The maxim goes that employees are the weakest point in your cyber defence, and this has never been more true in the post-COVID workforce, writes James Derbyshire, browser isolation expert for Garrison.

As remote work became commonplace with the onset of the pandemic, the security risk posed by employees increased exponentially. Today’s virtual workforce operates beyond a business’ traditional security parameters, leaving organisations more vulnerable to cyber-attacks.

The reality is that governments and commercial organisations are often reliant on the judgement and behaviours of individual employees as they browse the web or click on email links and attachments.

This comes at a time when social engineering attacks, in particular phishing scams and ransomware, are becoming increasingly sophisticated and commonplace, accounting for over a third (36%) of all the data breaches in 2021, according to Verizon’s latest Data Breach Investigations Report.

Web‐based attacks are also on the rise. Google Safe Browsing lists over two million known websites as dangerous. Crucially, this doesn’t include unknown threats, meaning that the real number is likely to be far greater.

The result is that employees, especially high-risk staff such as privileged access users, payments teams in banks or senior executives, are facing an increased possibility of being targeted by malicious attacks, putting entire organisations at risk.

Traditional security solutions are no longer fit for purpose

Organisations have historically relied on detection-based security techniques – firewalls, proxies and web filters, amongst other tools – to keep users safe. However, these traditional methods are struggling to keep pace with increasingly sophisticated and targeted threats and struggle to defend against zero-day attacks.

To counter this growing problem, companies are heavily investing in user training. But unfortunately, this isn’t a fool proof solution; even with the best training, the well-intentioned and security conscious employee can still fall prey to a cleverly disguised social engineering attack.

Employees may be highly vigilant 99.9% of the time, but one false move from just one employee can puncture an organisation’s security perimeters and give malicious code access to your central network.

Introducing browser isolation

Security conscious organisations across the public and private spheres are starting to recognise browser isolation as a critical control to protect their employees from ransomware, phishing and web-based threats.

Browser isolation works by ensuring users’ devices never come into contact with web code. Instead, a remote machine acts as a protective buffer, accessing the web pages for the user, and then delivering a safe, clean version.

For the end user, there is no noticeable difference when accessing the web, but for the organisation, the implications are game changing; by separating an organisation's internal network from risky web pages, browser isolation completely removes the threat of attacks, meaning enterprises can keep their data secured.

The benefits of browser isolation

Securing your high-risk users

Targeted cyber-attacks typically focus on users that have access to the most sensitive data or systems, such as system administrators and finance teams. Whereas traditional security techniques focus on restricting web access for these groups, browser isolation enables full web access, but without compromising on security.

Eliminating phishing and ransomware attacks

Organisations continue to try to educate users not to click on links that may result in a cyber-attack, but with limited long-term success. The reality is that users are not security experts and risky URLs, and suspect files are hard to detect.

The use of a browser isolation solution means that employees access emails and web content in an isolated cloud environment, allowing them to follow links and open attachments safely, without putting the organisation's sensitive data and systems at risk.

Access to blocked pages

Security conscious organisations may restrict access to websites using URL filtering. However, security teams are dealing with an inordinate number of sites (over 1.9 billion at the time of writing) as well as limited security information to guide their decision making, making it challenging, if not impossible, to classify websites with confidence and at pace.

This can lead to increased risk if restrictions are too lax, or business frustration if restrictions are too heavy-handed, as users cannot access the information needed to perform their jobs.

By containing the web browser in an isolated environment before relaying web content back to the user, browser isolation solves this issue by enabling users to access any website safely, regardless of a page’s security status. As a result, organisations can improve business operations by giving their users unlimited access to the web, but without increasing risk.

Comparing partial and full browser isolation

Browser isolation offerings are generally divided into two camps – partial and full browser isolation – which use different approaches to relay the browsing session back to the user and offer differing security levels.

Before making a decision on which solution to opt for, it’s critical for CISOs to understand the key differences, the technology underpinning each, and the resulting impact on an organisation’s security defences.

Partial browser isolation

Partial browser isolation is usually achieved using transcoding, a process that reduces website code into smaller subsets of information, removes any malware and then reconstructs it before sending it back to the user’s device.

For you

Be part of something bigger, join the Chartered Institute for IT.

Transcoding is often software-based, so no additional hardware or browser plugins are required. Crucially, unlike full browser isolation, it is a porous solution that doesn’t offer full protection for users.

Partial browser isolation is not a zero-trust solution – it always lets some of the original web code through, and since most transcoding providers don’t offer details on what code goes through and what gets stripped out, it’s impossible to know exactly how secure any solution is.

An added complication is that users may find that partial browser isolation solutions offer poor compatibility with multimedia content like videos, resulting in a limited browsing experience. This inaccessibility of content can become a headache for IT, which will find itself facing poor interoperability and user complaints when sites fail to work properly.

Pixel-pushing for full browser isolation

Full browser isolation on the other hand takes a zero-trust security approach, completely separating web code from the user’s device, meaning that your company’s central network never comes into contact with malicious code.

Full browser isolation handles all web browsing and then feeds the information back as a video stream, known as pixel-pushing, much like a virtual desktop solution but with far superior user experience.

The end user never interacts with the original web code, instead only ever seeing a series of pixel images of the web page. This means that unlike the partial browser isolation options, an organisation is provided with robust, uncompromised security, while the user is delivered a seamless web browsing experience.

Unlike transcoding, full browser isolation doesn’t need to adapt significant amounts of website code in order to deliver pages to users, which reduces the possibility of new updates to websites disrupting the service. This also decreases the need for your IT team to constantly be installing update patches.

Software vs hardware-based solutions

Pixel-pushing can be achieved through software or hardware-based video encoding and delivery. While both offer high levels of protection for users, software-based pixel-pushing moves significant data volumes, which can be processor and bandwidth-intensive, leading to high operating costs. Newer, hardware-based solutions mitigate much of these bandwidth requirements, significantly reducing ongoing costs and improving browsing experience.

Hardware-accelerated pixel-pushing has the added advantage of being able to be deployed in the cloud or on-premise, reducing the upfront deployment requirements. Hardware-based alternatives vary in IT complexity, but while on-premise options require upfront installation and deployment, cloud solutions don’t – although, like any solution, some configuration is still required to ensure interoperability with proxies and other security tools.

Cloud solutions running on purpose-built hardware can offer the same benefits without the costs of hardware deployments maintenance. This provides a powerful mix of security, usability and compatibility alongside lower costs and management overheads.

Zero-trust security with uncompromised web access

Today’s threat landscape means that enterprises and government departments need to be guided by zero-trust principles if they are to comprehensively protect their critical data and systems from attacks.

Detection-based traditional techniques typically rely on a combination of technology and human judgement, leaving organisations vulnerable to attacks that could cost them their business, or in the case of government organisations, put sensitive data in the hands of adversaries or risk loss of critical systems.

Browser isolation gives organisations complete control of their web security, delivering full security, usability, IT simplicity, and cost-effectiveness, and all without the end user noticing a difference between native and isolated web browsing.