Browser Isolation: An In-Depth Look

What is Browser Isolation?

Browser isolation is a security model that physically isolates Internet users’ browsing activity from their local computers, networks, and infrastructure. In this model, browser sessions are abstracted from the hardware the browser is running on, and the Internet connection being used, ensuring that harmful activities can only affect the isolated browser environment. This model is also known as a virtual browser.

Browser isolation works by providing users with a one-off, non-persistent browsing experience. This can be done in a number of ways, but usually includes virtualization, containerization, or cloud-based application virtualization. The isolated environment is reset or deleted when the user closes the browsing session or the session times out. In addition, malware and malicious traffic are also discarded, so they do not reach the endpoint device or network.

This article is part of a series about browser security.

Types of Isolated Browsing

There are two main containment techniques for isolated browsing: local and remote isolation.

Local Isolation

This is the traditional isolation method. It includes running a sandbox or virtual machine on the user’s local computer to isolate its data from dangerous web browsing.

Remote Isolation

Remote browser isolation uses virtualization to create an isolated browser environment on a remote server. The user browses the Internet on the remote virtual environment. The remote server can be located in an organization’s network or hosted in the cloud.

In the remote isolated browser, there are two primary ways to isolate the user’s local device from web content. DOM mirroring is a technique that excludes certain types of web content that is considered dangerous, while displaying other types of web content in their original form—but the browser is not fully isolated.

Another technique is visual streaming, where the browser runs on the remote server and only its visual output is transmitted to the user’s device. This works similarly to virtual desktop infrastructure (VDI) systems. This provides complete isolation between the remote browser and endpoints.

What Threats Does Browser Isolation Defend Against?

Most modern web pages use JavaScript, and attackers can use JavaScript code to perform a variety of malicious activity on user devices. Because browsers execute JavaScript by default on a web page, these malicious scripts run as soon as a user visits the page. The scripts could be planted by malicious site owners, or by others, unbeknownst to the site owners, as in cross site scripting (XSS) attacks.

This can lead to attacks like drive-by downloads, in which the browser downloads files without the user’s consent, “malvertising”, in which malicious code is executed when the user views an ad, and clickjacking, which involves tricking users into clicking links they did not intend to click. XSS can also be used to hijack user sessions and steal credentials.

There are several other browser-based threat vectors, including forced redirects to malicious URLs, and exploiting unpatched browser vulnerabilities.

Almost all these threats can be prevented by using browser isolation, because malicious activity occurs in an isolated or remote environment, not directly on the user’s device. For example, if a malicious script forces a redirection or a drive-by download, this would not affect the user, as the URL or file are executed in an isolated environment.

Components of a Browser Isolation System

An isolated browser system is typically built of the following components.

Client

End users initiate web requests using a client interface, deployed on their local device. A client can be deployed on any desktop, laptop, smartphone or other computing device that has an Internet connection and local web browser.

In local browser isolation, the client coexists with an isolation solution that can run the browser separately from the local environment. In a remote browser solution, the client shows the visual output of the remote browser.

Web Security Service

Determines what traffic and types of content should be allowed for the user. Most browser isolation solutions have built-in web security services that can be configured according to your business needs. For example, you can choose to exclude traffic from certain websites, filter out specific types of content (such as Adobe Flash elements), block downloads in certain circumstances, and display warnings when suspicious behavior occurs.

Threat Isolation Engine

A decision engine that can run specific types of content in an isolated browser, depending on security rules from the web security service. It allows users to work in a regular, non-isolated browser, and switch activity to an isolated browser when needed.

Disposable Container

Containers are independent packages that can run software independently of the surrounding infrastructure. The container is disposable, launched to accommodate one user session, and securely deleted when the user ends their session, to ensure any malware or threats are removed from the local system.

Web Socket

A secure channel for data to flow between the client and the web security service. The web socket is connected to the client, receives instructions from the security service, and applies them to the browser environment in real time.

Hosting Environment

This is the infrastructure that runs the isolated browser. It can be:

The local user’s device, running an isolation solution
A server managed by your organization on-premises
A server running in the cloud
A fully managed third party service

The Public Web

The user uses the client to access addresses in the public Internet. However, unlike a regular browsing experience, communication is between public websites and the isolated browser, which may be hosted in a remote location. Some of the data may be blocked or filtered as defined in the web security service. The resulting content is displayed in the client.

The Content

Internet content retrieved by browser isolation systems can be legitimate or malicious. Some solutions display all content as is, as long as it meets basic security requirements. Other solutions add a layer of content filtering, allowing you to block inappropriate content and preventing it from being accessed by the client, even if it bears no direct security risk.

5 Key Problems with Browser Isolation

Browser isolation, while offering several security benefits, also comes with its own set of potential drawbacks. Here are some of the negative aspects:

1. Performance Impact

Browser isolation solutions can consume additional system resources, which may lead to decreased performance, especially on devices with limited hardware capabilities. Each isolated browser session requires its own set of resources, such as CPU, memory, and network bandwidth.

2. Complexity and Management Overhead

Implementing and managing browser isolation solutions can be complex and require additional overhead in terms of configuration, maintenance, and monitoring. IT teams may need to spend more time and effort to ensure proper deployment and smooth operation of the isolation environment.

3. Compatibility Issues

Certain web applications or plugins may not work properly within isolated browser sessions due to compatibility issues. Organizations may need to invest time in testing and troubleshooting to ensure that all necessary applications and functionalities remain accessible.

4. User Experience Impact

Depending on the implementation, browser isolation solutions can potentially introduce latency or delays in web browsing, impacting the user experience. Users may perceive slower load times or responsiveness, which could lead to frustration and reduced productivity.

5. Scalability Challenges

Scaling browser isolation solutions to accommodate growing user bases or increasing workloads can be challenging. Organizations may need to invest in additional infrastructure and resources to ensure adequate performance and reliability as demand increases.

Overall, while browser isolation can provide enhanced security against web-based threats, organizations need to carefully consider these potential drawbacks and weigh them against the benefits before implementing such solutions, or choose an alternative solution, such as a browser security extension.

The Alternative to Browser Isolation

Perception Point Advanced Browser Security adds enterprise-grade security to standard browsers like Chrome, Edge, and Safari. The solution fuses advanced threat detection with browser-level governance and DLP controls providing organizations of all sizes with unprecedented ability to detect, prevent and remediate web threats including sophisticated phishing attacks, ransomware, exploits, Zero-Days, and more.

By transforming the organizational browser into a protected work environment, the access to sensitive corporate infrastructure and SaaS applications is secure from data loss and insider threats. The solution is seamlessly deployed on the endpoints via a browser extension and is managed centrally from a cloud-based console. There is no need to tunnel/proxy traffic through Perception Point.

An all-included managed Incident Response service is available for all customers 24/7. Perception Point’s team of cybersecurity experts will manage incidents, provide analysis and reporting, and optimize detection on-the-fly. The service drastically minimizes the need for internal IT or SOC team resources, reducing the time required to react and mitigate web-borne attacks by up to 75%.

Customers deploying the solution will experience fewer breaches, while providing their users with a better experience as they have the freedom to browse the web, use SaaS applications that they require, and access privileged corporate data, confidently, securely, and without added latency.