There is a new cyber domain/niche that is trying to change how we do inline cyber security, called Enterprise Browser or Browser Isolation; there are many vendors in the space that are in the way compete with traditional SWG and ZTNA, and I am wondering what do you think on the space. What are some pros and cons, and is there a need for education on the topic?

Security & GRC
3k views1 Upvote6 Comments
CIO in Services (non-Government), 201 - 500 employees
I have always maintained that our Browsers are the number one way for end-users and their devices to get infected/infested with Malware, Spyware, Ransomware, etc, and that we need a completely different approach to browsing in general.  BY completely sandboxing/sequestering the browser from our main device/OS, we can try to stop the onslaught of dangerous attacks from bad actors.  It's a pity there's no silver bullet for users' bad browsing habits though.
Chief Information Security Officer in Healthcare and Biotech, 1,001 - 5,000 employees
The basic idea behind browser isolation is to keep the user's browsing activity separate from their local device by running the web browser in a remote virtual environment. This virtual environment, also known as a sandbox, is isolated from the user's local device and is designed to prevent any malicious code from reaching the user's device. 

There are two main types of browser isolation: server-side isolation and client-side isolation. Server-side isolation involves running the web browser on a remote server, while client-side isolation involves running the browser on the user's device in a virtualized environment. 

Both methods provide similar protection against web-based threats but have different trade-offs in performance, scalability, and user experience. 
Browser isolation is becoming an increasingly popular cybersecurity technique, particularly in remote work and cloud computing, where users may access sensitive data and applications from untrusted networks and devices.
1
Director of Consulting in Energy and Utilities, 201 - 500 employees
The previous posters did a great job of describing browser isolation. I don't think BI is competing directly with SWG, it is complimentary to addressing web as a threat vector and you should still have the upstream filtering capabilities to manage your users' web access.
Furthermore if you flip BI, using it as a reverse proxy you have the ability to provide isolation between your clients and applications. This could also be complimentary to your ZT aspirations. Some BI solutions provide high levels of assurance in this space and we are seeing those deployed as bridges into management networks or access of OT environments where air gaps would normally be maintained.
Global Chief Cybersecurity Strategist & CISO in Healthcare and Biotech, Self-employed
It's not new. Another marketing gimmick. Browser isolation, which involves running web browsers in isolated environments to enhance security, started gaining prominence around the mid-2010s companies like Symantec offered it as an example. However, the concept of isolating web browsers to protect against malware and web-based threats had been explored in research and development efforts prior to this period. Since then, browser isolation technology has continued to evolve as a valuable cybersecurity strategy to mitigate web-based threats.
1
Vice President, Self-employed
Declaring I am biased, but benefits should be:
   1) Dramatic reduction in attack surface by converting the #1 attack vector .. the browser ... into an enterprise security control.  If your users have to use a browser anyway, why not give them one that collapses risk and improves their experience.
   2) Dramatic reduction in costs .. Compared to VDI, RBI, SWG, SASE, etc. this approach promises to deliver nearly the same outcome for less than $20 per user
   3) Zero Trust .. the main reason browsers are the #1 attack vector is due to the implicit trust we allow .. "enter your creds anywhere you want" " download whatever you want" "enter whatever sensitive data you want into that Shadow IT app" .. etc.  This has to stop
    4) Simplicity .. Users alrady know how to use a browser and administration is elegantly simple enough for even a junior engineer to administer
    5) Continuity .. all the cloud based approaches have outage issues you will never get reimbursed for the full business loss.  No need by using the browser instead.
Vice President, Self-employed
Assuming my other post is approved, I would suggest:
   1) Consider the three top players .. Island, Surf, Talon
   2) Compare solutions to the use cases you have to deliver not just for security but to enable the business
   3) Be weary of which use cases require redirection of traffic and any dependency on cloud
   4) Consider if the vendor is full browser only or also has an extension based option for ease of deployment to managed devices

Test and validation is pretty simple and quick with these types of solution since you don't really have to touch other parts of your infrastructure, unless validating integration use cases.

Also consider in the context of potential gaps in existing platforms to strengthen:
   A) EDR .. isn't perfect.  In memory attack filtering before EDR sees them as a relevant consideration
   B) IDP .. have you extended MFA to all apps that touch business data?  e.g. Shadow IT apps?
   C) Email Gateways .. Most would admit advanced techniques like Browser in the Browser are hard for them to stop. Not necessarily so for EBs
    D) ZTNA .. Added infrastructure and complexity.  Cost.  Support for traditional Voice.  etc.
   D) Zero Trust adoption.. do you have a formal initiative?  Does the vendor understand how they enable Zero Trust for your business?  Does it align to NIST?  or DoD?

Content you might like

Can ISO 27001 compliance be considered as benchmark for security maturity of an organization?

Governance, Risk & ComplianceSecurity & GRC

Yes87%

No13%


157 PARTICIPANTS
1k views

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

People & LeadershipStrategy & ArchitectureCloud+57 more
CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
143 19 Replies
Read More Comments
47.2k views133 Upvotes326 Comments

What services matter most (or are your favorite) in alignment with your cloud provider? i.e. Database/warehouse (like Redshift), analytics, AI/ML…

Strategy & ArchitectureCloudEnd-User Services & Collaboration+24 more
Read More Comments
2k views3 Upvotes2 Comments

Would anyone be willing to share best practices about how their organization deals with ensuring Cookie Compliance, specifically to GDPR rules? Where should this sort of compliance review sit in an organization? The particular issue we have is who should review new web deployments that use cookies and to make the decisions on whether Cookies are Strictly Necessary or Functionality Cookies. For example is a Cookie required for a Live Chat to work Functionality or Strictly Necessary? Our Security team does not consider taking on these compliance reviews as their domain, as Cookie Compliance is not an internal security matter and the Data Protection team has a limited interest as the GDPR rules around Cookies apply in case of any Cookie being used by a website, whether or not it contains personal data. 

Security & GRCRegulatory Compliance
667 views1 Comment

When migrating to the cloud, what's the top security issue that concerns you?

CloudSecurity & GRC

Data security52%

Shared resources/services34%

Compliance11%

Other: please specify.1%


704 PARTICIPANTS
2.6k views5 Upvotes1 Comment