Innovation Insight: Secure Enterprise Browsers

1 April 2025 - ID G00828063 - 11 min read
By Evgeny Mirolyubov, Max Taggett and 1 more
Web browsers are the primary access method for most modern corporate applications and provide an endpoint-agnostic enterprise security control point. This research shows how infrastructure security leaders can use a secure enterprise browser to reduce risk and improve the digital experience.

Overview


Key Findings

  • Organizations that primarily rely on SaaS applications, with minimal branch locations or cyber-physical systems (CPS) to secure, need a simpler method of managing security technology than traditional security stacks. Secure enterprise browsers (SEBs) fulfill that need. In addition, SEBs enable segmented access from unmanaged or lightly managed end-user devices and bring-your-own-PC (BYOPC) devices, where deploying endpoint agents would be inappropriate for privacy or maintenance reasons.
  • Network security solutions often result in increased latency due to the need to steer traffic to the cloud and perform decryption, including the need to block or disable Quick UDP Internet Connections (QUIC) traffic. As a result, inspecting sensitive content at the endpoint may become a higher priority requirement in the future.
  • SEBs embed enterprise security controls into the native web browsing experience using a customized browser or extension for existing browsers, instead of adding bolt-on controls at the endpoint or network layer. SEBs also enable segmented access to SaaS applications tunneled directly from web browsers, minimizing the need for full endpoint agents and tunnels.
  • Threat actors frequently target employees with phishing attacks to steal credentials and bypass endpoint detection and response controls, necessitating an additional layer of visibility and control within the web browser.

Recommendations

  • Start with incumbent vendors and existing browser management controls before investigating independent SEB offerings.
  • Address niche SEB use cases first by focusing on scenarios such as web and SaaS application access for contractors, third parties, shared kiosks requiring web-only access, and remote workers in cloud-based environments requiring only web, SaaS and virtualized apps.
  • Deploy an SEB as a complementary tool to address gaps in existing controls on managed devices rather than a replacement for existing security controls, unless you are a cloud-only, remote-work-oriented company with few physical locations to secure.
  • Choose to deploy a full SEB when you need device posture assessment capabilities and direct control over browser extensions, and when organizational policies permit the installation of full SEB software. Choose to deploy an SEB extension when end users require greater flexibility in their choice of a browser and when the priority is securing access to applications, rather than assessing device posture or exerting direct control over unauthorized browser extensions.

Strategic Planning Assumption


By 2028, 25% of organizations will augment existing secure remote access and endpoint security tools by deploying at least one secure enterprise browser technology to address specific gaps.

Introduction


Established hybrid work patterns, increased use of lightly managed and unmanaged end-user devices and BYOPC in the modern workplace, and increased SaaS adoption have led to more work being done through web browsers. While these trends offer greater employee flexibility, they also introduce significant challenges related to maintaining a consistent digital employee experience (DEX) and managing security complexity.
Network security solutions often degrade DEX due to increased latency introduced by the need to steer traffic to the cloud and perform decryption. The proliferation of devices and application access methods — ranging from virtual private networks (VPNs) and virtual desktop infrastructure (VDI) to security service edge (SSE) — has also resulted in poor DEX for employees, contractors and third parties that require secure access to an organization’s data and applications. Based on data from Gartner’s 2024 Digital Worker Survey, nearly one-third of digital workers use a mix of six different devices, including personal devices, work-provided laptops, desktops and mobile phones, as well as virtual desktops accessed through thin clients or other computers.[1]
Concurrently, IT and security teams face the daunting task of managing this complexity while securing access to the organization and protecting data against loss to personal and third-party devices that are not managed by the organization. These challenges substantially increase complexity and operational costs for many organizations with limited resources and a growing stack of disjointed security solutions.
This research shows how infrastructure security leaders can leverage secure enterprise browsers (SEBs) to improve DEX, reduce endpoint threats and manage the risk of data loss. By serving as an endpoint-agnostic control point for end-user devices, SEBs help alleviate threats originating from unmanaged or lightly managed end-user devices and third-party access, reduce the need for in-line traffic decryption, and streamline real-time security at the edge. SEBs are best suited for organizations that prioritize remote work and primarily use web and SaaS applications. Figure 1 illustrates the capabilities of SEBs.
Figure 1. Capabilities of Secure Enterprise Browsers

