Few desktop and mobile applications are as heavily used as web browsers, yet browsers also introduce a slew of potential security exposures, no matter how carefully they're locked down. Large organizations have relied on so-called “browser isolation” services to deal with this risk for years, but these tools are often slow and clunky. As a result, many companies only require them for the most sensitive work; otherwise, employees would search for workarounds. On Tuesday, the internet infrastructure firm Cloudflare is debuting its own version—a service aptly named Browser Isolation—that the company says is just as fast as, and sometimes faster than, browsing without the protection.
Browsers, by definition, are an open door. Their job is to receive data from web servers and send back information. This means, though, that in addition to legitimate, benign web data, users can end up downloading malware or malicious attachments through a browser. And hackers can also find vulnerabilities in a browser's own code and exploit them to attack targets.
“The browser is the stuff of nightmares for chief information security officers,” says Cloudflare CEO Matthew Prince. “Inherently, every time it runs, the browser is downloading completely foreign code and running it on the device. Browsers do a good job of sandboxing and controlling the risk that’s there, but on an almost weekly basis you’re going to see some sort of vulnerability in one of the major browsers that's allowing people to potentially break out of that sandbox.”
Browser isolation services like Cloudflare's, which has been in beta testing since October, protect computers by running the browser in a controlled container away from your other services and data. That way, any shady code your browser unwittingly tries to execute isn't actually running on your computer and can get flagged. That process, however, takes time: time to load pages remotely, beam them down to your computer somehow, and then deal with all the interactions involved in web browsing, like entering login credentials for a site or even simple user inputs like clicking and scrolling. It all introduces opportunities for lag, which is why many browser isolation services are so slow and buggy.
Cloudflare's service is part of a new generation of cloud services that aim to be more usable by smoothing out all that back and forth. In January 2020, the company acquired a small firm, S2 Systems, that Prince says had a different approach than most of the tools out there. Many services have approached the problem by loading a page in the isolated environment and then sending information about site components, or even every individual pixel color, to a user's computer to display. But S2's approach instead taps into the draw commands a browser sends to a computer's GPU in a normal browsing situation. It captures these as a page loads in its cloud container and then transmits them to the user's computer so the processor can essentially draw a recording of what the webpage looks like.
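The pipeline described above, as a toy model added here for illustration; it is not Cloudflare's, S2 Systems' or any other vendor's code. The page format, the two-operation command set, the JSON wire encoding and the viewport size are all assumptions made up for the example. The container evaluates the untrusted page and emits only drawing primitives; the client validates each command against a short allow list and viewport bounds before replaying it; and the size of one raw pixel frame is computed for comparison with the command stream.

```python
"""Toy model of remote rendering via draw commands (added example).

Assumptions: a two-operation command set (fill_rect, draw_text), a JSON
array as the wire format and a 64x32-cell client viewport. None of this
reflects any real product's protocol.
"""
import json

# Constructed untrusted page. In the real design the isolated container
# loads and executes it; here it is plain data. The "script" field stands
# in for active content that must never reach the endpoint.
UNTRUSTED_PAGE = {
    "elements": [
        {"type": "rect", "x": 0, "y": 0, "w": 8, "h": 4, "color": "#ffffff"},
        {"type": "text", "x": 1, "y": 1, "text": "Hi", "color": "#000000"},
    ],
    "script": "while(true){}",
}

CANVAS_W, CANVAS_H = 64, 32   # assumed client viewport, in cells


def render_in_container(page):
    """Container side: evaluate the page, emit only drawing primitives.

    Nothing from page["script"] is copied into the output; the client
    receives geometry and colours, not code.
    """
    cmds = []
    for el in page["elements"]:
        if el["type"] == "rect":
            cmds.append({"op": "fill_rect", "x": el["x"], "y": el["y"],
                         "w": el["w"], "h": el["h"], "color": el["color"]})
        elif el["type"] == "text":
            cmds.append({"op": "draw_text", "x": el["x"], "y": el["y"],
                         "text": el["text"], "color": el["color"]})
    return cmds


def encode_stream(cmds):
    """Assumed wire format: one compact JSON array of commands."""
    return json.dumps(cmds, separators=(",", ":")).encode()


def _in_bounds(x, y, w, h):
    """Client-side geometry check: reject anything outside the viewport."""
    return (0 <= x and 0 <= y and w > 0 and h > 0
            and x + w <= CANVAS_W and y + h <= CANVAS_H)


def replay_on_client(stream):
    """Client side: validate every command, replay only the valid ones.

    Returns (canvas, dropped). Unknown operations, malformed entries and
    out-of-bounds geometry are counted and discarded; the client never
    evaluates anything it receives, it only draws.
    """
    canvas = [["#000000"] * CANVAS_W for _ in range(CANVAS_H)]
    dropped = 0
    for cmd in json.loads(stream.decode()):
        try:
            if cmd["op"] == "fill_rect" and _in_bounds(cmd["x"], cmd["y"],
                                                       cmd["w"], cmd["h"]):
                for yy in range(cmd["y"], cmd["y"] + cmd["h"]):
                    for xx in range(cmd["x"], cmd["x"] + cmd["w"]):
                        canvas[yy][xx] = cmd["color"]
            elif cmd["op"] == "draw_text" and _in_bounds(cmd["x"], cmd["y"],
                                                         len(cmd["text"]), 1):
                # one cell per glyph; a real client would rasterise fonts
                for i, _ch in enumerate(cmd["text"]):
                    canvas[cmd["y"]][cmd["x"] + i] = cmd["color"]
            else:
                raise ValueError("unknown op or bad geometry")
        except (KeyError, TypeError, ValueError):
            dropped += 1
    return canvas, dropped


def bytes_per_frame(cmds):
    """Size of one frame as (draw-command stream, raw RGB pixel buffer)."""
    return len(encode_stream(cmds)), CANVAS_W * CANVAS_H * 3


if __name__ == "__main__":
    stream = encode_stream(render_in_container(UNTRUSTED_PAGE))
    canvas, dropped = replay_on_client(stream)
    print("dropped:", dropped, "sizes:", bytes_per_frame(render_in_container(UNTRUSTED_PAGE)))
    for row in canvas[:4]:
        print("".join("#" if c == "#000000" else "." for c in row[:8]))
```

The design point is that the client treats the stream strictly as data: an entry is either a known primitive with geometry that fits the viewport, or it is dropped before anything is drawn. The frame-size comparison is the latency argument from the article in miniature, a handful of vector commands versus a full buffer of pixel colours.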
The idea is to watch a projection of your browsing in real time. With the stakes of web security so high, competitors have also felt the urgency to improve browser isolation in the hope of making the tools more appealing and ultimately more ubiquitous.
"Despite high security spending, many organizations struggle with security incidents associated with the web browser," says Matt Ashburn, a former CIA officer and National Security Council director who now heads strategic initiatives at the browser isolation company Authentic8. "As long as a two-way connection is allowed from a computer to the internet, advanced adversaries and criminals will find a way to remain successful."
As has been the case with other security initiatives, though, Cloudflare has the scale to quickly promote new offerings to a massive customer base. Browser Isolation will be a simple add-on to the existing Cloudflare for Teams suite of services for enterprises.
By getting browser isolation services through Cloudflare, customers will be trusting the company with yet another high-stakes, data-rich task. This centralizes even more data with Cloudflare and potentially creates more risk if the company is ever breached or goes rogue. Cloudflare says it has extensive security controls and third-party auditing in place, and the company spent months engineering Browser Isolation so there's an individual, separated cloud container for each customer to minimize the risk of cross-contamination or a single point of failure on Cloudflare's network. But ultimately, Prince says that Cloudflare's business model is the main assurance.
“We’re not an advertising company,” Prince says. “We have never thought of our customers' data as our data. We make money by charging companies for the services we provide. If at some point we were ever doing anything that took that data and misused it in any way, that would be the fastest way that we would lose all of our customer base.”
Other services have attempted to do browser isolation locally so organizations don't have to trust additional companies with their browsing data. Simon Crosby, who worked on browser isolation at Citrix and then as cofounder of the virtualization security firm Bromium, says the approach can have advantages in terms of speed and reliability. Bromium, which was acquired by HP in 2017, took a systemic approach, isolating browsing from the main operating system on special, physically distinct regions of a computer's processor. Microsoft licensed the technology and baked some of it into Windows 10. Crosby says this strategy works well at the operating system level but is generally less efficient and secure when added as a program running on top of an existing operating system.
Given that at least one large tech firm, whether an organization's internet service provider or its VPN vendor, already has access to its browsing data, Crosby adds that the risk of using a cloud-based browser isolation service isn't necessarily a deal breaker. Organizations have to think about their specific circumstances, but reducing browser exposure one way or another is worth considering.