Remote Browser Isolation
In today’s digital landscape, where cyber threats continue to evolve at an alarming rate, businesses and individuals alike are constantly seeking innovative solutions to safeguard their sensitive information. One such solution that has gained significant attention is Remote Browser Isolation (RBI). In this blog post, we will explore what RBI is, how it works, and its role in enhancing security in the digital era.
Remote Browser Isolation, as the name suggests, is a technology that isolates web browsing activity from the user’s local device. Instead of directly accessing websites and executing code on the user’s computer or mobile device, RBI redirects browsing activity to a remote server, where the web page is rendered and interactions are processed. This isolation prevents any malicious code or potential threats from reaching the user’s device, effectively minimizing the risk of a cyberattack.
Highlights: Remote Browser Isolation
- Challenging Landscape
Our digital environment has been transformed significantly. Unlike earlier times, we now have different devices, access methods, and types of users accessing applications from various locations. This makes it more challenging to know which communications can be trusted. The perimeter-based approach to security can no longer be limited to just the physical location of the enterprise.
- A Fluid Perimeter
In this modern world, the perimeter is becoming increasingly difficult to enforce as organizations adopt mobile and cloud technologies. Hence, Remote Browser Isolation (RBI) has become integral to the SASE definition. For example, Cisco Umbrella products have several Zero Trust SASE components, such as the CASB tools, and now RBI is integrated into one solution.
- It's Just a Matter of Time
Under these circumstances, the perimeter is more likely to be breached; it’s just a matter of time. A bad actor would then be relatively free to move laterally, potentially accessing the privileged intranet and corporate data on-premises and in the cloud. Therefore, we must assume that users and resources on internal networks are as untrustworthy as those on the public internet and design enterprise application security with this in mind.
Back to basics with remote browser isolation
Remote browser isolation (RBI), also known as web isolation or browser isolation, is a web security solution developed to protect users from Internet-borne threats. Browser isolation comes in two forms: on-premise isolation and remote browser isolation.
On-premise browser isolation functions similarly to remote browser isolation. But instead of taking place on a remote server, which could be in the cloud, the browsing occurs on a server inside the organization's private network, which could be in the DMZ. So why would you choose on-premise isolation as opposed to remote browser isolation?
Firstly, performance. On-premise isolation can reduce latency compared to some types of remote browser isolation that need to be done in a remote location.
The Concept of RBI
The concept of RBI is based on the principle of “trust nothing, verify everything.” By isolating web browsing activity, RBI ensures that any potentially harmful elements, such as malicious scripts, malware, or phishing attempts, are unable to reach the user’s device. This approach significantly reduces the attack surface and provides an added layer of protection against threats that may exploit vulnerabilities in the user’s local environment.
So, how does Remote Browser Isolation work in practice? When a user initiates a web browsing session, instead of directly accessing the website, the RBI solution establishes a secure connection to a remote server. The remote server acts as a virtual browser, rendering the web page, executing potentially dangerous code, and processing user interactions.
Only the harmless visual representation of the webpage is transmitted back to the user’s device, ensuring that any potential threats are confined to the isolated environment.
Key Advantages
One of the key advantages of RBI is its ability to protect against both known and unknown threats. Since the browsing activity is isolated from the user’s device, even if a website contains an undiscovered vulnerability or a zero-day exploit, the user’s device remains protected. This is particularly valuable in today’s dynamic threat landscape, where new vulnerabilities and exploits are constantly being discovered.
Furthermore, RBI offers a seamless user experience, as it allows users to interact with web pages just as they would with a traditional browser. Whether it’s submitting forms, watching videos, or accessing web applications, users can perform their desired actions without compromising security. From an IT perspective, RBI also simplifies security management, as it enables centralized control and monitoring of browsing activity, making it easier to identify and address potential threats.
As organizations increasingly adopt cloud-based infrastructure and embrace remote work, Remote Browser Isolation has emerged as a critical security solution. By isolating web browsing activity, businesses can effectively protect their sensitive data, intellectual property, and customer information from cyber threats. RBI significantly reduces the risk of successful attacks, enhances overall security posture, and provides peace of mind to both organizations and individuals.
What within the perimeter makes us assume it can no longer be trusted?
Security becomes less and less tenable once there are many categories of users, device types, and locations. Users are diverse, so it is impossible, for example, to slot all vendors into one user segment with uniform permissions.
As a result, access to applications should be based on contextual parameters such as who and where the user is. And sessions should be continuously assessed to ensure they’re legit.
We need to find ways to decouple security from the physical network and, more importantly, to decouple application access from the network. In short, we need a new approach to providing access to the cloud, network, and device-agnostic applications. This is where Software Defined Perimeter (SDP) comes into the picture.
What is a Software-Defined Perimeter (SDP)?
SDP VPN complements zero trust, which considers internal and external networks and actors untrusted. The network topology is divorced from the trust. There is no concept of inside or outside of the network.
This may result in users not automatically being granted broad access to resources simply by virtue of being inside the perimeter. Primarily, security pros must focus on solutions where they can set and enforce discrete access policies and protections for those requesting to use an application.
SDP lays the foundation and secures the access architecture, which enables an authenticated and trusted connection between the entity and the application. Unlike security based solely on IP, SDP does not grant access to network resources based on a user’s location.
Access policies are based on device, location, state, associated user information, and other contextual elements. The applications are considered in the abstract, so whether they run on-premise or in the cloud is irrelevant to the security policy.
- Periodic Security Checking
Clients and their interactions are periodically checked to ensure they comply with the security policy. Periodic security checking protects against additional actions or requests that are not allowed while the connection is open. Let's say you have a connection open to a financial application, and a user starts recording software to record the session.
In this case, the SDP management platform can check whether the software has been started. If so, it employs protective mechanisms to ensure smooth and secure operation.
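The contextual policy and periodic check described above can be modelled as follows. This is an added example, not code from any SDP product: the policy fields, the process name screenrec.exe and the decision to close the session on a failed check are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical policy: every name and value is an assumption for illustration.
POLICY = {
    "finance-app": {
        "roles": {"finance"},
        "countries": {"IE", "GB"},
        "managed_device_only": True,
        "forbidden_processes": {"screenrec.exe"},
    }
}

@dataclass
class Context:
    role: str
    country: str
    managed_device: bool
    processes: set = field(default_factory=set)

def evaluate(app, ctx):
    """Return (allowed, reason) for the current context; default is deny."""
    rule = POLICY.get(app)
    if rule is None:
        return False, "no policy for application"
    if ctx.role not in rule["roles"]:
        return False, "role not permitted"
    if ctx.country not in rule["countries"]:
        return False, "location not permitted"
    if rule["managed_device_only"] and not ctx.managed_device:
        return False, "unmanaged device"
    hits = ctx.processes & rule["forbidden_processes"]
    if hits:
        return False, "forbidden process: " + ", ".join(sorted(hits))
    return True, "ok"

def monitor(app, snapshots):
    """Re-evaluate an open session at each periodic check; stop at first deny."""
    log = []
    for tick, ctx in enumerate(snapshots):
        allowed, reason = evaluate(app, ctx)
        log.append((tick, allowed, reason))
        if not allowed:
            break  # assumed protective action: the session is closed here
    return log

# Constructed session: compliant at connect time, recorder started at check 2.
base = dict(role="finance", country="IE", managed_device=True)
SNAPSHOTS = [
    Context(**base),
    Context(**base, processes={"excel.exe"}),
    Context(**base, processes={"excel.exe", "screenrec.exe"}),
    Context(**base),
]
```

The same evaluation runs at connect time and at every later check, so a session that was compliant when opened loses access as soon as its context stops matching the policy.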
Microsegmentation
Front-end authentication and periodic checking are one part of the picture. However, we need to go a layer deeper to secure the front door to the application and the numerous doors within, which can potentially create additional access paths. Primarily, this is the job of microsegmentation.
It’s not sufficient to provide network access. We must enable granular application access for dynamic segments of one. In this scenario, a microsegment is created for every request. Microsegmentation creates the minimal accessible network required to complete specific tasks smoothly and securely. This is accomplished by subdividing larger networks into small, secure, and flexible micro-perimeters.
Introducing Remote Browser Isolation (RBI)
SDP provides mechanisms to prevent lateral movement once users are inside the network. However, we must also address how external resources on the internet and public clouds can be accessed while protecting end-users, their devices, and the networks they connect to. This is where remote browser isolation (RBI) and technologies such as Single Packet Authorization come into the picture.
What is Remote Browser Isolation? Initially, we started with browser isolation, which protects the user from external sessions by isolating the interaction. Essentially, it generates complete browsers within a virtual machine on the endpoint, providing a proactive approach to isolate users’ sessions from, for example, malicious websites, emails, and links. But these solutions do not reliably isolate the web content from the end-user’s device on the network.
Remote browser isolation takes local browser isolation to the next level by enabling the rendering process to occur remotely from the user’s device in the cloud. Because only a clean data stream touches the endpoint, users can securely access untrusted websites from within the perimeter of the protected area.
SDP, along with Remote Browser Isolation (RBI)
In many important ways, remote browser isolation complements the SDP approach. When you access a corporate asset, you operate within the SDP. But when you need to access external assets, RBI is needed to keep you safe.
Zero trust and SDP are about authentication, authorization, and accounting (AAA) for internal resources, but there must be secure ways to access external resources. For this, RBI secures browsing elsewhere on your behalf.
No SDP solution can be complete without including rules to secure external connectivity. RBI takes zero trust to the next level by securing the internet browsing perspective. If access is to an internal corporate asset, we create a dynamic tunnel of one individualized connection. For external access, RBI transfers information without full, risky connectivity.
This is particularly crucial when it comes to email attacks like phishing. Malicious actors use social engineering tactics to convince recipients to trust them enough to click on embedded links.
Quality RBI solutions protect users by “knowing” when to allow user access while preventing malware from entering endpoints, entirely blocking malicious sites, or protecting users from entering confidential credentials by enabling read-only access.
The RBI Components
To understand how RBI works, let’s look under the hood of Ericom Shield. With RBI, for every tab a user opens on their device, the solution spins up a virtual browser in its dedicated Linux container in a remote cloud location. For additional information on containers, see Docker Container Security in particular.
For example, if the user is actively browsing 19 open tabs on his Chrome browser, each will have a corresponding browser in its remote container. This sounds like it takes a lot of computing power, but enterprise-class RBI solutions do a lot of optimizations to ensure that it is not eating up too much of the endpoint resources.
If a tab is unused for some time, the associated container is automatically terminated and destroyed. This frees up computing resources and also eliminates the possibility of persistence.
As a result, whatever malware may have resided on the external site being browsed is destroyed and cannot accidentally infect the endpoint, server, or cloud location. When the user shifts back to the tab, he is reconnected in a fraction of a second to the exact location but with a new container, creating a secure enclave for internet browsing.
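The per-tab container lifecycle described above, as a toy model. This is an added example, not Ericom Shield code: the class and method names, the container IDs and the 300-second idle timeout are assumptions, since the page gives no figure.

```python
import itertools

IDLE_TIMEOUT = 300  # seconds; assumed value, the page gives no figure

class BrowserFarm:
    """Toy model: one disposable container per tab, destroyed when idle."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.tabs = {}  # tab_id -> dict(container, url, last_seen, state)

    def _spawn(self, url, now):
        # A new container always starts with empty state (no cookies, no files).
        return {"container": f"ctr-{next(self._ids)}", "url": url,
                "last_seen": now, "state": {}}

    def open_tab(self, tab_id, url, now):
        self.tabs[tab_id] = self._spawn(url, now)
        return self.tabs[tab_id]["container"]

    def reap(self, now):
        """Destroy containers of tabs idle for IDLE_TIMEOUT or longer."""
        reaped = []
        for tab in self.tabs.values():
            if tab["container"] and now - tab["last_seen"] >= IDLE_TIMEOUT:
                reaped.append(tab["container"])
                tab["container"], tab["state"] = None, None  # nothing persists
        return reaped

    def focus(self, tab_id, now):
        """User returns to a tab: same URL, but a fresh container if reaped."""
        tab = self.tabs[tab_id]
        if tab["container"] is None:
            self.tabs[tab_id] = tab = self._spawn(tab["url"], now)
        tab["last_seen"] = now
        return tab["container"]

def demo():
    farm = BrowserFarm()
    first = farm.open_tab("tab-1", "https://news.example/article", now=0)
    farm.open_tab("tab-2", "https://video.example/watch", now=0)
    # Constructed stand-in for whatever a visited page left in the container.
    farm.tabs["tab-1"]["state"]["leftover"] = "marker"
    farm.focus("tab-2", now=200)        # tab-2 stays active
    reaped = farm.reap(now=300)         # only tab-1 has been idle for 300 s
    second = farm.focus("tab-1", now=301)
    return first, reaped, second, farm.tabs["tab-1"]
```

After the idle tab is reaped, returning to it yields the same URL in a different container whose state is empty, which is the property that removes persistence.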
A key point: Website rendering
Website rendering is carried out in real-time from the remote browser. The web page is translated into a media stream, which then gets streamed back to the end-user via HTML5 protocol. In reality, the browsing experience is made out of images. When you look at the source code on the endpoint browser, you will find that the HTML code consists solely of a block of Ericom-generated code. This block manages the sending and receiving of images via the media stream.
Whether the user is accessing the Wall Street Journal or YouTube, they will always get the same source code from Ericom Shield. This is ample proof that no local download, drive-by download, or any other contact that may try to hook up into your endpoint will ever get there, as it does not come into contact with the endpoint. It runs only remotely in a container outside the local LAN. The browser farm does all the heavy — and dangerous — lifting via container-bound browsers that read and execute the user’s uniform resource locator (URL) requests.
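One way to check the "same source code for every site" property on a deployment is to capture the HTML the endpoint browser received for several destinations and audit it. This is an added example, not vendor code: the gateway host name and the captured markup are constructed, and it assumes any per-session values have been stripped from the captures before comparison.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

GATEWAY = "rbi-gateway.example"   # hypothetical isolation service host

class RefCollector(HTMLParser):
    """Collect hosts of every src/href the endpoint browser would fetch."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = urlparse(value).hostname
                if host:                  # relative URLs stay on the gateway
                    self.hosts.add(host)

def audit(captures):
    """captures maps the site the user asked for -> HTML seen on the endpoint."""
    digests, findings = set(), []
    for site, html in captures.items():
        digests.add(hashlib.sha256(html.encode()).hexdigest())
        parser = RefCollector()
        parser.feed(html)
        foreign = parser.hosts - {GATEWAY}
        if foreign:
            findings.append((site, "loads from " + ", ".join(sorted(foreign))))
        if urlparse(site).hostname in html:
            findings.append((site, "origin hostname present in endpoint markup"))
    if len(digests) > 1:
        findings.append(("*", "endpoint source differs between sites"))
    return {"uniform": len(digests) == 1, "findings": findings}

# Constructed captures: the same shell for two sites, then a leaking one.
SHELL = ('<html><body><canvas id="view"></canvas>'
         '<script src="https://rbi-gateway.example/client.js"></script>'
         '</body></html>')
GOOD = {"https://news.example/": SHELL, "https://video.example/": SHELL}
LEAK = '<script src="https://cdn.shop.example/t.js"></script></body>'
BAD = dict(GOOD, **{"https://shop.example/": SHELL.replace("</body>", LEAK)})
```

A capture that differs from the others, references a host other than the gateway, or mentions the origin site means content from the destination reached the endpoint and the isolation claim does not hold for that session.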
Summary
SDP vendors have figured out device user authentication and how to secure sessions continuously. However, vendors are now looking for a way to secure the tunnel through to external resource access.
The session can be hacked or compromised if you use your desktop to access a cloud application. But with RBI, you can maintain one-to-one secure tunneling. With a dedicated container for each specific app, you are assured of an end-to-end zero-trust environment.
RBI, based on hardened containers and with a rigorous process to eliminate malware through limited persistence, forms a critical component of the SDP story. The power of RBI is that it stops known and unknown threats, making it a natural evolution from the zero-trust perspective.
In conclusion, Remote Browser Isolation plays a crucial role in enhancing security in the digital era. By isolating web browsing activity from the user’s device, RBI provides an effective defense against a wide range of cyber threats. With its ability to protect against both known and unknown threats, RBI offers a proactive approach to cybersecurity, ensuring that organizations and individuals can safely navigate the digital landscape. As the threat landscape continues to evolve, Remote Browser Isolation will undoubtedly remain a key component of a comprehensive security strategy.