Description


Gartner defines a secure enterprise browser as a solution that delivers enterprise security policies and controls through a centrally managed custom web browser or browser extension. SEBs provide security and policy enforcement for web, SaaS and private applications, as well as browser hardening delivered through the browser rather than at the endpoint OS or network level. SEBs also enable visibility, control and auditability of web application data accessed by end users from managed, lightly managed or unmanaged devices without the need for in-line decryption of web traffic.
SEBs can replace or augment browsers already in use and add a new security control point. Other security capabilities include:
  • Adaptive access to SaaS and other browser-delivered apps based on user identity and device posture assessment
  • Browser extension audit, risk profiling and control
  • Web content filtering
  • Data loss prevention (DLP)
  • Identity protection
  • Antiphishing controls
  • Browser attack surface hardening
  • Centralized visibility and reporting
  • Centralized policy management
  • Multifactor authentication (MFA)
  • Application usage, performance and behavioral analytics
SEBs support employee and third-party access wherever they can be installed. SEBs can be deployed as stand-alone solutions or as part of a broader endpoint and network security solution set.

Benefits and Uses


Organizations deploying SEBs can:
  • Enhance existing endpoint and network security controls with an additional layer of protection within the web browser.
  • Enforce enterprise security policies and gain web traffic visibility without requiring in-line decryption, potentially improving application performance and latency.
  • Simplify security policy management compared with traditional technology stacks, reducing the need for endpoint agents and tunnels (for organizations with minimal branch locations and CPS to secure).
  • Provide secure, segmented access to web and SaaS applications to employees, contractors and third parties, regardless of whether the device is managed, lightly managed or unmanaged (not enrolled in the organization’s endpoint management tool).
  • Facilitate lightweight endpoint posture assessment for managed, lightly managed and unmanaged end-user devices attempting to access the organization’s applications and data.
  • Extend DLP capabilities to lightly managed and unmanaged end-user devices accessing organizational applications and data.
  • Support the transition from legacy client applications to modern SaaS application delivery.
  • Complement or reduce reliance on VPNs, VDI and desktop as a service (DaaS) for organizations prioritizing remote or third-party work and cloud delivery.
  • Protect shared kiosks and other thin client operating systems (such as IGEL and eLux) by providing only essential capabilities, thereby maintaining a smaller attack surface and prioritizing security over flexibility.
  • Augment antiphishing and credential theft protection capabilities — such as protection against reuse of corporate credentials on unauthorized or phishing websites — on devices where browser usage is restricted to selected SEBs.
  • Enhance visibility and reporting of web application usage, performance and employee behavioral analytics for lightly managed or unmanaged devices, and for organizations without a mature DEX strategy.
  • Enable lightweight BYOPC to support critical web applications for disaster recovery and business continuity use cases.

Risks


  • There may be organizational resistance to adopting a separate SEB to replace freely available consumer offerings.
  • There is significant market hype, and promised future capabilities may never materialize.
  • Most organizations already have two or more browsers (Google Chrome, Microsoft Edge, Apple Safari) and are not fully managing these today. IT’s desire to add another browser is low because of the increased management overhead.
  • The utility of SEBs may be limited due to capability overlaps with other tools and constraints in addressed use cases. This is especially true given the costs and the necessity to maintain existing endpoint and network security controls, such as those needed for branch office security or behavioral endpoint protection.
  • SEBs can only be deployed to end-user endpoints. Use cases, such as branch office security or protection of CPS assets, are not supported.
  • SEBs cannot address legacy infrastructure or nonweb-based client applications, which require continued use of a VPN and VDI/DaaS.
  • Initial deployment and onboarding can be complex due to the multitude of features integrated into a single product. Additionally, the technology is still in its early stages of maturity, and configuration management workflows are not fully developed in most products.
  • Most organizations haven’t identified sufficient gaps with existing browsers, security or endpoint management tools and processes to justify the incremental cost of SEBs, especially if they cannot offset the cost elsewhere.
  • SEB security controls may lack granularity and customization depth, which are often part of complex enterprise requirements for security products. For example, stand-alone SEBs may only support their own set of regex-based DLP controls rather than integration with existing DLP technologies and policies.
  • SEBs are already being included in broader SASE, SSE, EPP and ESP offerings, potentially reaching a plateau in development and progress.
  • Adding a stand-alone SEB to an endpoint that already has an SSE agent may cause conflicts — for example, with content filtering.
  • Working wholly within a web browser may actually degrade the user experience for workers who need to shift context between multiple applications, or for those who need to access nonweb applications using modified web front ends hosted in a browser (for example, collaboration, software development tools, SSH and RDP clients).

