the original post at: https://www.menlosecurity.com/blog/remote-browser-isolation-rbi-myths-debunked/