How can you cost-effectively isolate your browsers?

The curse of internet-based threats is increasingly affecting small businesses as well as individual internet users, who are some of the most vulnerable members of the internet-using community and a group less likely to have the resources to properly protect themselves.

The more technically aware amongst you will have known for a long time that your anti-virus and firewall do not really protect anybody in any way. They have failed to protect the majority from malware, viruses and the more nefarious cyberattacks, where attackers encrypt your data and refuse to decrypt it without a fat buttcoin ransom payment.

Larger businesses, the federal government and those with more money to spend on cybersecurity are increasingly leveraging new technologies and a cybersecurity model called browser isolation, or remote browsing to those of us who consume Gartner.

Browser isolation and remote browsing are easily the low-hanging fruit when it comes to solving the problem of malware attacks, because the browser is where most malware attacks originate. It is the window through which the vast majority of internet users see the world and is almost always the original source of infection.

Using remote browsers to physically isolate your browser and browsing activity away from your local machine and your data is by far the most sensible way to protect yourself from cyber attack. You simply insulate yourself from the internet when you touch it, making sure that it cannot touch you back.

Browser isolation is the sexiest new way of protecting your users from malware and cyberattack according to Gartner, and perhaps because of this I may get a girlfriend. But how do you isolate your users' browsers and, more importantly, deliver a remote browser solution in a cost-effective way?

It can be as easy as running open source VirtualBox on your desktop and using a VM to browse the internet, a solution used by many that is an effective way of containing malware, even if it is crude and clumsy at scale.

There are a number of ways to accomplish browser isolation and a number of companies approaching the problem from different angles, all of them trying to achieve more or less the same goal. Some remote browser isolation solutions stream a remote browser to you over the internet, others let you connect to a remote browser hosted on a third-party server, and there are others which force you to install hypervisors onto your local machine; client wank solutions, they are called.

We were the first to develop the remote browser isolation model in collaboration with the National Nuclear Security Administration at Lawrence Livermore National Laboratory, except that we called it Safeweb and this was back in 2010 when the best technology we had to isolate remote browsers was VDI technology.

Back then virtualization was the most effective way to isolate the internet facing activity of your everyday internet user and it was an absolute godsend at a time when persistent cyberattacks were rapidly becoming the norm. Instead of letting your users browse the internet on their local machines through a local browser, we simply gave them a remote browser on a virtual desktop and it was a wonderfully effective way of protecting large amounts of users.

This browser isolation model has since evolved and spread, but today thousands of federal government employees call this remote browsing model 'Safeweb' and use remote browsers to connect to the open internet.

Thankfully we have come a long way since the early Safeweb projects at Lawrence Livermore. My team and I have been working hard over the last few years with Sandia building a next generation Safeweb platform that we call the Safeweb Engine. The Engine is based on the Safeweb remote browser isolation model.

We realized early on that in order to be successful, the Safeweb remote browser isolation model had to protect lots of users in a cost effective way and the problem with using virtualization for remote browser isolation is that it is not in any way fit for purpose.

Using virtualization to isolate remote browsing compute loads requires you to pay for a lot more server infrastructure than you really want to have to deal with for this risk load, and it gets eye-wateringly expensive at scale. The way around this is not to install the hypervisor on the client, as some have previously tried and failed to do, because this breaks the core security through physical isolation model that we all love to hate.

If you really want to protect a huge amount of everyday internet users by providing them with remote browsers in a cost effective way, then container based platforms are the way forward in terms of the server infrastructure required to run them. I am quite proud of the fact that nobody else does what we do, in quite the way we do it, or that few fail to grasp the nuance around our work.

When it comes to isolating thousands of individual remote browsing compute workloads simultaneously, containerization is an infinitely more efficient way of dealing with these workloads than virtualization and we recognize that now, but it's only recently that we have turned towards containerization as a way of handling browser isolation as a space.

Malware, ransomware, advanced persistent threats and other kinds of cyber attack are a problem for everyone, not just large businesses and the government, but the browser isolation model is still too expensive for the many, something my co-founders and I set out to change with Safeweb. Browser isolation is quite clearly the future of cybersecurity, but only if it becomes cost effective enough to protect the many, a problem that we have finally solved.