Adoption Rate


Gartner estimates that less than 10% of organizations have adopted a secure enterprise browser.

Alternatives


VDI, DaaS, VPN, SASE, SSE, ZTNA, RBI, RPAM, endpoint access isolation

Recommendations


  • Start with incumbent vendors and existing browser management controls before investigating independent SEB offerings.
  • Address niche SEB use cases first by focusing on scenarios such as web and SaaS application access for contractors, third parties, shared kiosks requiring web-only access, and remote workers in cloud-based environments requiring only web, SaaS and virtualized apps.
  • Deploy an SEB as a complementary tool to address gaps in existing controls on managed devices rather than a replacement for existing security controls, unless you are a cloud-only, remote-work-oriented company with few physical locations to secure. SEBs help address gaps such as poor user experience caused by latency from traffic decryption, and administration complexity due to multiple secure remote access technologies for various end-user devices.
  • Choose to deploy a full SEB when you need device posture assessment capabilities and direct control over browser extensions, and when your organizational policies permit the installation of full SEB software. Organizationwide deployments of full SEBs are for security-conscious organizations aiming to standardize on a single browser. Such organizations should prepare to address organizational resistance to replacing freely available consumer browsers with an SEB.
  • Choose to deploy an SEB extension on devices where end users require greater flexibility in their choice of a browser. SEB extensions are primarily suitable for devices where the priority is gaining visibility and securing access to web applications, rather than assessing device posture or exerting direct control over unauthorized or suspicious browser extensions.
  • Do not force staff to replace native OS applications — such as collaboration tools, software developer tools, or SSH and RDP clients — until there is sufficient buy-in that the user experience is acceptable.

Representative Providers


Check Point Software Technologies; Ermes Cyber Security; Google; Island; LayerX; Menlo Security; Netskope; Palo Alto Networks; Seraphic Security; SURF Security

Evidence


[1] 2024 Gartner Digital Worker Survey. This survey sought to understand workers’ technological and workplace experience and sentiments. The research was conducted online from April through July 2024 among 5,141 respondents, who were from the U.S. (n = 1,121), Australia (n = 1,086), India (n = 996), the U.K. (n = 973) and China (n = 965). Participants were screened for full-time employment in organizations with 100 or more employees and were required to use digital technology for work purposes. Ages ranged from 18 through 74 years old, with quotas and weighting applied for age, gender, region and income, so that results were representative of countries’ working populations. We defined “digital technology” as including any combination of technological devices (such as laptops, smartphones and tablets), applications, and web services that people use for communication, information or productivity. Disclaimer: The results of this survey do not represent global findings or the market as a whole, but reflect the sentiments of the respondents and companies surveyed.
This research draws on analysis of conversations between Gartner analysts and end-user clients from March 2023 through March 2025.
Analysis of SEB capabilities in this research is not tied to one particular vendor’s offering. We researched multiple vendors and their capabilities using private and public resources, such as vendor documentation, end-user inquiries, data sheets and vendors’ briefings to Gartner analysts.

Contributors


Dan Wilson

Acronym Key and Glossary Terms


BYOPC: bring your own PC
DaaS: desktop as a service
DEX: digital employee experience
EPP: endpoint protection platform
ESP: email security platform
RDP: remote desktop protocol
RPAM: remote privileged access management
SASE: secure access service edge
SEB: secure enterprise browser
SSE: security service edge
SSH: Secure Shell
VDI: virtual desktop infrastructure
VPN: virtual private network
ZTNA: zero-trust network access